Cyber Threat Intelligence Podcast

Season 1 - Episode 2 (Pedro Kertzman & A. Stryker)


Threat intelligence forms the backbone of effective cybersecurity strategy, but what does it really take to build a successful CTI program? In this fascinating conversation, Stryker, a threat intelligence analyst at a major US insurance company, challenges conventional wisdom by asserting that while every organization needs threat information, not every organization requires a dedicated threat intelligence team.

Drawing from her unconventional journey from marketing professional to threat intelligence analyst, Stryker offers a refreshing perspective on career transitions in cybersecurity. "I'm a poster child for having to do everything the difficult way," she admits, before revealing how she recontextualized her decade of content marketing experience into valuable security skills. Her story demolishes the myth that there's only one path into the industry, though she acknowledges the reality: "It's not an entry-level position... you have to be that much better than everybody else to overcome bias."

The conversation delves into the maturity spectrum of threat intelligence capabilities, from organizations just beginning to monitor key resources to those with fully dedicated teams. Stryker provides practical advice on selecting security partners who offer contextual guidance rather than checkbox compliance: "Listen for the ones who say 'no, and here's why, but here's what you can do instead.' That's the sign of an organization that wants to be a partner."

For professionals looking to sharpen their CTI knowledge, Stryker emphasizes the importance of primary sources over media summaries and shares her methodology for building a comprehensive intelligence feed. She also reveals her unique approach to helping others transition into cybersecurity through her "Career Campaigns" workshop, which uses tabletop RPG concepts to help people reimagine their professional skills.

Whether you're building a threat intelligence program, considering a career pivot, or simply fascinated by the evolving landscape of cybersecurity, this episode offers invaluable insights from someone who's navigated the journey firsthand. Subscribe now for more conversations with Cyber Threat Intelligence thought leaders who are reshaping how we think about CTI.


Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure!

A. Stryker:

Every organization needs threat information in order to make sure they're staying safe.

Rachael Tyrell:

Hello and welcome to Episode 2, Season 1 of your Cyber Threat Intelligence podcast. Whether you're a seasoned CTI expert, a cybersecurity professional or simply curious about the digital battlefield, our expert guests and hosts will break down complex topics into actionable insights. On this episode of Season 1, our host, Pedro Kertzman, will chat with Stryker, who is a threat intelligence analyst at a US insurance company, where she translates technical research and qualitative intelligence into the "so what" and "what now" solutions that keep more people safe and secure. Her previous talks, given at BSides Las Vegas, DEF CON and SecTor, cover career transitions and advanced adversary tactics. Over to you, Pedro.

Pedro Kertzman:

Stryker, thanks a lot for being on the show. So glad to have you here.

A. Stryker:

Thank you so much for having me, Pedro. I'm really excited.

Pedro Kertzman:

Would you like to maybe start introducing yourself or mentioning that little disclaimer?

A. Stryker:

Yes, bless you. It has been my understanding that most cybersecurity professionals at some point will get intimately familiar with their legal department, and so I have been instructed to say: hi, my name is Stryker. I work for a large US insurance company that you may or may not know, and the following conversation will be my personal opinions, experience, research, etc., and is not necessarily reflective of what we do at work or what my employer thinks. Beyond that, hi, I'm Stryker.

A. Stryker:

I'm a threat intel analyst working on a team of about five or six people. We are a private threat intelligence group and team within a larger cybersecurity organization, which is quite a privilege; many organizations have CTI wound into their overall security operations, either deliberately or just through circumstance. Our team is primarily focused on external threat indicators, and our job is to read through all of our lovely alerts and all of our different media sources (I do a lot of reading, which is fun), boil it down to the pieces that matter, and then get that information, in different formats and with different emphases, to the different teams so they can do something about it, or at least have it considered as they work on more strategic projects. One of the key points we often focus on is: why does this matter to our org, versus what we find personally interesting? That can be quite the struggle; there are lots of things I want to know more about that aren't necessarily important to anybody at my organization. And how do we best communicate that information? What format? What are they most interested in? How can we anticipate and be more proactive with that information?

