In this episode, our guests Mike Sheward and Gary Brown join us to discuss the importance of threat intelligence.
Threat intelligence is the body of knowledge, skills, and experience needed to understand and assess the potential cyber and physical threats facing an organization. It is delivered as tactical, operational, or strategic reports, and each of these serves a different purpose in an organization, so we discuss the uses of each.
We also discuss what to do with threat intelligence to help your organization through various threats and attacks. Threat intelligence helps you solve problems more efficiently and prevent larger breaches from occurring.
Threat intelligence comes from many places, so it is important to understand concepts like the dark web, ransomware, malware, the different types and tiers of attacks, and the different ways to defend the company against them. After all, there will always be threats and problems to deal with, regardless of how well prepared and protected you think your company might be. But having threat intelligence can give you additional time and space during an attack to think through the issue and clearly communicate the solution to your team.
Kip Boyle:
Hi, welcome. This is Your Cyber Path. We’re the podcast that helps you get your dream cybersecurity job. I’m Kip Boyle. I’m here with Wes Shriner. We are experienced hiring managers of cybersecurity professionals, and we’re here to help you get your dream cybersecurity job.
This episode that you’re checking out right now is available as an audio-only recording. If you want that, just go to your favorite podcast app and grab it. We also have a video on our YouTube channel. Just go to YouTube and search for Your Cyber Path podcast, and you’ll see a playlist and everything will be there.
Let’s talk about the series we’re in. What we’re doing is a series of episodes. What we’re trying to do is tell you all about the way a typical cybersecurity organization is put together in a larger sized organization, because if you know what’s available, then you can figure out what’s the best job for you in this career field that we now call cybersecurity, some of us with some reluctance, I must admit. We have better names for ourselves.
Anyway, so today we’re going to tell you about the threat intelligence service, right? We have a whole service catalog that we’re walking through. This is number 15, and you’ll see it. When we get to that slide, we’ll show you all the services. Look for number 15, and then you’ll see where it belongs.
Today we’re going to explore that service with the help of two guests. We’ve got Mike and Gary here, but before we introduce our guests, Wes, tell us what is happening on the farm.
Wes Shriner:
We had a wild week on the farm this week, Kip. We had a young couple come on out to the backyard, set up a 40 x 20 tent and get married back there. It was really, really cool.
Kip Boyle:
Did you know them?
Wes Shriner:
Oh yeah, this is a young man that I’ve been mentoring for years, a sweet friend, and so congratulations to Dave and Emma, who are happily married and figuring out life together as a married couple. It was really fun to pause and celebrate with them as they start this new life together, and it was fun to get through winter and realize that spring is coming and new life and new marriage and new happiness is coming, because winter’s a long dredge on the farm. I’m not going to lie.
Kip Boyle:
Yeah. That is so cool.
Wes Shriner:
Yeah, that was a pretty sweet time. Congratulations to those two. My favorite part is that when you have a wedding coming, teenagers mow the lawn without being asked. I mean, without being asked multiple times. Sorry.
Kip Boyle:
Oh, okay, because I was about to say, as a teenager, I would not have gotten the hint. I wouldn’t have picked it up.
Wes Shriner:
That’s a highlight. All right, let’s jump into some guests and tell you who we have here today.
Kip Boyle:
Please.
Wes Shriner:
First, we’ve got Mike Sheward. Shewy comes to us from Seattle, Washington, where he has been… I’m sorry. I was a game show host when I got started.
Kip Boyle:
Thanks, Guy Smiley.
Wes Shriner:
Shewy has been all of the places. He’s been at ExtraHop and Expedia. He’s currently Head of Security at Particle. He’s written 20-some articles, taught security classes at the University of Washington. I think my favorite part of Shewy’s profile on LinkedIn says, “Enthusiastic information security leader who will do everything in his power to make sure he never has to get on the phone at 2:00 a.m. to tell his leadership team a breach happened, never wants to receive a phone call from Brian Krebs, never wants to offer you two years of free credit monitoring, and offers practical solutions, puts in the effort to make these goals a reality.”
Shewy, tell us a little bit about you. How did you get your start in cybersecurity?
Mike Sheward:
Yeah, so I’m originally from the UK. You’ll see various bits of my old life behind me on the wall, things like that. I actually got my start by accident. I was working as a network engineer in the local education authority at my local county council, which is basically like state-level government in the UK, and I noticed a bunch of traffic going out of the network in the wrong direction at quite a lot of speed, and so I decided to investigate. I found what I thought was actually malware at the time, and so I basically shut off the port where the traffic was coming out of the network, and it resolved itself over the next couple of days.
Then, probably about six months later, somebody came to me and said, “Hey, can you explain why you did what you did six months ago?” I said, “Sure, it was because I saw this.” Anyway, it turned out that I had just busted, by accident, somebody doing something very bad. They were sharing some files that they shouldn’t have been sharing, and so I was like, “That was pretty cool. It was a good feeling to be able to spot something and jump on it, and stop something bad happening. Maybe I should do this as a career.” That’s where I got started.
Wes Shriner:
That’s a great start. That was in the UK. How long have you been in the U.S.?
Mike Sheward:
It was 10 years. I’ve been in the U.S. 10 years last week, so I’m just celebrating my 10-year anniversary, which is why my accent is kind of halfway between the two countries at the moment.
Kip Boyle:
Well, you sound like you’re from New York, so it fits.
Mike Sheward:
Yeah, yeah. I used to tell people I was kind of at the Azores. Now, yeah, I’m definitely closer to Boston and New York for sure.
Wes Shriner:
You’ve got a strong threat intelligence background. Can you tell us a little bit about your experience in threat intelligence?
Mike Sheward:
Yeah, sure. I mean, my biggest thing that jumps to mind whenever I think of threat intelligence… At Concur, I used to use threat intelligence quite a bit. We had a travel book. I ran the security operations team there, where we had a travel booking feature. We used to get people that would phish their way into our platform and spin up fraudulent travel bookings and things like that.
Early on, I dealt with some very custom, very specific threat intelligence based detections for detecting that kind of fraud. That was actually a really good thing to do, because it’s a security thing but it’s also a businessy thing, where it saved customers real money. Early on at Concur that was a very good way to get a lot of buy-in from the exec team, so it enabled growth in the technical security space.
I’ve done that, and then at other places, as well, and up to present day, do a lot with the traditional threat intelligence detections and things like that. What I really like about threat intelligence and surfacing things up at cloud service providers, which is where I’ve historically been, is that it’s a resalable thing, threat intelligence, right?
If you’re offering a service or hosting or something along those lines, and you’re doing a bunch of threat intelligence correlation, it’s not that difficult to resell that or just repost it back to your customers. That way you get, obviously, their eyes on it. Some of them have bigger security teams than I have, so it’s nice to be able to expose that stuff back out, and it makes you very popular amongst your customer security teams, which is always a good thing to be.
Wes Shriner:
Nice. Nice. Now, I heard you say it was a security thing and a businessy thing.
Mike Sheward:
Mm-hmm (affirmative).
Wes Shriner:
Now, that’s a new word. Is that an American-English word or a British-English word that you created there?
Mike Sheward:
Businessy is actually from an ancient Anglo-Saxon proverb that was first documented in 52 A.D. or something like that, I’m sure.
Wes Shriner:
Outstanding. Thank you.
Kip Boyle:
Now you know why we invited Mike to be on the show.
Wes Shriner:
Glad to have you.
Mike Sheward:
Thank you for having me.
Wes Shriner:
All right, and I want to turn over here and look at Gary Brown. Gary Brown has been a peer of mine, a coworker at one of our companies. While he was there, I watched him set his sights on moving into threat intelligence for years and focus and now execute on that goal to where he is now the Principal Intelligence Analyst at a major telecom, so really well done, Gary. I want to hear your story, as well. Tell us a little bit about who you are and where you come from, what you’ve got in the background.
