Cherie Burgett: 0:17

No one person should be responsible for everything.

Cherie Burgett: 0:20

On this episode of Season 1, our host, Pedro Kertzman, will chat with Cherie Burgett. She has worked with the mining and metals ISAC since its inception. As the Director of Cyber Intelligence Operations, cherie is responsible for researching and analyzing the ever-changing threat landscape affecting the mining and metals sectors. With a unique philosophy and approach to cyber threat intelligence, incorporating lessons learned from studies in the arts and humanities, she provides a nuanced perspective on the ethics and human condition relating to threat actor groups and the people defending our critical infrastructure. Over to you, pedro.

Pedro Kertzman: 0:55

Cherie, thanks a lot for coming to the show. It's great to have you here. Thanks for coming.

Cherie Burgett: 1:00

Thanks, I'm really excited to be here Awesome.

Pedro Kertzman: 1:03

Would you mind sharing with us a little bit about your story, your career journey up until your current role?

Cherie Burgett: 1:11

Sure, it's actually, I think, kind of unique. I guess about 10 years ago, maybe 11 years ago, I went to DEF CON just for fun. So before that I was a gamer. I really liked playing video games, played a whole lot of MMOs, I did a whole lot of volunteer work for the military, I was an FRG leader, I did a whole lot of community building and I hadn't had a paying job in 15 years when I just decided to go to DEF CON for the first time. My last paying job before this was working at a Radio Shack. So you know dating myself a little bit, but I worked at Radio Shack when it was still kind of cool. I'm pretty sure I had an A-plus certification out of working for Radio Shack, but I was really good at helping people solve their problems and I love the people that came into the store. So that's kind of my background in a nutshell. And then I went to DEF CON just for fun. It was basically my escape from my real life. It was the thing I wanted to do for fun. So that was kind of my once a year week vacation away from the family. I went to DEF CON and had fun. And because I went to DEF CON a few years in a row and was talking to the same people. It actually led to some mentoring and I got serious about wanting to join this industry, so sort of late in life.

Cherie Burgett: 2:51

And then someone I met at DuckCon was creating an ISAC for an industry that didn't have one, which is the mining and metal sector. They currently didn't have one. They is the mining, mining and metal sector. They currently didn't have one. They had a series of cyber attacks and, uh, the only by the same threat actor, and the only way that that happens is by not sharing information. And when he pitched the isac to me, I'm like well, what can I do to help with that? I have no experience in this. But he's like actually you do, because you know how to get people together and collaborate and solve problems. You have this experience. You're technical enough because you know your gaming experience, you can do this. And you just you know. And so I was brought in as a security program manager and I helped develop the program that is the threat intelligence sharing program that we have today.

Cherie Burgett: 3:47

So, that's basically how I got in. It was what I saw is a vacation and fun time. You know people actually do for a living. So, sometimes the thing that you do when you're procrastinating with your life is the thing you should actually be doing with your life so yeah, yeah, they say uh, you know, do something you love and don't work in your life or something I, I absolutely agree with that.

Cherie Burgett: 4:13

That's uh, it doesn't. It doesn't always feel like work and there's some things that you can turn your hobbies into work and then it becomes work. But this is uh this is something that I actually really enjoy really got into threat intelligence.

Pedro Kertzman: 4:25

Uh, through this I feel you yeah, that's awesome. Thanks for sharing your your story with us and, uh, you mentioned something about collaboration, right? I think it's uh so important within our so part of the industry. If you will, would you mind expanding a little bit more on that please?

Cherie Burgett: 4:46

So basically what I do is because no one person should be responsible for everything, and the industry that I am saddled with the responsibility of building this whole threat landscape didn't actually have a picture to begin with.

Cherie Burgett: 4:59

Building this whole threat landscape didn't actually have a picture to begin with, and so the only way that you can do that is by, you know, building relationships with people in that sector, in that industry, so that we can share intelligence with each other.

