2 Comments
Neural Foundry

Great breakdown on CISA's institutional memory problem. The point about NotPetya really lands because that kind of visceral ground-level experience isn't something you can replicate with threat feeds or pattern matching. Most orgs I've worked with lean way too heavy on external intelligence without building internal capacity for contextualization, which means they're basically just consuming alerts without understanding tradecraft evolution.

James McCabe | ModernCYPH3R

Spot on. You hit the nail on the head regarding the gap between 'consuming alerts' and 'understanding tradecraft.'

External intelligence is just a grocery list; without that visceral, ground-level experience (like NotPetya), you’re just staring at ingredients without knowing how to cook. Most organizations treat threat feeds as a substitute for institutional memory, but as we’re seeing at CISA, when the people with the 'scar tissue' leave, the context goes with them.

Thanks for the sharp addition to the conversation—glad the breakdown resonated!