Gary Brown:
Well, I originally, I guess, started life in Portland, Oregon. Went to Portland State University there and worked full-time, while I was doing that, as a Command Post Controller for the Air Force and scrambled fighter jets actually and did emergency response actions and a bit of classified work doing that while I was working my way through college and got an officer slot as a Command and Control Officer at Western Air Defense Sector of NORAD, but what I really wanted to do was intelligence. That was, I felt, my calling.
I got an opportunity to apply for a position at what was called the Information Warfare Aggressor Squadron at that time. It’s now called the Cyber Operations Squadron. I got my start out working with Air Force Red Teams as an intelligence officer, what’s called an All-Source Intelligence Officer, which most Air Force intelligence officers are, where we look at a whole spectrum of different intelligence disciplines, including human intelligence and signals intelligence among them, and other types that are a little bit more exotic than those, and just developed experience in cyber and working with an operational Red Team mindset, doing intelligence support of the Red Team or actually participating and/or actually leading the Red Teams at times. I ended up being a Tactics Officer and then a Flight Commander.
Some of my more memorable experiences were actually serving in non-cyber capacities, but working as a Chief of Information Operations Intelligence in Iraq for the country and also working on host force nation issues in Afghanistan, for a few years in each, more in Afghanistan actually, and working for Central Command as a Strategic Intelligence Analyst. I’ve always considered myself first an intel guy and second a cyber guy. I may offer a little bit of a different perspective to you. It’s really cool to meet Mike and experience or hear what his insights are, as well. They’ll be a little bit different than mine.
I joined the corporate world at a telecom company, and worked beginning in operational security, which provides essentially ways to protect information, company information and company secrets, that are not limited to cyber, but also go beyond cyber, as well, into touching on physical security or touching on how we transmit information, for example. Then I was selected to start the Security Awareness Program, Enterprise Security Awareness Program for the company, which is… In my mind, security awareness and intelligence have a huge [inaudible]. Most of what we have, information for what works in security awareness, is drawn from threat intelligence, but it’s very, very proven threat intelligence information that we’re giving you at that point in time.
Then, I started working a couple years ago, part-time and then full-time, on the intel side of the house for the company, and just was able to prove my bona fides, I guess, doing intel. Having all that Air Force intel experience, people don’t necessarily always see that as translating into a corporate environment, because there are some differences. I think I’m able to demonstrate that there are some really good translations that we could learn from each other.
Wes Shriner:
I really hope you get a chance to share some of those along the way today, because I think that’s a huge value add to our audience, right? Many of the folks in our audience come from a strong military background and are looking to make the transition to corporate America. The way you did it, with humility and strength, was really, really cool. I hope that comes out in today’s episode in some ways.
Gary Brown:
Thank you.
Wes Shriner:
All right, so let’s jump in and see what we’ve got for today. Let’s see. To remind our audience, this is our placemat of the 23 common services of a security service catalog. We’re going to focus specifically on the threat intelligence discipline, the threat intelligence service catalog item number 15 here. That threat intel service catalog item, when I showed this to 10 peers and said, “Hey folks, here’s what I’ve got for threat intel,” every one of them put it in a different spot.
Some people put it in engineering, architecture, and test. Some people put it over in risk management. Some people believe it belongs in security operations. We just heard Gary say it might belong next to security awareness and training. We will have an MMA throwdown at the end of this call to figure out where threat intel is supposed to land, but for now we’ve got it living over in engineering, architecture, and test.
We will go to the next slide now and start to jump into what is threat intelligence and reporting? I want to start with the reports, because if you can begin with the end in mind, then you can understand how to get there.
To understand threat intelligence, we want to look at a report horizon. We’ve got three different report horizons, the first being that in the next three days, right? That’s your tactical report telling you what’s going to happen next. Your three days and three months might be an operational report, and anything with three months or greater timeline is going to be your strategic report.
Some of the most common reports might be the current intelligence brief or an incident watch. Maybe there’s some geopolitical instability, an industry threat, a company threat, a tech threat, travel advisories, executive protection. These are all common reports you might see from a threat intelligence team. I want to call out… The threat intelligence analyst is going to bring together analysis, data, and tools. If we can get the tools, the analysis, and the data in the right place, we’re going to get to the analytical sweet spot. If we flex in any of the wrong directions of that Venn diagram, we’re going to either end up with overworked, unproductive analysts; speculative guesswork; or unreliable auto generated garbage. That’s the value of having a great intelligence analyst bringing you the data. Would you guys have anything to add to this slide? How would you make it better?
Gary Brown:
Well, I would clarify that it’s correct, but to get optimal results, you need the right tools, the right data, and the right analyst.
Wes Shriner:
You kind of need the right stuff.
Gary Brown:
Yeah, I mean, and then as far as a lot of understandings, I think, that I’ve read about, about the way corporate views intelligence is they view it as very, very tactical a lot of times, and that has them putting the intelligence organization with the cyber incident response team and maybe with the cybersecurity operations center, which is a very short-term look at threat intelligence. I’m not trying to discount that, but what I would say is that when it comes to what’s actually the most important, think of it as a downward flow from strategic to operational to tactical.
If you think of security organizations, all these together, as kind of a net that you showed on that previous slide, all those different boxes as part of different strands out of a net trying to stop attacks from happening, the further out you can see that happening, which means strategic, the more effectively your leadership can allocate resources, so that they can meet those risks, but that’s also the hardest to do is the strategic intelligence. The operational part, it’s closer in, but you still have time before the attacker is actually on your network. I would put something like vulnerability management, for example, in that operational side, but it could be tactical if they’re already exploiting or are in the process of exploiting that vulnerability, in which case you’re too late, right? Now you’ve moved it to cyber incident response team and what’s actually happening on your network, right? It’s a little late in the game, but that’s where tactical intelligence comes in really, really valuable.
Wes Shriner:
What can I do tomorrow to make this place better and more secure?
Gary Brown:
What can I do today to make this place better, more secure?
Wes Shriner:
Cool. Shewy, is there anything you’d want to add there?
Mike Sheward:
I mean, I would say that the kind of diagram over there, although this is written from the perspective of human intelligence and potentially signals intelligence, as well, I was going to say that a lot of what… You could use that same diagram to talk about how some of the things that are detected in the modern security operations center, as well, which falls into that tactical intelligence bracket that you were talking about, but there’s definitely a lot of the same sort of tools analyst data overlap there, as well. What comes out of that process could be considered intelligence, so that’s why some people, me included, think that intelligence can live in the [inaudible] quite nicely.
There’s intelligence that comes from external sources, and there’s also your own intelligence that comes from your own monitoring and response, as well. Both sources are equally important, in my opinion.
Wes Shriner:
Very cool. Outstanding. Let’s take that and let’s now build on that with our next slide here, the understanding of how do we get from a big pile of data to something useful that we can work with.
Kip Boyle:
By the way, I think we have the best slides yet on this episode, the best visuals.
Wes Shriner:
Well, and you’ll notice that every one of them is sourced, because we didn’t create most of these, right? These are coming from some really good industry sources.
Kip Boyle:
With attribution, nice job.
Gary Brown:
Or in this case, military source from the Joint Intelligence Publication 2-0 from the Joint Chiefs of Staff.
Wes Shriner:
Gary, do you want to tell us a little bit about this slide?
Gary Brown:
Sure. It’s extremely important for you to get a baseline understanding of the operational environment you’re working in; in the case of the military, what the mission is; or what the business priorities are of the business; and, also, what your assets are, so you know what’s important to defend. Then, even amongst those assets, what’s most important among them, and what are the impacts if you lose that, because you always have to face triage, in terms of how you allocate your resources, how your leadership allocates resources, who they hire. That’s very critical.
