Cyber Threat Intelligence Podcast

Season 1 - Episode 1 (Pedro Kertzman & Mary D'Angelo)


On this episode of Season 1, our Host Pedro Kertzman will chat with Mary D’Angelo, who is a Cyber Threat Intelligence Solutions Lead at Filigran, dedicated to helping organizations integrate actionable threat intelligence across silos. She emphasizes the need for a top-down cultural shift to demonstrate threat intelligence’s ROI to executives. Focused on dark web threats and ransomware attacks, Mary is a strong advocate for democratizing intelligence sharing. She is passionate about mentoring the next generation of cybersecurity professionals while staying at the forefront of emerging threats and AI-driven intelligence.


Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure!

Mary D'Angelo:

Sets you up to be more of a proactive organization, as opposed to being reactive when it comes to cyber threats.

Rachael:

Hello and welcome to the very first episode of your Cyber Threat Intelligence Podcast. Whether you're a seasoned CTI expert, a cybersecurity professional, or simply curious about the digital battlefield, our expert guests and hosts will break down complex topics into actionable insights. On this episode of season one, our host Pedro Kertzman will chat with Mary D'Angelo, who is a Cyber Threat Intelligence Solutions Lead at Filigran, dedicated to helping organizations integrate actionable threat intelligence across silos. She emphasizes the need for a top-down cultural shift to demonstrate threat intelligence's ROI to executives. Focused on dark web threats and ransomware attacks, Mary is a strong advocate for democratizing intelligence sharing. Over to you, Pedro.

Pedro Kertzman:

Mary, thank you so much for coming to the show. It's amazing to have you here.

Mary D'Angelo:

Yes, thank you so much. I'm so excited to be here with you today.

Pedro Kertzman:

One of the main reasons I'm super excited to have you on the very first episode is because of your role. If I heard it correctly, part of it is to democratize CTI, right?

Mary D'Angelo:

Yeah, definitely.

Pedro Kertzman:

That's awesome. And how did you end up in this role in the first place?

Mary D'Angelo:

It's interesting how I got to this point, because if I looked back 10 years from now, I would have no idea what even democratizing threat intelligence means, let alone that I would be here championing it. So my background actually isn't cyber at all. I came from a business communications and marketing background, but I was first recruited to work for a cybersecurity company. So that was when I first got into the cyber space and started working with, you know, practitioners, analysts, as well as C-levels of organizations of all different sizes. I was working for Darktrace for a couple of years, and after working there, I got recruited to work for a company that specialized purely in dark web threat intelligence. And so that brought me into this CTI world with an emphasis on dark web threat intel, and that was so eye-opening for me. It was an extremely exciting time for me as well, because, you know, so often when it comes to cybersecurity, people are so reactive, right? It's like when an attack happens, then the incident response team responds. But what I loved about this company that I was working for was they were all about, you know, shifting left on the Cyber Kill Chain. So if you're familiar with the Cyber Kill Chain, it's the stages that a threat actor takes in order to achieve their objective, and where most security teams were focusing was like stage two or three or four, whereas CTI was like, no, we need to shift as far left as possible. And as they would say, far left, left of boom, because they use a lot of military terminology in the CTI world. And so that was so amazing. I expressed a lot of interest with the company I was working for, and so they led me down more of a technical path.
So they did a ton of training for me, not only to do investigations within the dark web, but to understand how the dark and deep web work, how it's like a criminal underground for threat actors, and the importance of monitoring it. I was with them for a couple of years, but it was only when I was at an event, and at this time, I think a year or so ago, LockBit, the ransomware group, was going crazy. They were targeting the majority of hospitals in America, and to me, it's one thing when you're targeting hospitals; it's nothing like targeting an insurance firm or financial firms, right? Because there are real lives at stake when you're focusing on hospitals. And some of these ransomware groups were very, very malicious, like they were going after children's hospitals, yeah. And so the stakes were much higher. And I remember, because we were monitoring the dark web and we were receiving notifications of the movements of these threat actors, I remember seeing so many initial access brokers selling credentials for hospitals, like every single day. And so part of their process of how they worked, or their TTPs, is like someone gains access to a hospital, maybe through an insider threat. They take that information, they sell it on the dark web. But they're very, very vague about the information they have. So they have some type of credentials. They won't name the hospital. They'll say, like, the area of the hospital, the revenue size of the hospital. And so if you are that hospital, oftentimes they don't have threat intelligence teams. And if they do have a threat intelligence team, it's so hard for them to sift through all this intel, right? Because we get alerts constantly.
And so it got to a point where, I think, in this particular example, dark soul was the name of the initial access broker who was just selling all of these credentials, which then were purchased by LockBit or other ransomware groups who then used them to exploit and attack these organizations. And I just remember seeing all of this intel out there, and there was absolutely nothing we could do about it, right? What's the example? It was like you see a train about to crash, you know? And you're on the sidelines, and there's nothing you can do but just watch it crash. And so that kind of brought me more into, okay, there needs to be a shift here in terms of how we share threat intelligence, you know. And I will say it has changed over the years. I don't want to say that sharing threat intelligence hasn't been great, because it has been; it's changed so much, especially within the past five to seven years, especially, you know, with the involvement of ISACs, various government agencies that help with it, and also private firms that set up their own communities for threat intel sharing. So after going through that, it kind of led me to Filigran, where I work now as the solutions lead, and it was awesome. It seemed like all the stars aligned, because Filigran was exactly what I was looking at. They were all about the CEOs, all about democratizing cyber threat intelligence, like, you know, we as the good guys need to work together, you know, with all of our resources, to be able to essentially protect ourselves from the threat actors out there. Because cyber threat intelligence is like a puzzle, right? It's a puzzle. You need all pieces of the puzzle in order for it to be productive or effective.
And if organizations are just holding on to one piece of the puzzle and not sharing it with each other, then it's rendered useless. And so that's how I landed here. And I've been here with Filigran for about eight months now, working very closely with our clients. So I did a lot of on-site work trying to understand their threat intelligence, their requirements, you know, where their industry stands and what their landscape looks like, and then making sure that they're getting the right intel they need and building the workflows they need in order to protect and mitigate any sort of risk.

