SANS Cyber Threat Intelligence Summit 2023

Implementing Intelligence: Formulating Detections

Joe Slowik, Threat Intelligence & Detections Engineering Lead, Gigamon

Threat intelligence in isolation is at best informative and at worst useless to security practitioners. Cyber threat intelligence (CTI) practitioners must look for mechanisms to employ their findings whenever possible, so that the end result of the intelligence cycle is some concrete action that improves defensive outcomes. Failure to do so consigns CTI to operational irrelevance and, ultimately, obsolescence.

In this presentation, we will explore an intelligence-driven process for detection development that follows the traditional intelligence cycle but emphasizes "off ramps" for informing and driving detection development within the enterprise. We will examine detections as a mechanism to alert security practitioners when events of interest take place, and we will build them not around static indicators of historical activity but around observations, informed by CTI, of adversary behaviors and tendencies. Under this framework, CTI becomes a critical factor driving everyday security outcomes for the mature organization, ensuring that it is prepared for, and actively looking for, events of interest identified through analysis of threats.

Through this discussion, attendees will learn how to apply CTI in an iterative, practical fashion to achieve recognizable, measurable security outcomes through overall defensive improvement. We will explore items such as mapping observations to frameworks like ATT&CK and the Cyber Kill Chain, but we will also emphasize how CTI must adapt to and recognize the needs and limitations of the organizations it supports when framing and presenting finalized observations. Overall, this presentation aims to connect the classic perspective on CTI with the realities of operational threat intelligence, to ensure desirable, sustainable results within the information security field.
Download the presentation slides (SANS account required) at
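The abstract contrasts detections built on static indicators of historical activity with detections built on CTI-informed observations of adversary behavior, and mentions mapping those observations to ATT&CK. The following is an added example written to illustrate that contrast; it is not code from the presentation or from Gigamon. The event schema (process creation joined with the first outbound connection and the hash of any fetched payload), the hostnames, addresses, hashes and the "historical report" indicators are all constructed. The ATT&CK technique IDs are real, but mapping each rule to them is this example's own choice. Run over the same three constructed events, the indicator detector fires only on the activity exactly as reported, while the behavioral rules also catch the re-tooled variant and ignore the benign admin script.

```python
"""Static indicators vs CTI-informed behavioural detection.

Added example; not code from the SANS presentation. The event schema, the
hostnames, IPs, hashes and the historical "report" indicators are all
constructed. The ATT&CK technique IDs are real; mapping each rule to them is
this example's own choice.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable

# --- Constructed telemetry (simplified: process creation joined with the
# first outbound connection and the hash of any payload it fetched) --------
SAMPLE_EVENTS = [
    # 1: intrusion exactly as described in a (fictional) historical CTI report
    {"id": 1, "host": "ws-finance-07", "parent_image": "WINWORD.EXE",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "dst_ip": "198.51.100.23", "payload_sha256": "3f8b1a" + "0" * 58},
    # 2: same tradecraft after re-tooling: new C2 address, new payload, pwsh.exe
    {"id": 2, "host": "ws-hr-02", "parent_image": "EXCEL.EXE",
     "image": "pwsh.exe",
     "cmdline": "pwsh.exe -nop -w hidden -encodedcommand SQBFAFgAIAAoAE4AZQB3AC0A",
     "dst_ip": "203.0.113.77", "payload_sha256": "9c2d7e" + "0" * 58},
    # 3: benign admin script that superficially resembles event 1
    {"id": 3, "host": "ws-it-01", "parent_image": "explorer.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1",
     "dst_ip": "10.0.0.5", "payload_sha256": None},
]

# Static indicators lifted from the historical report (constructed values).
REPORT_INDICATORS = {"198.51.100.23", "3f8b1a" + "0" * 58}

# Behavioural vocabulary derived from the report's description of tradecraft.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class Hit:
    event_id: int
    rule: str
    techniques: tuple[str, ...]   # ATT&CK technique IDs the rule is mapped to


def indicator_detect(event: dict) -> list[Hit]:
    """Match the event against static indicators from the historical report."""
    observed = {event.get("dst_ip"), event.get("payload_sha256")}
    if observed & REPORT_INDICATORS:
        return [Hit(event["id"], "report_ioc_match", ())]
    return []


def has_encoded_command(cmdline: str) -> bool:
    """True if any switch is an abbreviation of -EncodedCommand.

    PowerShell accepts any unambiguous prefix (-e, -ec, -enc, ...), so a
    plain substring check on "-enc" would miss some spellings.
    """
    for token in cmdline.split():
        t = token.lower()
        if t.startswith("-") and len(t) >= 2 and "-encodedcommand".startswith(t):
            return True
    return False


def behavior_detect(event: dict) -> list[Hit]:
    """Flag the adversary behaviours the report describes, independent of the
    specific hashes or addresses it happened to list."""
    hits: list[Hit] = []
    parent = event["parent_image"].lower()
    image = event["image"].lower()
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        # Office document launching a script host: User Execution (malicious
        # file) followed by Command and Scripting Interpreter.
        hits.append(Hit(event["id"], "office_spawns_script_host",
                        ("T1204.002", "T1059")))
    if image in POWERSHELL and has_encoded_command(event["cmdline"]):
        # Base64-encoded PowerShell: PowerShell plus Obfuscated Files or Information.
        hits.append(Hit(event["id"], "encoded_powershell",
                        ("T1059.001", "T1027")))
    return hits


def flagged_event_ids(events: Iterable[dict],
                      detector: Callable[[dict], list[Hit]]) -> set[int]:
    """Run a detector over a batch of events and return the IDs it flags."""
    return {hit.event_id for ev in events for hit in detector(ev)}


if __name__ == "__main__":
    for name, det in (("indicators", indicator_detect),
                      ("behaviour", behavior_detect)):
        print(f"{name:>10}: flagged events {sorted(flagged_event_ids(SAMPLE_EVENTS, det))}")
    for ev in SAMPLE_EVENTS:
        for hit in behavior_detect(ev):
            print(f"  event {hit.event_id} {ev['host']}: {hit.rule} -> {', '.join(hit.techniques)}")
```

The ATT&CK IDs attached to each hit are what lets the detection be traced back to the intelligence that motivated it and compared against coverage. The behavioral rules also show where the abstract's point about organizational limitations bites: an environment in which Office macros legitimately launch script hosts would need the first rule narrowed (for example to specific document paths or users) rather than deployed as written.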