Let's talk about a threat intelligence "indicator" - how long will hashes and IPs, which always arrive after the fact, keep helping you in the long run? Do you think sophisticated attackers, the ones you usually can't see, are going to repeat themselves that often, with the same techniques, when they hack you after they hacked someone else? I guess that wouldn't be very "advanced".
What do indicators truly indicate? Let's try this:
Answer those questions.
Many people do not realize that an attack isn't an initiation - it's a provocation to the attacker. But we always ask: why did they do that? For example: one day there was a pop-star who had their Twitter account hacked by an electronic army from the Middle East, and everyone always wants to just go after the simple why. But how do you ask why? When this was presented to me that day, my question was: What was the pop-star doing (and where) at the time?
Those answers gave us more than just looking at indicators in a typical fashion:
We learned what media the attackers read.
We learned why they did it and other potential future targets.
And we learned the techniques, tools, and motivators that I described above, which can then be used for understanding how to minimize a future risk, whether you're a pop star or an organization.
(The pop-star happened to be on a tour in the Middle East at the time, for those wondering.)
Perception management - think as if you are the attacker, and you feel provoked - why? What would provoke you, why don't you like company X? Then as the company, what can you do to provoke less?
What can a security leader do to get started on this path?
The computers are doing just fine on their own - the vulnerabilities, the exploits, the crime, the attacks - all PEOPLE. Same with how we manage security as a leader.
1) QTIP - Quit taking it personally
a. You will hear so much more if you don't take things personally - your ego won't be wasting time defending, and instead you will be learning and listening and creating new ideas to solve these hard problems.
2) Leave your ego at the login prompt
a. Get humble. Start over, learn what you were like as the young hacker knowing nothing and pretend that is you all over again. Because it is, we just forget it. Whether you're a CISO, a team lead, a security consultant, is there any harm in being humble and learning again?
3) Be honest with yourself and others