Mar 23, 2020
Sergio began his career doing threat intelligence at the US
Government's NSA and is now the VP of Threat Intel at Dragos. In
this episode we focus on where the data for threat intel is
obtained, how the threat intel product is created, and how it
should be used by an ICS asset owner.
- Where are the data 'mines' where the raw data is available and
how to find the nuggets?
- What is a typical threat intel product / set of
- Does threat intel include attribution (who is the threat
actor(s))? What is the difference between a threat actor and what
Sergio calls an activity group? Is this important for the asset
owner to know?
- How do you determine when you have enough completeness and
accuracy to write and deliver threat intel product?
- How do you define the accuracy of a threat intel report or
specific findings in a report?
- How would an asset owner use threat intel? Is it actually
providing new recommendations that a good ICS security program
wouldn't already prioritize?
- Customers should drive threat intel through their questions so
they can make better business decisions.