Cyber Threat Intelligence Podcast

Season 1 - Episode 5 (Pedro Kertzman & Josh Darby MacLellan)


What does it take to succeed in cyber threat intelligence today? Josh Darby MacLellan draws from his unique journey through geopolitical risk into the CTI space to reveal practical insights for both aspiring analysts and established professionals.

The conversation opens with Josh's unexpected path into threat intelligence, highlighting a crucial revelation for newcomers: you don't need special access or expensive tools to begin gaining CTI experience. With abundant open-source resources available, anyone can practice analysis workflows, build a portfolio, and demonstrate genuine passion before landing their first role.

Beyond technical foundations like the Diamond Model and Kill Chain, Josh emphasizes communication as perhaps the most critical skill for CTI professionals. "Your entire CTI process will fall completely flat if you are not able to communicate that intelligence in a way that lands with your stakeholders," he notes. This challenge becomes especially apparent when teams struggle to translate their value into language business leaders understand—a persistent hurdle for many CTI programs.

The discussion explores how collaboration across traditionally competitive organizations creates powerful intelligence sharing networks, particularly within industries facing similar threats. Josh also tackles AI's impact, warning that "your job won't be replaced by AI, but by someone who can use AI," encouraging analysts to embrace tools that automate repetitive tasks while preserving human judgment for critical analysis.

Looking ahead, Josh predicts short-term challenges for CTI teams proving their worth during economic uncertainty, but remains optimistic about the field's future as cyber attacks continue increasing in volume and severity against a fractured geopolitical landscape. For those intrigued by this dynamic field, his advice is simple: dive in, leverage free resources, and discover if this intellectually stimulating career path is right for you.


Thanks for tuning in! If you found this episode valuable, don't forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise who would like to be interviewed on the show, just let us know. Until next time, stay sharp and stay secure!

Josh Darby MacLellan:

CTI is supposed to inform decision-making and enable decision-makers to calibrate defenses to protect an organization and make it more resilient.

Rachael Tyrell:

Hello and welcome to Episode 5, Season 1, of your Cyber Threat Intelligence Podcast. Whether you're a seasoned CTI expert, a cybersecurity professional or simply curious about the digital battlefield, our expert guests and hosts will break down complex topics into actionable insights. On this episode of Season 1, our host, Pedro Kertzman, will chat with Josh Darby MacLellan. Josh is a cyber threat intelligence professional with experience in CTI and geopolitical risk in the North American and European financial and tech sectors. He has spoken at conferences, including the SANS CTI Summit and the FIRST CTI Conference, and holds the CISSP and CCSP certifications. Josh enjoys contributing to the community by publishing articles and mentoring, and has held leadership roles in industry associations, including (ISC)², tier and ASIS. Over to you, Pedro.

Pedro Kertzman:

Josh, thanks so much for coming to the show. It's great to have you here.

Josh Darby MacLellan:

My pleasure. Very happy to be here today.

Pedro Kertzman:

Awesome, and usually I start asking the guests how their career started maybe early start on their career and all the way to the CTI, current CTI related role they might have today. Would you mind walking us through that please?

Josh Darby MacLellan:

Sure, right. So this takes me back a few years. My career started in quite an interesting fashion. I originally was studying in the UK and then one day stumbled kind of aimlessly into a departmental talk which was all about doing a second master's degree over in Canada. And this ended up being one of those small dominoes that set off a really big cascading effect, and I ended up doing my second master's over in Canada. This master's was more vocationally focused than the average one, and there was a component of it where you could go and do a co-op semester, which is essentially an internship in industry for one semester. And that was my way through the door.

Josh Darby MacLellan:

And I did that internship in the finance sector, but specifically working in a corporate security department, and I was focused on geopolitical risk and that was my first experience with private sector intelligence.

Josh Darby MacLellan:

Prior to that I thought that you can only really enter the intel space if you went national or military, and I knew that companies had security departments, but I didn't realize there was really space for intel there. So this was a huge eye-opening experience. And then I realized through networking conversations that pretty much every household company has a corporate security department and an infosec department, and typically they'll have one, two or sometimes three intel teams, depending on their configuration. After that I was hooked, and that led me to my first... So the co-op internship led to my first short-term contract, which led to my first full-time job in threat intelligence. And then, after a couple of years working on the physical geopolitical risk side, I pivoted over into cyber threat intelligence. So I came up more from the non-traditional route, and it was definitely a bit of a zigzag journey to get into CTI, and it's been a blast ever since.

