Cyber Threat Intelligence Podcast

Season 1 - Episode 9 (Pedro Kertzman & Scott Scher)


What happens when traditional intelligence methodology meets modern cybersecurity? Scott Scher, CTI Associate Director with expertise in nation-state threat actors and cybercriminal groups, reveals a powerful perspective: successful CTI professionals are intelligence analysts first and cybersecurity specialists second.

Drawing from his background in international security policy and experience across government and private sectors, Scott breaks down the critical distinction between collecting data and generating actionable intelligence. He unpacks how established intelligence frameworks provide the foundation for effective cyber threat analysis, while the technical cybersecurity knowledge can be built on top of this analytical foundation.

Scott shares practical wisdom on building effective CTI programs, beginning with establishing clear processes, creating functional data pipelines, and most critically, understanding stakeholder needs. He explains that many organizations fall into the trap of overcollection – gathering excessive threat feeds without the capacity to transform them into actionable insights. Instead, he advocates for regular evaluation of intelligence sources using frameworks like the Admiralty Code to assess reliability and value.

The conversation delves into the crucial difference between threat (composed of intent, capability, and opportunity) and risk (which incorporates business impact). This distinction becomes essential when communicating with executives who need to understand potential consequences in business terms. Scott provides concrete examples of how to tailor intelligence for different stakeholders – from tactical information for SOC analysts to strategic insights for CISOs making resource allocation decisions.

Whether you're building a CTI function from scratch, looking to improve stakeholder engagement, or seeking to make your intelligence more actionable, this episode offers a masterclass in intelligence-driven cybersecurity. Subscribe now to learn how to transform technical threats into business insights that drive meaningful security improvements across your organization.


Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure!

Scott Scher:

Being an intelligence professional first and a cybersecurity professional second.

Rachael Tyrell:

Hello and welcome to Episode 9, Season 1 of your Cyber Threat Intelligence Podcast. Whether you're a seasoned CTI expert, a cybersecurity professional, or simply curious about the digital battlefield, our expert guests and host will break down complex topics into actionable insights. On this episode of Season 1, our host Pedro Kertzman will chat with Scott Scher, who is a CTI Associate Director but is also a trained CTI analyst with expertise in nation-state threat actors and cyber criminal groups. Scott spent many years combining his education in international

Pedro Kertzman:

Scott, thanks so much for coming to the show. It's great to have you

Scott Scher:

Yeah, Pedro, thank you so much for inviting me out. I look forward to our conversation today.

Pedro Kertzman:

Awesome. Usually I start asking the guests their journey into CTI. Would you mind walking us through that, please?

Scott Scher:

Yeah, of course. So actually, I might be one of the few people who could say I knew I wanted to go into CTI, or at least the cyber kind of policy world, before actually kind of starting that journey. My journey really started, I spent a handful of time living kind of in a non-technology based kind of environment. I'd spent a few years kind of living off the grid for a little bit. And after doing that, kind of realized that most people weren't really prepared to survive outside of modern convenience, right? The technology we use every day. And then I started asking myself, okay, well, what do I want to do with the rest of my life? And, you know, what am I good at? You know, it's, hey, politics and policy is kind of my background. And then realized, hey, you know, I like technology and cyber, and knew that cyber kind of existed and knew this was a thing, right? This was the late 2012, 2013 time, and it was, okay, well, I think this is what I want to do. So I went to university, you know, to study political science, international security policy and public policy, all with a focus on cyber security. So that was really kind of my journey. It was kind of roundabout, but directed towards cyber, and everything that I did kind of moved me towards getting into a CTI analyst position.

Pedro Kertzman:

Oh, that's awesome. That's awesome. And, you know, if we were thinking about, like, pivoting from a political or studies background and general intel type of role into something more specific, like a CTI-specific type of space, like intel first and the cyber aspect of it second. Any insights on how to do that move, or that you learned doing that move?

Scott Scher:

Yeah, absolutely. So, yeah, I like, you know, you use the term that I kind of like to talk about and say a lot. The way I was taught and trained to do intelligence and do CTI work, and my team, one of my old teams, we really kind of all focused in on this, was: we are intelligence professionals who do cyber security; we're not cyber security people who do intelligence. And kind of what we mean there, right, is intelligence has been around for decades, right? The intel community, the way you do intelligence processing, analysis, the life cycle, all of that is really well developed and not new. And that is the foundation of really all the intel side, right? Even on the CTI perspective, it's really understanding how to do that intelligence, how to process the information that you're getting, turning it into something that's actionable, relevant, timely for your stakeholders. That's really the key. And then you learn the cybersecurity aspect of it as you go, right? You learn the technologies, which are super important, and you need to understand how computers work and that foundation there, but you do it from a lens of here's the process of intelligence and analysis work.