The other thing to understand, and this is an enormous misunderstanding out there that seems hard for a lot of people to get, is that they confuse the idea of information with intelligence. Basically, this depicts the process that you’re supposed to have, which is that a lot of times you’ll start with data, which is kind of unprocessed, unorganized information. You organize it and maybe call it information and make it a little bit more meaningful, just by that organization and narrowing it down. Then, the intelligence part is where you’re making estimates and assessments about what that actually means and how that might impact the future decisions of the company and how to allocate resources, basically towards the goal of reducing risk. Mike, do you have comments on that?
Mike Sheward:
Yeah, that last part, the production of the intelligence, is the art form, right? That’s the part that can sometimes be overlooked, right? Because it’s fairly easy to go collect a bunch of this stuff, and the classic example is if you run a large company, and you have a web application firewall, and it picks up six billion events per month, and you go and you hand six billion events per month to anyone, say, more senior, they’re like, “Well, what do I do about this? Is this good?”
The art, in a lot of security topics, is taking that raw data and presenting it in a way that folks will understand and be able to get value out of. Penetration test reports, very similar thing in a way that it’s the only tangible output of the process, right? It’s the same here.
Early on in my career, when I was doing either pen test reports or incident reports and stuff like that, people would always yell at me, because they would claim that they read like a Jane Austen novel. I’d write a pen test report, and it would start off like, “It was a warm Wednesday morning, and I arrived at the office, and what I found was…” Just get to the point and make it very clear what is actually out there, what the threat is, and what we could potentially do about it. Making it a very concise and readable and digestible brief is a skill.
Kip Boyle:
I really like-
Wes Shriner:
Do you read a lot of Jane Austen novels? I’ve just got to know.
Mike Sheward:
I’ve never read a Jane Austen novel.
Wes Shriner:
Oh, come on.
Mike Sheward:
That’s why I didn’t know what it was like.
Wes Shriner:
It was a warm Wednesday morning.
Kip Boyle:
Well, you are a writer. You have several books and papers published, Mike, so there’s got to be-
Mike Sheward:
Well, that’s because I had to have some kind of outlet, because I couldn’t do it in my pen test reports, my incident reports anyway, so I had to have an outlet somehow.
Kip Boyle:
So there is a writer in there after all. Hey, I just want to say that one of the things that we try to do in our episodes is highlight when a service that we’re talking about is different, depending on the size of the organization that you’re working in, the industry that you happen to be working in. Those things can make a big difference.
Mike, when I heard you talk about, for example, some kind of a log, some kind of a system that was making log entries, and a ton of log entries in a given time… When I was working at a mid-sized insurance company, I didn’t have the budget to actually process those logs and turn them into intelligence. I wish I had, but it really wasn’t an option. It fell below the line in my budget, and so, to me, that’s one of the compromises in working in a smaller organization is you don’t always have the ability to breathe life into all of the services that we’re talking about here. In contrast, people working in very large enterprises probably do get the opportunity to do more of this work.
Wes Shriner:
I think in a large company, you do get a little more state of the art. At the smaller company, I think it’s very likely that you wear six different hats during the day, and maybe there’s a 15-minute window at three o’clock in the afternoon, where you’re allowed to put the threat intelligence hat on and say, “All right, those are the things I’m going to deliver.” Hopefully, this episode helps you understand what are the most important things to do in those 15 minutes.
Kip Boyle:
Yeah, besides go, “I wish I could spend 20 minutes on this.”
Wes Shriner:
Ha!
Mike Sheward:
Yeah, I generally prefer smaller organizations and smaller teams for that reason, right? I get bored with myself easily, so I like to wander around and do different things. Yeah, I really enjoy the mixture, but yes, it’s true that if you’re in a smaller team, you might get to mix in threat intelligence here and there, and you might get some benefit from it, which is why I was saying earlier about exposing it back out to your customers is a good way of maximizing the impact of it, especially if they’re bigger than you.
Yeah, it definitely varies. There are obviously enterprise organizations out there that have giant intelligence, threat intelligence, teams out there that are bigger than many just whole security teams. I think it’s interesting. I think anybody can do it, to some degree, right? It’s just about how you apply it in your organization. Yeah, it means different things to different sizes of organization, for sure.
Wes Shriner:
All right, let’s take that and have a look at our next slide. This one’s kind of fun. This is that how others see it and how I see myself kind of picture, right? On the left-hand side, how others see it. We do the hard things, the cool things, the geeky things, and then the boring things: direction, collection, analysis, and dissemination. Mike, you brought up earlier that the threat report is really the only thing that is the output of this organization, but this is really a process, and you may be delivering threat reports, one every day, or even multiple times in a day, depending on what kinds of reports you’re delivering.
It’s very possible that, as you drop into a process where you work the cycle, you may be delivering and then improving your processes each time, right? Here is the Joint Chiefs of Staff diagram for how the process of intelligence reporting might go with planning and direction, collection, processing and exploitation, analysis and production, and then dissemination and integration. That all gathers around the mission with evaluation and feedback happening continuously. I just want to call that out as the intelligence process that delivers each of these reports. Thoughts on that? That one was pointed. All right, we’ll just keep running.
Gary Brown:
Well, sorry. I thought you were asking Mike. I have thoughts, but I…
Mike Sheward:
I was waiting for you, Gary, so go for it.
Kip Boyle:
Go, Gare. Go, Gare. Go, Gare.
Mike Sheward:
Go, Gary.
Wes Shriner:
We were all waiting for you, Gar.
Gary Brown:
Well, so yeah.
Wes Shriner:
Oh, Gary arrived. This is great! Gary’s got something to say.
Gary Brown:
Let me first say that the collection part and the processing and exploitation part of it are actually where there’s a lot of work involved and a lot of steps. To me, the analysis and the dissemination are actually the culmination of what you’re going to, if you think of these as kind of stair steps.
The planning and direction, you’re taking a step up. Now you’re getting to do the collection. The processing and exploitation, where you’re processing the information, maybe you’re normalizing data in an Excel spreadsheet. How fun is that, right? It’s the analysis and production where it starts to all come together, but it doesn’t matter, if you don’t disseminate it out, right?
It’s extremely important to have the planning and direction, because those are where you’re going to get what we call requirements. We’d have priority requirements. We’d have ad hoc requirements, where a new one is put on you suddenly, but that’s actually where you get your direction on how to go about doing your collection about what’s important to the business, in the case of a business, or what’s important to the mission, in the case of the military.
Then you have your collection, based on your resources. The military has far more resources for collection than business does, far more of what we would call collection platforms, and far more capable, to some degree, but not in all ways either. Government budgets can be weird.
Then processing and exploitation, that’s a little bit the grunt work to try to make sense of the data, so you can get to the analysis. That’s where you’re creating the information from the data, basically, processing and exploitation. Then the analysis and production, to me, that’s where you really earn your paycheck, right? That’s where you differentiate yourself from the rest of the crowd, maybe, in terms of what you’re able to come up with or give to your leadership.
Then the dissemination and integration, also, that’s where you get the visibility, right? That’s where they actually see it, and in some ways, the most important, final step, because you have to do it in order to make a difference.
Wes Shriner:
There’s something you brought up to me in previous conversations, Gary, is understanding commander’s intent. I think that’s really falling into planning and direction, but it’s really understanding the mission. If we understand what our business customer needs, what our commander’s intent is, then when we go do all of this work and we deliver a result, we’re delivering what our business needs to help it grow.
Gary Brown:
I might add that the business may not always have security as a priority, an absolute priority, because they have to do this thing called run a business and make money, right? That’s a constant balance of things that a security organization needs to understand.
Kip Boyle:
Definitely.
Wes Shriner:
Cool. Mike, you’re on mute. He knows. He’s happy.
Mike Sheward:
Yeah. Sorry, yeah. To follow on Gary’s point, they’re not in business to… Early on, in my U.S. career, there was some major vulnerability in some financial system, and I needed to borrow a bunch of engineers to go patch this thing. I sat down with our CIO at the time, and I said, “Hey, I need to borrow X, Y, and Z just to tighten us up. I know they’re working on something else, but can you help me out?” The response came back with, “No. They’ll be available in three weeks.”