Cherie Burgett: 5:14

And you can only do that by going to places, going to the conferences, going and talking to people and meeting them face-to-face, because there's a whole lot of trust that's involved in sharing information that becomes intelligence People. We have a security culture and a privacy culture that we're used to dealing with, and when we're talking about, we want to keep a lot of these things secret, but when we're talking about bad guys, the criminals that want to do us harm, we cut ourselves off from the ability to crowdsource the collaborative defense, because if we're only seeing one part of the picture, then maybe somebody else actually sees more of it and we can, and maybe we know experts that that have like a special niche that could actually help solve that problem. And so that's basically what I do is I I help link up people with people that can help solve their problems.

Pedro Kertzman: 6:22

And you mentioned about ISAC, what Would you mind sharing with the folks listening if they're not 100% sure what it is the role they play within the CTI industry?

Cherie Burgett: 6:33

So an ISAC is an Information Sharing Analysis Center. You can also. There are also organizations that are called ISAUs, where it's an information sharing organization. Basically, the two are the same, depending on what acronym they chose to use. Every sector has an ISAC and that, if you're new to a certain sector, you just started, you're responsible for a team and a company. If you never worked in, say, mining metals, or you know the water industry, the first step that you should be doing is reaching out to that sector's ISAC, because they have people that are experts at what they do. They have people that have been working in that sector for years and there's a shared knowledge that you can get by joining that ISAC.

Pedro Kertzman: 7:25

What kind of collaboration you have. Is it threat feeds, data feeds, reports, meetings?

Cherie Burgett: 7:31

A lot. Yes, all of the above. So what we do is we have a newsletter that goes out. We have a threat intelligence platform that we share articles and indicators of compromise through. Those are like IP addresses and hash values at the very lowest level of what we share, but what we really like to share is the finished intelligence. So those are the things that we put. We put it all together, it's, it's analyzed and we tell you why this is important for your business to pay attention to.

Pedro Kertzman: 8:11

That's awesome. Yeah, Thanks for sharing, sharing all that. How do you call them? Like associates? Customers for the ISAC?

Cherie Burgett: 8:19

So we we call our members members and we're very particular about what we use. We don't like calling them clients or customers, because we want it to be more of a collaborative organization where the member has ownership of the organization, and so if you don't like your ISAC, you as a member should be able to do something to change it or improve it, and so the ISAC is only as good as its members.

Pedro Kertzman: 8:48

Makes sense.

Cherie Burgett: 8:49

Yeah, that's super interesting and you know, talking with all those folks from different geographies, I would guess levels of experience any like type of skills or skill sets that you see that are super valuable for people within the CTI industry. So I think one of the ways that you can tell if someone is actually really good at CTI is how well they research things. Like if they are someone that is the person that wants to know everything about a product or a person and they can dig up information that you didn't know existed on them, they're probably good at cti yeah, curious by nature, yeah yeah, yeah, and I think, uh, uh, like you all know that person that is better than the fbi detective at figuring out.

Cherie Burgett: 9:44

you know, uh, what everybody is up to. They're probably decent at CTI because they know how to Google. There's you know a lot, of, a lot of the tools that I use are just search engine tools. You know, because you're you're looking at, you know the open web and you're looking at the dark web and you're looking at what's available in your threat intelligence platform and you're looking to feed that and so, basically, the internet is your whole playground.

Pedro Kertzman: 10:16

Yeah, it's one of those people that won't rest until they get to the very bottom of that. They want to solve the puzzle. Yes.

Cherie Burgett: 10:28

If you're, if you like, solving puzzles. But then again you also have to kind of keep an open mind, like because you can intentionally add bias. And so if you, you know, if you have this idea in your head that it must be the Russians, and so everything that you dig up about them is like, oh, this also leads back to the Russians and you're convinced that it's the Russians and it's because you've already created that bias.

Cherie Burgett: 10:54

But if you have an open mind and you let the data speak for itself, when you do the analysis, then you can say oh actually, if I didn't see that this one thing you know was different to this outlying you know incident instance, I would have believed that, and so it's being able to keep that open mind when you're doing the actual analysis portion of the CTI, especially because the sometimes super clever threat actors they can try actually to make you believe that they are somebody else or so I think a very good example of this is, um, the use of ai.