Pedro Kertzman:

Got it. And then you add up the cyber aspect into that solidify.

Scott Scher:

Exactly. You add the cyber, the specific threat actors, right? It's really the idea that you can, as an intelligence professional, right? Intelligence can happen in lots of different industries, different subject matters. It could be a geopolitical intelligence analyst. You could be, you know, a cyber analyst. You could be, you know, in any of these kind of spaces and kind of move around. And it's really the process that it's driven by. And then you can, you know, you have to add in that topic there: who the threat actors are, how they do what they do, their behaviors, their tactics, techniques, procedures, all that kind of stuff.

Pedro Kertzman:

Yeah. Military weapons,

Scott Scher:

military technology assessment. That was, you know, some of the education background, you know, that I spoke about was specifically around, you know, how do you compare systems to each other, right? Like, is it important to buy a new F-35 or buy 15 F-15s, right? Like, where's the technical capability there? So the analysis is really the same.

Pedro Kertzman:

Awesome. And then you're mentioning about your teams and building that around the intelligence framework and expertise. From a CTI perspective specifically, any do's and don'ts or best practices on how to start a good CTI program, solidify it, and how to make sure CTI is properly understood across the board?

Scott Scher:

Yeah, that's a really good question and something that luckily a lot of my work experience has kind of been around. A lot of the teams I've been on and joined have been either brand new or fairly new, and a lot of it is around building that program. Awesome. So the first thing I would say, probably the most important thing, is really getting a handle on your process. And that can be something as intricate as, you know, going through the entire intel lifecycle and building specific processes for each step, you know, and going through. But it's really getting your idea of, you know, how you're going to do intelligence as a team. And, you know, that's sometimes bespoke. You know, every shop kind of has a different way that they sort of do intelligence, but it's all based on that, you know, what we talked about earlier, you know, that foundational, you know, analysis process. But it's really defining all of that, and now, into the CTI spaces, defining your data models, right? Like, how are you defining terms? You know, how are you doing the analysis work to, you know, link threat actors together? Like, what does attribution kind of look like for you? How much of a, you know, kind of like thinking quantitatively, is like how much of an overlap do you need in order to understand that this might be related to this other threat actor? It's really that first piece, that is building that process. Some other really good pieces there are just your pipeline from your collections all the way to your finished product and your output. Really being able to understand that whole process start to finish, what it looks like, where you're pulling all your data sources from, and then what you're doing with them, because that's the most important. A lot of places, we tend to collect a lot of stuff and then it's, oh yeah, there's these 150 reports that I have on my desktop that I've never opened and read them over, you know, I'm reading them here and there.
It's, you know, making sure you have that, you know, start to finish. And then it's really understanding your stakeholders, right? And I think this will lead into that last piece of, you know, that question of how do you, you know, kind of make it understood across the board, you know, from your stakeholders, is getting to build those relationships and understanding your stakeholders, right? We talked about in CTI intelligence requirements, right? You're, hey, how are you understanding what it is that your company, agency, whatever it might be, does, what it does, and how do the individual teams that you are there to support, how do they do what they do? What are their main metrics of success? What are their obstacles in order to achieve their mission? Really getting an understanding of what intel can provide to make their job easier, better, more effective, because that's really, in the end, we as intel professionals, we're a support function, right? I know, and I more so maybe than others, like I like to be, intel's in the lead and we're in the front and we do everything. And that is kind of the model now, right? That, like, threat informed defense and intelligence led penetration testing and all these new things that are coming down from regulators and frameworks and all that. But even with that being said, yes, we may drive that action, but it's really to drive the capabilities of those teams that we're there to support.

Pedro Kertzman:

That's great to hear. And if I can maybe break it down into two separate topics that I heard you mentioning that I think are super important. First one is, it doesn't matter the amount of information you're receiving, if you're just piling that up, it's not actual intelligence per se, you're just receiving feeds and reports and all that. If you don't actually transform that data into actionable something, it's not actually intelligence, right? So you cannot produce an action coming from that pile of data. Any pitfalls around that, you name it, open-ended feeds, piling up feeds or piling up reports, any pitfalls on those aspects or any other consumable source of information that maybe avoid this or focus on that type of approach?

Unknown:

Yeah.