I said, “Well, that’s kind of a long time.” They were like, “Well, they’ve got this other thing that’s more important. We’re here to run this business. We’re not here to be secure, all right? We’re here to be secure and we’re here to be in business.”
Wes Shriner:
They didn’t say that.
Mike Sheward:
Yeah, yeah.
Wes Shriner:
Oh.
Mike Sheward:
In a way, they’re right, right?
Kip Boyle:
Don’t act like that’s the first time you’ve ever heard that, Wes.
Mike Sheward:
I sat back and initially I was kind of annoyed, but then I was like, well, they’re right, and so I went away and figured out a compromise, like one person for a bit longer or something, to get it taken care of. Yeah, every time I have come across a similar situation since then, in regards to threat intelligence… There’s an old expression that I can’t remember who wrote it, but I’ve referenced it many times, and I’ve put it in a footnote somewhere, but, “If everything is important, then nothing is important.”
It’s true in threat intelligence and in incident response, as well. You can become scared or nervous about what I like to call pulling the alarm cord too much or giving up too much information to people, because then you just get numb to the volume of it. That’s probably part of the analysis, production, dissemination, and integration piece, right? Being selective and making decisions, especially in smaller companies and smaller organizations, about when you decide to deliver certain pieces of information or pull that alarm cord and say, “Hey, I really need help now because of X, Y, and Z,” that’s something you have to learn, as well.
Kip Boyle:
Thank you, Chicken Little.
Wes Shriner:
I think that’s great. We get an understanding of what the model is and where the priorities are, and then we understand how you can fall off on either side of it. This has been a good conversation. I’m enjoying it. I’m going to take you to the-
Kip Boyle:
I really appreciate the human factors aspect there, too, but-
Wes Shriner:
Yeah, yeah.
Kip Boyle:
Not crying wolf every time you think you see a wolf.
Wes Shriner:
Indeed, indeed. It’s an interesting road we walk. All right-
Gary Brown:
So.
Wes Shriner:
Go ahead.
Gary Brown:
Yeah, I was just going to say, regarding some of that, one thing that’s really useful is to understand biases out there of different sources. One source that we regularly look to is security researchers. Security researchers have a bias to dramatize whatever it is they’re presenting and make a name for themselves, because that’s how they make money, and that’s how they make a living. Part of them are in it so that they can have a platform and make a difference in the world, right?
Always take that, for example, into account when you read some of these stories about the latest ability of a laser to eavesdrop on your Alexa device or whatever, right? We have to evaluate what the actual risk is of these things happening when we talk about how we prioritize our resources because, as Mike said, you can’t go after everything.
Kip Boyle:
Wait a minute. If a vulnerability has a fancy logo and a cool name, that’s not enough?
Gary Brown:
Not necessarily, no.
Kip Boyle:
It’s happening more and more.
Gary Brown:
Yep. Right, right. It’s not how we base our decisions on what vulnerabilities to pursue and/or spend limited resources on. That’s where intelligence comes in with regard to vulnerability management, right?
Kip Boyle:
Love it.
Wes Shriner:
Nice. All right.
Mike Sheward:
I’ll just say, some of the things… I triage about 15 to 20 bug bounty reports a month, and every bug bounty report that comes in is the most important thing in the world to the person that submitted that report. Of the 19 or 20, 19 or 20 are incorrect or wrong or out of scope for a particular thing or in somebody else’s service, right?
Every one of these things comes in, and when I hired a more junior person on my current team, every one of these reports would come in, and they’d freak out, like, “Oh no! What should we do?” I was like, “Just read it through, understand.” I’m like, “Here’s a rule. If somebody submits a report that says it’s an authentication bypass and the first line of that report is, ‘Log in with valid credentials,’ chances are it’s not going to be a valid finding.” Yeah, it’s the same sort of thing with threat intelligence, as well.
Wes Shriner:
Outstanding. I want to take you to an eye chart next. This is brought to us by our friends at Recorded Future. This was a presentation done by a fellow named Greg [Reid] from the Seattle area. I have seen this presentation by him, and I remembered this slide, because it brings a lot of information together.
We are not going to drain this slide today. I do just want to call out a couple highlights, right? If we’re looking at the different threat actors that we could be dealing with, in our environment, there are six levels, as they’re broken down in this diagram. The most simple of attackers might be your script kiddies and your nonmalicious actors, right? That’s going to be your green level down here.
Then you’re going to move up to maybe crime groups or hacktivists or maybe cyber mercenaries. Then you move all the way to advanced persistent threat nation-state attackers. If you can categorize your actors into these different six levels, then you can start to understand what controls you might want to put in place and what threats are really coming from each one of those, and which you have to address and not. This is kind of an eye chart here, but do you guys want to add anything to this one before we jump to that next slide?
Kip Boyle:
Would you use something like this? Do you use something like this?
Gary Brown:
The current-
Wes Shriner:
It helps… Go ahead, yeah.
Gary Brown:
The current intelligence picture is a lot more complicated than this.
Kip Boyle:
Aw, come on.
Gary Brown:
Yeah, no seriously, right?
Kip Boyle:
This is super complicated already.
Gary Brown:
Yeah, the slide is pretty complicated, I agree, but just looking at the central-
Wes Shriner:
We lost you, Gary.
Mike Sheward:
I believe the intelligence services have intercepted him to stop him from…
Wes Shriner:
Gary’s audio is gone. Gary, can you see us? No audio from Gary.
Kip Boyle:
Let him troubleshoot. Mike?
Wes Shriner:
I’m sure he was going to say important things. What you got, Mike?
Mike Sheward:
Yeah, do I use this kind of classification? Sometimes, honestly, in a smaller organization, it’s just about… It’s usually just an insider/outsider type thing. It doesn’t really matter, like any more detail than that, but yeah, it’s something that I think we’ve become more aware of the top of this pyramid, in the post SolarWinds world, and we’re talking about supply chain stuff, as well.
I think that that has actually opened the eyes of a lot of more senior folks in organizations to the fact that the top of this pyramid. Nation-state, state [inaudible] will go after whatever they can, because there has always been this perception that we’re not that much of a target, right? Who wants to go after X, Y, and Z?
If you have a presence anywhere, then you are a target, and you have some value. There will always be some obscure link to somebody in your organization that somebody wants to exploit for some reason at some point. I think SolarWinds has brought that to the fore of it more, and have seen smaller companies and midsize companies do this classification more often.
Kip Boyle:
Mike, I can tell you’ve been in the U.S. for 10 years.
Mike Sheward:
Really?
Kip Boyle:
Yeah, you didn’t say zed.
Mike Sheward:
Oh.
Kip Boyle:
Welcome.
Wes Shriner:
It is Z.
Kip Boyle:
Glad you’re here.
Mike Sheward:
Me, too. I like it. It’s good. Health care is kind of a problem, but we’ll fix that.
Kip Boyle:
Please, get on it. Gary, are you back? Oh, man! Audio trouble.
Wes Shriner:
This is the best meeting I’ve had with Gary all week. I’m not going to lie.
Kip Boyle:
Well, everybody who watches this podcast knows that this is like live radio. Sometimes things happen. I disappeared because I had an equipment malfunction, but a little troubleshooting, I’m back. I think we need to move on. Sorry, Gary.
Wes Shriner:
We’ll get a chance to catch some more from him in a bit.
Kip Boyle:
Yeah.
Wes Shriner:
I do want to jump ahead to this next slide that I think is actually really interesting, because it takes the concept of the six layers and it applies it to a series of specific threats, targets, and controls, right? If we start at the bottom in the green space, we have nuisance threats that might be phishing or viruses, and that might affect some of your internal employees, and that may be prevented with firewalls, antivirus, endpoint detection and response, some of your common security controls.
