Presentations
Videos, presentations, and other appearances.
The Single Person (and Several-Dozen AI Agent) CTI Team
Presented at Australian Cyber Conference Canberra, 18 March 2025.
Slide 1: The single-person (and several dozen AI agent) CTI team
Summary: Title slide
Brendon Hawkins
IndependINT
Slide 2: What we'll be covering today
Summary: Describes the content covered in the presentation and a summary of the experience of the presenter.
- We'll examine what AI agents are and how they can be used to augment cyber threat intelligence capabilities.
- I'll run you through some practical examples of using AI workflows from some of my own work.
- We'll bed down some of the principles of what works when building AI tools for threat intelligence.
- I'll discuss the potential applications of combining intelligence tradecraft with AI to build knowledge about the world.
I'm a senior intelligence professional with over 20 years of experience across Defence, NIC, policing, and corporate intelligence functions. My intelligence-related interests include intelligence training, prototyping tools, and experimenting with new processes.
Slide 3: The state of CTI in Australia
Summary: Examines the current state of cyber threat intelligence in Australia and the limitations of organisations, particularly with regard to FTE and broad remit.
Most organisations in Australia don't have a dedicated Cyber Threat Intelligence team. When they do, it's often a single analyst, typically juggling multiple roles.
Some organisations outsource CTI, which can work, but might miss out on internal context.
FTE growth is a challenge, particularly when there are other security needs. Australia's CTI workforce is also small and specialised, meaning hiring expert staff is difficult and expensive.
The question for us today: how can we use AI to augment CTI capabilities in Australian organisations?
I've been looking at this in my spare time for the past few years and have built some use cases which I'd like to share with you all.
Slide 4: There will be three main functions of a CTI analyst as AI matures:
Summary: Looks at roles that will be resistant to job losses caused by AI in the future. The speaker talks about how highly specialised analyst roles, individuals tasked with communicating intelligence to leaders, and managers of intelligence capabilities will likely be core human functions. The speaker suggests that it's junior roles that will be replaced first and notes the requirement to build a pipeline to train junior analysts.
- Specialist Analysts
- Intelligence Communicator
- Intelligence Manager
How do we build the skills pipeline for junior analysts?
Slide 5: The tech team
Summary: The presenter summarises the software used for the tools demonstrated in this presentation. He also highlights his strengths and limitations in performing this kind of work.
I use a range of commercial and open-source tools when building my experiments. These include Telegram, Gemini, ChatGPT, Python, PostgreSQL, scikit-learn, Claude, Cursor, and spaCy.
As for the human member:
- ✓ I am very experienced with intelligence process
- ✓ I've worked across the full intelligence cycle
- ✓ I've worked across a range of targets
- ✓ I can code (Python), build databases, use APIs
- ✓ I am very comfortable with data analysis
- ✓ I have someone to build infrastructure for me
- × I am not a software engineer
- × I'm an intelligence expert, not an AI expert
- × I am not a data scientist
- × Don't ask me to design a front end…
Slide 6: What are AI Agents?
Summary: Provides a brief definition of AI agents for a broad non-technical audience.
An agent is someone or something that acts on your behalf.
AI agents are software systems that can act independently to complete tasks for you.
In intelligence, AI agents can collect data, summarise reports, tag threats, and even draft assessments.
AI agents are becoming more autonomous, chaining tasks together and even collaborating with other agents.
AI agents aren't analysts. They are highly efficient digital workers. They handle volume and speed, but only humans bring context, ethics, and responsibility.
Slide 7: Working with the limitations
Summary: Acknowledges that LLMs are effective when doing certain tasks like summarising and triaging at speed. The presenter asserts that the best way of keeping them focussed is to use robust intelligence requirements.
LLMs are fantastic for summarising, translating, triaging information, and speed.
LLMs are less effective for analysis*, long reports, referencing, and remembering.
Where I have had most success is in keeping AI focused on tasks by using robust intelligence requirements.
Then you need to understand your own intelligence processes and break them down into manageable chunks.
LLMs, like human analysts, make mistakes. But good process can minimise these.
AI is faster if you can tell it what you need.
Slide 8: The Intelligence Cycle
Summary: The presenter gives an overview of the intelligence cycle for non-intelligence professionals. He suggests that the structured, systematic approach of intelligence is well suited for building AI agents as they perform specific tasks.
Intelligence is an ancient profession. But it was only systemised during the 20th century. In the western military context, it was structured using the intelligence cycle.
The intelligence cycle is a simplified framework for the activity of intelligence. Each part of the cycle traditionally uses specialised professionals to perform their part.
It's the same with AI agents in intelligence – they should be specialised to perform their role in the intelligence cycle.
Slide 9: Refining intelligence requirements
Summary: The presenter demonstrates using LLMs in voice mode to refine intelligence requirements for the audience. He gives an overview of the challenges of defining requirements over a large user base with a small intelligence staff.
Intelligence teams service a range of business areas. They need to engage with stakeholders and bring the results together to generate perfect information needs!
A challenge for any intelligence function is that they are servicing a range of stakeholders. AI can be used to help refine requirements and make sure that the right intelligence is reaching the parts of the business that need it.
The QR code below links to a custom GPT which interviews a cyber security stakeholder from the company TelcoTechCom to determine how their needs align to intelligence requirements.
Scan it, open the web page, and have a go at using it after the presentation. It works best with voice mode.
Slide 10: Collection: Survey tool
Summary: The presenter displays a workflow of a collection survey tool that takes a collection channel under a supervising agent, then collects data, triages against requirements, generates information reports, uploads the entities into a knowledge graph, and performs statistical analysis. It then assesses it for timeliness, accuracy, relevance, and uniqueness, before recommending sustained tasking or not of interest.
No slide text provided.
Slide 11: Processing
Summary: Focusses on a strength of LLMs: taking unstructured data and transforming it into structured information. It provides three examples.
The real strength of AI is in the processing phase of the intelligence cycle. Its strengths include:
- Translating.
- Surfacing priority information.
- Formatting unstructured data.
- Working fast with good accuracy.
To get the most out of AI for processing, you need a well-managed intelligence function:
- A comprehensive set of intelligence requirements.
- Good collection management.
- A flexible data processing environment.
- A work environment that encourages the use of AI.
Most of these are simple LLM, ML, or statistical workflows.
Three examples:
- Capturing Threat Actor Knowledge [Report -> STIX Formatter -> TIP]
- Clustering Articles [News aggregator -> NLP Clustering Summarising -> Summary Report]
- Triage Vulnerabilities [Alert -> Tech Stack Email Composer -> Formatted Email]
Slide 12: Writing information reports
Summary: The presenter guides the audience through the process of taking raw intelligence collect and using LLMs to triage it, summarise it, generate metadata, produce a report, and push it to a database.
The activity best suited to the capabilities of LLMs is generating information reports from unanalysed collected information. Asking an LLM to summarise a piece of information in a standard, repeatable way is well within its abilities, particularly when providing it with a good understanding of the context.
- Take a social media post.
- Check against intelligence requirements.
- Pass to an LLM to summarise content and generate data.
- Produce an information report and data.
- Push to a database.
I've had a lot of success producing information reports from Telegram posts. The target sets that I've focused on are Hacktivists, the Russia-Ukraine War, and Right-Wing Extremism.
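An added example, not the presenter's code: one way to gate the "produce an information report" and "push to a database" steps above, validating the model's JSON against the field layout shown on slides 13 to 16 before it is stored. The cid layout, the requirement register, the SQLite schema (standing in for PostgreSQL) and all sample values are assumptions.

```python
import json
import re
import sqlite3
from datetime import datetime

# cid layout inferred from the slides (an assumption): SET-SOURCE-channel-message-YYYYMMDDhhmmss
CID_RE = re.compile(r"^[A-Z]{3}-([A-Z]{3})-(\d+)-(\d+)-(\d{14})$")
REQ_RE = re.compile(r"^[A-Z]{3}-\d+(?:\.\d+)*$")
# "text (LABEL)"; the lazy group keeps names that contain brackets intact.
ENTITY_RE = re.compile(r"^(.+?)\s*\(([A-Z_]+)\)\s*$")
FIELDS = ("cid", "requirement_id", "information_report", "analyst_comment", "languages", "entities")
SCHEMA = """
CREATE TABLE report (cid TEXT PRIMARY KEY, source TEXT, channel_id TEXT,
    message_id TEXT, posted_at TEXT, report TEXT, comment TEXT, languages TEXT);
CREATE TABLE report_requirement (cid TEXT, requirement_id TEXT, PRIMARY KEY (cid, requirement_id));
CREATE TABLE entity (cid TEXT, text TEXT, label TEXT);
"""


def as_list(value):
    """Models sometimes return a bare string where a list is expected."""
    return [str(v) for v in (value if isinstance(value, list) else [value])]


def validate_report(raw, register):
    """Return (record, errors); record is None when any check fails."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return None, [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(doc, dict):
        return None, ["top-level value is not an object"]
    errors = [f"missing field: {name}" for name in FIELDS if name not in doc]
    if errors:
        return None, errors
    record = {"cid": str(doc["cid"]), "report": doc["information_report"],
              "comment": doc["analyst_comment"], "languages": as_list(doc["languages"]),
              "requirements": as_list(doc["requirement_id"]), "entities": []}
    cid = CID_RE.match(record["cid"])
    if cid is None:
        errors.append(f"malformed cid: {record['cid']!r}")
    else:
        try:
            record.update(source=cid.group(1), channel_id=cid.group(2), message_id=cid.group(3),
                          posted_at=datetime.strptime(cid.group(4), "%Y%m%d%H%M%S").isoformat())
        except ValueError:
            errors.append(f"cid timestamp is not a real date: {cid.group(4)}")
    for req in record["requirements"]:
        if REQ_RE.match(req) is None:
            errors.append(f"malformed requirement id: {req!r}")
        elif req not in register:
            errors.append(f"requirement not in register: {req}")
    for item in as_list(doc["entities"]):
        match = ENTITY_RE.match(item)
        if match is None:
            errors.append(f"entity without a (LABEL) suffix: {item!r}")
        else:
            record["entities"].append((match.group(1).strip(), match.group(2)))
    return (None, errors) if errors else (record, [])


def store_report(conn, record):
    """Insert one validated record; return False if the cid is already stored."""
    with conn:  # one transaction: commit on success, roll back on error
        cur = conn.execute(
            "INSERT OR IGNORE INTO report VALUES (?,?,?,?,?,?,?,?)",
            (record["cid"], record["source"], record["channel_id"],
             record["message_id"], record["posted_at"], record["report"],
             record["comment"], json.dumps(record["languages"])))
        if cur.rowcount == 0:
            return False
        conn.executemany("INSERT OR IGNORE INTO report_requirement VALUES (?,?)",
                         [(record["cid"], r) for r in record["requirements"]])
        conn.executemany("INSERT INTO entity VALUES (?,?,?)",
                         [(record["cid"], t, l) for t, l in record["entities"]])
    return True


# Constructed samples in the slide format; every value is made up.
REGISTER = {"CTI-1.1.1", "CTI-2.2.1"}
GOOD = json.dumps({
    "cid": "CTI-TGM-1000000001-42-20231209030235",
    "requirement_id": ["CTI-1.1.1", "CTI-2.2.1"],
    "information_report": "On 9 December 2023, ExampleCrew(16) posted an outage image.",
    "analyst_comment": "Likely a proof-of-success post.", "languages": "Russian",
    "entities": ["ExampleCrew(16) (ORG)", "example.org (URL) "]})
BAD = json.dumps({
    "cid": "CTI-TGM-1000000001-43-20231340030235", "requirement_id": ["CTI-9.9.9", "CTI 1.1"],
    "information_report": "x", "analyst_comment": "y", "languages": ["English"],
    "entities": ["example.org"]})


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    record, _ = validate_report(GOOD, REGISTER)
    stored = [store_report(conn, record), store_report(conn, record)]
    rows = conn.execute("SELECT text, label FROM entity ORDER BY rowid").fetchall()
    return record, stored, rows, validate_report(BAD, REGISTER)[1]
```

Rejected records carry a list of reasons, so they can be queued for a second model pass or for analyst review instead of being stored.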
Slide 13: Hacktivism
Summary: The presenter provides an example of an information report produced about the Black Security Team group.
{
"cid": "CTI-TGM-1132964271-13567-20231204220140",
"requirement_id": ["CTI-1.3.1", "CTI-1.3.3"],
"information_report": "On 04 December 2023 at 22:01:40, the Telegram channel 'Black Security Team' posted a message by 'Tencher Scott' announcing a free cybersecurity course focused on SQL Injection vulnerabilities and countermeasures. The post explains that SQL Injection occurs when a backend developer fails to implement proper filtering while executing database queries. The message includes a link to the course hosted on 'BlackSecurityTeam.com' and promotes it as a comprehensive web security training. An attached promotional image indicates that the course instructor is 'Mehdi Hassani' from the Black Security Team. The post also provides Telegram and website links for further engagement.",
"analyst_comment": "This post promotes cybersecurity training with a focus on SQL Injection, a widely exploited web application vulnerability. While the course appears to be for educational and defensive purposes, similar materials can be leveraged for offensive security and penetration testing. The presence of a dedicated cybersecurity community and training website suggests an organised effort to spread cybersecurity knowledge, potentially attracting both security professionals and individuals with malicious intent.",
"languages": ["Persian", "English"],
"entities": [
"04 December 2023 (DATE)",
"22:01:40 (TIME)",
"Black Security Team (ORG)",
"Tencher Scott (PERSON)",
"Mehdi Hassani (PERSON)",
"SQL Injection (TECHNIQUE)",
"BlackSecurityTeam.com (DOMAIN)",
"T.me/Black_Security (ORG)"
]
}
Slide 14: Hacktivism
Summary: The presenter provides an example of an information report produced about NoName057.
{
"cid": "CTI-TGM-1732250465-5429-20231209030235",
"requirement_id": ["CTI-1.1.1", "CTI-2.2.1", "CTI-2.2.2"],
"information_report": "On 9 December 2023, NoName057(16) posted an image on their Telegram channel, showing website outage messages for multiple entities. The image indicated denial of service attacks targeting websites related to the government and financial sector in Bulgaria, as well as transportation services in Norway and the United Kingdom. The affected sites included: the Bulgarian government portal (government.bg), the Bulgarian Customs Agency application access portal (testiam-ids.ext.customs.bg), DSK Bank in Bulgaria (dskbank.bg), the Norwegian railway ticketing service (ruter.no), and the UK Swift transport card service (swiftcard.org.uk). The image displayed error messages in Russian stating 'Unable to access site' and 'Connection timed out'. This image was published alongside a text post discussing external media protection.",
"analyst_comment": "This image is highly likely part of NoName057(16)'s ongoing pro-Russian politically motivated DDoS campaign. The selection of targets aligns with previous campaigns, focusing on entities in countries supporting Ukraine. The image serves as visual 'proof of success' for the group's attacks, aimed at bolstering credibility within their support base.",
"languages": "Russian",
"entities": [
"9 December 2023 (DATE)",
"NoName057(16) (ORG)",
"Bulgaria (GPE)",
"Norway (GPE)",
"United Kingdom (GPE)",
"Bulgarian Government Portal (ORG)",
"Bulgarian Customs Agency (ORG)",
"DSK Bank (ORG)",
"Norwegian Railway Ticketing Service (ORG)",
"Swift Transport Card Service (ORG)",
"government.bg (URL)",
"testiam-ids.ext.customs.bg (URL)",
"dskbank.bg (URL)",
"ruter.no (URL)"
]
}
Slide 15: Hacktivism
Summary: The presenter provides an example of an information report produced about IT Army of Ukraine.
{
"cid": "CTI-TGM-1601423054-1828-20231204203150",
"requirement_id": ["CTI-1.1.1", "CTI-2.1.3", "CTI-2.3.1", "CTI-2.3.2"],
"information_report": "On 4 December 2023 at 20:31, the IT ARMY of Ukraine posted on their Telegram channel providing an update on operational leaders for week 48. The post identified four individuals or teams leading in the use of different cyber tools during the week. DTS led in the use of 'db1000n', generating 28.2 TB of traffic. UkrByte led operations using the 'Distress' tool, generating 1,041.6 TB of traffic. Littlest_giant led in the use of 'Mhddos', contributing 482.6 TB of traffic. Uashield21 led in 'X100' operations, producing 358.2 TB of traffic. The post highlighted that each of these leaders and tools played a key role in the group's collective efforts.",
"analyst_comment": "This post is almost certainly related to ongoing distributed denial of service (DDoS) campaigns conducted by the IT ARMY of Ukraine against Russian or Russian-affiliated targets. The naming of specific tools (db1000n, Distress, Mhddos, X100) aligns with known tools used in crowdsourced DDoS attacks. The identification of operational leaders is likely intended to both motivate participants and publicly demonstrate the IT ARMY's continued activity and effectiveness. The use of both Ukrainian and English text indicates the message was intended for both domestic and international audiences.",
"languages": ["Ukrainian", "English"],
"entities": [
"4 December 2023 (DATE)",
"20:31 (TIME)",
"IT ARMY of Ukraine (ORG)",
"Telegram (ORG)",
"DTS (PERSON)",
"UkrByte (PERSON)",
"Littlest_giant (PERSON)",
"Uashield21 (PERSON)",
"db1000n (PRODUCT)",
"Distress (PRODUCT)",
"Mhddos (PRODUCT)",
"X100 (PRODUCT)"
]
}
Slide 16: Russia-Ukraine War
Summary: The presenter provides an example of an information report produced about Ukraine's 3rd Separate Assault Brigade.
{
"cid": "RUK-TGM-1639691719-003203-20231001173007",
"requirement_id": ["RUK-6.1.2"],
"information_report": "On 01 October 2023 at 17:30 UTC, the 3rd Separate Assault Brigade (3 ОШБр) posted a message on their Telegram channel celebrating Defender of Ukraine Day. The post states that the brigade is marking the occasion while deployed on the frontlines, emphasizing their commitment to defending Ukraine, their homeland, and its future. It references fallen comrades and inherited bravery from ancestors, stating that retreat or weakness is not an option. The brigade extends greetings to all Ukrainian servicemen and women in honor of the national holiday. The message includes links to the brigade's social media and support channels, including Telegram, Instagram, Facebook, YouTube, and TikTok.",
"analyst_comment": "This post follows a common Ukrainian military narrative, reinforcing themes of resilience, sacrifice, and national unity. The invocation of fallen comrades and ancestral bravery aims to boost morale and frame continued combat as an honorable duty. The inclusion of multiple social media links suggests an organized effort to increase public engagement and support. The mention of the national holiday ties the post to broader Ukrainian state messaging, which often emphasizes the military's role in national survival. The SupportAZOV link may indicate ties to the broader nationalist military movement, a common theme in some Ukrainian units' outreach efforts.",
"languages": ["Ukrainian"],
"entities": [
"01 October 2023 (DATE)",
"17:30 UTC (TIME)",
"3rd Separate Assault Brigade (ORG)",
"Ukraine (GPE)",
"Defender of Ukraine Day (EVENT)",
"Telegram (ORG)",
"Instagram (ORG)",
"Facebook (ORG)",
"YouTube (ORG)",
"TikTok (ORG)",
"SupportAZOV (ORG)"
]
}
Slide 17: Nil
Summary: This slide is an AI generated comic about an intelligence analyst producing a report. It goes through their process: tasking, research, planning, production, editing, and dissemination. The presenter explains that parts of this process can be replicated with LLMs.
No slide text provided.
Slide 18: Writing longer intelligence reports with AI
Summary: The presenter explains the challenges in using LLMs to write longer intelligence reports.
There are significant challenges in getting LLMs to write longer intelligence reports:
- Replicating the full process that experienced analysts use.
- Asking an LLM to extract the most important points from a corpus.
- Problems with context windows and hallucination (particularly at +80%).
- Capturing expert target knowledge.
- Referencing intelligence source information in a reliable way.
- Effectively assessing information.
The best solution at this stage is AI-assisted intelligence production.
Slide 19: An example workflow for intelligence reports
Summary: This slide shows a multi-agent workflow for intelligence report production. It moves through tasking and problem deconstruction, establishing key points, writing the report body, writing the assessment, editing, and the human-in-the-loop checkpoints.
Each AI icon is a multi-agent process.
AI does the heavy lifting, but humans own the judgment and the meaning.
Slide 20: Trying this workflow
Summary: A presentation of a report prompt and Python script running through a multi-agent workflow.
I decided to have a go at building out this workflow using some old scripts and Cursor + Claude 3.7.
Writing* the code took about half an hour. The report used Gemini 1.5 Pro, took three minutes and cost $3.72.
Some issues with the report:
- Shorter than I would like.
- Paragraphs don't go into enough detail.
- Some issues with the referencing.
- It's clearly missed some attacks and countries.
- I didn't sense check along the way.
- It didn't have to generate the query.
Still, it produced something that is consistent with my understanding faster than any analyst could over that much data. I wouldn't normally do this in one pass.
Slide 21: CARR Cyber Group: Expanding Targeting and Evolving Capabilities
Summary: This slide is the output of the AI generated report writing.
TITLE: CARR Cyber Group: Expanding Targeting and Evolving Capabilities
EXECUTIVE SUMMARY:
CARR, a suspected Russian state-influenced cyber group, has broadened its targeting from Ukrainian entities to include nations providing aid to Ukraine, indicating an escalation in geopolitical alignment. The group primarily uses publicly available website vulnerability scanning tools to identify targets. While CARR has expressed intent to target US critical infrastructure, it currently lacks the demonstrated capability to pose a significant threat. CARR's organizational structure appears fluid, potentially hampered by internal conflict and marked by fluctuating collaborations with other pro-Russian cyber groups.
ASSESSMENT:
CARR's expanded targeting almost certainly reflects increasing alignment with Russian strategic objectives and elevates the risk of wider cyber conflict. We assess with high confidence that CARR will continue targeting nations supporting Ukraine, likely escalating to more disruptive attacks, particularly against government and infrastructure targets. CARR may attempt to develop or acquire more sophisticated capabilities, though its current reliance on readily available tools suggests resource limitations. The fluidity of CARR's structure makes predicting future behavior challenging; however, continued monitoring of its tactics, techniques, and procedures (TTPs) and affiliations remains critical.
DETAILED ANALYSIS:
KEY POINT 1: Expanded Targeting Beyond Ukraine (CTI-3.1, CTI-2.2)
CARR has expanded its targeting to nations providing military and humanitarian aid to Ukraine, significantly broadening its operational scope. Initial attacks focused on Ukrainian government and infrastructure, including recruitment centers (CTI-TGM-1781536189-006102). Subsequent targeting of government and aid-related websites in Norway (CTI-TGM-1781536189-006125), Bulgaria (CTI-TGM-1781536189-006165), and Latvia (CTI-TGM-1781536189-006231) suggests an intent to pressure and disrupt Ukraine's international support network. This geographic expansion increases the risk of broader cyber conflict and necessitates a coordinated international response. This shift likely signifies a transition from patriotically motivated hacktivism to a geopolitically driven campaign aligned with Russian strategic objectives.
KEY POINT 2: Reliance on Publicly Available Tools (CTI-1.3, CTI-2.3)
CARR frequently uses publicly available website vulnerability scanning tools, such as check-host.net (CTI-TGM-1781536189-006091, CTI-TGM-1781536189-006137, CTI-TGM-1781536189-006170), indicating a pragmatic but potentially low-sophistication approach. This allows CARR to rapidly identify vulnerabilities without specialized expertise. While this reliance on public resources complicates attribution, it does not preclude the group from possessing or acquiring more advanced capabilities. Continued TTP monitoring is necessary to identify any evolution in sophistication.
KEY POINT 3: Suspected Russian State Influence (CTI-2.1.1, CTI-3.1.2)
Several indicators suggest a strong link between CARR and Russian intelligence services, though definitive attribution remains challenging. CARR's targeting aligns with Russian geopolitical interests, specifically pressuring nations aiding Ukraine (see Key Point 1). Its rhetoric often mirrors themes in Russian state-sponsored propaganda (CTI-TGM-1781536189-006158, CTI-TGM-1781536189-006220). An unverified report mentioning potential FSB contracts (CTI-TGM-1781536189-006094) further strengthens this assessment. While conclusive evidence of direct control is absent, these factors suggest CARR's operations are likely influenced, if not coordinated with, Russian intelligence objectives, raising concerns about potential escalation and the use of CARR as a proxy force.
KEY POINT 4: Threats Against Critical Infrastructure (CTI-1.1.4, CTI-2.2)
CARR has expressed intent to target US critical infrastructure, including water supply systems and energy companies (CTI-TGM-1781536189-006265, CTI-TGM-1781536189-006428). However, no confirmed successful attacks causing significant disruption or damage have been observed, suggesting limited capabilities or a prioritization of other targets. Despite this, CARR's stated intent necessitates vigilance and proactive defensive measures by potential target organizations.
KEY POINT 5: Fluid Organizational Structure (CTI-2.4)
CARR's organizational structure appears fluid and evolving, potentially marked by internal conflict, shifting allegiances, and varying levels of coordination with other pro-Russian cyber groups, such as 22C (CTI-TGM-1781536189-006256) and NoName057(16) (CTI-TGM-1781536189-006412). Reports indicate internal disputes and shifting allegiances within CARR (CTI-TGM-1781536189-006094, CTI-TGM-1781536189-006882). Understanding these internal dynamics is crucial for anticipating future actions, but this fluidity complicates predicting behavior and assessing overall capabilities. Continuous monitoring of CARR's internal and external relationships is necessary to accurately assess the group's evolving threat landscape.
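An added example, not part of the presentation: a referencing check for a generated report like the one above. It resolves each in-text citation against the stored information reports and flags citations that do not exist, citations to a report tagged against a different requirement than the key point heading, and key points with no citation at all. The store contents, the hierarchical reading of requirement ids and the sample text are constructed assumptions.

```python
import re

# In-text citations drop the timestamp that full cids carry, and message ids
# appear both zero-padded and unpadded, so both forms are normalised to one key.
CITE_RE = re.compile(r"\b([A-Z]{3})-([A-Z]{3})-(\d+)-(\d+)(?:-\d{14})?\b")
REQ_RE = re.compile(r"\b[A-Z]{3}-\d+(?:\.\d+)+\b")
HEADING_RE = re.compile(r"^KEY POINT (\d+):.*$", re.MULTILINE)


def cite_key(match):
    """(set, source, channel id, message id as an integer)."""
    return (match.group(1), match.group(2), match.group(3), int(match.group(4)))


def index_store(stored):
    """{full cid: [requirement ids]} -> {normalised key: set of requirement ids}."""
    index = {}
    for cid, reqs in stored.items():
        match = CITE_RE.fullmatch(cid)
        if match:
            index[cite_key(match)] = set(reqs)
    return index


def covers(heading_req, report_req):
    """Assumption: ids are hierarchical, so CTI-2.2 covers CTI-2.2.1."""
    return report_req == heading_req or report_req.startswith(heading_req + ".")


def audit_report(text, stored):
    """Return (key point, finding, citation) tuples for a human to review."""
    index = index_store(stored)
    headings = list(HEADING_RE.finditer(text))
    findings = []
    for pos, head in enumerate(headings):
        end = headings[pos + 1].start() if pos + 1 < len(headings) else len(text)
        point = int(head.group(1))
        head_reqs = REQ_RE.findall(head.group(0))
        seen = set()
        for cite in CITE_RE.finditer(text[head.end():end]):
            key = cite_key(cite)
            if key in seen:
                continue
            seen.add(key)
            if key not in index:
                # The model cited a report that is not in the store.
                findings.append((point, "unresolved", cite.group(0)))
            elif head_reqs and not any(covers(h, r) for h in head_reqs for r in index[key]):
                # The report exists but was tagged against other requirements.
                findings.append((point, "off-requirement", cite.group(0)))
        if not seen:
            findings.append((point, "no-citation", None))
    return findings


# Constructed store and report text; none of these ids are real.
STORED = {
    "CTI-TGM-1000000001-101-20231204220140": ["CTI-2.2.1"],
    "CTI-TGM-1000000001-000125-20231209030235": ["CTI-3.1.2", "CTI-1.1.1"],
}
REPORT = """\
KEY POINT 1: Expanded targeting (CTI-3.1, CTI-2.2)
Early posts named one sector (CTI-TGM-1000000001-000101). Later posts named a second
country (CTI-TGM-1000000001-000125) and a third (CTI-TGM-1000000001-000999).
KEY POINT 2: Reliance on public tools (CTI-1.3)
The channel shares availability-check screenshots (CTI-TGM-1000000001-000101).
KEY POINT 3: Fluid structure (CTI-2.4)
Membership appears to change frequently.
"""

if __name__ == "__main__":
    for finding in audit_report(REPORT, STORED):
        print(finding)
```

The "off-requirement" finding is a heuristic prompt for the analyst, since a report can be relevant to a key point without having been tagged against its requirement at triage.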
Slide 22: What's the trick to it all?
Summary: This slide summarises some best practices for using artificial intelligence to generate intelligence reports. It includes a comic discussion between our intelligence analyst character and an android.
It comes down to knowing how intelligence works inside out.
There are still pieces to the puzzle that I haven't quite figured out, particularly around the assessment of the reliability and accuracy of the information.
But if you can critically assess your own processes, break them up into meaningful chunks, and produce clear instructions, then you can build an army of AI assistants.
If I don't know how to do a task…then how are you going to instruct me to help you?
If I don't know my requirements…then how am I going to focus on what you need to know?
If I don't have well managed intelligence collection…then how can I find the information I need?
Slide 23: Intelligence process + AI to generate knowledge
Summary: The presenter offers his philosophy on how to best approach using AI for generating intelligence reports.
We've only scratched the surface today, but there is more going on here than just threat intelligence. I've applied these principles and processes, in limited ways, to other domains of knowledge.
It's more than a workflow; you can use these principles for trustworthy machine-assisted knowledge creation in any domain.
- Start with the Requirement
- Follow a Transparent Process
- Preserve the Epistemic Trace
- Structure the output
- Keep human judgment in the loop
Slide 24: Do you have any Questions?
Summary: Contact slide.
No slide text provided.
Teaching the Intelligence Bits of CTI
Presented at Australian Cyber Conference Melbourne, 27 November 2024.
Slide 1: Teaching the intelligence bits of cyber threat intelligence
Summary: Title Slide.
Brendon Hawkins
IndependINT
Slide 2: Today's objectives
Summary: Introduces what will be covered in the conference talk.
- Consider what an intelligence analyst needs to be able to do, focusing on the skills that contribute to intelligence as a discipline.
- Provide a wish list of training I would love to see made available to analysts.
- Attempt to justify the investment of time and money needed to uplift the skills of CTI analysts.
Tell them what you're going to tell them, tell them, then tell them what you've told them.
My IET instructor
DFSS-EWW, 2002
Slide 3: About me
Summary: Images of various stages of Brendon's intelligence career.
No slide text provided.
Slide 4: Intelligence analysis at its most basic
Summary: This slide goes through intelligence analysis for an audience which may not have been exposed to intelligence in their roles. The speaker describes intelligence as a type of information or knowledge, which, after being subjected to selection, collection, evaluation, processing, analysis, and finally dissemination, provides insights to decision makers on a matter of national security.
Intelligence analysts build an understanding of the enterprise…
…and use their knowledge about the threat landscape to go looking for relevant threats.
They find data, bring it into one place, and evaluate it…
…before they use their subject matter expertise to perform intelligence analysis.
The output of this analysis is used to produce intelligence…
…which is communicated to other parts of the enterprise…
…to support decision makers.
For today, I'd like you all to step back and think about Cyber Threat Intelligence (CTI) as an intelligence discipline where the threat actor is targeting an organisation through its IT infrastructure.
Slide 5: Nil
Summary: The slide shows scans of a document from NSA's Cryptographic Quarterly, titled "Intelligence Analysis: Does NSA Have What It Takes?" It details core abilities, knowledge, characteristics, and skills for intelligence analysts.
No slide text provided.
Slide 6: NSA core competencies for intelligence analysis
Summary: The presenter shows a clearer list of the competencies listed on the previous slide. He points out the variety of competencies required, and highlights that very few of these are technical skills despite signals intelligence being a highly technical intelligence discipline.
The point here is not to focus on the details of a 25-year-old think piece: it's that when they went through what they needed out of their intelligence analysts, most of it wasn't technical skills, even at NSA, the most technical intelligence agency.
Slide 7: Duties of a CTI analyst
Summary: The presenter highlights the broad range of skills that an intelligence analyst is expected to have in a corporate role, particularly when they are the sole intelligence resource. He explains that it's unrealistic and that training analysts across all of these skills takes years.
Intelligence analysts of all disciplines are required to have a broad variety of skills as well as at least one area of deep subject matter expertise.
An ideal cyber threat intelligence analyst:
- Writes at a postgraduate level.
- Has elite technical skills.
- Is comfortable engaging with leadership.
- Can knock up a briefing in 5 minutes.
- Is able to focus deeply on complex analytic tasks.
- Can seamlessly multitask.
- Is able to code and automate workflows.
Often a corporate intelligence capability is a single individual who needs to do it all.
Slide 8: Mapping CTI against the intelligence cycle
Summary: The presenter details the tasks that cyber threat intelligence analysts are expected to perform and maps them against the intelligence cycle.
Intelligence is often just thought of as a product.
But what separates intelligence from other types of information or knowledge is that it has been through a process of selection, processing, evaluation, synthesis, analysis, and communication.
The intelligence analyst is the master of this process. The question is: how do we teach these skills?
Planning and Direction
- Gathering requirements
- Eliciting feedback
- Stakeholder engagement
- Metrics
- Project management
Collection
- Collection planning
- Collection management
- Onboarding new sources
- OSINT
- Writing and tuning rules
Processing
- Managing platforms
- Knowledge bases
- Automating feeds
- Triaging raw intelligence
- Evaluating intelligence
Analysis and Production
- Data and log analysis
- Writing reports
- Information synthesis
- Reading, reading, reading
- Producing data products
Dissemination
- Engaging with leadership
- Briefing intelligence
- Managing communities
- Establishing and maintaining comms channels
Slide 9: Where do we learn CTI skills?
Summary: Highlights that cyber skills often come from tertiary education while intelligence skills are more likely from government, private courses, or on the job training.
Cyber Skills
- Most CTI analysts will have a strong technical background (Cyber, IT or Computer Science) from tertiary education. Many will have experience in other cyber roles.
Intelligence Skills
- Military and intelligence agencies
- Public and private courses
- On-the-job training
Slide 10: Option 1: recruit from government
Summary: Examines the pros and cons of recruiting CTI analysts trained by government.
Pros:
- Government intelligence analysts will have been trained in intelligence as a discipline.
- They may have existing target or technical knowledge.
- Often they have worked a range of targets, making them adaptable.
Cons:
- They may still require further technical training.
- They may not have a solid background in broader corporate cyber operations.
- Government analysts will need to adapt to a corporate culture.
- Must adjust to a different mission.
In a larger CTI team, having a mix of intelligence analysts from both a technical cyber background and a government intelligence background is ideal. However, few corporate CTI teams operate at a scale where they have more than one or two analysts.
Slide 11: Option 2: training courses
Summary: Examines the pros and cons of using training courses to develop analysts.
University pros:
- Universities offer degrees in intelligence.
- These courses focus on the core competences required to manage an intelligence capability.
University cons:
- These postgraduate courses start at 1 year of part-time study.
- They are expensive.
- They are more suited to analysts moving into management.
- Focussed on theory over practical skills.
Private course pros:
- There are a range of private providers who offer CTI training.
- Some of these courses include modules for skills like critical thinking, recognising bias, etc.
Private course cons:
- They can be very expensive.
- There is generally a focus on cyber skills rather than broader intelligence skills.
- The one intelligence course in the VET training framework is not fit for purpose for CTI.
Slide 12: No Title
Summary: This slide shows the units for Masters of Intelligence training offered by Charles Sturt University and Macquarie University.
No slide text provided.
Slide 13: DEF40217 - Certificate IV in Intelligence Operations
Summary: This slide shows the core competencies for the nationally recognised training qualification DEF40217 Certificate IV in Intelligence Operations. The presenter highlights that it isn't suitable for cyber threat intelligence and is outdated for intelligence training more broadly.
No slide text provided.
Slide 14: Option 3: on-the-job training
Summary: Highlights the pros and cons of on-the-job training for CTI analysts.
Pros:
- Training can be tailored to the capabilities of the analysts in the team.
- Training can be delivered at a convenient time and pace.
- Training can be aligned with uplift and work activities in the team.
Cons:
- Someone needs to develop and deliver the training.
- Generally, this falls to a senior member of the team, who may not have the time to spare.
- It requires an intelligence function at the scale where developing training in-house is worthwhile.
Even senior analysts within CTI may not necessarily have the breadth of intelligence exposure to teach the general intelligence skills and processes, because most CTI capabilities don't operate on the scale of government intelligence agencies.
Slide 15: On-the-job training at ANZ
Summary: Presents the modules that were delivered by the presenter to his team while Product Owner Cyber Threat Intelligence at ANZ Bank.
When examining what was needed for intelligence training within the CTI team at ANZ, it was recognised that the team had exceptional technical skills but had not been exposed to broader intelligence practices.
- What is intelligence?
- The Intelligence Cycle
- Intelligence Requirements
- Admiralty Code and Words of Estimative Probability
- Data, Information, Knowledge and Wisdom
These ten modules were delivered over the course of a year, one per month, and were generally very well received. However, there is a need for more training, and it was a challenge to continually develop and deliver training while managing a team. Ultimately, it's unsustainable.
Slide 16: What I'd like for intelligence analyst training
Summary: The presenter's wish list for a comprehensive intelligence training program. This curriculum focusses on core intelligence skills rather than the domain skills required for cyber threat intelligence.
Introduction to intelligence
- What is intelligence
- Types of intelligence
- Professions in intelligence
Introduction to the Intelligence Cycle
- Intelligence as a process
- Planning and direction (requirements)
- Collection
- Processing
- Analysis and production
- Dissemination
- Feedback and Evaluation
Conceptual foundations of intelligence analysis
- Bias & Logic
- Intelligence failures
- Data, information, knowledge and wisdom
- WWWWHW&W
- Introduction to ontology
The target
- Target discovery
- Target development
- Turning intelligence into target knowledge
- Empathy – understanding your target's perspective
- Cultural considerations
Ethics and intelligence
- Privacy
- Proportionality
- Legal compliance
- Managing sensitive data
Collection management
- Collection management matrix
- Collection operations planning
- Collection operations management
- Managing OSINT activities
- Onboarding collection sources
- Collection metrics
Processing intelligence
- Evaluating source reliability
- Evaluating information quality
- Structuring unstructured information
- Developing intelligence ontologies
- Processing intelligence using AI
Analytic technique
- Induction and deduction
- Analysis using DIKW
- Aggregating data using basic statistical methods
- Temporal analysis
- Network analysis
- Geospatial analysis
- Progressing from platform to tool to scripts
- Structured analytic techniques
- Applying data science and AI for intelligence analysis
- Python for intelligence analysis
Report writing
- Using words of estimative probability
- Analyst comments and assessments
- Information reports
- Intelligence reports
- Intelligence assessments
Dissemination
- Briefing intelligence
- Understanding your audience
- Tailored intelligence reporting
Managing Intelligence
- Stakeholder engagement
- Requirements and feedback
- Managing intelligence analysts
- How to say no to senior managers
- Applying metrics to an intelligence capability
- Full-cycle intelligence management
Slide 17: Some practical considerations
Summary: The presenter anticipates some of the critiques of such a comprehensive training program for intelligence analysts.
That's a lot of training!
- Yes, but it can take a decade or more to build a senior intelligence analyst.
Who could deliver this?
- Government?
- Private enterprise?
- Loose coalition of desperate intelligence managers?
Is there demand?
- This is a lot of the reason why I put this presentation together:
- Do analysts feel they need this type of training?
Slide 18: Why do I think there is a need?
Summary: The presenter provides a justification for his comprehensive training curriculum.
- CTI in corporate cyber security functions has rapidly changed from simply ingesting and matching IOC strings to complex analysis done in-house, narrative intelligence reporting, long-term assessments, and advising senior executives on strategy and procurement.
- Intelligence functions within companies therefore require more active management grounded in a comprehensive understanding of how intelligence works.
- The skills and experience to manage a full intelligence capability are rare in a single individual. Even intelligence agencies rely on hundreds of specialised staff each fulfilling a small part of the intelligence cycle.
- Corporate CTI teams will necessarily operate at a small scale. While vendors can assist (and some are truly excellent), the CTI team must manage the full capability and contextualise intelligence to the organisation's requirements.
CTI analysts trained in broad intelligence practices will better meet the needs of their organisation.
Slide 19: Conclusion
Summary: Conclusion slide for the presentation.
We've gone through the skills that intelligence analysts need
We've examined existing training options
We've considered what a curriculum could look like
I've had a go at trying to convince you why it's needed
Any questions or comments?
Slide 20: Thank You!
Summary: Closing slide
No slide text provided.
Building and Leading Corporate Intelligence Teams
Conference paper for a talk I was due to present for AIPIO Intelligence Conference 2024 in Brisbane. I had to pull out the week before but have posted the paper here.
Practitioner Perspective
Abstract
While intelligence has traditionally been the domain of government, corporations are increasingly building in-house intelligence teams to address strategic and operational risk. Functions such as cyber threat intelligence and fraud intelligence remain the most common requirements, but companies are also investing in geopolitical, insider, third party, investigative support, and criminal intelligence teams to meet their intelligence needs. The role of the intelligence team in the corporate setting is to contextualise intelligence against enterprise risk, leveraging a variety of paid and open collection sources to inform analysis and meet these organisational needs.
There are challenges in this emerging field. Sourcing expert staff who can bring an intelligence mindset to a corporate environment remains difficult, and the nature of business means that demonstrating the value of intelligence to leaders is a continuous process. Capabilities need to be shaped to meet resource constraints and requirements of the organisation, with continuous reinvention as priorities shift. Corporations can also be organisationally complex with competing requirements and overlapping areas of responsibility making stakeholder engagement challenging. Nevertheless, there is a growing appetite for intelligence within corporations, for both in-house and externally managed capabilities.
Introduction
While intelligence has traditionally been the domain of government, corporations are increasingly building in-house intelligence teams to address strategic and operational risk. Functions such as cyber threat intelligence and fraud intelligence remain the most common requirements, but companies are also investing in geopolitical, insider, third party, investigative support, and criminal intelligence teams to meet their intelligence needs. The role of the intelligence team in the corporate setting is to contextualise intelligence against enterprise risk, leveraging a variety of paid and open collection sources to inform analysis and meet these organisational needs.
There are challenges in this emerging field. Sourcing expert staff who can bring an intelligence mindset to a corporate environment remains difficult, and the nature of business means that demonstrating the value of intelligence to leaders is a continuous process. Capabilities need to be shaped to meet resource constraints and requirements of the organisation, with continuous reinvention as priorities shift. Corporations can also be organisationally complex with competing requirements and overlapping areas of responsibility making stakeholder engagement challenging. Nevertheless, there is a growing appetite for intelligence within corporations, for both in-house and externally managed capabilities.
Intelligence in the corporate setting
The term intelligence is included in the titles of a range of corporate functions. Most of these perform business intelligence, where insights into performance across business, staff, or finance are analysed to produce insights for leadership. This important function shares a name with what we'd understand intelligence to be but is ultimately the delivery of metrics to an executive audience. There are also businesses, mostly outside Australia, who maintain competitor intelligence functions to monitor their competition. These operate in a shadier place where collection resources target competitor pricing and technology to drive business decisions. This is closer to what would be considered intelligence in a security context, aligned with economic and technology requirements.
The most significant overlap with traditional government intelligence functions is in the threat intelligence capabilities maintained by a growing number of companies across Australia. Within some of these functions, there is innovative, doctrinally sound intelligence occurring which intelligence professionals would recognise. These functions are often staffed by professionals from government, military and policing backgrounds, repurposing tradecraft and managerial principles for a corporate context. Unlike other corporate functions with intelligence in their names, threat intelligence functions will have an adversary, including fraudsters, criminals, cyber threat actors, and insider threats. They will often be externally facing, building an understanding of the threat landscape before contextualising it to the organisation they are tasked with protecting.
For simplicity, this paper will focus on threat intelligence functions which service security risk in organisations, as risk is the ultimate driver of the need for corporate threat intelligence functions. Armed with quality strategic and operational intelligence, risk owners can be effectively informed about the threats the organisations are facing. This intelligence is then used, alongside other sources of information, to design controls which eliminate or reduce the risks that the organisation is facing. In this way they operate similarly to familiar intelligence functions in government. Some organisations with regulatory obligations, particularly organisations operating critical infrastructure or other regulated assets, are often required to have intelligence functions, particularly cyber threat intelligence capabilities. Certain information security standards, such as ISO/IEC 27001 and the NIST Cyber Security Framework, also require organisations to ingest threat intelligence to meet the standard. The combination of reducing risk, government compliance, and meeting industry standards all contribute to an increasing appetite for corporations to build intelligence functions.
The question of where intelligence capabilities sit in an organisation has a significant input into the focus of a team. At the domain level, intelligence functions will most often sit alongside the operational elements which are being supported by the intelligence team. Examples include security intelligence analysts being part of corporate investigative functions, cyber threat intelligence teams sitting inside security operations centres, and fraud intelligence teams operating alongside regulatory compliance or operational risk teams. The most common alternative is for intelligence functions to sit within enterprise risk, which is suitable where the intelligence required is more strategic or focussed on briefing a senior executive audience. Large organisations will often have several thematically-aligned intelligence teams operating in silos with different tooling, skills, expertise, and objectives.
The alternative to intelligence teams aligned to thematic requirements is a converged intelligence team servicing multiple stakeholders. These teams will still generally focus on a single domain such as security but will produce intelligence to meet a range of requirements. They work best as a combination of intelligence generalists and domain experts, with analysts often responsible for supporting specific reporting lines but able to pivot rapidly between target sets. These teams are often staffed by more experienced analysts, ideally by individuals who have worked across multiple target sets prior to joining corporate intelligence functions. The advantage of a centralised, converged intelligence team is the sharing of analytic expertise and tooling across multiple objectives. A challenge can be prioritising work where there are competing requirements and stakeholders.
The teams also scale differently depending on the resourcing devoted to intelligence. Only the largest corporations in Australia have the resources to maintain intelligence teams, with cyber threat intelligence being the most common type of team found in large organisations. More often large and mid-sized corporations will have, at most, one or two intelligence analysts supporting an operational cyber security capability. Where large security intelligence teams do exist, they are most often 2-7 intelligence analysts led by a manager. Personnel also generally fall into two categories: domain specialists who have skills in technical fields, or intelligence specialists with experience in government or the military. A combination of both types of individuals can address the need for coverage of both a comprehensive understanding of intelligence as a discipline and the requirement that members of small teams need elite target and domain knowledge.
Small intelligence capabilities within corporations can be effective due to the limited remit of intelligence teams and because corporate intelligence capabilities generally do not have to maintain their own collection capabilities. Externally focussed intelligence teams, such as cyber threat intelligence teams, rely heavily on software-as-a-service (SaaS) platforms which collect, process, and alert on information gathered from a range of open and closed online sources. Internally focussed intelligence teams generally rely more on internal telemetry which is collected as part of other functions, such as cyber and data loss prevention events, insider threat alerting, or financial records. In practice, both internal and externally-focussed teams use a combination of both to meet their requirements. Some larger intelligence functions do have their own open-source intelligence capabilities, including dark web monitoring and even threat actor engagement. These capabilities can be problematic, particularly from a legal and reputational perspective, so most organisations do not have an appetite to maintain these specialised skills.
This means that corporate intelligence teams, rather than performing the full set of intelligence cycle capabilities, are primarily analysis and production teams. Where collection management does occur, it's tuning partner SaaS tooling to filter intelligence being delivered to the team. Intelligence functions will generally have very limited insights into the proprietary collection sources used by their SaaS intelligence providers and will therefore have limited ability to influence collection posture or evaluate collection source effectiveness. The limited remit of all except converged security intelligence teams also simplifies intelligence management by lessening the burden of the requirement gathering, feedback and evaluation parts of the intelligence cycle. Dissemination is predominantly through existing corporate communication channels such as email, chat, or video presentations. This simplifies communicating intelligence to internal stakeholders. The absence of dedicated intelligence dissemination tools does however place restrictions on the collection of performance metrics related to intelligence production.
Building Intelligence Capabilities
Intelligence teams will often emerge from other corporate security functions. Threat intelligence capabilities can begin as a proactive individual using intelligence methods to support an investigative function or as a response analyst ingesting technical threat indicators into detection platforms. This can then build to a full-time employee working as a dedicated intelligence analyst. Finally, a larger team forms with its own remit and management, most often being led by a team lead or manager with 2-7 analysts working to address a risk or support a mission. This organic emergence of an intelligence capability has the advantage of addressing tested requirements within the organisation and its workflows will be aligned to operational functions. The disadvantage is that the processes are not necessarily built to the standards of a government intelligence function, including the team performing activities that would not be considered intelligence outside of a corporate environment.
The second way that intelligence functions can emerge is by a directed action to add an intelligence capability to a security domain. This can be a common response to a request from a regulator, a desire to meet a security standard, or a proactive uplift by security leadership. Where an intelligence function is added to an organisation without any existing intelligence capability the design of the team is critical, ensuring that it is meeting a need and is not producing intelligence for its own sake. A considered assessment of requirements prior to building any intelligence team is necessary, particularly to gauge whether the scale of the capability required matches the resources being made available by the organisation.
Whether formalising an emergent capability or building a new intelligence team from scratch, the intelligence cycle is a useful guide for how to build an intelligence team. Requirements and stakeholder engagement are central, particularly understanding the organisational need and what they consider intelligence to be. In all cases a new intelligence capability will be driven by a key stakeholder, but demonstrating the ability to service a broad range of requirements and teams will strengthen the case for resources. This is particularly important given that while some security professionals will have a good understanding of intelligence products, they will likely have a limited understanding of intelligence as a process.
The identification of intelligence outputs is the next critical step. Intelligence teams need to produce products that meet stakeholder needs, and these will vary depending on the organisation and the domain. Common products include threat briefings, intelligence reports, situational awareness updates, and threat actor profiles. The format and frequency of these products should be tailored to the audience and their decision-making cycles. Regular feedback mechanisms are essential to ensure products remain relevant and valuable.
Building mature intelligence capabilities requires time, investment, and commitment to best practice intelligence management principles and solid process. Continuous, incremental uplift of immature capabilities needs to focus on regular and structured stakeholder engagement, consistent collection management to ensure only valuable information is reaching analysts, uplifting analyst skill and experience, regularly assessing and introducing new and refined product lines, and, perhaps most challenging, proactively seeking feedback to inform a program of continuous improvement.
Leading Intelligence Capabilities
Large corporations who build intelligence capabilities rarely have security, much less intelligence, as anything other than a critical function to address risk. Instead, these corporations provide financial services, install internet connections, run mines, sell consumer goods, and build infrastructure, as part of a range of other critical elements of our complex market economy. As such, security is something that is taken care of by individuals who are peripheral to the core business, and implementing security controls is sometimes seen as an impost. Within security functions themselves an intelligence capability can be central to their operating model if a function is intelligence-led. It can however also be an afterthought, an additional small offering because senior executives believe that they need to have an intelligence capability even if they're not entirely sure why.
Across both of these scenarios there can be gaps in understanding of what intelligence is. This most frequently manifests itself when specialists or senior executives claim to have intelligence to share that is instead a rumour which has not been evaluated or subjected to any critical assessment. This misunderstanding fails to consider intelligence as both a process which subjects data and information to analysis as well as the output of that process itself. There are often also significant gaps in understanding the level of visibility that intelligence teams have, particularly not appreciating that collection resources are finely tuned and can't easily be re-tasked to threats outside of their specialised function. It is however important to remember that these challenges are not confined to intelligence in a corporate security setting with teams of exceptionally capable individual contributors and leaders each contributing with their own specialised skills and knowledge. As an intelligence leader it is critical to bring other security professionals on a journey to build their understanding of intelligence so that they can more effectively engage intelligence teams and understand its capabilities and limitations.
As a capability, intelligence is generally highly regarded in corporate security teams. The work is seen as valuable and sometimes mysterious, and colleagues are enthusiastic about learning more about intelligence and how it works. This translates into security leaders having faith in intelligence analysts as highly capable problem solvers who they often approach with their hardest issues. The challenge for an intelligence leader is that senior leaders will occasionally ask intelligence teams to perform functions which they are not resourced or sufficiently skilled to perform, such as risk assessments, operational tasks, and assessments of threats outside of their area of expertise. This is particularly challenging when also balancing the enthusiasm of analysts whose disposition is to have a go when faced with a challenge. The intelligence leader needs to understand that their capability is limited, and to be willing to push back when analysts are asked to produce intelligence on topics in which they don't have expertise or to perform tasks which should be reallocated to other teams. As a leader it's important to reject some requests when they exceed the capability of the team while understanding the strategic importance of leveraging the team to assist with non-intelligence work where it is appropriate.
The skills expected of an intelligence analyst in the corporate setting are broad to the point of potentially being unreasonable. Intelligence analysts are often expected to monitor feeds for situational awareness, perform post-graduate level research, manage security tickets, produce narrative reporting, analyse technical data, and brief senior stakeholders on complex threats. The profile of corporate intelligence analysts will be familiar to intelligence professionals: enthusiastic individuals with a broad range of skills who have expertise in a domain of knowledge. While the calibre of general skills and domain expertise is generally excellent, corporate intelligence analysts often don't have experience working in intelligence and certainly do not have the same access to training in intelligence as a discipline as analysts working in government.
This presents challenges to leaders of corporate intelligence teams. Staff are often inexperienced, with analysts often filling senior roles in the first five years of their careers. In the cyber threat intelligence discipline, this is impacted by the newness of the field and the challenges of finding cyber talent in Australia. Given the small size of intelligence teams and broader scale of threat intelligence across the country, corporate intelligence analysts most often haven't been exposed to the range of roles or target exposure that an analyst working in an intelligence agency would as part of, for example, an intelligence graduate program or multiple early career postings. Intelligence training available to corporations is also sparse, varied in quality, and universally expensive, and university courses aren't delivering the types of skills required in corporate intelligence functions. There is no appetite to devote the months of training resources that intelligence agencies or the military spend on developing early career intelligence professionals. It therefore falls to intelligence leaders to use their broader experience to develop intelligence analysts on the job through a combination of formal training and on the job mentoring.
Intelligence functions can also struggle to demonstrate the same value to the business during organisational contraction or restructure. As risk-led security functions, there are certain services and controls that corporations must maintain to comply with regulations or standards. Intelligence enhances the effectiveness of other security functions rather than controlling risk on its own. It may allow detection and response teams across fraud, cyber security, and physical security to optimise their detection methods through an understanding of threats, but ultimately those functions directly manage a core function while intelligence merely supports them. This means that during periods of organisational contraction intelligence functions may be cut first until the capability is too small to be self-sustaining. Intelligence leaders need to understand the place of intelligence in a corporation whose objective is profit and to periodically reshape intelligence capabilities in line with the scale an organisation is willing to support.
The Future of Corporate Intelligence
Intelligence is unquestionably valuable to security leaders in corporations. Large organisations aspire to be intelligence led in line with best practice, and smaller security teams lament the absence of an intelligence capability when struggling to make strategic and operational decisions. The trend globally is to invest in intelligence capability when building a mature security domain, and at this stage there is ample opportunity to innovate when designing intelligence functions. What has been described above is corporate security intelligence as it is; what follows is an outline of what it could be in years to come.
Intelligence functions operate siloed even within organisations, much less between companies, with the primary axis of structure being along functional lines. For example, cyber threat intelligence teams sit alongside cyber security operations teams, security intelligence analysts are embedded in investigative functions, and fraud intelligence teams sit alongside their colleagues managing regulatory compliance and risk. Fundamentally however, these teams are all producing intelligence despite their different domain expertise. The separation of these teams exposes a weakness of scale: corporate security teams will never be large enough to possess the full cycle of intelligence capabilities available to government agencies and forces. They can produce excellent analysis but struggle with requirement setting, collection management, dissemination, quality control of end products, and robust processes for sharing intelligence. At a small scale, converged security intelligence teams can address some of these issues. However, these teams rarely have the size required for full-cycle intelligence management and simply stretch themselves over a wider target set. The challenge then is to maintain the advantage of intelligence capabilities sitting alongside the operational and strategic capabilities they support while being able to draw on shared resources to manage the intelligence capability.
The model which supports these twin objectives is for a centralised security function leading outposted intelligence analysts and teams which service other parts of the business. A centralised function which handles analyst training, initial stakeholder engagement, requirement setting, feedback and evaluation, collection management, intelligence partner relationships, and reporting standards, would bring corporate intelligence capabilities closer to the level available to government. This function would be responsible for the practice of intelligence while the daily operational management of analytic resources would remain with the operational teams. A capability built on this model scales easily, with individual or small teams of analysts able to be deployed throughout an organisation to achieve their mission while being supported by robust intelligence practice. There is even the opportunity for centralised collection capabilities such as an open-source intelligence team servicing the outposted analysts.
This model has an analogy in military and policing contexts. Police forces post intelligence analysts to district commands and specialist squads, with analysts taking their mission tasking from their units while leveraging the shared intelligence management resources and surge capability of a centralised intelligence function. Military deployments operate in a similar manner with deployed intelligence cells made of analysts from different services, corps, and specialisations, as well as capabilities drawn from intelligence agencies. In both cases there is a chain of command leading to both unit commanders and the centralised intelligence capabilities from which the resource is drawn. This model easily translates to large corporations aiming to service a disparate variety of business units with intelligence.
Strategic leadership of a centralised intelligence requirement would likely come under a Chief Intelligence Officer (CINO). The concept of a CINO has emerged recently with the position operating similarly to a Chief Legal Officer, providing strategic advice to C-Suite executives and board on strategic intelligence matters. A centralised intelligence capability with access to the intelligence output of the entire organisation would be uniquely equipped to provide strategic advice to decision makers. Leadership by a senior executive with insights into the concerns of decision makers is the most effective way to ensure that intelligence teams are aligned to corporate objectives. The CINO position hasn't been implemented by any global companies. It is however a model for how intelligence can shape strategic corporate decision making similarly to the way senior intelligence agency heads influence government policy.