Scott Scher:

That's another good one. Actually, I really do like the way that you broke it down there, drilling that question down a little bit more. With pitfalls there, I think the first and foremost is the over-collection piece of it. I think that is a big pitfall that we all fall into: we need to collect everything, or we need 100 data sources, and we need every threat intel vendor, and we need all these things. If you're not doing much with it, to your point, right, it's not actually intelligence, right? You're collecting data, you're collecting information, but you haven't transformed it or you haven't analyzed it and turned it into that. So really that first piece, and the best way to kind of, you know, approach that is, you know, kind of narrowing your sources down. Go through your sources and, you know, do an efficacy of them, evaluate what you actually are collecting from them and how often you're using it, what it's being used for, right, to what we talked about a little bit earlier of having that start to finish, you know, end to end understanding of your process. If you are tagging your reports with their sources, you can go in and see, hey, how often do I use this source? Maybe I don't need it anymore. Or maybe it only gives me a little bit of data that's actionable every once in a while, but the actions are really, you know, high value. You know, those are all kinds of things to think about. What I would also say is, when looking at that, you know, I always kind of move towards a little bit more on the quantity over quality piece of it is, you know, even if you only have a handful of sources, if they're all providing actionable, you know, data that you can then turn into intelligence, or at least turn into something that is usable for your stakeholder, then they're of value. And you may not need more. Obviously, the more mature you become, the more data you can be able to consume.
But until you get to that point, it's always better, I think, to start slower than it is to start and move too fast. Yeah. Yeah, was there any other questions around that, kind of like the collections and the pitfalls, or anything that I didn't answer?

Pedro Kertzman:

Now that you mentioned this particular piece, is there any recommended framework on how to analyze the efficacy of a given data source? NIST? Yeah. Any other publications around that that you would recommend to the people listening that want to kind of fine-tune their collection of data and trim it down to the most useful ones? Any recommended frameworks or standards to put as a filter through their collection of data?

Scott Scher:

Yeah, that's really another really good kind of drill down on the topic for the audience. So what I would say is, the first piece on just the value of the intelligence and how much it's being used in action, that's really something you probably want to build internal, right? Because action is, you know, relative, right? Like, or like value is kind of relative to your organization. So, you know, an IOC feed could be valuable, even though, like, we always say IOCs aren't, you know, always valuable. They have a value. They're just not maybe as valuable as some other things. And if you're feeding your defense teams with good, actionable indicators of compromise, that is a valuable piece of intelligence that you're providing, right? So it's not always good, bad there. So one piece, make it internal, but the advice I would say is, again, mapping it to actionability and relevance and that seed. The other thing in terms of actual frameworks, not so much for the value of the source, but really a little bit more in the reliability of the source, but it also gives you inputs for value as well, right? Like, it kind of is built in there, and it's the Admiralty Code. It's what NATO uses for their sourcing. It's all public, open, you know, you can kind of pull it down, something we built in, right? And it basically gives you a ranking system to say, this source is reliable, this source is highly reliable, right? Like, it breaks you down all the way to where, you know, value as well, like they're trustworthy. Same thing: we use it not just on sourcing, but I've used it and recommend using it for, you know, when you're evaluating threat actor claims, right? We deal with a world where there are criminals, cyber criminals out there who are saying they do things, and they don't always tell the truth, right?
So there are times when, you know, a threat actor posts someone's data on the internet and says, hey, we compromised this organization, or we did this website defacement or this DDoS or whatever, you know, their kind of, you know, bread and butter is as a, you know, their MO is as a threat actor. And I've used it for validating or, you know, evaluating their reliability, their trustworthiness. How often does this threat actor actually have the data that they claim to have? How often have they actually done successful operations against a sector, or things like that? So you can use it that way as well. That is what I would say is the best framework for evaluating how much this source provides you value.

Pedro Kertzman:

That's awesome, thank you. I heard the other day somebody say, how could you not think threat actors would sometimes try to sell snake oil as well? So all those claims like, oh, we got X amount of terabytes of information. Like, come on, you have to validate that.

Scott Scher:

These are criminals, right? Like, should we always trust them? Maybe not. Unfortunately, sometimes they're the only source that we have to go off of. But again, it's while you're tracking, right, which is part of your analysis and, you know, the core of your CTI function. Like, you're probably tracking threat actors, you know, even, you know, depending on the maturity of your organization, the individuals in forums talking, you may know and track certain ones. You can evaluate them in the same way as you do your legitimate sources and say, this threat actor is usually telling me the truth. They're an initial access broker and they usually do have access. So when they make a claim, I'm going to trust it a little bit more than I would someone else, or something like that.

Pedro Kertzman:

Absolutely. Yeah, that's a good point. If they are one of those pieces of the puzzle, like just an info stealer, initial access broker, so on. So those guys trying to sell stuff to other bad guys, yes, they might rely more on their credibility, so they need to be careful, but still, they are bad guys. So you need to always validate if their claims are actually true or not. Coming back to the first initial breakdown of that previous topic, you were talking about stakeholders, right? Would you mind expanding a little bit more on that? Like how to, quote unquote, sell CTI internally for different stakeholders, strategic level, executive level, you name it, internally, in general, any best practices around that?