A. Stryker:

One of the other things our CTI group does is we have threat hunters. Our intelligence analysts will give our threat hunters a heads up: hey, this happened. And they can go into our EDR and our logs and our SIEM and our source and see, hey, have we alerted to something like this retrospectively? And if we haven't, let's get some automations and some hunts in place so that we can make sure that we continue to be covered. That is also kind of a unique function within the threat intel program, and our hunters do a wonderful job.

Pedro Kertzman:

Yeah, thanks for the overview. I usually like asking the guests about their journey to CTI. You know, for people listening, do they have to go through the military first, and only then will they be worthy within the CTI industry? Or, you know, your journey, so people can kind of demystify a little bit how to get into the industry.

A. Stryker:

I am an odd duck, and I think that is a good place to start. I did not pick the easy way into the industry. I am a poster child for having to do everything the difficult way. I will agree with people online who say that cybersecurity in general is not an entry-level position. It is not something for most people without years of personal experience. I'm not even going to say they need professional experience, but if you haven't been intimately involved with, you know, networking, cloud work, doing lots of projects on your own and really getting involved in that way, it's going to be difficult to prove the expertise you need, not only on an IT level but on a cyber level, in order to get that first position. So that's just setting the standard of the easiest way to get in, right, and that is actually how I think one of my colleagues got in. She worked in military intelligence.

A. Stryker:

To your point about do you have to go military, one of them ended up going into the military and was in intel for quite a few years, and then left and was a consultant at a consulting firm for six years before arriving at our organization. So that's another pathway that many people take to get into private sector intelligence, or cybersecurity frankly: start in the military and then move to a consulting firm, and then, oftentimes, because they have security clearances, those are very desirable, so all of the federal contractors say, hey, I can pay you twice what you're making in the military, just do what you did as my contractor. I have another coworker who also came from the military and then went to a cybersecurity vendor after her time in the military as an intel analyst. So that's a second route: many cybersecurity vendors, whether that's a managed services provider or a managed security services provider (so an MSP and an MSSP), and all of your various makers and purveyors of security tech, all want that military cyber experience. So again, I'm very good at certain parts of what I do. This is not necessarily something I would recommend doing, but I do have lessons from how I approached it.

A. Stryker:

Long story short, my degree is in professional writing, from many years ago. I worked as a marketer for 10 plus years, and the fun thing about my brand of marketing is that it's called content marketing. So it's all about how do you make things of value for people that they don't have to pay for and can use right away. They don't have to do a demo, they don't have to buy your good or service; it is valuable for them, as you are and as they are, right then. I spent 10 plus years doing this and went into a whole bunch of different industries, from K through 12 private school consulting through basically an eBay for businesses, where I once wrote up something on how do you sell a used chocolate manufacturing line out of Dubai. How do you find sellers for that? That was an interesting one. And ultimately I ended up at a cybersecurity vendor.

A. Stryker:

My husband at the time was a developer, had been for our entire relationship, and I wanted to know more about his world. I had been exposed to it through that, and so I started writing these research papers, these tools, these webinars for cybersecurity experts. One of the things you have to do when you're writing these sorts of things is get to know the community, get to know the people that you're trying to appeal to and work for, and it turns out I love them. They are my tribe, my people. I had always felt a little bit weird in marketing, and I'll pause there and say that almost every cybersecurity person I have met, to a person, has not felt comfortable at their first, non-cyber position. This often takes the form of: they used to work in IT at a help desk and they were tired of just doing things.

A. Stryker:

They wanted to, one, make more money but, two, solve the problems of the business, not necessarily by facilitating operations but by stopping bad guys from stopping the business. There is this wanting to do more and not feeling at home or at ease with your original workmates that I think almost everyone I have met who works in InfoSec or cybersecurity (which are different) discovered at some point, and so I had that same feeling, just in marketing. I never belonged in marketing. I was always asking, okay, so ideally that's what happens, but what about this very obvious risk that you could possibly be having? Or I was looking at the data and saying, okay, this is the thing that we really need to be doing most based on the data. A lot of organizations want to say they're data driven. Most of the time they're emotional people making data-driven decisions.