Cherie Burgett: 11:38

Now, um, and because we have really awesome ai tools that can even change your accent in real time, someone can call in and have a North American accent and call center use these all the time. Now it's sometimes you pick up the phone, you think you're talking to a robot. It's actually a human with AI, altering AI accent, softening software that they're using, and if they're using the software and it's not tuned correctly, it can sound robotic, but if it is tuned well, their accent will be like a very natural sounding accent and so uh, the it makes attribution to the types of threat actors that you're dealing with even harder, because they are able to. You know it's not just vpns that they're using to change their um and their uh, their ip addresses. Now they can actually change their voice and that's uh cool and uh and interesting and also makes our jobs harder yeah, no, that's, that's a good one.

Pedro Kertzman: 12:50

Honestly, I never I didn't know about these ones. Um, I think I should try those to see if alleviates my accent a little bit or I don't get too bored with my own voice?

Cherie Burgett: 12:59

Yeah, absolutely, you can try them. They're. You know on all of their websites that I've seen there's a you're supposed to only use it for ethical reasons, like there's a code of ethics, but you know threat actors won't pay attention to that. You know their code of ethics is their own.

Pedro Kertzman: 13:19

Yeah, exactly no, but that's good to know. Yeah, attribution is probably one of the most complicated parts on this whole threat research CTI, because sometimes if they're really good on obfuscating the original, if they have a massive botnet between the real guys triggering stuff and the end user or client or host being attacked or victims, uh it's really hard to pinpoint who this is coming.

Cherie Burgett: 13:49

yeah, and and also the um, uh, the the threat actors have are kind of uh, specializing in, uh, what they do, and so maybe their specialization is in initial access and then they sell that access to another group that will install the malware or do the exfiltration, because they have their supply chain already established. You know, it's its own business model, own business model. And so if you only have the indicators for the ransomware, you don't have the. You know you don't have the initial access. And so that's why I think collaborating and seeing you know what other people are seeing and their behaviors and being able to put that whole picture together is so important, because their ecosystem is much more complex than it used to be. It used to be one threat actor that would get in and do the job, but now they have their own supply chain.

Pedro Kertzman: 14:53

Yeah, they used to do the whole thing start to finish and now they just need to specialize in one little uh part of the equation. I remember, uh, some college students asking me, um, some time ago, with the proper cyber security knowledge, how damaging could you be to a company? They were asking me that and I'm like, even if I didn't have as much knowledge, because I can basically buy most of that stuff out there. Yeah, you know initial access brokers, info stealers, ransomware packages and all that. I mean you need to know how to manipulate that to ransomware yourself, I guess. But it's just like the barriers just lower way, lower right now.

Cherie Burgett: 15:47

If you, you know, wanted to set up a ransomware operation right now, you could, and with very little like. It takes a lot more skills to defend than it does to attack. It takes it, you know, because they have. They even have customer support and step-by-step instructions and like, if only cybersecurity was this easy.

Pedro Kertzman: 16:11

It's funny For exactly the same students I mentioned about the customer service and they were like dying laughing, thinking I was joking, I'm serious, unfortunately, they do'm serious, unfortunately, they do have it. They do have it. I remember the I think it was children's hospital in toronto, canada. Yeah, they got ransomware a few years ago and because of the hash, everybody was jumping on attribution that particular threat actor. But it was actually one of their customers from the ransomware service offering. They had that, uh, send a package to to the children's hospital and because of the hashes and and all that, people quote unquote, started publishing articles about how those guys would be able to target like a children's hospital. And they came publicly say no, we don't do children's hospital, wait up. And then they found out, oh, it's one of our customers, so here's the decryption key so you can. But up until that point I don't remember how many days uh that they were really in trouble uh, in the hospital. So I guess even, yeah, some bad guys might have some lines.

Cherie Burgett: 17:36

They they don't cross there there is kind of some people don't have lines they cross. It depends on which country you're coming the attack is coming from. There are some countries that absolutely hate certain countries and so there's nothing off limits. You know, providers, they actually do kind of have like a code of conduct. We don't do this, you know, and they, they have their affiliates agree to that and sometimes, depending on the affiliate or you know the script kitty, they might not even know who they're ransoming.

Cherie Burgett: 18:14

They, you know they just they just happen to have access that they bought to something and they didn't know what it was because they didn't bother to do the who has look up on them like you know, like you should probably know who you're, who you're attacking, but sometimes, like they're not, they're not all great, um uh, they don't all possess the technical skills or, you know they, they just kind of wanted to make a quick buck yeah, yeah, exactly so.

