Separating Actors and Actions in CTI


BLUF – Traditional intelligence models, applied in the private sector, often do not account for the difference in audience or in the scope of responses available. By separating the focus on actors from the focus on actions, CTI practitioners can concentrate on delivering actionable intel to decision-makers, and in doing so build the case for cyber as a value-generating component of the P&L.


In the world of Cyber Threat Intelligence (CTI), many backgrounds come together to look outside organisational borders and aid in combating an exponentially growing threat. Many of us came from prior intelligence professions: government, military, or law enforcement. Names like Lowenthal or Hall are familiar. We know how to attribute incidents to threat actors with varying degrees of confidence. Whole profiles are built around nation-state and sophisticated criminal actors and groups.

In the private sector there is but one basic premise of intelligence: to aid decision-makers in choosing the best course of action. This assumes the decision-makers know of, and maintain, effective courses of action for the intelligence provisioned, though this may not always be the case. In traditional intelligence venues, the decision-makers are often in a position to counter the actors. In business, however, the focus is not on the actor or the action, but on the business maintaining operations. What can, or will, private sector organisations do with attribution? Knowing who was responsible is vital information, but it is not actionable for many organisations, creating a disconnect between CTI/InfoSec professionals and the businesses they serve.

Separating the actor from the action becomes crucial to provisioning actionable intel to the business. The business may feel privileged to know who was behind an incident, but it can take actual action only on what happened. Private sector organisations cannot offer justice or retaliation against actors, but they can circumvent or mitigate the activities of those actors.

Pairing an understanding of activities with organisational transparency creates viable frameworks for risk and control efficacy. Whilst larger information-sharing communities (continents) can build useful intelligence from attribution, individual organisations (islands) fare better by understanding what happened and what to do about it.

Until CTI teams and their parent organisations offer intelligence that directly affects decisions or is actionable by the business, CTI will continue to be seen as an overhead or cost centre in the P&L instead of as a value generator in its own right.