A. Stryker:

I found kindred spirits in security who said, no, you're right, that makes complete sense, you should do it that way. Or: here are all of the reasons why we wanted to do something this way. People in cyber also really love to explain how they got from point A to B, which I really appreciate. It teaches me. I then paid, as a marketer (I was still working for this company at the time), to go to Black Hat and DEF CON by myself.

A. Stryker:

I had a friend go with me so I didn't get lost in Vegas completely alone, but I went and I basically found people and said, hey, do you think you guys could use somebody like me who's good with words? And I was told by a lot of really lovely people: yes, yes, we could use you. And so I then spent that entire fall blitzing a whole bunch of certifications, at least exams, and realizing that a lot of the work I had done in my marketing life had been security and cyber related, because when you work for smaller businesses and you're one of the more technically inclined people, you just end up either being the IT person or the person running digital cloud services. And so I had done a lot of this work previously. I just hadn't known the words to use for that.

A. Stryker:

I had done access controls, but I didn't think about it except in the frame of, well, if I give this person god powers over my database, they're going to screw everything up, so I should probably make sure they don't have access. That was how I thought of it, but it is governance, and there were a lot of examples like that. Another great example: I was in charge of updating our WordPress site and I committed the cardinal sin of pushing out a patch right before a weekend. You never push to production on a Friday, right before the weekend, and that is something most people in IT or security have done at some point.

A. Stryker:

And I killed the website and then had to bring it back and roll back to last known good, right. That is a uniquely IT and security idea that I had done just because it needed to be done. And so I spent a lot of time that fall recontextualizing all of my previous experience in such a way that I realized, hey, these specific areas of security could probably use somebody like me who likes to write and won't shut up. So I ended up being recruited by another cybersecurity vendor's internal research team, Threat Intelligence and Research, and I helped them figure out how to speak to technical prospects, using the research and delivering the research in such a way that people were asking for more of it. And then I found my way to my current intelligence team, where I'm doing much the same, as I learn how to stand up a MISP threat intelligence platform, or TIP.

A. Stryker:

I'm learning how to triage alerts within other types of platforms that we have and input indicators of compromise. I'm learning how incidents work, how to best assist, and how to offer the information in the context that they need, so that it can assist without being overly burdensome. I want to get much more into digital forensics and learn how to really parse through the metadata and the logs. I do some of it now just to see if I can see what I read in the incident reports, just kind of reverse engineering it.

A. Stryker:

But that kind of work, our threat hunters will often show you. They happily, once a week, will show how they do their different scripts and their different tools. So, the long and short of how I got into cyber was: I was a precocious marketer who worked her butt off to be able to codify my previous security experience that I didn't realize I had, while leaning into the strengths of writing and analysis and research that I had from my previous career. It took a lot of work and a lot of luck and a lot of applications, but I've landed in cybersecurity and this is where I firmly plan to stay for the foreseeable ever.

Pedro Kertzman:

Oh, wow, that's awesome, really interesting story. Thanks for sharing with us. I'm probably biased because I didn't have a traditional path to the cybersecurity industry, but I think if you really love it and that's your, let's say, end goal, you can make your way to it. There are so many certifications, labs, hands-on projects, you name it, blogs, any source of information. You can get there. Create your own, let's say, personal experience, projects, certifications and so on, and then you're going to have a better shot at making it into the industry and growing within the industry.

A. Stryker:

It doesn't. It's a bias, and I'll say right now there is a definite bias in cybersecurity hiring managers and InfoSec hiring managers, where they are looking for people who came up through the pipeline just like them, and they don't understand that people can pivot in. It's not an entry-level position. I'm not an entry-level candidate, because of my years of experience and these other things that your team (because they all came up through this pipeline) lack, and the hiring managers who would appreciate the skills that I have understood that that was a gap in their current team that they needed resolved, and I was uniquely qualified to do so.

A. Stryker:

It's very difficult to overcome that bias, and you have to be that much better than everybody else in order to overcome it. I've talked about this previously, but there is what's fair and there is what is, and you can rail forever that it's not fair that X, Y, Z. Well, sorry, it's what is, and until you're hiring people, you need to be able to withstand that. You know, cry about it for a night and then you do what you can to confront it. Certifications will never be seen as well as experience.

Pedro Kertzman:

That's right.