Pedro Kertzman:

Awesome, awesome. Thanks for walking us through that. And you mentioned the non-traditional route. Reflecting on your career, the things you need to have to jump into a more CTI-related role, is there anything you used, any strategy, to fill some gaps you found along the way?

Josh Darby MacLellan:

I hadn't studied cyber in university, and the thing that really helped me once I started to explore a pivot into CTI is that I invested a lot of time reading and studying up on cyber threat intelligence. There are a ton of textbooks out there. There are free resources online. A bunch of the CTI vendors publish reports and guides that you can use, and then it was just doing as many webinars as possible, getting involved in industry associations, going to educational and informative events, attending conferences, both physical and virtual. I'm missing something. Oh, certifications as well. That also helped me to ramp up my CTI knowledge, because not only are you studying a particular domain or multiple domains, but you're also tested on it. So part of that is you need to memorize certain aspects of cybersecurity. So once I decided, okay, I'll jump over into the CTI space, all those things helped me with that pivot over, but it was definitely a lot of evenings and weekends, because I was essentially retraining for a job whilst also moving into that job.

Pedro Kertzman:

So, yeah, a lot of additional time had to go into it, I imagine. And do you think you still nowadays use some of the more specific knowledge that you had before your, let's say, CTI migration, the more physical intel and stuff like that? Do you think it's still helpful to you nowadays?

Josh Darby MacLellan:

Yeah, it's kind of come full circle a bit because with the last few years, we've seen so many geopolitical disruptions that have bled over into the cyberspace.

Josh Darby MacLellan:

I really started to see this resurgence in geopolitical risk with the pandemic, and then, straight after the pandemic, we had the invasion of Ukraine. Then we've had the Middle East kick off, and people are getting worried about China and Taiwan. Each of these crises and situations has had implications on cyber or IT infrastructure, and I've started to notice more of a demand for CTI teams to also be analyzing the geopolitical drivers of different cyber attacks, more of a ramp-up in strategic intelligence, and then an overlap and blending of geopolitical teams with CTI teams. So yeah, a lot of the knowledge, a lot of the subject material that I studied back in university has proven itself very relevant. Beyond this, working in risk has also had a lot of benefits in CTI: understanding the risk equation, how we address risk, how we treat risk, what our options are, and then also how to manage risk. All of this has ended up being very relevant for the CTI space.

Pedro Kertzman:

It just helps illuminate more domains that you can bring in to ensure that you're a more well-rounded CTI analyst. Cool. And, you know, now, after a few years specifically in the CTI space, any type of advice, or a thing you would like to have known way back in the day when you first decided to do that pivot to the CTI industry?

Josh Darby MacLellan:

One thing that I wish I'd realized sooner is that you can gain hands-on experience in CTI without having a CTI job. Nowadays there are so many open source tools, and open source data that you can use inside of open source tools, like TIPs, for example, that you can actually go through the kind of analyst workflows that a CTI analyst does on a daily basis. You can run through investigations. You can run through intel analysis and assessments, and you can practice answering PIRs, or priority intelligence requirements, and RFIs, or requests for information, and you can essentially play the job of a CTI analyst in a much lower stakes environment before you start to apply to CTI jobs. I always thought that there was kind of a barrier to entry, like you can't start to do CTI until you have access to very expensive commercial tools or until you've done an official training course or certification. But nowadays, just with the abundance of open source information and open source resources out there, you can do it today.

Josh Darby MacLellan:

One reason why I also wish I'd known that earlier is because it gives you so much evidence and proof of your passion and interest in CTI. For example, nowadays I do a lot of interviews with people, and they say that, you know, this is what I've always wanted to do, I've dreamed about moving into CTI. If that's true, then there's normally some kind of evidence they can point to, like blog posts they've written, analysis that they've done, or online courses that they've taken that are either cheap or free. So doing the job before you move into CTI, I think it just gives you so much practice and so much evidence that you can point to when it comes to those interview-type situations.

Pedro Kertzman:

Awesome. That's my fault. I'm sorry I didn't release the podcast, or didn't think about the podcast, two years, five years ago maybe, because, funny enough, that's a common theme. Honestly, so far with all the guests, everybody's talking about hands-on experience with open source platforms, you name it: spin up a MISP server or anything like that. Right, getting hands-on experience. And we have so much OSINT, you name it, a bunch of threat intel information out there now, podcasts, so on and so forth. Yeah, 100%, and it's something which is kind of a shame.

