From Hurricanes to BLIZZARDs: A Perspective on the role of Cyber Threat Intelligence.

Cyber Threat Intelligence (CTI) is often misunderstood by leadership and misapplied by operations. This talk argues that CTI is best understood as a parallel to the National Weather Service (NWS)—a discipline of predictive risk management.

The presentation is divided into two parts: first, it examines the methodology of the industry (NWS vs. CTI), and second, it examines the operational role of the analyst (The Lookout).

Part 1: The Methodology (NWS vs. CTI)
This session breaks down the structural similarities between tracking weather and tracking threat actors:

  • The Sensor Grid: This section compares Telemetry vs. Logs, analyzing how COMPS Buoys function like Network Intrusion Detection Systems (NIDS), and how Dropsondes (sensors dropped into storms) mirror Malware Sandboxing to gauge the “pressure” and “wind speed” of a threat.

  • Signatures and Naming: How the NWS identifies atmospheric signatures to name storms (Hurricane Milton), and how CTI uses Indicators of Compromise (IOCs) to cluster activity into named groups (Midnight BLIZZARD).

  • Modeling the Path: A comparison of the NWS “Cone of Uncertainty” and spaghetti (ensemble-track) models against the Cyber Kill Chain. The talk demonstrates how both fields use environmental steering currents—pressure systems for weather, network topology and exposed vulnerabilities for attackers—to predict the path of least resistance.

  • Physics vs. Psychology: The critical divergence. A hurricane does not read the weather report, but an adversary does read the CTI report. This section highlights the difficulty of tracking an adaptive threat.
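The “Signatures and Naming” point above, as an added worked example that is not part of the talk: intrusion reports are linked when they share a non-commodity indicator, and the connected components become candidate activity clusters (the step that precedes giving a cluster a name such as a BLIZZARD). The intrusion records, the indicator values and the commodity allow-list are constructed for illustration; the second call shows the caveat that a widely shared indicator like a public resolver merges unrelated activity if it is not filtered out.

```python
"""Clustering intrusions into activity groups by shared indicators.

Added example, not from the talk. Each constructed intrusion record
carries the IOCs observed (file hashes, domains, IPs). Intrusions that
share a non-commodity indicator are linked; connected components become
candidate activity clusters. Data and the commodity list are assumptions.
"""
from collections import defaultdict

# Indicators too widely shared to link anything (constructed list).
COMMODITY = {"8.8.8.8", "1.1.1.1", "api.github.com"}

# Constructed intrusion reports: report id -> set of observed IOCs.
INTRUSIONS = {
    "INT-001": {"sha256:aaa", "update-check.example", "8.8.8.8"},
    "INT-002": {"sha256:bbb", "update-check.example"},
    "INT-003": {"sha256:bbb", "203.0.113.10"},
    "INT-004": {"sha256:ccc", "1.1.1.1"},
    "INT-005": {"198.51.100.7", "8.8.8.8"},
}


class DisjointSet:
    """Union-find over report ids; connected reports form one cluster."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_intrusions(intrusions, commodity=COMMODITY):
    """Return clusters (sets of report ids) linked by shared non-commodity IOCs."""
    ds = DisjointSet(intrusions)
    seen_in = defaultdict(list)  # ioc -> reports that contain it
    for report_id, iocs in intrusions.items():
        for ioc in iocs - commodity:
            seen_in[ioc].append(report_id)
    # Every report sharing an indicator joins the first report's component.
    for report_ids in seen_in.values():
        for other in report_ids[1:]:
            ds.union(report_ids[0], other)
    clusters = defaultdict(set)
    for report_id in intrusions:
        clusters[ds.find(report_id)].add(report_id)
    return sorted(clusters.values(), key=lambda s: sorted(s))


if __name__ == "__main__":
    print("with commodity filter:", cluster_intrusions(INTRUSIONS))
    print("without filter:", cluster_intrusions(INTRUSIONS, commodity=set()))
```

With the filter, INT-001/002/003 form one cluster (a shared domain and a shared hash), while INT-004 and INT-005 stay separate; without it, INT-005 is pulled into the first cluster on nothing more than a public DNS resolver.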

Part 2: The Operational Role (The Lookout)
This presentation defines where CTI sits in the organization using the analogy of the Ship (Organization), the Captain (Leadership), and the Deck Crew (IT/SOC).

  • Integrated, Yet Removed: Why the Lookout cannot “scrub the deck” (patch servers) or “man the cannons” (active defense). If the Lookout comes down to help tie ropes, the ship becomes blind.

  • Vantage Point: Defining the value of height. The Deck Crew sees the waves hitting the hull; the Lookout sees the storm hundreds of miles away.

  • The Bell (Limit of Power): Addressing the friction of the CTI role. The Lookout’s job is to ring the bell (“Ransomware Group Detected”), but they cannot turn the wheel. The talk addresses the psychological toll of watching a disaster unfold when the Captain ignores the bell.

  • Ghost Ships (Signal to Noise): The consequences of false alarms. How to tune the “bell” to avoid alert fatigue when a developer working late looks like a nation-state actor.

  • The Discipline of Boredom: Strategies for maintaining vigilance when the “horizon” has been clear for weeks.
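The “Ghost Ships” point above, as an added worked example that is not part of the talk: a naive bell that rings on every after-hours login fires on the developer working late, while a bell scored against a per-user baseline of seen hours and source networks rings only when the login is also unusual for that account. The business-hours window, the scoring weights, the threshold and all login records are constructed assumptions.

```python
"""Tuning an after-hours-login "bell" against a per-user baseline.

Added example, not from the talk. The naive rule alerts on any login
outside business hours; the tuned rule scores how unusual the login is
for that user using a baseline built from earlier logins. Every login
record below is constructed sample data; the window, weights and
threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local (assumption)
ALERT_THRESHOLD = 3            # tuned bell rings at this score (assumption)

# Constructed baseline window: (timestamp, user, source network label).
BASELINE = [
    ("2024-10-01T23:10:00", "dana", "AS7922-home"),
    ("2024-10-02T22:45:00", "dana", "AS7922-home"),
    ("2024-10-03T23:30:00", "dana", "AS7922-home"),
    ("2024-10-04T09:05:00", "dana", "corp-vpn"),
    ("2024-10-01T08:55:00", "bob", "corp-vpn"),
    ("2024-10-02T09:02:00", "bob", "corp-vpn"),
    ("2024-10-03T08:58:00", "bob", "corp-vpn"),
]

# Constructed events to evaluate: Dana working late again, then Bob's
# account used at 03:12 from a network never seen for him.
EVENTS = [
    ("2024-10-07T23:20:00", "dana", "AS7922-home"),
    ("2024-10-08T03:12:00", "bob", "AS4134-unknown"),
    ("2024-10-08T09:01:00", "bob", "corp-vpn"),
]


def build_baseline(logins):
    """Per-user sets of login hours and source networks seen in the window."""
    hours, nets = defaultdict(set), defaultdict(set)
    for ts, user, net in logins:
        hours[user].add(datetime.fromisoformat(ts).hour)
        nets[user].add(net)
    return hours, nets


def naive_rule(event):
    """Untuned bell: any login outside business hours is an alert."""
    ts, _, _ = event
    return datetime.fromisoformat(ts).hour not in BUSINESS_HOURS


def tuned_score(event, hours, nets):
    """Score an event by how unusual it is for this specific user."""
    ts, user, net = event
    hour = datetime.fromisoformat(ts).hour
    score, reasons = 0, []
    if hour not in BUSINESS_HOURS:
        score += 1
        reasons.append("after hours")
    if hour not in hours.get(user, set()):
        score += 1
        reasons.append("hour never seen for user")
    if net not in nets.get(user, set()):
        score += 2
        reasons.append("network never seen for user")
    return score, reasons


def evaluate(events, baseline_logins):
    """Return (naive alerts, tuned alerts) for the same event stream."""
    hours, nets = build_baseline(baseline_logins)
    naive = [e for e in events if naive_rule(e)]
    tuned = []
    for e in events:
        score, reasons = tuned_score(e, hours, nets)
        if score >= ALERT_THRESHOLD:
            tuned.append((e, score, reasons))
    return naive, tuned


if __name__ == "__main__":
    naive, tuned = evaluate(EVENTS, BASELINE)
    print("naive bell rang", len(naive), "times:", naive)
    print("tuned bell rang", len(tuned), "times:", tuned)
```

On this data the naive bell rings twice (Dana and Bob), the tuned bell once (Bob only, score 4: after hours, unseen hour, unseen network). The baseline must be rebuilt as habits change, and a user whose baseline window already contains the attacker's activity will score low; the threshold is a lever to tune, not a fixed fact.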

Key Takeaways:

  • A framework for explaining the “Limit of Power” to stakeholders (Alerting vs. Steering).

  • Arguments for why CTI must be physically or operationally separated from ticket-based SOC work.

  • An understanding of the “Cone of Uncertainty” in cyber defense and how to communicate probability rather than certainty.

Register Today!