A. Stryker:

Personal projects can do a lot for you, depending on the project and what you do. I accidentally stood up a TIP because I got tired of losing links for all of my different resources. I accidentally made a library and was like, hey, anybody else get tired of re-downloading the NIST password guidance for like the fifth time? Here, you can just grab it from here. So it's a lot of what you do on your personal time. It's acknowledging that it's not fair that your previous experience isn't weighed the same way, but, at the same time, understanding that's what makes you a unique candidate. And I think actually, to that point, and I would love your take on this, it's my opinion that one of the worst parts about people trying to break into cybersecurity is that they just say, well, I'm going to work in cyber, and they're like, okay, great, what? And they just kind of blanket you and they don't know what they want to do specifically. I mean, I was there, right. I found all of these different bits and pieces of cybersecurity really interesting. I got two auditor certifications because I thought, hey, that seems like something I could do and be good at. I was halfway through taking the CISA, the Certified Information Systems Auditor exam, and I realized that I would die if I had to do this on a regular basis. So understanding audits is really useful for me, because then I can give my teams, and I know compliance a little bit, and risk, I can offer up information to them and know that it will be useful and what they need. But it turns out I don't want to be an auditor. So, yeah, I want to move into cybersecurity, but I don't want to do that. Or I'd love to be a SOC analyst. I joke around and say I wanted to use my superpowers for good instead of email.

A. Stryker:

And a SOC position seemed like, one, if any position is entry, it's SOC, and two, it seemed like a good opportunity for me to get a lot of experience and actually really help people with what I did in my analysis and such. It turns out that's where a great bit of the IT pipeline really comes into play, to be able to remediate those immediately. And frankly, I don't have that yet.

A. Stryker:

And so even if it is an entry-level security position, I'm not suitable for it, and I hazard a guess there are entry-level cyber people, people who want to get into cyber, who think that they can apply for that because it is entry, and they just don't have the skills required for it. So you need to niche down and decide: what are you good at? What is in demand? And how can I focus on finding that? I think people need to niche down and focus on something if they want to move into cyber and have it be that perfect isekai moment between what's in demand, what they're good at, and what they want to do.

Pedro Kertzman:

Specifically about the CTI expertise you got through all your past roles and the current one: I imagine you saw a lot of teams building CTI programs or trying to get better at it. Any, you know, do's and don'ts?

A. Stryker:

I think, to me, one of the most intriguing things I learned about CTI as a specialty within cybersecurity is exactly how intimidatingly niche it can be, from providers, from organizations. There are very few organizations that have both the maturity and the bandwidth and the resources to hire the kind of very experienced (and, each in their own way, very niche) personnel to say: not only am I in tech, and not only am I in cybersecurity, but I'm in threat intelligence, and I am so specialized that I'm just doing this one little tiny research and communications bit within this bigger niche. It takes a very mature and well-resourced and well-prioritized program to have a threat intelligence program, and for me, I'm not sure that's a bad thing. Doing it now, for the last couple of years, I think I've come to an understanding that every organization, in my opinion, needs a threat intelligence source. Every organization needs threat intelligence, or information rather, I guess, if you want to be more specific: every organization needs threat information in order to make sure they're staying safe and secure. Does every organization, however, need a threat intelligence program and a threat intelligence analyst who's dedicated to that? I don't think so. I think it's a maturity level. So you can start off with: okay, here are the top five resources we're going to grab in general to make sure that we're abreast of the latest intrigues, and maybe one or two researchers specifically pertaining to our tech stack that we're going to subscribe to in an RSS feed or Feedly, right, and we're just going to look through that every morning, and if something comes up that's interesting, we'll dig into it, and that's it. That's, in my opinion, the baseline of what people need.

A. Stryker:

Then you have the program where you're slowly growing. You've got your cybersecurity team, and you have an analyst or two who are in charge of modifying your WAF, modifying your EDR, programming automations into SOAR, and they start to need more discrete indicators of compromise, and then, hopefully, they're thinking more strategically about something like the MITRE tactics, techniques and procedures, TTPs. At that point they can start to synthesize a little bit more discretely: okay, so I'll spend like half of my time plugging indicators into a central dashboard and putting that out, or I'll spend half of my time looking through all of the research reports and digging into, well, we just saw this, is this really a problem?