Then you may have a mid tier attack, and that may be more of a spear phishing or ransomware. It may be targeted specific to your organization. That may be after specific PCI data or personal health information or potentially any of your sensitive data assets, your intellectual property, right? That may be protected through behavioral analytic tools, your analytic endpoints, but it’s really going to take a next level, next generation quality control in order to protect those assets.
Then if we start moving toward the APTs and the nation-state threats, we’re really going to be looking at military quality defenses, right? We’re going to be looking at integrated intelligence and response counterintelligence programs. I think this kind of brings to light and helps us understand that chart from the last page.
Kip Boyle:
Yeah, yeah, and I think it also underscores the fact that if you’re working at a small organization, you’re working at a midsize organization, I mean, you’re just… There’s real limits on how much you can do here, how much time you can spend understanding the stuff as opposed to just playing whack-a-mole, which is what a lot of us end up doing.
Mike Sheward:
Yeah, there are a lot of companies out there that cannot give you an easy answer or a straight answer to how many devices do you own? What’s your asset management look like? How can you expect them to climb this ladder and have some of these things in place? In which case, my recommendation to those kind of companies is always try and keep everything as simple as possible and rely on the old classics, like segmentation and decent firewall rules and just knowing what normal looks like, and then you can kind of pick up some of the gaps you miss because you don’t have some of these fancier things.
Kip Boyle:
Yeah.
Wes Shriner:
It comes back to blocking and tackling, right? If you can do the basics, and you can do the basics well, you’re actually going to prevent 90% of the attacks.
Kip Boyle:
I also want to take a moment and just acknowledge that the fact that threat intelligence is so difficult and yet really crucial, actually, if you really want to protect your digital assets and so forth, really underscores the fact that we have this massive gap right now between what government can do, what police and law enforcement, and the judiciary and the legislative and the executive. What can they really do to protect us?
I mean, they’re really good at stopping bank robbers with guns showing up on the corner and trying to grab some cash, but try to steal $100 million with a piece of malware, and there’s nobody there to stop them. I mean, the risks of getting caught are very, very low. Anyway, there’s just… We’re on our own.
Wes Shriner:
You just made the business case for a life of crime and danger, right?
Mike Sheward:
Yeah. I think-
Kip Boyle:
I don’t think I’m the first one to point it out.
Mike Sheward:
I think one of the problems, especially in the U.S. with the way things are structured in the Federal Government is that there are so many agencies, and I wish we could hear from Gary, because he probably has an opinion on this, but there are so many agencies that overlap and compete, right? Is it the Secret Service? Is it the FBI? Who does what? Is it Space Force, Cyber Command? Who is it? Who’s in charge of these things? I think that’s part of the challenge, and I think for all these different agencies that we have competing to be responsible, one thing that we actually miss is there’s no NTSB style agency for cybersecurity incidents.
National Transportation Safety Board obviously go investigate marine and aircraft accidents and things like that. If we had that for massive data breaches and after there were big investigations and there were actionable things that came out of those investigations that different places have to do, depending on how much data they have, I think that would be a huge thing and would definitely help people feel like they are getting some level of protection from the government. I just think as it is now, it’s all very segmented and everybody seems to be fighting at each other, or fighting over who gets to call this name, and that kind of sucks a little bit.
Wes Shriner:
Well, and I’m going to pick up on that and talk about the ISACs for just a second, right? I agree with you that it’s difficult for three different retailers to share information about who is attacking who, or who’s being attacked, because we’re in direct competition potentially, and so I don’t necessarily want to share with you how I’m being attacked or what attack is happening.
It’s not because I want you attacked. It’s because, if I share with you how I was attacked, you’ll see into my internals and how I operate. I’m not sure that I want to share how I operate with my competitor. There’s a lot of times a hesitancy to share what vulnerability was exploited and how did the bad guy get in?
The Information Security something Council, ISACs… Are you guys familiar with it? Help me out with that. What’s the name of that?
Kip Boyle:
I don’t know.
Wes Shriner:
There are multiple different ISACs that the U.S. Government sponsors. Each ISAC is for a different industry, and so if you’re in the financial services ISAC or the retailing ISAC, you would be able to share information with a mutual NDA in place for that. Information Sharing and Analysis Center is what the ISACs are.
Kip Boyle:
Ah. [crosstalk]
Mike Sheward:
I was going to say Illinois Student Assistance Commission, because that’s what comes up first on Google, but that’s wrong.
Kip Boyle:
I’m over-acronymed. I don’t even try.
Wes Shriner:
All right, that takes us… That is one way that organizations do share information between companies. I want to call out something that I think is an incredible accomplishment. We are 45 minutes into this podcast episode, and no one… We’re talking about threat intelligence the entire time, and no one, I mean, no one has said the phrase dark web. We haven’t done it. We haven’t said dark web.
Fortunately, my friends, on the next slide, we have an opportunity to say dark web. I know. You’re excited. This is our inputs, processes, and outputs. It begins with our suppliers. Three of the suppliers could be government sources, including those ISACs. It could be Internet sources. Most of our threat intelligence is actually open source intelligence information.
We also may be getting information from our partners, specifically, if my business is selling shoes, I’m not going to be an expert on what the wild is doing and what the wild may be attacking me with next, but Mike brought up earlier that there could be data feeds that I can subscribe to that will provide me information for my business, for my retail business specifically, so that I can be better prepared with threat intelligence that I didn’t have to create myself.
Those threat feeds are usually available through your antivirus tools, through your endpoint detection response tools or your network protection tools, and oftentimes through other vendors, right? There’s a lot of places for your data feeds. We’re going to-
Kip Boyle:
Are you saying Reddit’s not the dark web?
Wes Shriner:
Reddit’s an incredible source, but it is not the dark web, no.
Kip Boyle:
Speak dark to me.
Wes Shriner:
We’re going to use OSINT. We’re going to use the RSS feeds. We’re going to look at antivirus and related tools. We’re going to pull in our government agency information, because the FBI is a great source of sharing information about where attacks may be. I do recommend, if you’re going to work with the FBI, work with them before you have a crisis, right? You don’t want to meet the firemen on the day the building’s burning down. That’s just not how we want to do it, right?
Kip Boyle:
And it’s really easy to meet them. They’re very friendly. Just call them on the phone.
Wes Shriner:
Pretty much, yeah.
Kip Boyle:
That’s what I do.
Wes Shriner:
Yeah, it’s an easy way to go. The dark web… Do work with your organizational leadership, right? Don’t just call the FBI as your threat analyst and say, “Hi guys, my name’s Bob, and I was just hoping to talk to you today.” Do it with your organization’s blessing, permission, and probably with your legal team’s awareness, right? That’s not something you’re going to do on your own.
Then Reddit, actually, is a great source of chatter about what’s going on in the world today. We mine that, and we can get a lot of business intelligence from our threat intelligence information. We’re going to use those sources and many other sources. We’re going to analyze, prioritize, recommend, and report. We saw that intelligence process cycle already.
Then we’re going to create tactical, operational, and strategic reports. Those reports are going to go to our infrastructure teams to protect our infrastructure. They’re going to go to our security team, so that we can better manage our incident response, our vulnerability management priorities, and even our architecture and design strategies. It’s also going to go to our organizational leaders, so that they can understand where it’s safe to travel and where we need to prioritize our organizational assets to be best positioned as a business to be resilient in the long term.
All right, so that’s the SIPOC of the threat intelligence process. My guess is the folks who’ve been doing this a long time… I love it. Gary, you look like you’re in the dark now. You’ve got that even… If you had a hoodie on, I would know for sure you were a threat analyst.
Gary Brown:
It was my theme for the dark web portion of the conversation, yeah, yeah.
Wes Shriner:
You’re back! Tell us everything you can tell us about what you would add to these thoughts.
