It seems like we each have very different tastes when it comes to the books we read, the shows we watch, or the podcasts to which we listen. But media consumption studies reveal that most of us have at least one thing in common: we love a good whodunnit story. It may be the challenge: Can we follow the clues investigators come across, identifying and stopping the criminal before they strike again?

I understand this fascination, this race against the clock, because in the early part of my career, I led investigative teams at the Federal Bureau of Investigation (FBI) and Central Intelligence Agency (CIA) and served on one of the nation’s first Joint Terrorism Task Forces.

I can’t imagine successfully protecting the people, processes and assets for which I was responsible or apprehending the threat actors posed against them without having access to insights on how and why these interests were at risk. I feel the same way today as a chief information security officer (CISO) navigating the cyber threat landscape that currently challenges us. I still believe the ability to advance a successful cyber defense strategy is predicated on access to the right kinds of cyber threat intelligence (CTI).


Cyberattacks are no longer just about the malware. Malicious code is the tool a threat actor uses against our organizations, but like any tool, when it ceases to serve its purpose the adversaries will discard it and try another, and another, until they find the right one for the job. Stopping the malware, the tool being utilized at a particular moment, may not stop the threat, which is why the phrase “whack-a-mole” has meaning for most of us. To break that cycle, security leaders need to understand who is behind an attack and what they are trying to achieve.

I heard this explained quite well recently on a LinkedIn Live broadcast featuring BlackBerry’s Vice President of Threat Research and Intelligence, Ismael Valenzuela.

“You may not think you need to know whether an attack is coming from — let’s say Russia or China. But we want to know that, and actually, it adds context. That information alone may not seem that helpful — unless you were a three-letter agency or working in law enforcement. You’re not going to prosecute anybody, right? But the reality is that knowing who’s behind an attack helps you to understand their motivation.

At the end of the day, we’re dealing with humans. If we reduce it to just the malware, you’re removing the human aspect, the geopolitical aspect, and the economic or military factors that drive somebody to launch an attack against an organization,” said Valenzuela.

Another way to look at the value of contextual CTI is to consider the following: threat actors often have specific working hours just like we do. They make to-do lists; they have goals they are trying to achieve and even profit targets to hit. And quite frankly, it helps tremendously to know if certain threat actors — often with access to specific tools, techniques and procedures (TTPs) — have your company, your region or your industry vertical on their list of targets.

Knowing and applying this information can help you improve your defenses and resilience against certain “more likely” TTPs.


Many organizations that understand the importance of CTI depend on some sort of threat intelligence subscription service. If you are looking to adopt the power of CTI in 2023, here are three things for which I suggest you look:

  1. Ask for a sample CTI report. The data should be actionable and help you bridge the gap between threat research and business decision-making.
  2. Ask how much context the CTI provider supplies. Does it track threats by industry vertical and other factors? This kind of detailed information is crucial to aligning your defenses against likely attacks.
  3. Ask potential CTI providers if their threat research team is global. If yes, that’s a major plus, because intelligence analysts based in multiple countries can track geopolitical nuances and threat actor actions that might otherwise be missed.


Think about the sales teams of your organization for just a moment. Chances are they have some sort of competitive intelligence. They know what the competing sales teams are saying on social media and how those companies are positioning themselves in the market. Learning about these behaviors and motivations can help sales teams counter competitive threats and make more strategic, data-driven business decisions.

Through cyber threat intelligence, CISOs have the same opportunity when it comes to the threat actors we face.

Cybersecurity should be more than a whodunnit. Ideally, it’s a who might do it — and a potential roadmap for how to prevent the crime from occurring in the first place.