A. Stryker:

That's your middle kind of maturity. At that point, you'll probably also be receiving services from, for example, an MSSP that has a threat intel unit inside of it, who provide monthly or quarterly threat landscapes for you, or have a certain number of retainer hours that you can grab and ask them to do a more personalized analysis. Maybe you have incident response on retainer, like a Mandiant or Unit 42, where you can ask them, and you can then participate in that. Maybe there's an FS community sharing, excuse me, an ISAC. So, since I'm at an insurance company, for example, we have an FS-ISAC (Financial Services ISAC) membership. Those are open to organizations that don't have threat intel. It's just a matter of sharing information.

A. Stryker:

So that's middle maturity. The most mature program, outside of a dedicated threat intel consultancy or the military, is going to be standing up your own dedicated threat intel team, and there are levels of maturity within that.

A. Stryker:

But when you have people working full time just collecting and sorting information about your organization, that is a mature program, and no organization should feel discouraged that they don't have that. It is a sign that you're doing something right, that you can afford to be proactive in that way, and so keeping the rest of your house in order, using the rest of your resources well, and that includes your time and your budget, is really important. I used to be the kind of person who would be like, yes, give me all of the toys. I once asked for a very sophisticated toy early in my career, had my boss sign a two-year contract, and then realized that in order to make proper use of this toy, I would have to dedicate half of my time at work, and I was already struggling to finish my full workload.

A. Stryker:

So since then I've been a lot more understanding of just wanting all of the toys, wanting all of the features, wanting all of this resource. But it is a mark of maturity to be able to resource that appropriately. So that would be what I think the most important do or do not is when you're thinking about setting up a threat intel program: do you have enough of your basics covered right now that you can afford to have someone dedicated to this, and then, at that point, can you afford to resource them properly? Dark web based intelligence platforms cost tens of thousands, if not more, monthly or yearly. It is a huge expense and dedicated resource for a comparatively small team. And so it's okay, it is really okay, if you're not there yet, and making sure you have the mechanisms and the information distribution in place to know what you would do with a team like that before you hire them, I think that's really important.

Pedro Kertzman:

Yeah, you touched on a very good point. You have to have your basics covered, otherwise, if you're thinking about skipping steps and going straight to, let's build a CTI team, but you don't have your basics covered, it's going to be really complicated. You touched on the other aspect throughout these maturity levels of CTI programs, the kind of outsourcing slash partnering with more mature providers, MSSPs and so on. It could be a bit of a shortcut if you don't have all the in-house resources. Any insights on that? The kinds of MSSPs with a CTI kind of mindset, using those external companies to help them navigate that new journey, kind of thing.

A. Stryker:

I think one of the best things you can do when you're sussing out a third-party vendor or service is to think to yourself: am I asking for this because I have a checkbox I have to fill for some reason, right? Do I have an audit or a compliance requirement, or I want to apply for cyber insurance, and if I don't have a SIEM (which you should have a SIEM), they're not going to pass me and so I can't get cyber insurance, so I just want the cheapest bit of technology I possibly can to check off that box? Is that why you're looking for advanced security capabilities? Or are you looking for security capabilities that will not just check a box but will address underlying risk and concerns? There's an ongoing debate in some of my circles, for example, about the value of GRC and auditors. I am firmly of the stance that governance, risk and compliance, GRC, governance in particular, is really important to cybersecurity, because it helps security prove business value in doing the things that we know we all should do, despite the inconvenience and the expense. We are a cost center. Showing how this matches compliance, which would be a bigger cost center if it's not met, is a great way to justify it in business speak. I think that's really important to me as kind of a bridge between somebody who used to work strictly in business ops versus now in security. But so many people, so many businesses, just see something like a SOC 2 or an ISO as a checkbox, right. It's just something that you have to get in order to get this type of contract, or to fulfill this type of requirement as a supplier in the EU, or whatever. It is a darn shame when it's just seen as a checkbox requirement and, on top of that, when auditors themselves are uneducated about the reason why they're asking for that control, why they're seeking out that control.