Josh Darby MacLellan:

You often don't realize it unless you know people in the industry or until you start to work in it, and once you have the job, it's almost like the information is coming in a bit too late. I think, often, receiving that information that you can go and get practice right now is super valuable before you start to consider moving into a job in cybersecurity, especially because there's no greater way to find out if you are actually going to want to build a career in a certain job specialization than actually doing the job beforehand. And I think with cyber there's almost this unique position that, because there are so many open source tools and so much open source data, you can go in and run through the day-to-day workflows that you would do when you eventually get that job, but you can do it beforehand, and then you can assess, okay, is this engaging enough? Is this going to keep me captivated for the next two, five, ten years?

Pedro Kertzman:

100% agree, and that's probably one of the reasons I have the podcast now, because, honestly, with CTI we can keep going forever. It never stops. You mentioned the geopolitical interference now in our day-to-day activities and all that, so it's just fascinating, never-ending learning, and that's really good.

Josh Darby MacLellan:

Yeah, I'm sorry to interrupt, but it sounds like one of the motivations for the podcast is that you're making the podcast you wish you had earlier on. Is that right?

Pedro Kertzman:

Yeah, I mean, I think, as a subset of the industry, CTI is probably not the most mature one, so it feels like we have to have more blogs, podcasts, people talking about it, conferences, just more buzz around CTI. It's such an important part of the whole cybersecurity equation. I might be biased there, but to build a proper cybersecurity program without CTI as guidance on where to focus and how to prioritize, it's just going to be way more effort and you might not even get the best possible result. That's, you know, my little two cents, definitely.

Josh Darby MacLellan:

I attended a webinar by SANS and they were talking about the origins of CTI, and apparently the first Google searches for CTI started around 2013, 2014. So you're absolutely right, it's a young specialization, and I definitely think that CTI as a field has come a long way already, but there are still things that we can do to further professionalize the field. It's great to now see some certifications that are focused solely on CTI, like the GCTI. That's really cool, because there are so few rigorous certifications that are focused solely on CTI, and I really commend the folks who came up with that one, because it was much needed in our industry and I think it just helps mature CTI even faster.

Pedro Kertzman:

I agree, I agree. And other areas of expertise, you name it, firewalls, endpoints: I see those areas as pillars, you have to have those, but at some point they might look more like mechanics or logistics. You've just got to do and lift that stuff up, when, on the other hand, CTI will be more in the planning, the strategic side, where to focus and how to use that brute force, firewalls, endpoints, to do something that you need to focus on, kind of thing. So, yeah, I could not agree more with you, Josh.

Josh Darby MacLellan:

Yeah, on that vein, I think that's one of the big value adds of CTI. It's like when InfoSec departments want to move from being reactive to proactive, you need those teams that can bring you information and intelligence on attacks before they hit your environment. Otherwise, you're always just going to be one step behind the attacks and constantly in that firefighter mode, which I know is burning out a ton of teams right now.

Pedro Kertzman:

Yeah, that's a great point. So instead of waiting for people to hit you, analyze the logs and then react, you can do things before that happens.

Josh Darby MacLellan:

Yeah, exactly. Like analyzing the fist that's coming towards your head so you can dodge it quickly.

Pedro Kertzman:

That's a good example. Yeah. You were talking about conferences as well, and certifications. Anything top of mind, either conferences or certifications, that you think would be important for the listeners to know about?

Josh Darby MacLellan:

If you're early on in your cybersecurity career journey, and maybe you're considering moving into cyber or you're looking to move around inside the industry, SANS does a really good one, New to Cyber, and this is one that's, I believe, still virtual only, and they publish a lot of the talks on YouTube. So I came across this when I was quite early on in my pivoting journey, and I just went back through and watched pretty much every single talk that they published under the New to Cyber conference, and that, I think, is a fantastic resource for those slightly newer in their journey. Now, if you're already in CTI and you're looking to find conferences that are more focused on CTI specifically, then the SANS CTI Summit is a great one. It was just held in the US, in Alexandria, Virginia, and that was at the end of January to the start of February. And then there's also the FIRST CTI Conference.

Josh Darby MacLellan:

Last year it was in Berlin in April. Those are two conferences that I found that are CTI focused, and I'm on the lookout for others. So if any listener has heard of any other pure CTI conferences, please let me know. I'd definitely be interested in attending. But those would be my top three recommendations if you're either new to cyber or if you're more specialized in cyber threat intelligence specifically.