Pedro Kertzman:

Through your journey here. That's amazing. And you're talking about your day-to-day work with your customers, trying to leverage the best of threat intelligence. Any thoughts on why it is so important for companies to be on top of cyber threat intelligence?

Mary D'Angelo:

Yeah. So I think I could start by saying the value of cyber threat intelligence, right? So really, the primary function of CTI is to reduce uncertainty for stakeholders, and that could be stakeholders from a full range across an organization with completely different objectives. And so the CTI role is to make sure that they are providing intel for those various stakeholders, from a strategic level, an operational level and a tactical level. And I know I've talked about this a few times before in the past: when it comes to threat intelligence, the main three buckets are your strategic, tactical and operational threat intelligence. So strategic being more of your executive level, trying to make informed decisions about long-term security risk management, regulatory compliance, understanding your overall threat landscape. Who are the threat actors targeting my organization or my industry? Operational has to do more with supporting SOCs, improving detection, response, and mitigation of cyber threats, using threat intel for those purposes. And then tactical is more, I think, right here and now, you know, having a considered response, understanding the adversary's TTPs, tactics, techniques and procedures, in order to be more proactive. And so if you have CTI done correctly, it'd be permeated in every single aspect of an organization, really, in order to reduce uncertainty. And that just makes it better for strategic planning, better risk assessment, and it sets you up to be more of a proactive organization, as opposed to being reactive when it comes to cyber threats.

Pedro Kertzman:

Excellent. And any insights about companies that perhaps could be seen as competitors because they are from the same industry, they serve the same population? Should they share threat intelligence? Yeah, any insights about that?

Mary D'Angelo:

Yeah, that's kind of an interesting question, right? Because there's also, like, sort of a moral dilemma behind it as well, because if you are gatekeeping this intel. Like, the hospital is a great example of this. If a commercial company, like a commercial feed, has this intel that could potentially help hospitals, right, like stopping an attack, and when a hospital gets attacked, more often than not, lives are at stake, right? And so it's hard to navigate, because we understand these companies are trying to make money too, and also sharing intel isn't always effective, right? If it's not done properly, it could get in the hands of the wrong people. And also, you know, as much as we are tracking our adversaries, they are tracking us as well, and they're tracking us very closely. So if we are sharing this intel, we have to make sure we're doing it in a very secure way. And so I think, to start, I will say, you know, it's changed so much. People are always talking about how organizations need to start sharing and democratizing threat intelligence, making it more available. And it's gotten so much better. I mean, especially with, you know, the role the ISACs have taken, and how the FBI has played a big role in this as well. And there are a ton of different groups. Like, I know, at least for OpenCTI, we have a Slack channel with over 4000 users, all practitioners. And a big part of that is to share intel amongst various, you know, different oil and gas firms, to share with other oil and gas firms. So in that sense, if they have, let's say, a commercial feed, and I've seen this before, where a large oil and gas firm will receive a commercial feed saying this oil and gas firm is being targeted, what they will do is share that piece of intel with the rest of those in their sector. And so that's important.
So I don't think the onus necessarily needs to be on the commercial threat intelligence firms, but they need someone to be sharing this out. I think if it's done correctly, it'll eventually get to the right folks. But also, when we talk about the timeliness of intel, right? A big, important aspect of intel is the timeliness of it, right? If it's even a day too late, it's rendered useless. And so that's also, you know, another factor that plays into it.