A. Stryker:

There is a very funny story of a friend of mine who was letting me peer over his shoulder, in a manner of speaking, on his startup's first SOC 2 audit, because I had never gone through it and wanted to. I was asking lots of questions and trying to contextualize my theoretical knowledge with what he was doing in the real world and all of that fun stuff, right. God bless him, I owe him a lot. He was complaining to me that on his audit he did not have a perfect, every-control-met score, and I said, well, why not? You worked really hard on this. And he said, well, I refuse to put it in place. He subscribed to a very military concept, though he had never been, which is: you never issue a command you know won't be followed. He does not subscribe to policies that just won't or can't be enforced or followed, or are just culturally not going to work, because that's a false sense of security and that's just a checkbox, right. On the auditor's list was the requirement for a clean desk, which makes a lot of sense on-prem. It does not make a lot of sense remote. There is no way to enforce that. Your associates are scattered everywhere, often at home. Yes, there is of course risk of somebody going in and popping in a USB, or leaving something on a desk, or taking something, right, but it's less than when you are in office, where they're all centralized and so a threat actor can know exactly, this is where, etc. It does not make sense in his case to have a clean desk policy.

A. Stryker:

Now, this has been debated between friends when I've brought this up, so clearly there are two sides to this, but in his opinion this was a stupid ask, and they had different remediations available for that. For example, one of the other controls, and something that I think applies here, was the fact that they had no removable memory permissions. That was a control. That's part of the risk of having a clean desk that you're remediating by having a clean desk. So the auditor was so literal: she would not take alternative controls, and because he did not have a clean desk policy written up, because he's not going to issue a policy that's not going to be followed, it was there. So the reason I bring up this story, going back to your original question of how do you pick an MSP or an MSSP: think about, does this provider offer true cybersecurity advice that's been contextualized on a per-environment and per-client maturity level basis?

A. Stryker:

Do you have to sign riders, for example, if your IT and security people go in and change things that the MSSP had put in place? Because they're going to be the ones who have to fix it when somebody screws it up, and, you know, people who are just checking a box don't really care about the efficacy of it. MSSPs who will be ultimately responsible for that security program will say, oh no, you are signing something that says if we have to go in and fix this, you're going to pay for that. This is our domain.

A. Stryker:

When you ask for the SOC 2 controls, when you ask for the ISO audit, are you just asking to see if they have it because you've been taught that that's something you can ask for, or are you going to read it and see if the controls that they have are things that you would want to have echoed at your organization? Are they things they can walk you through? "You have this control at your organization. Is it possible to do it at my organization?" And listen for the ones who say, "No, and here's why. But here's what you can do instead." That is the sign of an organization that wants to be a partner and will give you the context that you need. And that's the sign that any intel they give you will be contextualized as well, versus a "here's a roundup of every different industry ever," and you work in this very niche one, for example. So that's a very long-winded answer to say: if you're looking at outsourcing this kind of work in security, whether it's intelligence or otherwise, consider, do you need a checkbox (and that's also okay if you do) or do you need somebody to advise you? Checkboxes will say they advise; they won't.

Pedro Kertzman:

No, that's great insight, thank you. That's a good one to digest. How do you sharpen your CTI knowledge? Sources of information: where do you like to go? Blogs, other podcasts, you name it. Where do you like to go to learn more about our industry?

A. Stryker:

So I think there are two different angles to that one. Where I go for CTI content: there's how do I learn more about CTI, and then where do I get my intelligence feeds, my information feeds, which, by the way, there is a difference between threat information and threat intelligence. Threat information is simply the data that threat actors or researchers are providing. Intelligence is the synthesis and contextualization of that data. So there is definitely a difference between whether or not you have a threat information analyst, which is also important, or a threat intelligence analyst, which takes a little bit more nuance.

A. Stryker:

Yeah, where I go for the latter: I'm thinking back to when I stood up my personal threat intel library, when I was looking for sources and trying not to re-download things all the time. I basically had to reverse engineer it. Nobody at work (I was in marketing at the time) knew any sources. They knew the things that their CISOs read, which mostly boiled down to where they could pay to put in a half-hidden article ad, and that wasn't the information I wanted. That wasn't where the real meat of it was. So what I did was I asked my cybersecurity friends, okay, can you recommend general media outlets for me to be able to reverse engineer? And among many, I did. I still pay for a Wall Street Journal cybersecurity pro subscription just to keep a handle on board and compliance and true CISO exec enterprise kind of stuff, because it trickles down eventually and, you know, everybody rips off of that.