Pedro Kertzman:

That's very interesting. Yeah, I didn't know that. Thanks for sharing. So we mentioned quickly skills from a CTI standpoint, other than or including malware analysis. Any other top of mind skills that you think are important for a basic CTI analyst or CTI advisor, anyone in a CTI-related role?

Josh Darby MacLellan:

So the clue is in the job title. If you're going into a CTI analyst role, learning analysis based on best practices is super important, and I think there are different ways to approach analysis, but the ones that I find are most rigorous in teaching really good analysis are structured analytic techniques. This is a best practice in the CTI field that is gaining more and more exposure. More and more people are talking about it, and these are techniques that can really teach you how to approach thinking about information, analyzing it and turning that information into relevant, actionable intelligence.

Josh Darby MacLellan:

How much and how often you will use SATs does also depend on your job focus. For example, if you're a tactically focused CTI analyst and you're there to support incident response, the time you have to produce intelligence is going to be very limited, so you're less likely to go through some of the like deeper SAT exercises whereby you're thinking of different competing hypotheses. But for those who have a bit more time to do more finished, polished CTI products and services, that's where I think SATs can play a really strong role. So for people who are more focused on CTI, on operational intelligence and on strategic intelligence, I think taking time to learn about SATs is going to be super, super valuable, and also just operationalizing them in your day-to-day role will really help your analysis skillset.

Pedro Kertzman:

Got it. Just to make sure everybody knows: SATs, structured analytic techniques. Got it, thank you. And do you think any CTI hands-on type of role, CTI analysts on a more hands-on approach, would ever need to double-check, criticize or second-guess attribution in the information they're receiving from, you know, a feed, OSINT, a vendor, anything like that? Do you think CTI teams in general would go that deep to double-check attribution, to make sure that threat actor, for example, is really the one trying to poke into their environment or do anything?

Josh Darby MacLellan:

You've picked quite a controversial topic: attribution in CTI. This is a big debate over whether or not it's actually worthwhile and whether or not attribution is just a distraction. I know that we kind of have this obsession with knowing who did what. In particular, there are recipients of cyber threat intelligence who will ask, okay, well, who committed this? Do we know about them? And you'll get those threat actor attribution type questions.

Josh Darby MacLellan:

I think everyone in their own respective team and role needs to ask themselves the "so what?" question. If we are to attribute a certain intrusion data set to a known threat actor, what's the so what? If it can provide value, if that can actually help you do additional pivoting and analysis and understand broader campaigns and operations, then, yeah, it makes sense to dive into attribution. For many of us, it can be a bit of a distraction, and we get a bit obsessed trying to name or pin an intrusion to a certain threat actor, and often that process can be riddled with cognitive biases, whereby there's pressure to say or to label a certain threat actor, and then we go for one that we think it is, or that we have a suspicion it is, as opposed to one that we can prove with all of the available evidence is that particular threat actor.

Pedro Kertzman:

It brings up a good point. What do you see about collaboration? I think one of the things that would solve this type of problem would be more collaboration with people receiving that raw telemetry or breach information, if you will, instead of just doing attribution and releasing part of the information. If more stuff could be properly, safely shared with other vendors, researchers and so on, it could prevent this type of mismatching when it comes to attributions and so many other problems. How do you see collaboration happening right now between, again, researchers, vendors, end users or companies with CTI teams? How do you see collaboration nowadays?

Josh Darby MacLellan:

I think collaboration is a very important part of cyber threat intelligence and I actually think in the security industry at large we're quite uniquely positioned to collaborate with other organizations or companies that would otherwise be our competitors.

Josh Darby MacLellan:

So this is a link that I experienced in particular in the finance sector. I worked for one of the major Canadian banks, and there are five banks which are typically competing over everything. They compete over different markets, over market share, over different types of products, and they'll be trying to win over each other's clients continuously with new deals, new promotions, new credit cards. But with the security departments we had full permission to go and actually collaborate with these other banks and go and speak to their intel teams, and we would set up these information sharing groups, some more informally, some more formalized, thinking about the FS-ISACs of the world. It's created this space of collaboration whereby we're sharing information and intelligence on the attacks and intrusions we're seeing on our side, because we know that typically organizations in the same country, same industry, are going to be facing very similar threats. So if one organization gets hit, it is uniquely positioned to warn the other organizations about a threat that is more pertinent versus more generalized intelligence being published out there.

