Part two of the SANS CTI series ended with a 4,000-word deep dive on structured analytic techniques (SATs). Below is the abridged field guide—vendor-neutral, slide-ready—that turns those SATs into a two-page brief you can hand to a C-suite before lunch.
1. Pick the Frame Before You Pick the Tool
- Risk frame = “business impact × chance of occurrence”
- Lived-event frame = “this rhymes with NotPetya, here’s how”
Choose one; mixing them produces word-salad.
2. The 5-Line Intelligence Question (Write It at the Top)
- What is the advancement?
- Who gains capability or intent?
- Does it shift offence/defence balance beyond the margin?
- What observables prove adoption?
- When do we expect to see them?
If you can’t answer all five, you’re still in the research phase.
3. Three SATs That Fit on a Sticky Note
| SAT | One-Sentence Use | Output Format |
|---|---|---|
| Signposts of Change | "We will believe X is real if we see A, B, C" | Bulleted list, 3–5 items |
| Cone of Plausibility | "Best case / baseline / worst case in 24 months" | 3-column table |
| What-If? | "If worst case happens, here's the backward chain" | Timeline diagram |
4. Order-of-Effect Cheat-Sheet
- First order: the tech works / the attack succeeds
- Second order: our controls fail / costs spike
- Third order: regulator moves / insurance voids
Stop at three; fourth order is speculation, not analysis.
5. AIMS in 25 Words or Less
- Audience: COO (operations budget)
- Issue: new OT-remote access feature
- Message: “delays production by 3 weeks if abused”
- Storyline: NotPetya → same vector → we are vulnerable → here’s the fix cost
Stick the 25-word summary at the top of page 1; everything else is appendix.
6. Slide-One Template (Copy/Paste)
| Field | Value |
|---|---|
| Advancement | OT Remote-Access SaaS feature |
| Admiralty Score | B2 (vendor reliable, claim probable) |
| Best Case | Zero adoption; current controls suffice |
| Baseline | 11 % of suppliers adopt; we add monitoring |
| Worst Case | 60 % adoption; attacker pivots through vendor cloud → 3-week shutdown |
| Signposts to Watch | 1. Vendor releases API docs (Q2) 2. MITRE TTP added (Q3) 3. We find active session in logs (now) |
| Ask | Approve SAR 120 k for jump-host upgrade before Q3 |
7. Free Repo That Builds the Brief for You
github.com/cti-brief/2025-template
- sat-signpost.py → populates signpost table from STIX feed
- cone-calc.py → generates best/base/worst numbers from historical incidents
- aims-writer.md → fills the one-page slide template
All outputs are Markdown → paste into PowerPoint or Google Slides.
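As an added example (not code from the original post or from the linked repo), here is a minimal version of what a sat-signpost.py-style script does: it checks the Signposts of Change from section 3 against a STIX 2.1 bundle and renders the "Signposts to Watch" row as Markdown for the slide-one template. The bundle, the label names and the choice of ATT&CK T1219 (Remote Access Software) as the "MITRE TTP" signpost are constructed assumptions for the demo.

```python
import json
from dataclasses import dataclass
from typing import Callable

# Constructed sample STIX 2.1 bundle, not a real feed: the attack-pattern and the indicator
# are planted so that two of the three signposts below fire and one does not.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--constructed-example", "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--1", "name": "Remote Access Software",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1219"}]},
    {"type": "indicator", "id": "indicator--1", "name": "Vendor remote session seen on jump host",
     "pattern": "[network-traffic:dst_port = 443]", "pattern_type": "stix",
     "labels": ["vendor-remote-access"]},
]})

@dataclass
class Signpost:
    text: str                        # "We will believe X is real if we see ..."
    expected: str                    # when we expect to see it (Q2, Q3, now)
    matches: Callable[[dict], bool]  # predicate applied to every STIX object in the feed

def has_mitre_id(external_id: str) -> Callable[[dict], bool]:
    # fires when an attack-pattern object references the given ATT&CK technique id
    return lambda o: o.get("type") == "attack-pattern" and any(
        r.get("source_name") == "mitre-attack" and r.get("external_id") == external_id
        for r in o.get("external_references", []))

def has_label(label: str) -> Callable[[dict], bool]:
    # fires when any object in the feed carries the given label (assumed labelling convention)
    return lambda o: label in o.get("labels", [])

# The three signposts from the slide-one template, each tied to an observable in the feed.
SIGNPOSTS = [
    Signpost("Vendor releases API docs", "Q2", has_label("vendor-api-docs")),
    Signpost("MITRE TTP added (assumed: T1219 Remote Access Software)", "Q3", has_mitre_id("T1219")),
    Signpost("Active vendor session in our logs", "now", has_label("vendor-remote-access")),
]

def evaluate(bundle_json: str, signposts=SIGNPOSTS):
    """Return [(signpost, [ids of matching STIX objects])] for every signpost."""
    objs = json.loads(bundle_json).get("objects", [])
    return [(s, [o["id"] for o in objs if s.matches(o)]) for s in signposts]

def signpost_table(bundle_json: str, signposts=SIGNPOSTS) -> str:
    """Render the Signposts-to-Watch block as a Markdown table ready to paste into the brief."""
    rows = ["| Signpost | Expected | Status | Evidence |", "|---|---|---|---|"]
    for s, hits in evaluate(bundle_json, signposts):
        status = "OBSERVED" if hits else "not yet"
        rows.append(f"| {s.text} | {s.expected} | {status} | {', '.join(hits) or '-'} |")
    return "\n".join(rows)
```

Call `signpost_table(SAMPLE_BUNDLE)` to get the Markdown block; swap `SAMPLE_BUNDLE` for the JSON of your real TAXII pull and adjust the predicates to your own labelling convention.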
8. Common Kill-Shots
- Mirror imaging: “If I were China I would…” → delete sentence, use prior intrusion timeline instead
- Metric salad: more than 3 numbers on slide = zero numbers remembered
- No ask: if there’s no budget or head-count request, the brief is a blog post, not intel
9. One-Hour Dry-Run (Do It Today)
- Pick last week’s CVE with CVSS ≥ 9
- Run the repo scripts → get one-page slide
- Present to a colleague in finance; time their questions
- Refine until questions are about cost, not concept
Bottom Line
Leaders don’t need more indicators; they need a story with a price tag. Use the frame, fill the template, deliver the ask. If the COO can quote your slide in the hallway, your CTI team will still have a budget next year.