A. Stryker:

I eventually found, you know, your Dark Readings, your Infosecurities, your Bleeping Computers, your Krebs on Security, bless that man. And from there I found different cybersecurity communities to lurk in. So I'm a member of a Telegram chat called Lonely Hackers Club, for example, that has a whole bunch of first-time hackers going to DEF CON, which is a large, not InfoSec conference, it's a large hacker convention on the tail end of quite a few cybersecurity conferences out in Vegas every August, and there's lots of people in there who aren't in cyber and there are a lot who are. So if you have questions, I would ask my friends there: hey, where do you get this? Who is worth listening to? That kind of thing. And over time you start to build up this list of personal references. One of the other places I also started with was looking at tech stack vendors who were relevant to a large portion of my audience, and I was constantly looking, like, that would bring an exclamation point.

A. Stryker:

So I would go and find the security bulletin center of all of my major tech stack vendors that I wanted to follow and put them into my RSS feed. Okay, over time, as I started parsing through, Bleeping Computer, for example, would publish something, or Wall Street Journal would publish something, and they'd say researchers at this place discovered this cool thing. I went, great, you are a secondary source; now I want my primary. I always want my primary sources, and I hammer this home: I need primary. Don't give me some sort of roundup, give me primary. So I would go and click and click and click, or do searches if they didn't have a hyperlink, which is bad form. Every media outlet who does not hyperlink to their original source should be drawn and quartered.

Pedro Kertzman:

That's right.

A. Stryker:

But I will go online and look up, using the clues in that search that I had, to see if I can find an open source blog or whatever that original source was, and then they are added to my feed, and over time you will collect all of the researchers, the original sources on that, and you're always adding more. But that's one of the best ways to kind of start developing that: go to the generalized media outlets, and when they pick up a story that is relevant for your organization or is interesting to you, go find that primary source and then put them into your RSS feed, and then you will always have primary sourcing on that, and it'll be faster, and over time you'll only use Bleeping Computer for the weird one-offs as opposed to as your primary. There were several media outlets, by the way; it's not just Bleeping Computer. I also made a point of subscribing to a lot of intelligence and cybersecurity government agencies, both within the United States and also abroad. So the National Security Center out of Australia has some great resources. England's Cybersecurity Center as well. I am blanking completely on their names right now, but I have both of them in my feed. I can recognize their logos pretty much off the bat. And there are others too. Look internationally for those kinds of partnerships and that kind of dense work, particularly if your organization is national, and you'll be able to start to pick up some of that as well. And finally, I have a personal project on examining the public SEC reporting on required breach notifications and then reconciling it with the Maine Attorney General, because any organization that operates in Maine is required under certain circumstances to send out breach notification letters to Maine residents.
So you'll often get both public and private letters with more details than they'll put in the SEC reports, because they lawyer weasel-word it into different types of breaches and different moments like that. So if you're looking to stand up a threat intelligence, a threat information feed, that way, I would start there.

A. Stryker:

As for where I get more information about how to stand up threat intelligence organizations and learn more about my craft that way, honestly, it's a lot of asking my coworkers and not being afraid to ask questions. So I'm very confident in the things I do well, right? I write really well. I have a very strange ability to write a subject line that I know will be opened. 10-plus years of work means that I can effectively internally phish my coworkers to get them to actually do the things they need to do, and I use that power wisely. I am not as strong in a lot of the other ways, and so I go to my coworkers and say, hey, can you help me use Power BI to automate this dashboard? Hey, can you teach me how to use our EDR system to do this hunt? Can I shadow you for this? Or I'll ask my boss, instead of saying, boy, why are we doing it that way? That's stupid. We should do it this way.