Pedro Kertzman:

Got it. Do you think it would be fair to say that when building a CTI program, for example, companies should at the very beginning think about how they could potentially share information with their peers, in case they receive any relevant CTI information that actually shows them one of their peers is being targeted, so they know the channels to share that information instead of running around screaming and trying to find the right person to share that information with?

Mary D'Angelo:

Yeah, I was on that side too. When I was working for the dark web threat intelligence company, there would be times when I saw, there's like a major airline, and someone, I forgot the type of access this initial access broker was selling for this airline, but it was just out there. And of course, threat actors are incredibly sneaky about how they put this information out there. So if you are an airline and you're only monitoring the name of your company, you would totally miss this piece of intel, because the threat actors are sneaky, and so they'll just put, like, the revenue size of the company, where the company is based. And so since I came across that piece of intel, I was like, okay, this is huge. This is something we need to share. I just reached out to the cybersecurity, the CTI team at the airline, letting them know about it, and they were so taken by surprise with it. That's just one example. There are, you know, again, the ISACs really play a huge role in this. There are a ton of different communities out there that you can join. Another plug is, we have Women in CTI that was started by me and another colleague at Filigran, and so it's another great place for people to share intel in a safer space.

Pedro Kertzman:

Yeah, okay, thanks for sharing that. So I imagine you saw so many examples throughout your previous roles and in the current role as well. What would be the do's and don'ts when it comes to implementing CTI at a company and advancing that practice within those companies?

Mary D'Angelo:

I have some do's and don'ts that I like to give, but they're kind of all over the place, and they're very important. So just bear with me as I go through some of them. Basically, the main purpose of CTI is to block emerging attacks, right? So you want to make sure the intelligence that you're using helps stop the attack within the Cyber Kill Chain. You want to stop it as early on as possible, so that the attacker will have to start from the very beginning. And so in order to do that, you want to make sure that the intelligence that you're receiving is accurate before you actually apply it. So sometimes, you know, you'll always hear threat intelligence practitioners complaining a lot about false positives, and oftentimes, when you get a lot of open source intel, some of the IOCs may be a little bit broad; it'll say something like Cloudflare, AWS or Google infrastructure. So that's not what you want to action upon, because then you're shutting down your Google infrastructure, which is like the lifeblood of an organization. So that's something, you know, that is very high priority. And there's also expiring your outdated data. Threat intelligence, as you know, loses relevance over time, and so you want to ensure your firewalls and security systems don't rely on stale IOCs, so making sure you're cleaning through it. I know I have some clients that do it every couple of months; they go and they clean through it, some even sooner than that. So it just depends on how your organization is structured. Very importantly, too, so you're not wasting anyone's time, you want to meet with all the various stakeholders across the organization and really define their CTI requirements, because your intelligence must serve a very clear business security perspective. And then lastly, this is big as well.
It's very important to differentiate between data and intelligence. So threat feeds are not intelligence. IOCs alone are just raw data, right? Intelligence is processed, it's analyzed, and it makes assessments about future risks. So having that understanding matters, because I know a lot of people who say CTI, they think it's just data, it's IOCs. No, it's not. It's already been processed. It's been analyzed. It has a fundamental purpose behind it. Okay, so some don'ts. So the first one is, I would say, don't blindly trust vendor-provided attribution. Always, always verify intelligence before action. Oftentimes, teams will have, you want to make sure everyone on your team is on the same page in terms of how you define your confidence metrics or your likelihood, your confidence levels, right? And so having very precise numerical values for consistency across your organization must be established so that you're all speaking the same language, and it just helps communication across the team. And then also, don't push out CTI that doesn't benefit stakeholders. That kind of goes back to what I was talking about, about making sure you have an understanding of what the stakeholders' needs are, building a CTI program around their use cases. And at the same time, if you have intelligence that is not related to stakeholders, don't push it out. If it's not relevant, if it's not actionable, it's just noise. And as everyone in this CTI world, security world, knows, it's, what is it? Noise. Fatigue. Alert fatigue. Yeah. So, yeah.