Scott Scher:

Yeah, so in terms of just kind of, right, like selling CTI, right, that is, it's the nature of the intel space, right? Even internally, we're doing the same things that all the other, you know, customers, you know, salespeople and vendors and all that are always doing. How do you sell your service? Because, and that's really the way we should be thinking about it. And the reason I say that is because that gets at the heart of answering this question: think of yourself the same way marketers think, like the marketing team and the communications team. Your job is to market CTI, right? Like you need to get your stakeholders to understand that this is something that is valuable, and that this is something that they want to consume and they want to participate in, and they want to go to you to ask questions instead of going somewhere else or figuring it out on their own. And, like, you need to sell it, right? So part of that is, you know, what I mentioned earlier, is understanding their needs. Right? Like again, think of yourself as a support. You're there to sell your service. So one, your service needs to be pretty tight, right? You need to have a good understanding of what it is, how you do what you do, so that you can sell that. Second, that process piece, right? Like having that process really understood and defined, it's very easy to go to a stakeholder rather than, you know, which is how a lot of us do intelligence requirements gathering, which is kind of how you get at understanding your stakeholder and their needs and their pain points and all of that. Instead of, like, a lot of times we go to them and we say, what are your intelligence requirements? And they say, I don't know what an intelligence requirement even is, because this is the first time I've ever talked to someone who's got intelligence. I don't know what you mean. So not always directly asking them.
Sometimes, right, the maturity of your organization, you may be able to go in and just ask for, or eventually get to a point where you can just have a conversation about, intelligence requirements. But it's selling it that way. So using the terminology they may be familiar with, it's getting them, kind of like we're doing right now, and just having a conversation about, well, what do you do here? How do you do what you do? You know, all that kind of stuff to get those intelligence requirements. But it's also around, you know, what makes it easier sometimes, when you do have that process built out, is going to them and saying, we offer this, right? Like we, as the CTI team, can do, you know, cybercriminal underground monitoring, right? Or DDW, depending on who you talk to, they may use a different term. Or, hey, we can provide threat actor profiles on the most relevant threats to our organization. Or, you know, we can do, you know, enrichment of case data that you're seeing for the actual, like, you know, incidents that are happening or the activity that's coming there. Basically offering your services the same way you would in a catalog, in a menu, in a vendor, you know, system. This is what we offer, rather than always coming and being like, tell us what you want from us as the CTI team. Because a lot of times they don't know. So again, it's...

Pedro Kertzman:

No, I love it. Yeah, it reminds me of the famous Henry Ford quote. If I asked people back in the day what they wanted, they would say faster horses, right? So that's super interesting, insightful, to understand your audience's own goals.

Scott Scher:

Absolutely. Understand your audience, right? That is the key. And I think that dives into that last bit of, you know, particularly how do you do this to senior leaders, or in a more executive or strategic kind of a stakeholder. It's really, what I would say is, and sometimes some people may think of it this way, sometimes it kind of gets lumped together, but when it comes to intelligence work and CTI, there's your tactical, your operational, and your strategic, which is kind of what we're going to focus in on. But there's also a piece that could be kind of sub-strategic, which is executive. I know sometimes that might not seem like they're different, but they could be if you want them to be, and they don't have to be, kind of thing. It's, you know, kind of how your shop may do things. But in terms of, you know, the idea of executive, it's what is most relevant to the business in terms of business, right? And what I mean by that is, what is it that your company, your organization, what do you do from a business perspective? And how does all of this CTI stuff that you're talking about, how does it translate to business? Is it business impact? Is it, you know, hey, we're talking about ransomware, we're talking about this, like, what's the dollars, right? Like business likes to talk about money, right? Like a lot of your senior stakeholders, your executives are going to be, if it's not the CFO, right, like you're going to be tied into what the finance officer is thinking. And they're thinking, how much is this going to cost us, in whatever, you know, stance that might be?
That could be resources, downtime, whatever. And then how do you translate it into that? How do you translate what you're talking about from a cyber threat, right, threat actor is, you know, likely to target our organization because of blah, blah, blah, like, what is it, like, how does that translate to business risk, right? Like one of the key stakeholders is your risk team, and it's understanding, like, what's risk for the organization, how do you translate threat into the business side of your organization. And I think that's really what it comes down to.

Pedro Kertzman:

Perfect. No, that's super insightful. Thank you. To maybe follow up on that, you're mentioning risk, right? And that's, I would say, with risk, combining risk with dollar value, sometimes it's, quote unquote, easier to communicate with the higher levels of the organization.

Unknown:

Yeah.

Pedro Kertzman:

How do you explain the differences between threat and risk? How do you start migrating maybe from threat to risk, or tying those things together, when you're going to explain this to the stakeholders?