A. Stryker:

I've learned that the first question to ask is, okay, is there a reason why we're doing it this way? What was the history? How did this start? Why is it like this? Is there somebody we're appealing to? Is there a team or something? And you'll learn a lot of this context for why seemingly inefficient or odd ways of doing things became coded into de facto procedure. From there, you can also be much more politic in saying "this is dumb, you should do it this way," and pick your battles a little bit more wisely. I wonder how that happened. Yeah, I haven't stumbled into that landmine more than, oh, once a month, but by taking a moment and remembering to ask why something is like this, regardless of whether you think it can be improved, by asking how something came to be, you can better understand the drivers, the motivations and the context. It's all about context.

Pedro Kertzman:

Agreed, awesome.

A. Stryker:

Oddly enough, when you asked me how I got into cybersecurity, I'm like, boy howdy, in April. So if anybody is in the Baltimore, Maryland area in April: BSides Charm, so the local cybersecurity conference series, BSides, where individual geographic regions can choose to run a cybersecurity conference using BSides resources. It's about a thousand people, a lot of fun, two days. They recently accepted a talk and a workshop that I run called Career Campaigns, so it's where I actually tell the entire story of how I transitioned into cybersecurity, but using a Dungeons & Dragons or tabletop RPG metaphor.

Pedro Kertzman:

That's awesome.

A. Stryker:

So pretend for a moment that your resume is a character sheet in one of these role-playing games, right? No way. So why are you not being accepted to your first cybersecurity campaign party? And what can you do to either reskill or reclass your character, borrowing from the skills you previously had and all the work you put into that character sheet, like, not ditching it at all? How do you figure out what to keep, and then what do you rebuild to be more appealing to that particular character?

A. Stryker:

So there's a talk version of that, and then I actually walk people through, like, an entire three-stage mini campaign of a modified tabletop game. So if anybody really wants to come in and join us, that's been a lot of fun. I've run this a couple of times at some different conferences and people have a good time. So if you're more curious about how do you break into cybersecurity or, even better, how do you break into a different cyber niche after you've been working and you're tired of being pigeonholed and want to try something else, come and have a good time, see a different perspective. We'll roll some dice.

Pedro Kertzman:

It'll be fun. Oh my god, I love that. And, you know, back in the day, let's not talk years, I used to be a dungeon master myself, so I love Dungeons & Dragons. I used to have, like, all the Rules Cyclopedia, all the rule books, the Wrath of the Immortals, and all that as well. I used to, yeah, play a lot, so I love the idea.

A. Stryker:

I have the lore book on my coffee table right now, for fun.

Pedro Kertzman:

Awesome. Any blogs, if people want to follow you, learn more from you? Blogs, LinkedIn, any other social media? Do you often publish stuff?

A. Stryker:

Right now it's my LinkedIn page, so you can just look up Stryker, S-T-R-Y-K-E-R, in Threat Intel and I'll pop up. If you're curious about a lot of the other talks I've given, I spoke at DEF CON 32 on an Adversary Village panel about adversarial tactics and what my cyber vendor was seeing for a lot of SMBs and that kind of work. That was a really great panel. I have links to that, I have links to some of my other talks, on my LinkedIn and in my personal portfolio, which is stryker, S-T-R-Y-K-E-R, no, N-O, striking, S-T-R-I-K-I-N, .com, which is, yes, it is a pun on Dora the Explorer. My son was four and going through a Dora phase, so you can go there.

A. Stryker:

Also, the Lonely Hackers Club on Telegram. It's a community, again, for first-timers to DEF CON or just people who are interested in hacking. We highly encourage people to give it a try first and then ask us questions. And no, we will not hack your ex's Instagram. Do not ask us to do illegal things. Some of us have clearances and we will not risk other people's performances. I go by Stryker there as well. Just feel free to come on, say hi, and be prepared for lots of really silly things and some very smart and caring people who want to share our love of both security and, more importantly, how to hack things with more people.

Pedro Kertzman:

Stryker. Thank you so very much. What an insightful conversation. I really appreciate you coming to the show and I hope I'll see you next time.

A. Stryker:

Yeah, no, thank you so much, Pedro. Anytime, give me a ring. This was fun. Thanks so much.

Rachael Tyrell:

And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise who would like to be interviewed on the show, just let us know. Until next time.