Pedro Kertzman:

Cool, awesome. And do you see any collaboration on the vendor side or research side, or more on the customer and user side, like you mentioned?

Josh Darby MacLellan:

I do see some for sure. It varies, though, as some CTI vendors are essentially in commercial competition with each other, so they'll be less inclined to collaborate. But saying that, I have come across numerous reports that are collaborative, either because they analyzed an extended data set together or because one organization published based on their intrusion data and then others took that and built upon it. So there is an element of collaboration. But I see a lot more with the in-house CTI teams, whereby it's a company that has its own infosec department and its own CTI team, and they are collaborating with other companies that have a similar profile to theirs, or function in the same region or industry.

Pedro Kertzman:

Cool. I think it might be part of the maturing of the industry as well. Yes, where I see vendors collaborating, like you mentioned, it's like a dark web scraping vendor plus an endpoint security vendor, because they're not overlapping each other much, so they feel more comfortable about collaborating on certain research or anything like that, which is not perfect, but maybe it's the beginning, right?

Josh Darby MacLellan:

Yeah, definitely, and it does raise a good point. We are seeing a lot of integrations between different, let's say, intel feeds and different threat intelligence platforms, or integration between threat intelligence platforms and SIEMs or SOARs, and a lot of these tool-based collaborations and integrations. They're recognizing that integration between two tools can be mutually beneficial as long as they aren't a direct competitor. So, yeah, good point there. When it comes to the tools ecosystem, there is also that opportunity for integration outside of a direct competitor.

Pedro Kertzman:

Awesome. And, from a skill or learning standpoint, any important soft skills or hard skills you think are a must-have or should-have for anybody in the industry or trying to get into the CTI industry?

Josh Darby MacLellan:

Yeah, let's start with some of the hard skills or the technical skill sets. I think there are certain foundations that are super important to learn in CTI, in particular learning how to analyze intrusions, how to take information and move it through the intel cycle. Those things are super important, and then understanding cyber attacks. So I think there are a couple of models out there that are super useful and still foundational in CTI, such as the Diamond Model and the Kill Chain. Getting to grips with these two, I think, will position you very strongly for CTI. In terms of the other hard skill sets, being a good investigator is super important, and this kind of straddles soft and hard skills, but having a curious mindset, combined with knowing how to pivot from indicators of compromise into other IOCs, building up more of an understanding of an attack, and then pivoting into understanding tools, malware, then moving more into attacks and campaigns, and then understanding different threat actors. I think that whole process of taking a small piece of data from an intrusion, knowing what tools and processes you need to run against it in order to add additional context, and then running through the whole process of continuously pivoting and analyzing, is super important. Now on the soft skills side, you know, ironically, they often say that soft skills are harder to teach, and I think that's definitely true in CTI. Your entire CTI process will fall completely flat if you are not able to communicate that intelligence in a way that lands with your stakeholders.

Josh Darby MacLellan:

I think investing in communication, whether that's written, verbal, presentations, etc., is so important, because our function is a support function. Generally speaking, CTI is supposed to inform decision-making and enable decision-makers to calibrate defenses to protect an organization and make it more resilient. You won't be able to provide good support if you can't communicate in a way that works for your stakeholders, or communicate in a way that the intelligence is received positively, or received and used effectively. So learning communication skills is super important.

Josh Darby MacLellan:

Beyond that, relationship building. This is a big topic. I don't like to say networking, because networking is kind of transactional and super corporate, but building relationships is something that has helped my career at every single stage. It's super useful in CTI because, as mentioned, it's a support function. We're supposed to be supporting other teams. Without building relationships, it's a lot harder to provide that support, and it's much harder to build a reciprocal relationship whereby you're receiving relevant, timely information and then also able to give good quality intelligence when it's needed. The ability to build good relationships, underpinned by communication, I think, are two incredibly important aspects of CTI.

Pedro Kertzman:

Awesome. Now I feel you. I was in a meeting the other day and somebody brought up that a big university actually has a meetup on how to make relationships and friends for, you know, young students, and I'm like, oh my God, it sounded like a...

Josh Darby MacLellan:

It's an interesting one, because I think it's shouted about a lot. You know, you go to LinkedIn, you look at different posts and articles published about careers and career advice. Everyone's saying, oh, you know, make sure that you network, build a brand, expand your network and impact, but so few people take the time to really walk you through how to, quote unquote, network and how to build relationships.