Scott Scher:

Yeah, so that's a really good question. That's a really good one that we should definitely talk about. First thing I'll say is threat doesn't actually equal risk, or doesn't always equal risk. They're not always the same. They can be, but I think they sometimes get misused or become synonymous for each other, and they're not always. Threat is a key element of understanding risk, but it's only one piece of that, right? It's not the same. And in terms of that, right, like what that really means is, you know, something could be a high threat, but it might be a low risk, right? Like threat is really the idea that, you know, and I'll break the formula down just because it's the kind of way to look at threat, and this may be different for everybody, but threat is a combination of the intent, so it's understanding the threat actor, it's their intent, their motivations, like why they're doing what they're doing, what is it that they're trying to do; their capability to do said thing; and then their opportunity to do it, right? Like those are really the three: the intent, capability, opportunity. And that kind of breaks down to any number of things, right? You have the motivation of what they're trying to do, whether they're financially motivated, espionage, whatever it might be. The other component of intent is, would they do what they try to do against us as an organization, right? Like if they're an espionage actor who's going after, you know, grants and research, maybe if you're a finance organization, they're not likely to want to target you specifically, because you don't have the thing that they want. So they may be capable and they may have an opportunity, but they don't have the intent to go after you. So, you know, that's how you kind of do the threat. The risk piece is really, okay, let's say they have intent, capability and opportunity, some, you know, measure of that.
And now you've come up with a threat assessment, and now it's, well, what is the negative consequence of this thing happening, if it happens? And that's really where you get into the risk, right? The traditional is just the impact, right? Like that's kind of how you talk about risk. But what I would also say is impact and likelihood, which are very much the major components of risk, play a lot into threat as well. I use those for my assessments also, with, like, you need to have some understanding of that to say that something is, with whatever confidence you have in the data, that is the level of threat that it is. So it's not exclusive to risk, but the thing that I think is exclusive to risk is, how does this, what's the negativity from, or, like, you know, the consequence here for us, right? If a threat actor has intent, capability, opportunity to do something and they do it, what is the actual, like, outcome of that? Is it reputational harm? Is it financial harm? Is it our business goes down and we go out of business forever? Is it, you know, lives lost in certain situations, right? Like depending on the industry, depending on, you know, the threat actors and, you know, where this is, if it's, you know, kinetic space, if it's a hospital, things like that. You know, working in government for a while, right, like this was, like, you know, you're taking care of, like, the energy, you know, or the water for a company and things like that, you know, for a city. There could be very high risk, then it can be very low risk, right? Like if, hey, this is a threat actor and they, you know, deploy malware or whatever, but they target HR systems, right? It's like, okay, cool, maybe that's not as bad for you as an organization than if you're ICS, if you're also in, like, you know, that space goes down. So that's really where the risk is. It's like, how critical is the thing that's going to be impacted, or the action on objective that the threat actor takes?
How is that going to impact us?

Pedro Kertzman:

Yeah, no, that's perfect. And it kind of reminds me, we spoke a few times on other episodes, of course, especially when we're talking about the cybersecurity space, CTI has got to have a lot of technical understanding of what's going on. So technical people, you know, reverse engineering sometimes and all that. But if you don't understand your own business and are able to translate stuff back and forth, especially when you're talking to stakeholders, who, as you're mentioning, are probably more aware of risk only, not threats but risk only, and the dollar value associated to risk, if you're not able to translate there, you're going to probably be talking gibberish to people and they won't basically get your back, right?

Scott Scher:

That is exactly right. To, you know, a lot of, I think a lot of what we've talked about kind of led us to where we are right now in the conversation, right? That is right. Intelligence needs to be actionable. If you don't put it into, and you don't understand your audience, you don't understand your stakeholders and the business piece that they do, or their component of your organization, then it doesn't become actionable. Right? If they can't understand it, or it doesn't translate, not physically translate, but it doesn't, like, translate in their minds to the thing that matters to them, or their grasp of it, then they're not going to action it. They're not going to know how to action it. Right? Like there's any number of things where it's not, you know, you never want to attribute malice to, you know, a mistake, like, but there's always that piece of it, of it can't. And then it's not intelligence anymore. Right? If it's not actionable, like even if you write this amazing threat intel report and it hits every mark of what CTI should do, every single component, everything in there, and then you give it to the person as a senior leader or, you know, right, we're talking executives and strategic, and you give it to somebody who needs to make a security deployment decision on, like, should we buy a tool, should we not, you know, or whatever, and they don't understand all the stuff that's in there, then it doesn't really matter, right? Like, it's cool, you wrote this awesome intel report and other intel analysts are gonna read it and be like, this is great. And then the person making a decision is like, ah, yeah, I didn't understand that this, oh, you meant that if we don't deploy this technology we're gonna lose a million dollars, like, oh, I get that.

Pedro Kertzman:

Yeah,

Scott Scher:

exactly.

