SUMMARY

Former military intelligence analyst turned consultancy director Martijn Docters van Leeuwen joins Freddy Murre to unpack what cyber threat intelligence really is, and why so many teams "talk the talk" without "walking the walk", i.e. doing the work.


Martijn Docters van Leeuwen has done the whole journey, infantry, military intelligence, stopping ATM skimming and gas attacks in the Netherlands, to building a bank's first CTI team, and now being a cybersecurity consultant.


So when he talks about CTI being a tradecraft and not a report that magically lands in your inbox, he's not theorizing. He's been the only analyst in the room wearing all seven hats, the guy getting asked "why does this cost so much?", the one trying to prove value in the six quiet months when nothing's on fire.


We get into the stuff analysts actually argue about: why most teams are great at talking the talk and bad at doing it, the trap of living in your own little football field while the business has no idea what you do, how people game their own metrics to manufacture a crisis, and where AI genuinely helps versus where it's just a confident liar with no fingers. Threat vs. risk, mirror imaging, incident-driven vs. intel-driven, and the brutal truth that training does nothing if you walk out the door and never apply it.


If you do this work, or you're trying to convince someone it's worth doing, pour a coffee and settle in.



RESOURCES

Structured Analytic Techniques (SAT) Certification Training by Intel Tradecraft and Pherson - https://inteltradecraft.com/sat-certifications

Intelligence Mind Map - https://github.com/Errum/IntelArchitectureMap

When does something go from a Google answer to Intelligence - https://www.linkedin.com/posts/fmurre_in-your-opinion-when-does-something-go-from-activity-7181221399561203712-mV-m/

Mitre Att@ck - https://attack.mitre.org/resources/attack-data-and-tools/

Mark Arena - CTI: Comparing the incident-centric and actor-centric approaches - https://medium.com/@markarenaau/cyber-threat-intelligence-comparing-the-incident-centric-and-actor-centric-approaches-f20cfba2dea2

ASML The world's supplier to the semiconductor industry - https://www.asml.com/en

SANS FOR578 CTI - https://www.sans.org/cyber-security-courses/cyber-threat-intelligence

TIBER European Central Bank - https://www.ecb.europa.eu/paym/cyber-resilience/tiber-eu/html/index.en.html

Freddy's resources on SANS - https://www.sans.org/profiles/freddy-murstad#resources

The intelligence cycle - https://github.com/Errum/IntelArchitectureMap

Basic cyber-hygiene guidance from CISA - https://www.cisa.gov/topics/cybersecurity-best-practices

NSM ICT Security Principles - https://nsm.no/advice-and-guidance/publications/nsm-ict-security-principles

SANS FOR578 CTI - https://www.sans.org/cyber-security-courses/cyber-threat-intelligence

Obsidian (note-linking/mind-mapping for research) - https://obsidian.md/

CTI-CMM - https://cti-cmm.org/

CREST - https://www.crest-approved.org/

Google Notebook LM - https://notebooklm.google/

Intelligence minor, Leiden University - https://www.universiteitleiden.nl/en/education/minors/minor/fgga-minor-intelligence-studies

Heuer & Pherson Structured Analytic Techniques for Intelligence Analysis - https://www.amazon.com/Structured-Analytic-Techniques-Intelligence-Analysis/dp/150636893X/



CHAPTERS

00:00 Introduction & from military intel to CTI

08:30 Building a bank's first CTI team

15:00 What is intelligence — and what is CTI?

26:00 Talking the talk vs. doing the work

35:00 Incident-driven vs. intelligence-driven CTI

46:00 Tradecraft, methodology & pricing CTI work

53:00 Collection, analysis & tailoring reports

01:04:00 Mirror imaging & understanding threat actors

01:08:00 Measuring the value of a CTI program

01:19:00 Threat vs. risk: capability, intent & opportunity

01:24:00 Training intel skills & making it stick

01:36:00 Can AI help us do intelligence better?

Podden och tillhörande omslagsbild på den här sidan tillhör Freddy Murre. Innehållet i podden är skapat av Freddy Murre och inte av, eller tillsammans med, Poddtoppen.