Pedro Kertzman: 18:44

Yeah, what about, um, you know, we, I think we have given a fair amount of background information to everybody at this point. Um, and super important, this skill you mentioned, right, the curiosity for for people, uh, in the industry, and what about overall for protectioners or CTI teams, any do's and don'ts that are top of mind, kind of thing.

Cherie Burgett: 19:13

I have a few, some things I'm actually pretty passionate about, but I think the most important thing to remember is what you're doing and why, and so it is your job to get. The most important thing to remember is what you're doing and why, and so it is your job to get the most relevant and actionable information into the hands that need them and in the method that is most that they can use it. Times when I get on some of these sharing calls with different organizations and they uh, it kind of goes into what some people refer to as story time, where they're basically just reading off headlines and uh, and not saying anything about the headlines, about why they think it might be important or why they should pay attention to it, or they're reading, worse, cve lists, and the CVE lists are the ones that I think are just kind of ridiculous to share on a phone call, because you can't do anything with that information just by hearing it. It's not the best way to share that information. An email or a tip would be better. An email or a tip would be better.

Cherie Burgett: 20:27

Something is something that, but your job as a CTI analyst is to actually analyze like it's not just to share, pass forward information. You have to. You have to be able to decide whether or not it's information worth sharing to that person and that they can use it, and you can throw everything you want into your tip. Um, that's, that's what it's there for you can. You can have that as a catch-all, but what you're actually sharing out to the people your team, the executives you want to make sure it's tailored for them and they know exactly what to do with that information actionable.

Pedro Kertzman: 20:57

Yeah, no, that's. That's a good point. I think it also brings the don'ts as well, like just don't go on a start time mode, I guess.

Cherie Burgett: 21:08

Well. So I think sometimes we get way too focused on the granular the CVEs, the IOCs, mapping it to the ATT&CK framework, and I think there's just so much more, because I think a lot of that work can be automated. You can have AI scrape a lot of that information and they can sort that for you. That's not real analysis work. I think the real analysis work is figuring out why this is important and what we can do about it, and so I think that's the real analysis is. I've kind of made a rule that I don't share anything with anyone unless I can tell them why I'm sharing it with them, why this is important, and I will put that reason right up at the top of the page, and that's how I share things. And because of what it does is it forces me to make sure that what I'm sharing with them is actionable, is important, and they know what, but they know why it's important oh, that's, that's great insight, thank you.

Pedro Kertzman: 22:17

Anything that you know today that you wish you knew back in the early DEF CON years, that is super either knowledge or skill that you have now that you wish you knew that back in the day.

Cherie Burgett: 22:32

So this is very general for cybersecurity, I think, is I wish I knew that I belonged to this industry back then, wish I knew that I belonged to this industry back then Because and I think that was the hardest thing for me to learn was that my skills were actually valuable, that I was good at what I did, and and it was because you know of I think a lot of people discount their life skills, as you know of. I think a lot of people discount their life skills, as you know, as actual skills that are useful in this industry, especially since we're like hacker culture. You know, things that you do in life like hacker is more of a state of mind, it is a lifestyle. They're the people that kind of bend the rules or they, when they get a shiny new you know game, uh, they look for ways to break it, or they look for ways to, you know, turn off the guard rails or they look for the t codes. You know that's that's kind of hacker mentality and your life skills, uh, that you, you know.

Cherie Burgett: 23:38

Um, I I went through a brief time where I was extreme couponing because to me those were exploits in real life, like just it's a lifestyle and I think a lot more people belong to this life than actually realize and I think the gatekeeping that we have in this industry is kind of a shame because there are so many people that I think would do such have an amazing impact but they don't quite feel like they belong because they didn't join.

Cherie Burgett: 24:14

They didn't, you know, join the traditional way or they didn't start out as you know a SOC analyst to you know they didn't start out with the pen testing technical roles. That people think that at CTIR is that when I meet them in person, it doesn't matter what background they came from, they think, like me I'm always shocked and blown away that they have shared interests because we didn't have this club. That kind of all got together and predetermined what cyber threat intelligence was, the person that kind of works in cyber threat intelligence was going to be like, and I'm not sure if you noticed as a, as a podcast host, but we share similar traits and that always like surprises me, the people that work in it, because we don't interact with each other a whole lot that's right, you know, funny.