Pedro Kertzman:

That's a perfect example. Next time you write a report, you put something like this: if we don't do this, people in the hospital will die, right? Or, you know, we're going to lose a million dollars if we don't do this. So if you write, you start with something everybody has probably heard of, an executive summary, you start with that.

Scott Scher:

That's the risk. Yeah, always, right? Like for intel writing, we're the bottom line up front, right? Like, put the most important piece of information in the very first sentence of every single paragraph that you write, right? People usually think of it, oh, executive summary. You put all the important information at the top and then you talk about all the rest. And that is absolutely the structure and truth. But you should be, especially as intel analysts, right? Like we're writing, you should be writing every paragraph as a BLUF, right? The first sentence of everything you write should be the most important thing they need to know. So if they don't read any of the rest of the six or seven sentences in your paragraph, they know the thing they need to know, right? Hey, this is going to cost X amount of dollars, or this threat actor is going to cause this impact, or whatever it might be.

Pedro Kertzman:

Yeah, and I agree that you can never control their decision after they're reading a report, but at least you know they saw that, right? That's the quote-unquote main goal. Make sure they know it, right? That's the risk. If we don't do this... The likelihood of having this risk coming to fruition is this or that, or those are the consequences that we could face if that happened, kind of thing. No, that's perfect. So you're mentioning understanding your stakeholders' goals, their metrics, their own metrics. Do you think it would be valuable for other CTI leaders to actually go in and, quote-unquote, interview their peers or the other stakeholders to better understand what their motivators or triggers, metrics, so on and so forth are?

Scott Scher:

Yeah, absolutely. So that's actually, you know, if anyone who isn't a CTI person is listening to this, you know, in the future, what you just asked is what the term intelligence requirements gathering really means. It means go interview your stakeholder and find out everything you can about them and the things that they do and why they do it and how well they've been doing it, what's been causing them, you know, problems in there for their team. You know, one of the things I always like to ask about is their pain points or their obstacles. What is preventing you from doing the things that you need to do? Because there may be a place for CTI to be like, oh, actually, we can help. If you're not getting something you need, maybe CTI is the team that can help give you that. Is there an obstacle that CTI can help support? So yeah, the interview piece, that is really the key there. And it's around building a relationship, which is the first piece of it, but then it's asking the questions to get to really understand their function, because that's really what it comes down to, right? It's understanding what your stakeholder does. And then it's also trying to understand how they do it.
And then it's understanding what causes them to do it, right? Their triggers, their inputs, whatever it might be. Because then from the CTI perspective, you want to tailor the way you support them into that, right? You want to say, okay, your function is, you know, if you're a SOC, it's, you know, first-line defense of the organization. So that is the function that you do, right? And then how you do it: where are your runbooks, what are your playbooks, what is your actual process from start to finish of, hey, an alert comes in, what do you do with it? Like, what's the process? And then the other piece is, okay, well, what triggers your action? For the SOC it's easy, right? An alert comes in, you see some kind of malicious activity, whatever it might be. So then from CTI we understand that. We can then go in and say, okay, we wouldn't necessarily be a trigger or an input, because we're not going to give you alerts and things like that, but maybe we can come in somewhere in your process, right? Like, this is where CTI should be and this is where our intelligence should go. And depending on what that process is and where it is, we would tailor, and that would dictate the format that we give you intelligence in or the type of intelligence that we give you, right? For the SOC, it's going to be more tactical, but is it tactical in a report? Maybe not, right? That's probably not super useful for the SOC analyst trying to determine if the activity they're seeing from an alert is bad or not, to go, okay, let me read this report, right? Even if it's a short report, it's like, I don't have time to do that. Maybe it's, you know, here's a detection rule, or here's, you know, TTPs that are associated with, you know, the types of alerting that you're getting, right? Like, and I use the SOC just because they're an easy example. They're an easy support from CTI to their team.
But one of the things, and I can give like a concrete example here of kind of how we can do this pretty well, is working with the SOC to understand, well, what types of alerts are you seeing on a daily basis, right? Like, take a month of activity, like sit with your SOC manager and talk to them and be like, okay, over the last month, what alerts were investigated, right? What true positives were actually looked at, right? Not incidents, you know, depending on how you are, you may classify something an incident, someone else might not. Like, let's just say the things that were activity that caused your team to investigate and look at and make a decision on. What you want, right, like the intel should be supporting that, right? If we as the intel team are constantly writing reports about, you know, some keyloggers or, like, some random threat actors who do something, and none of the alert activity that the organization sees over X amount of time that you review ever has anything to do with those threat actors or that type of malware or whatever it might be, then you're not really providing much support for that team. Now, that might be useful for a different team, but maybe you don't need to give them all of that. Maybe you're seeing, which every SOC is seeing, right, loads of phishing activity, loads of weird logins, like all this weird stuff, right? Like, maybe the intelligence you provide to those teams should be geared towards those types of alerts. Because then it actually, hey, we actually have intelligence that might help us make a decision on, is this bad? Is this good? Like, what does this activity look like? Is it something we need to escalate? All of that. And that example actually feeds me into, right, like an example with another team, right? Like, you should also be working with your detection engineers, right?
The people who are designing the alerting rules and the detections and security policies you have in place, because your intelligence should be geared towards that, right? Like, you should be helping them design true detections for the type of activity that is coming across the wire on kind of a daily basis, or, you know, whatever the cadence is. And you do that across your stakeholders, right? Now you go up to your executives, right? Whether it's, if it's the CISO, right, a lot, your CISO is going to be, I mean, obviously he's in charge of all the security, right? Like, from the technical standpoint, but he's also in charge of resources, tool deployment, you know, all money that gets allocated, budget, like all those things. So what you need to tell him or her, right? Like, and what and how you tell them is really, is going to change. And you need to understand what their key function is, right? We understand what their key function is from a business standpoint, but sitting and talking to them and saying, hey, CISO, what is it that you, like, what is your real, like, action, right? Like, what do you need to do? Oh, I need to make budget decisions. I need to allocate team resources. Do we need a new hire? Do we need, you know, a new piece of tool, right? And it's, okay, cool. Here's how intelligence could support those decisions. Because that's really right. Like, he's a decision, or, you know, the CISO is a decision maker.

