When I first came to CTI, I cared about 2 things: the "why" and the most precise version of the "who". But the longer I stay at the fair, I realize those are nice to know but once you have the solid idea of each for an actor, the "what/how", "when", "where" matter so much more.
Don't get me wrong, in CTI the "why" and the "who" of hostile activity matter -- up to a point. Beyond that point, firming up attribution is great when possible, but you only enable blue teams/degrade adversaries by nailing the "what/how", "when", and "where".
It's slowly dawning that this might be seen as questioning the value of attribution. To be clear: I believe attribution matters. I'm just saying once you've been able to attribute, I prefer current malware/infrax/TTPs over unit number etc. -- but I do still want it all.
TL;DR - Having spent some serious time tracking actors for a living: now once I'm sure of who I'm tracking, my immediate priority becomes "where the fuck are they right now?" and how can what I know about identity or prior ops potentially answer that question.
One last piece of context — everything I said in this thread is in the context that I work in a vendor space. If I was doing what I do solely for a government, my priorities would be different based on multiple variables (including what precise role I would be filling).
You can follow @WylieNewmark.