Pedro Kertzman:

That was super insightful. Thank you. Any other best practices worth sharing?

Mary D'Angelo:

Yeah, so I think, and this is something that I've been looking into more recently. So when you're building out a cyber threat intelligence team, right, you'll have your intelligence analysts, and then you have your technical analysts, so these people that will probably work on SOC teams. Now, when they're working together for your CTI program, communication can be extremely difficult, because the CTI folks have a strong understanding of how to gather the intelligence, how to analyze intelligence, and how to properly communicate that intelligence, whereas when you're dealing with technical information security professionals who are also trying to get into intel, there's a big gap, right? Because they don't know how to communicate with each other, and so that's something to be aware of, because you'd want to make sure that you can work through the differences in communication so that both parties are more effective. Otherwise it could become, you know, bogged down with so much noise and miscommunication and ultimately ineffective. It got a little chaotic, yeah.

Pedro Kertzman:

Do you think the MITRE ATT&CK framework, or any industry-recognized common body of knowledge, could help with this type of communication issue, or is there any other best practice on how to make sure that's not happening within your organization?

Mary D'Angelo:

Yeah, I think it's very important for organizations to have a strong understanding of their vertical landscape. So, you know, again, back to the hospital example, if you're a hospital, having a strong understanding of what that landscape looks like from a cyber perspective, and then aligning that intelligence with the MITRE ATT&CK framework in order to map out gaps in coverage against those targeted actors. So I think that is, it's also not that hard to do, but it just requires more upfront work of trying to understand what my threat landscape looks like here, and then aligning that with the MITRE ATT&CK framework so that you can find the gaps more easily. And then you can prioritize, you know, where you need to spend your time. Perfect.

Pedro Kertzman:

And what about sharpening your CTI knowledge? What do you like to use? Blogs or social media or books?

Mary D'Angelo:

Yeah. So there is this saying in the CTI world that if it's already printed, if it's already a book, then it's out of date. Which makes sense, although I will say there are a few trusted source sites that I'll receive notifications from, just to keep me updated on the political climate, cyber climate, and there are also a few different articles I think that I found recently that were extremely helpful, especially as they talk to some of what we were talking about today, about the gaps between the technical analysts and the intel analysts and their communication barriers. And so I think that was a Carnegie Mellon article, which is a great tradecraft report, the state of cyber threat intelligence. I am going to plug OpenCTI, the company that I work for. They send out emails on a weekly basis of, you know, what we might be seeing in the threat intel world, some of the challenges that various sectors might see.

Pedro Kertzman:

Is it for customers only or the general public as well?

Mary D'Angelo:

No, the general public.

Pedro Kertzman:

Is it just going to the Filigran website and subscribing to the newsletter or something?

Mary D'Angelo:

Okay? Yeah, awesome, yeah, subscribing to that. And so we're an open source company at heart, right? And so most of the information that we try to provide is by our community of people, so real analysts, real practitioners, what they find to be valuable. And

Pedro Kertzman:

If any of the listeners wanted to follow you or see more of your work, get, you know, more information about CTI from you, what would be the best way to do that? A blog, social media?

Mary D'Angelo:

So LinkedIn is my go-to right now. I've posted a couple of articles on there, mostly around democratizing cyber threat intelligence, you know, making it, as I mentioned, the whole LockBit story, the importance and the value of how we need to stand together as organizations against these threat actors. Yeah, so feel free to add me on LinkedIn. Send me a message, and I have some articles and other interviews on there as well.

Pedro Kertzman:

That's great, Mary. Thank you so very much for coming to the show. Really happy to have you here for the first episode, and I hope I'll see you around.

Mary D'Angelo:

Perfect. Thank you so much, Pedro. Great speaking with you.

Rachael:

And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast; we'd love to hear from you. If you know anyone with CTI expertise that would like to be interviewed on the show, just let us know. Until next time, stay sharp and stay secure.