Pedro Kertzman:

Awesome. Great examples. I appreciate it. That's super insightful. And, you know, we spoke a lot about stakeholders and other things, where would you learn all that? Because that's not coming from a CTI feed, right? That's more like how CTI should work in a real-world scenario. Any books, conferences, blogs, you name it, sources to learn CTI overall, not necessarily, again, feeds and threat reports?

Scott Scher:

Yeah, so that's always, I think, a challenge. Not necessarily a challenge, but it's always a good question. It's always a good thing that people are kind of like, well, how do I figure all this stuff out, right? The first thing I would say is this is also something that I would... Back to our very, very first question, right? Like, all the collection stuff, sometimes more isn't better. So, right? Because information overload is a real thing, right? Like, there's hundreds of blogs, there's hundreds of reportings, there's thousands of people to follow, there's all these things. So with that being said, those are all things that I do, right? I follow blogs, I follow people, I read reports, right? I will say that, like, the learning aspect of it, one piece is, you know, it's not always the, you know, it's kind of the like joke of the world, right? Like, you learn on the job, right? So some of it is you learn by messing up, really, is the true answer, right? So you learn by going into a hundred stakeholder meetings and saying, tell me your intelligence requirements. And then for six months, you have absolutely no idea of how to service them. And then they're like, CTI doesn't provide me any value. And like, we don't want this. And like, what good is this? Or give me IOCs because that's all I think you can do for me. So you learn by doing that. But yeah, and I know, right? I didn't give any like concrete examples there, I know. But just because there's so many people to follow, there's so many influencers, right? Like, there's so many different things. But what I would say is reading vendor reports, reading the people and the like voices in the community who are constantly putting out good analysis work, you know, and that can be on LinkedIn, it could be on social media, it can be, you know, wherever.
So like there's a lot of resources there, and it's not always the most popular and like the biggest thing. There's a lot of obscure things out there. Out there is constantly, on a daily basis, I'm on LinkedIn and someone's like, oh, here's this thing about like a CTI process. And I sit and I read it, right? Cause I may not know it. I may even, even when it's things I know all the time, right? Talking about intelligence requirements, all that stuff. It's like, it's still super valuable because there's always a different perspective. You know, I think that's a key thing in CTI or in intelligence in general, across cyber, across all these things, is diversity of thought, right? So there is a lot of different people who have come at this from a lot of different ways, and they see the exact same thing in a lot of different ways than you do, right? So even when they talk about the exact, like, let's talk about the intel life cycle, right? There's a million reports if you look at Google, right? And a lot of them, there are some that are gonna be unique, right? There's gonna be even one piece of it that's unique. In terms of like books and things, you have me kind of looking at my bookshelf to see if I have anything title-wise to really tell people. But in terms of, I mean, just in general cybersecurity things, right? You know, reading Structured Analytic Techniques to like learn how to do analysis work, that is always super important. There are, you know, Intelligence-Driven Incident Response is always a really good one, right? Because again, that's a lot of what we talked about before, is our function is to support these other teams and lead from, which is kind of weird because it's not usually the best way to lead in my opinion, but leading from the back almost, but not that you're leading from the back, and that turns more like leading from the, you know, from the shadows, right? If we want to talk cool intel stuff, right? Saying, you know, things like that.
It's, we're leading action and driving action, but we're not the forefront of it. We're not the ones doing the action, but more importantly is we're not always the one getting the credit for it, right? And that is totally okay. I mean, we should get credit, and intel needs to get credit that we drove action, but we're not telling people to do stuff, right? We're not saying you have to do this. It's really, this is what you already do, this is how we can support and make that better, and here's, you know, a more threat-centric approach, which is actually another book, threat-centric approach. And there's another, you know, intelligence analysis, there's a bunch of different, you know, there's a lot of resources out there. Listening to, you know, podcasts like this. I'm sure you've had many a better resource and speaker than me before me, and you will probably have even better after, so...