Josh Darby MacLellan:

To me it's like training any muscle. So few of us are born naturally gifted at communication in all of its different facets, or are instantly good at building relationships. And, like a muscle, it takes work and it takes continuous practice. It takes feeding your body with the right information to fuel those muscles, and then it also takes going out there into the industry, or the gym, to work it out. And then it's just constant repetitions, and things only improve if you're constantly gaining that exposure therapy and working through every single relationship-building opportunity, awkward or not awkward, to a point whereby you've gained good practice to be better at that particular skill set.

Pedro Kertzman:

100%. Awesome. And one big topic, especially within the overall cybersecurity industry nowadays, is AI. Any impact, insights, you name it, specifically about the CTI space, that AI is having?

Josh Darby MacLellan:

Yeah, AI. Everyone's favorite buzzword of the year. Yeah, it's an interesting topic. I think the most concise way to think about it is that it's a double-edged sword. I think it's got benefits for defenders and those in CTI, and it also has benefits for attackers. I don't think AI and machine learning have proven today to make cyber threat actors exponentially more dangerous. That could happen in the future, but right now we aren't seeing as much. I don't think cyber criminals and threat actors are fully utilizing the full benefit of AI, so I don't think we're doomed by it. But I do think it's incredibly important for CTI analysts to learn how to leverage AI and machine learning tools.

Josh Darby MacLellan:

I was listening to a podcast with Scott Galloway, and he was talking about that: your job won't be replaced by AI, but it will be replaced by someone who can use AI. So when we think about a CTI analyst, it is an incredibly tough job, and there is so much information to process and exploit that if you're doing this all manually, with minimal automation and with minimal assistance from machine learning tools, it's going to be incredibly challenging, and then you'll be out-competed by someone who's faster because they are taking full advantage of the full suite of tools out there. So I would say it's a double-edged sword. It presents a risk to CTI analysts who are more resistant to using AI tools, and I think it's got huge potential upside for organizations and teams who are looking to incorporate it to speed up their pace of work and make them more effective.

Pedro Kertzman:

No, that's a great point, I think. On the other topic as well, we were talking about communication. Right, sometimes, especially now, the LLMs we have can help with writing better emails, more engaging emails, better communication. If you're a tech guy, a super nerd, but you're not there yet from a communication standpoint, maybe they can leverage that to write good emails, you know, engaging emails and so on.

Josh Darby MacLellan:

Yeah, I do think that it can help do some of the heavy lifting when it comes to writing.

Josh Darby MacLellan:

It's also a great way to edit and check work, but what I've noticed is that nowadays, currently, people can spot when something is AI written or generated, generally speaking. So I do always recommend: use AI tools for the heavy lifting, but make sure that you're still adding your own kind of humanized flair to it and give it your own style, your own tone and your own voice. The other thing that I should add is AI tools are incredibly helpful for people whose first language is different to the language they work in, or vice versa, and they've got to come up with reports that either translate material from other sources, or they are trying to come up with reports in a language which they've got less practice in. AI tools are a great way to translate things and to also act as your own editor. They can do it incredibly quickly. So that, to me, is one huge benefit: it does kind of open up different opportunities to work in languages that might not be someone's strong suit.

Pedro Kertzman:

Got it, thank you. Any pitfalls you've seen along the way, either creating a CTI team or trying to advance the team to, like, a higher level? Any pitfalls or things to mention so that people maybe don't repeat them?

Josh Darby MacLellan:

One of the biggest things I think CTI teams are being tested on right now is proving their value and shifting the perception that they are a cost center that's expendable. This was one thing that I really liked that came up at the SANS CTI conference this year: rethinking CTI as supporting decision-making and taking it a step further by viewing it as an essential tool in organizational resilience. Right now I've noticed some CTI teams are going through layoffs and cutbacks and they're having their tooling reduced because, number one, they're expensive, but, number two, they haven't been able to translate their value into a language that decision makers and business leaders understand. So for me, it's an ongoing struggle, but incredibly important for CTI teams to be able to demonstrate their value, do good work and then tell everyone about it. I think it's again why communication is so important.