Pedro Kertzman: 25:24

You mentioned that and probably because we are already entirely on the CTI industry or surrounded by it or part of it, the curiosity that you mentioned. It's really common.

Cherie Burgett: 25:43

Yeah, I think we are the people that get excited when we see a torch network. We are the people that get excited when we see a torch network, like I don't know. It's sort of like a I'm not sure the right word for that but there's definitely a trait where we see some, we don't mind seeing a little bit of destruction. We kind of like, ooh, what's that? It's like driving by a fire. We're the one who wants to see how, we want to know how it started.

Pedro Kertzman: 26:12

Yeah or the pattern.

Cherie Burgett: 26:15

Yeah, we're curious about the destruction that just happened.

Pedro Kertzman: 26:19

Yeah, well, we can take some teachings out of any single episode, good or bad out there. If it's bad, maybe the learnings you can get. It's's avoiding the next one, and probably that's the most important thing.

Cherie Burgett: 26:36

Uh, well, you're exactly right. I I really think it's about preventing the next one from happening and learning uh, learning from our mistakes, or learning why it was. You know why it happened. Maybe. Maybe we can course correct or put you know, put a little bit of mitigation into it or write a new playbook that is specific to this thing, so that if it happens again to another company, then they already have the playbook written for them, they know how to respond to it yeah, yeah, uh.

Pedro Kertzman: 27:11

Well, I think at this point, if uh people had the opportunity to listen all the past episodes, they will see that so many different backgrounds and everybody is doing, I would say, really well within the, the cti industry and, most importantly to me, is adding a lot of value to their teams and their you name and members, customers, partners and that and that's I think it's so important, especially life skills in general writing, like one very specific part of the cti role or teams will always be writing reports. If you don't have, if you only have across your team the best mauer researchers, reverse engineers and one of people only focused on numbers, who is gonna write that report?

Cherie Burgett: 28:16

so you have, as a, as a cti leader I think you should pay attention to this multiple skill sets that you're gonna need to have a winning, winning team yeah, um, yeah, definitely, the verbal and written communication are key, um, because it's it being able to uh put your you know, um analysis into words and explain to people why they need to do something. Um is is the whole, uh, uh, is the whole reason for CTI in the first place is so that they can make decisions, so that they can know what might be coming. So that they can. If your information that you're sharing with them is not having any kind of impact on the, the role or or their decisions that are being made um, then you're doing it wrong.

Pedro Kertzman: 29:14

You're not sharing the right information, or you're sharing it, um in a way that's not consumable for them, so you have to change that yeah, I think you mentioned right the reasoning why you're sharing that it's so, having that in mind, uh, all the time is super important to decide what to share, how to.

Cherie Burgett: 29:35

Yeah, one of the things that kind of in my background. So, from before all of this, in a past life I actually went to Bible college, and so one of the things that you learn in Bible college is hermeneutics, which is the art of interpretation, which is something that I recently connected to. How I actually analyze written text is by using these interpretation techniques, and so that's one of the things that I'm actually working on writing more about, so that more people can you know. Oh, maybe someone who in a past life did you know study theology?

Cherie Burgett: 30:22

Maybe there is a path for them to work in cybersecurity security um, maybe someone who, uh, is into philosophy or psychology or, um, even the arts, I think are are all things that can be used. Uh, threat intelligence to me is the most human of cyber, of the cyber disciplines, and so, I think, bringing a lot of humanities into it, because we're dealing with people, we're communicating with people, we're working with people. We're not protecting systems, we're protecting people, and so they have safe operations. So so that's what? And we're protecting them against people. And I know, even with AI, it's still. It's still person versus person. Just because you have software in the middle doesn't make it any less yeah, I, I like the um, we're protecting people instead of uh systems.

Pedro Kertzman: 31:15

That's. That's really nice because, uh, it makes a lot of sense. It makes it. It's a very good way to to put it. And what about your knowledge about uh, cti? I'm not, you know, data feeds and things like that, but how you update your knowledge across things happening across the CTI industry, any specific blog, book, podcast you like to use to sharpen your knowledge?