Pedro Kertzman:

Oh no, I think you're awesome, and

Scott Scher:

Oh no, I appreciate that. I, that wasn't self-deprecating or downplaying me. That was more to say that there are definitely good people in the industry that you're bringing, you know, together, that people should be listening to and talking to.

Pedro Kertzman:

Oh, I'm trying my best, definitely trying my best. Yeah, I know. I appreciate it. It's super insightful, and also those sources. It's interesting. I heard the other day, in one of our episodes, we were joking a little bit about, if it's printed, it's probably outdated in the CTI world. When it comes to threats and techniques and all that, I agree there. But when we are talking about frameworks, strategies, intelligence in general, then I would say probably you have really good books, and you mentioned some of them that I think it's super important for people to pay attention to. Cause that's like frameworks, you're not writing a fresh new framework every week. Imagine that. It would be super... Yeah,

Scott Scher:

no, you're, you're totally right. And I think making that distinction, right. I think sometimes, and I think this gets back to, you know, two things we've talked about over, you know, this whole conversation. One is, you know, being an intelligence professional first and a cybersecurity professional second. You know, I think sometimes people get too caught up in the overly technical piece of this, right? Like, and they are absolutely correct in saying, right, and I say it all the time, right? Like, by the time we get a report from a vendor or the time the government shares something, or we see IOCs associated with a campaign, or even, you know, tactics, techniques, procedures, all that kind of stuff. By the time we're looking at it, reading it and then writing a report on it, it's outdated, right? Threat actors moved on. They're not doing that anymore. Sorry, like, they're gone. So they're totally right when it comes to all that stuff, and then the technology piece even quicker, right? Like, every day some technology is outdated. So that is 100% true, to the point of, hey, intelligence has been around for a while. And the way you do analysis and the way you do processing and the way you do collections, that hasn't changed much. The mediums you might use to do it have, and your ability and pace and scale and scope have definitely increased as we've gone into cyber. But your analytic mindset, your, hey, I mentioned structured analytic techniques, right? Process for doing intelligence, that doesn't really change, right? Like analysis of competing hypotheses, that's always been a thing. And even when you didn't know it was a thing, other businesses are using this, other industries use those terms without knowing. They just, right, it's coming up with every possible idea that you have that this could be the answer, and give me all the evidence that supports each one.
And then whichever has the most evidence is the most likely. So those foundational things don't change. Yeah. Frameworks don't change too often, unless you're talking about MITRE, and then there's a new version every so often, but those are pretty good updates and good changes that you want to see, you know, in those frameworks. So, yeah, there's a lot of resources out there. I would say definitely pay attention to the written resources, even the old stuff that came out of the intelligence community from 30, 40, 50 years ago. The process is still important.

Pedro Kertzman:

Yeah, I could not agree more. I would say some of them probably evolved a little bit. They've evolved and they've gotten better. Well, like upside down kind of thing or drastic? Probably not. I agree with you. The methodologies to do intelligence are probably more modernized or digitalized. Exactly. The process is fairly similar.

Scott Scher:

And for the most part, those frameworks, even the old ones, they don't, at least in the intelligence world and the way that, like, for CTI, they don't become obsolete anymore. You build on top of them, right? So like we had the point, so we had the Lockheed Martin Kill Chain, right? That was the standard framework, you know, process for evaluating incidents and threats from, for a long time. And then MITRE came out. That didn't mean that the Lockheed Martin Kill Chain wasn't still useful, right? Like, you should still be using the steps across the kill chain to understand when and where your threat actor does something across their attack life cycle. But now you've built on top of that methodology and say, well, now let's understand the way they do the attack in each one of these steps and stages and so forth.

Pedro Kertzman:

That's a great example. Scott, thank you so much for coming to the show. I really appreciate the super insightful conversation and I hope I'll see you around. Thank you.

Scott Scher:

Yeah, no, Pedro, thank you so much again for having me and being willing to listen to me and prod me to ramble on and then talk about CTI, which is something I do enjoy doing.

Pedro Kertzman:

Yeah, no, I love that. Thanks a lot. See you around.

Unknown:

Thank you.

Rachael Tyrell:

Until next time, stay sharp and stay secure.