Josh Darby MacLellan:

It's because if you're doing the best high-quality analysis and assessments and that's helping to prevent different attacks and future intrusions, if you aren't giving that message to the right people, they'll still hold that perception that the CTI team is not as essential as our other cyber teams. They're a nice-to-have staff that we can get rid of if we need to. So that's one of the biggest pitfalls that I see with CTI teams: they're struggling to communicate. Well, first quantify and then communicate their value. And I'm glad that this is starting to get recognized more and more, because I've started to see more conversations around KPIs, metrics and KRIs, and CTI teams are starting to adopt them, which I think is definitely needed if we want to avoid and develop through these pitfalls that CTI teams are facing.

Pedro Kertzman:

Awesome. It feels a little bit, thinking of an org chart for CTI teams, that if we have, across the board, management, even the highest rank for a CTI leader in the organization, if we're just looking for people from technical backgrounds, super technical, skilled people, but they don't know how to properly, quote-unquote, sell the value or the worth of their team, it might not be, like, a long-lasting initiative. What do you think?

Josh Darby MacLellan:

Yeah, that's a really good point. How many folks in CTI know how to sell? Obviously vendors are a different story. But thinking about the in-house CTI team, how many of them have got practice at selling the value of their program to people outside of cyber? And I think that's also why there is a role for translators in CTI teams: the people who pivoted from other sides of a business into a cyber threat intel team, because they will know a language outside of CTI and outside of cyber. And typically a lot of decision makers and executives, their language is around risk and dollars. Their language is less around threats. So having some people on your CTI team who can speak that language is incredibly important. And then again, having people who can sell, that's massive.

Pedro Kertzman:

Awesome. And what about the future of CTI? What would be your vision for it? If you're going to throw out some predictions, you name it, how do you see the industry moving, some trends around it?

Josh Darby MacLellan:

I think CTI is going to go through a bit of a struggle in the short term. I think the next four years are going to be incredibly volatile and I think that there could be some economic pain, and in those situations, some CTI teams will come up to battle with the problem of proving their value. But once we have worked out and refined ways for CTI teams to communicate their value effectively, I think CTI has some very green pastures ahead of it. Thinking about the threat trends we're seeing, cyber attacks aren't going away. They aren't decreasing in their volume or severity. We're seeing the opposite, and at the same time, we're seeing a more fractured geopolitical landscape, and with more fracturing comes more potential tension points and flash points. So, with that in mind, I do think that CTI does have a very strong future, and through these crises it's gonna be in demand, as organizations will always want to have foresight and understand situations that could impact their organization.

Pedro Kertzman:

Awesome. Any technology in particular, or type of technology, I should say, that you think is something to look at for CTI teams?

Josh Darby MacLellan:

I would take full advantage of the machine learning and AI tools that are being made commercially available at a very inexpensive price. Test them to see which of your workflows they can help speed up and what the limitations are. I don't think any of the tools like ChatGPT, Perplexity, Claude, et cetera, can do useful, actionable intelligence analysis that will help your organization, primarily because they don't have all of the data and the understanding of your internal organization. But there are certain aspects of the intel cycle they can really help with, and it's worth exploring how you can quicken your collection, structuring, processing and exploitation of data. That gets everything ready for the human analyst to do the analysis stage. I think that's where there's a lot of potential value add. So I would encourage teams to take full advantage of these tools that are being published continuously, because threat actors certainly are, and we need to be moving at least in lockstep with them, ideally one step ahead.

Pedro Kertzman:

Awesome, Josh. Thank you very much. Super insightful conversation. I really appreciate it. Any closing thoughts?

Josh Darby MacLellan:

My closing thoughts are: cyber threat intelligence is an incredibly interesting field. The threat landscape is shifting so much and you spend your time analyzing new types of attacks and new types of attackers, and this, I think, keeps it incredibly stimulating intellectually and challenges you to be continuously increasing your skills and your tradecraft, because you aren't just in competition to meet certain quotas or to hit certain revenue each quarter. You're in competition with the threat landscape and with threat actors, so it keeps things incredibly interesting. So for anyone who's curious about CTI, I strongly recommend diving into it, learning more, spending time on some of those online conferences and online courses, taking advantage of open source threat intelligence platforms and open source data feeds, and really getting to grips with what the day-to-day looks like for a CTI analyst.

Pedro Kertzman:

Awesome. Thank you again, really appreciate it. Super insightful conversation, and I hope I'll see you around. Thank you.

Josh Darby MacLellan:

Definitely. Well, thank you so much. Bye for now. Bye.

Rachael Tyrell:

And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise who would like to be interviewed on the show, just let us know. Until next time, stay sharp and stay secure. We'll see you next time.