Cherie Burgett: 31:43

So I'm constantly in the CTI or intelligence feeds and reading articles. I subscribe to a few that I constantly read, you know the general ones, like bleeping computer and the hacker news. They're usually fairly current. They don't have a whole lot of content that is specifically mining focused. So a lot of the intelligence that I get is through our members.

Cherie Burgett: 32:15

But I would recommend to someone who is new to CTI is to start following some of the cyber security blogs, and there's an interesting one that's actually a Russian site that I like to go to that has, uh, ransom, ransomware notes and samples of those, because I like to see how the notes are being crafted and I I read ransom notes for fun, so some other people might actually do that too.

Cherie Burgett: 32:44

But, um, I like to see how they are threatening, what kind of psychological tactics that they're using. But I would just recommend going, having a list, you know, bookmarking them and maybe coming up with like a sample question for like a sample business like and just sort of practice answering those questions like and you can actually have AI come up with some of those questions. A lot of people in CTI actually use AI. Now to what's a good question to come up with for this specific instance, and they'll come up with some questions and then you can practice answering those questions and if you find anything cool or interesting, what you can also do is share it. And you can do all of this without having any CTI background whatsoever, without needing to get the job first, and you can actually just share your passion for cybersecurity and cyber threat intelligence with the world on LinkedIn and that may get you noticed.

Cherie Burgett: 33:51

As you know someone who's passionate about cybersecurity at CTI and I don't know a CISO in the world that would pass up the opportunity to have somebody work for their team that would actually do it for free on LinkedIn. So there's your path to getting you know. Noticed is is to you. You know, come up with some sample questions and answer them and share them on linkedin no, that's a great, great advice.

Pedro Kertzman: 34:16

Yeah, nice and um, still about like sharing your or collaboration. If anybody happens to be listening to podcasts and happens to to work on the mining industry, that is not 100 sure how they should first, uh, get in touch with isaac. What's the best way?

Cherie Burgett: 34:39

so, uh, so you can look up all the isaacs. You know, um, whether it's uh water or uh health or mining um, you can just Google it. But our website is mmisacorg and most ISACs will have a similar naming convention. They'll usually be either a org or a com. Just look up your, look up your industry's ISAC and you know they should have a contact page and contact us. But definitely reach out to your ISAC. They are your best resource for people who are in that sector that have probably already solved the problems that you're trying to solve.

Pedro Kertzman: 35:31

Yeah, awesome, don't try to reinvent the wheel, kind of thing.

Cherie Burgett: 35:35

Well, we don't need to put ourselves at any more disadvantages than we're already at. We're already on the short end of the stick being defenders. We don't need to create more walls and create more silos and create another paywall for intelligence. That should be free and that's. That's a bit of a rant, but the and and there are security there. There are companies that are monetizing cyber threat intelligence for open source stuff that I think should just be free, which is which is to, is crazy. If it starts out with a traffic light protocol clear, it should stay clear, like there's no reason to pay for all that.

Pedro Kertzman: 36:18

Awesome. And what if people wants to learn more from you? Follow you articles, blog posts, linkedin, you name it how they do that.

Cherie Burgett: 36:27

So some of my articles are actually published on the MMIS sec web page, um, and you can go to mmi secorg and read them there. Um, we also have a monthly newsletter that is available for everyone. Whether you are part of the mining sector or not, you can sign up, and you can sign up through that page. Um, and we also have, or I also share regularly on LinkedIn, posts and articles that I publish and those are all available. So definitely connect with me on LinkedIn. I'm usually not super particular about who connects to me. If I see that you are actually a human being that works in cybersecurity, odds are I will accept your request.

Pedro Kertzman: 37:12

Awesome, Cherie. Thank you so very much. It was great having you here Super insightful conversation, and I hope I'll see you around.

Cherie Burgett: 37:21

I definitely hope to see you around. Thank you for having me, it's been a pleasure.

Pedro Kertzman: 37:25

Awesome, thank you.

Rachael Tyrell: 37:29

And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group Cyber Threat Intelligence Podcast. We'd love to hear from you If you know anyone with CTI expertise that would like to be interviewed in the show. Just let us know. Until next time, stay sharp and stay secure. You.