Gary Brown:
Well, increasingly what we’re seeing, and this is both good and bad, is government agencies are actually stepping in and providing more information, so like the National Security Agency has access to a lot of resources, where they have forward presence even, out in networks maybe of what might be attackers, that corporations can’t legally engage in or do. They’re increasingly providing information to us, and that’s where the government agencies source comes in.
They’re also partnering with the Department of Homeland Security, which does have more direct responsibility for helping defend critical infrastructure in the United States, and they’re providing through an organization called CISA, C-I-S-A, more information to us, as well. That’s good, but that can also be misinterpreted or help prioritize information sometimes in the wrong way, because it has the government imprimatur on it, and therefore, with that, comes the idea of possible government oversight and enforcement. Leadership can get influenced by that, and so that’s a… Helping try to steer towards what the actual threats are, based on all the information, is still an important thing, not just what the government says, and how that applies to your specific operational environment, which you might have a better understanding of, in some cases, than leadership does.
Wes Shriner:
I will build on that, Gary, and say that the U.S. Government has the NIST cybersecurity standard, and that NIST standard calls out specific areas of critical infrastructure for the United States. It’s because I believe the U.S. Government is recognizing that private industries are going to be a part of any future war efforts as economic aspects of every war that may happen in the future, right?
The U.S. Government is working with private industry to shore up the security posture of critical infrastructure areas. One of the ways they’re doing that is through InfraGard, right? InfraGard is a private-public partnership with the FBI for specifically protecting the infrastructure of the U.S. I think that InfraGard also has some threat feeds that may be useful for you as you’re building out your threat intelligence strategy.
Gary Brown:
Then, calling out the suppliers side of things, when you’re talking about suppliers of threat intelligence processes, a lot of times it’s more efficient to get somebody else, an outsider, to do anything on the dark web for you, because the dark web takes, a lot of times, built up relationships, where somebody has to come across as a legit criminal, and they have to have a long history and a record of actually producing cash, for example, to pay for things, as the case may be. That’s not necessarily for the novice to engage in. Unless you’re doing it on a full-time basis, it’s not very efficient, because whatever’s going after your company is probably going to be sporadic, so you’re going to be spending most of your time looking on the dark web for stuff that’s probably not going to be there a whole lot of the time; whereas somebody else can look at it for 50 companies at a time and let them know when something pops up that affects them.
Kip Boyle:
Or you can just read Brian Krebs’ blog.
Gary Brown:
Or read Krebs, yeah.
Kip Boyle:
He’s out there doing that, I know.
Gary Brown:
Sure.
Wes Shriner:
If you did end up on the dark web, what would be some rules about the dark web you’d want to tell the rookie?
Gary Brown:
Well, stay away, as far away as you can from any hint of kiddie porn and report it immediately to your superiors and to the police if it’s found, because…
Wes Shriner:
Well, that’s one good piece of advice, but don’t even look at it from work, right? If you’re-
Gary Brown:
Yeah, well that’s the starter, right? Yeah, go ahead.
Wes Shriner:
You don’t want to be looking at it from your company machine, because that’s going to be broadcasting all sorts of company information, including your source IP address, so just not a good plan.
Gary Brown:
Yeah, right. That’s fundamental and basic. You’d want to use non-attributed browser capabilities, or non-attributed, where it’s not going to be traced back to who you are, which is one more reason to… that it’s not always efficient for everybody to do that. You don’t want them coming to your house, either, by the way.
Wes Shriner:
Mike, did we leave you on mute? Do you want to help us here?
Mike Sheward:
Yeah, I mean dark web stuff, so I haven’t done an awful lot in the space, to be honest. I mostly just strolled around looking for specific things in response to specific events. To be honest, for most organizations, the data that they’re most concerned about losing is on the normal web, and it’s usually poorly secured, and the dark web provides just a more secure backup of it, to be honest, so the less people can find.
It’s like when you get ransomware, and you can finally answer the question, “Do you store your data encrypted?” with a yes. It’s-
Kip Boyle:
Not that you’re cynical.
Mike Sheward:
Yeah, I’m not at all. Yeah, I mean, it’s something to be aware of. It’s something to know how to access and know how to go look up safely if you get very specific things, I think, for most small to medium size companies. Obviously, if you’re in a larger company, you probably have more capability to go do that stuff more frequently.
Yeah, be aware of it. Understand the technology, right? It’s a very useful defensive technology to understand, for intelligence collection, but it’s not something that’s in my top 10 things that I monitor constantly. The other thing I’d say is, like anything, as soon as it falls into the realm of being marketable, like credit reporting agencies that offer to go do dark web scans… Most credit reporting agencies have been breached, so they’re the ones that have lost the information, which they’re now going to tell me is on the dark web, because it was stolen from them, so thanks, folks. I appreciate the insight.
Now that it’s marketable, like anything like that, be aware of the fact that people will try to scare you with those terms and things like that. Always approach things with a fair degree of cynicism in that space, for sure.
Wes Shriner:
Thank you.
Gary Brown:
Most of what you see that’s probably of interest on the dark web is sales of breached information, sales of credentials, because credentials are pretty much top source, along with phishing for attacks happening effectively, and credentials will actually take you further, because they’ll allow escalation, potentially, as well, into applications that somebody has access to with their credentials, in addition to network access. To be honest with you, to me, the dark web stuff is the least interesting part, because it’s very repetitive.
Some people think it’s all like wiseguys, criminal underground, and you get to do deep detective work stuff, you know? For the most part, it’s a bunch of loser criminals, a lot of them from foreign countries, that are selling information they’ve stolen and hoping you’ll buy it sometimes.
Wes Shriner:
[crosstalk]
Gary Brown:
Go ahead. Oh, there’s some malware, too, for that matter, as well. Actually, one of the reports that came out today that they were selling malware that the malware developers are actually lacing with their own back doors and their own web shells to actually access the systems and basically take advantage of the other guy’s effort, the other criminal’s effort, to actually, A, sell the other criminal product, and then take advantage of his work to go ahead and plant their own malware and steal the data themselves, as well, right? No honor among thieves.
Wes Shriner:
What you’re describing right now is that there’s a business that creates malware and a separate business that distributes the malware, and that these are full-time jobs for organizations that are literally in for-profit business in these areas.
Kip Boyle:
Mm-hmm (affirmative).
Gary Brown:
Increasingly, what we’re seeing, especially driven by ransomware and because of the fact of being able to monetize through cryptocurrency and do it anonymously is a specialization within the criminal community, where they’re becoming a much more advanced economy or ecosystem, and they are specializing. The latest thing actually seems to be specializing in doing reverse engineering Zero-Days of applications, including, like mobile banking applications seems to be a target.
Wes Shriner:
Which is why you’ve got to patch your stuff.
Gary Brown:
Well, and secure coding, secure coding, right?
Wes Shriner:
Secure coding, and then patch quickly. The other thing that I heard from this team here in the last couple of minutes was when you steal a physical asset, you have to fence that physical asset, sometimes by laundering it through multiple businesses in order to get it to a place where it is now a clean asset and can be sold again on the common market.
In the same way, when a criminal steals digital assets, those digital assets need to be marketed. Now, just like we talked about a business that creates malware and one that distributes malware, there’s actually auction houses that sell stolen data, as well, right? Those auction houses don’t have to sell the data just once. The beauty of digital data is that it is brand new every time you sell it. In fact, the more times I sell it, the more money I make, but the more times I sell it, the harder it is to attribute to me as the person who took it. It is now multiple copies on multiple different continents, and it is no longer attributable to a specific thief, at least in a lot of ways. I give that to you as we look at the dark web. Don’t think you’re buying the only copy of that digital data.
Gary Brown:
Every time it’s sold, it’s worth less. It’s less useful.
Wes Shriner:
Less useful to the buyer, but it’s more useful to the seller.
Gary Brown:
For the buyer. Very useful to the seller. I agree. Yeah, that’s right.
Wes Shriner:
Right. Right. All right, let’s jump ahead. I don’t see any of you saying, “Hey, Wes, I’ve got one more,” so we’re going to jump ahead into this. This is the fun slide. This tells us a little bit about what the people, the skills, and the tools will be for a person who wants to step into this role, right?
You can be a junior threat analyst, a senior threat analyst, or as Gary described, a principal threat analyst, or principal threat engineer. Sorry. I want to get that right for you, as I’ve watched you grow, right? This can be done at many different levels. The skills are research and analysis. There’s automation and scripting, because the more you can automate, the more data you can process. The more data you can process, the more valuable you are in some ways, right? Your analysis but also the data you process are the two keys there.
I called out influence without authority as one of the key skills. That’s because you don’t own the resources, but you’re making recommendations to your executives as to how resources should be applied. Lastly, we’re translating technology in business. If we can’t translate technology in business well, we are not speaking in the language of our business partners to communicate technical threats.
The tools that we may be using, social media. We may be using the dark web. We may be using Reddit. I think, Gary, you’ve said to me that the most important tool you use is the telephone. I got a kick out of that, because I use voice over IP for everything, but sure, we can call it a telephone if you want.
Gary Brown:
Given my audio problems, given this is practically a telephone, right? Yeah.
Wes Shriner:
Right. Our tools are scripting and data processing and report writing. My point here is that the entrance criteria to step into threat intelligence is not a high bar, but it is a science and an art that comes together to be a very difficult field that we can get better at every day. What would you guys add to that, skills, tools, and experience?
Gary Brown:
I would say oral and written communication, your ability to communicate concisely and accurately information, which honestly, behind that, is the idea of intellectual integrity and a commitment to factual presentation, a commitment to what’s true are very, very critical. Yeah, I mean, that’s the part I was talking about, dissemination, where briefing out the information or writing out that information is very, very, very important, as well.
Wes Shriner:
It is. It is. Kip, Mike, anything you want to add to this?
Mike Sheward:
I was going to say, one of my favorite hires, who I’ve worked with at three different companies, comes from a law enforcement background. She has a lot of these skills from that background that she transferred into a more technical security engineering role. I remember the first time we met, and she was worried that she didn’t have some of the technical skills, but I was super impressed with some of these other things, like the ability to just interrogate and figure things out and be unrelenting.
She came on board that team, my first team there, and then came with me a couple of different companies, as well, along the way, and it’s very similar, right? She has a bunch of experience doing interrogation, being able to study things and figure things out. Then she found that her law enforcement experience doing those things just translated super, super well to IP streaming into logs and doing that kind of threat work, so if you’ve done any of that kind of stuff…
The other thing is forensic accounting or CPA type stuff. If you can spot abnormalities in that kind of data or an interest in trends and things like that, then it’s very transferable into the information security world, for sure.
Wes Shriner:
Nice. Nice.
Gary Brown:
To further build on that idea, also, that the idea of influence without authority, that boils a lot of things into that, as well. There’s the communications skills, but a lot of times, as we discussed, you’re the messenger, and you’re going to be communicating with a lot of other people, other than leadership in some cases, and lines of responsibility aren’t always clear.
How do you get somebody to accept responsibility for remediating something, for example, when they don’t think it’s their job, but there’s nobody else to do it, because they’re pretty busy as it is, right? That’s an example of you have to figure out how to use your influence and, in some cases, pull strings. Relationships end up being, obviously, a huge, huge part of all this.
Yeah, the research and analysis part, there’s a lot of skill that goes into that part. When you talk about analysis in this… I think where I was getting towards building on what Mike said is that the ability to weigh evidence and also the ability to assess risk, which means you can weigh the threat, which means capability and intent, you can weigh the vulnerability and how it applies to your assets, and then the potential impact on those assets and probability. Those are all very, very useful skills when it comes to this.
Wes Shriner:
Cool. You just dropped a couple different definitions for us. The definition of threat is capability plus intent. Is that correct?
Gary Brown:
Yeah, and you can actually-
Wes Shriner:
Opportunity, capability and intent?
Gary Brown:
Yeah, you can add opportunity in there, as well, for sure, because that’s one of the things that we try to prevent. A threat can have capability and intent, but we’re going to try to prevent that opportunity. That’s where we get power in this situation.
Wes Shriner:
Nice. All right, I’m going to take us to the next slide, because this one’s kind of fun. We’re going to go pretty quickly across it, so we’re not going to get to drain this one, but if we were doing a threat intelligence report for the Empire, reporting on the potential threat of the Death Star being destroyed by some ideological adversary, Skywalker off of Tatooine.
Gary Brown:
Jedi skills, right.
Wes Shriner:
We might start to look at the adversary, the infrastructure, the victim, and the capabilities against a sociopolitical axis and a technical axis to understand their capabilities. Yeah.
Gary Brown:
Yeah, so a lot of times, how you can understand… The easiest way to understand who a threat might be, without knowing much else, is look at who the victim is, and who would want to attack the victim, because usually people don’t spend resources attacking people that they don’t have any interest in attacking. Part of that victim, part of that, is what are they going after, in terms of what the information is, right?
Sometimes you can tell that by even the specific victim. For example, if they’re going after a specific person they found on LinkedIn that might have access to intellectual property, for example, like a lawyer for a company, for example. That’s the first and easiest way. The other things are a little bit more hard, hard won and a little bit more shift in changing, and that is you figure these out over time, and that is what their infrastructure is.
In this case, when we’re talking about infrastructure, we’re talking about how they use infrastructure, like what services they use, what fake websites or typosquat websites they use, what email addresses they use to send email, and then sort of along with that, what their different what we would call indicators of compromise are, which would be, for example, the types of malware that they use, or specific malware that they use, and then their capabilities would also kind of… Malware sort of blends there both ways, depending. Their capabilities would include the tactics that they use and how well they use them, their operational security and how good that is.
Nation-states will tend to have really, really good operational security. They can do that, in part, not just from skill and training, which they can really invest in, but also because their timeline or horizon is a lot longer. They can be very quiet, like in the SolarWinds attacks that happened recently, which were a supply chain attack on a piece of very widespread software. They waited like 13 days after they got access, 12 to 14 days, I think it was, after they got access before they made their first little move, just to avoid detection; whereas, a crime group wants to get to that money right away, so they can get on to the next target normally, so there’s that difference.
Wes Shriner:
And-
Gary Brown:
Go ahead.
Wes Shriner:
What’s really interesting about this threat is that this is going to fall in that 100-year flood category, right? This may be 100 years this might happen, but not even likely to be every 100 years. What are the chances that some Rogue Squadron womp rat shooter from Tatooine is going to take out a mighty Death Star, right? We would’ve actually probably ignored this threat.
Gary Brown:
Absolutely. Yeah, not a threat.
Kip Boyle:
Grand Moff Tarkin did ignore it, right?
Gary Brown:
Right.
Kip Boyle:
Remember the intelligence officer, “Sir, there is a threat.”
“What? In a moment of triumph?”
Gary Brown:
May I have your estimate of the Jedi hackers?
Kip Boyle:
You can be the best threat intelligence person on the face of the planet, or the space station, and the decision makers still might tell you to go pound sand.
Gary Brown:
It’s all about weighing risk, right.
Wes Shriner:
On that, my friends, we’re going to jump ahead to giving our guests the last word. I do want to hear from both of you today. What have been the keys to your success? What was, for you, your keys to success?
Gary Brown:
Mike?
Mike Sheward:
Okay, I’ll go for it. Keys to success: Don’t take yourself too seriously. Enjoy it. If you ever find yourself frustrated or unable to solve a problem, walk away for a few minutes or an hour, or whatever it takes to do something away from a screen, and you’ll probably figure it out. Sometimes that happens at like 3:00 a.m., and you just wake up and you’re like, “Ah!” And you have to go resolve that instantly, which makes you very successful, but can also annoy your partner, so just be aware of that.
Kip Boyle:
It’s almost 3:00 a.m. as we record this, so we had to give everybody some problems.
Wes Shriner:
I used to keep a notepad beside my bed, because I didn’t want to have to stay awake and think about it or try and remember it for the morning, so you just jot it and go back to sleep, which is great for intel response, as well.
Gary Brown:
Yeah, that’s thinking. Good in the shower, too. Good thinking time, right?
Mike Sheward:
Yeah, exactly. Yeah, for the other questions, so if my mentee were in school currently and interested in the fields, what would you tell them to focus on? I’d say, whatever you find interesting, but don’t be so closed off that you stick to that forever. I’ve kind of gone backwards and forwards over the years. Now, I’m obviously in a security leadership role and I started out in pen testing and forensics, and then incident response. Then I still considered myself more of a forensics person, but then I really considered myself more of a pen tester again, just because of what I’ve been able to do, and obviously being in a leadership role, you get to do a bit of everything anyway and do all the managery stuff, as well.
Wes Shriner:
There’s another new word.
Mike Sheward:
There have been a lot of pluses. Yeah, managery.
Wes Shriner:
Is that from 52, as well?
Mike Sheward:
That’s actually from, yeah, that’s from an upcoming book on random, made up words for leadership conversations that help you.
Wes Shriner:
Nice.
Mike Sheward:
Yeah, pick a thing if you really want to focus on it. Never be overwhelmed by… Information security is a huge field. There is no single expert in it. There are people that have expertise in very specific areas. You’ll see them on Twitter. You’ll see different people. There’s kind of the old school celebrities in the space and things like that. Never be… There’s a lot of gate keeping that goes on. Never be put off by that. For every one that does the gate keeper kind of thing, there’s like 52 million other people that will help you succeed, so focus on them.
Then, I guess, for the last one, what do you know now that you wish you knew then? I would say that one thing that I didn’t consider early on that I now consider a lot more is the human factors and the fact that the computers didn’t just start up, just didn’t start up in attacking themselves and each other, or decide to do a bad thing one day. There was some human directing them.
One story that I like to tell a lot when I talk about what I mean by this is when I did a forensics exam on a machine, basically the person had been… The person had allegedly stolen a file containing a bunch of PII for their whole organization, all the payroll information, all that kind of stuff. The way that the company had found out that this information had been stolen is because it appeared in email. Basically, that person claimed, “Well, it was an accidental thing. I accidentally emailed the wrong file to myself at home.” In order to clear that up, they asked to do forensics on that person’s personal machine to prove that they’d accidentally got it and then deleted it straightaway.
When I went in to image the machine, I was literally sat in that person’s lawyer’s office, opposite that person and their 17-year-old son, who came along for reasons that I don’t fully understand, and they just stared at me the whole time, like they wanted to destroy me. That was very early on in my career, and I was very young. I remember texting my fiance and saying, “There are people staring at me while I image this drive.” Of course, it was like a one terabyte drive, and it was the early 2010s, so it was going along very slowly.
Yeah, people are behind a lot of this stuff. Never lose sight of the fact that people are involved, and always consider your people skills, as well. Sometimes it’s nice to be able to hide in the tech, but where there are computers, there are people directing them, so remember that.
Kip Boyle:
Love it.
Wes Shriner:
Nice. Thank you. Gary, Gary, what have been the keys to your success, sir?
Gary Brown:
This is the part where I get to say all that stuff Mike just said-
Kip Boyle:
Ditto.
Gary Brown:
And just build on it. Right, yeah. Yes, thanks for the opener there, Mike.
First off, what do you view this job as? Do you view it as a job, or do you view it as a profession, or do you view it as a calling? I’ve had jobs. I’ve had a couple professions, but I always felt like my calling was actually to do threat intelligence. My Command and Control work was on the way there. My risk management work for insurance companies before I got in the Air Force was building towards that. That was a job. The next one became a profession, and then I got to my calling.
Your calling should obviously be something you’re passionate about, but the key there is going to be persistence because, although you’ve probably had more opportunity these days than I had when I graduated from school, you’re not going to have immediate success, nor do you necessarily deserve immediate success.
Wes Shriner:
Oh, you can’t say that!
Gary Brown:
Just because-
Kip Boyle:
Arrogance.
Gary Brown:
Right? What you really need to learn how to do is you need to learn how to work hard. I got my start picking strawberries in a strawberry field actually, so yeah, work hard. Don’t be afraid to tackle tough jobs and work hard at them, because there’s a lot of different things to work as you learn.
Don’t be entitled. You’re fortunate to live in what I believe to be the greatest country on earth at one of the best times to have ever lived, for all kinds of reasons. You have an enormous number of reasons to have gratitude and to adopt that gratitude as a constant attitude that you take on. That will massively contribute to your building something that is otherwise going to be hard to build, called humility, that you’ll never really know when you have it, but other people will.
If you take that attitude, and then move forward in what I would say something that drives me is intellectual curiosity, that I consider pretty much mandatory for this field for you to really succeed, then I think you’ll be a success.
Then, so that’s question one. If my mentee were in school currently and interested in fields of cybersecurity, what would you tell them to focus on? I’m going to go broad with this one, and then I’m going to say something that affects every field in cybersecurity that I think not enough people understand well is the discipline of how to understand and evaluate risk, and to think about that. That includes things like weighing evidence, that is in itself a discipline that you have to train your mind to do, that enormous numbers of people out there do not do.
Then, focus on learning things accurately and conveying them accurately. Force yourself to do that, and you’ll be on the road towards being a good analyst, because we don’t have any use for analysis that’s not based on facts. I’ve seen it happen, actually unfortunately probably got somebody fired one time, because I challenged their analysis-
Wes Shriner:
Oh no!
Gary Brown:
Which was based on essentially lies. Yeah, don’t do that.
Then, what do you know now that you wish you knew then? I would say, stick your neck out. Take some risks. The field of cyber intelligence is incredibly broad and still not entirely defined, not just at the corporate level, but in a lot of people’s minds.
Like I said, I think, in the opening slide almost, there’s a very tactical view right now of cyber intelligence in corporations, but the world of intelligence and cyber intelligence is much, much broader than that tactical view. If you do take some risks in this field, I think people will be surprised, and they’ll see something new, and take the initiative.
Wes Shriner:
Outstanding. Outstanding. Thank you. Thank you, both. These are really good recommendations for our audience, for the 13 people who are left with us [crosstalk] discipline. All right. It is getting late, or maybe early, depending on how you measure it.
There are three takeaways for today. Threat intelligence is an emerging capability in the private sector, emerging in every way, and you have an opportunity to help define it, as you define it for your organization. It’s not just a technical discipline. This is a business strategy organization, as well, and opportunities exist for people who love to take data to the next level of detail.
With those key takeaways, next week we’re going to have a lot of fun with identity and access management. Once you understand what your threats are, we’ve got to understand what we need to protect, and that’s that next step. We’ll take a look at identity and access management next. Kip, what’ve you got for us today?
Kip Boyle:
All right, so we’re going to wrap up this episode. Did you know we have a free guide for you, to help you figure out what your dream cybersecurity job is, and then how to actually go and get it? It’s a free guide. It’s yours for the taking. You can see a little screenshot of a couple of the pages right there on the slide.
It’s called Play to Win: Getting Your Dream Cybersecurity Job. If you’ve ever played capture the flag, what we’re going to do is teach you how to take those skills and put them towards getting your dream job. It just is super helpful. We’ve gotten some good feedback on this. It’s 20 pages, very visual, step by step. It just tells you what the big blockers are and how to overcome them, how to go over them, go around them, go under them, bust on through them. The way you get it is you go to YourCyberPath.com/pdf, and you can snag it for yourself.
Thanks for being here, everybody. Thanks to our guests. Thanks, Wes. Just remember you’re one path away from your dream cybersecurity job. We’ll see you next time.
YOUR HOST:
Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!
YOUR CO-HOST:
Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.