
Cyber Threat Intelligence Podcast
Welcome to the Cyber Threat Intelligence Podcast—your go-to source for staying ahead in the ever-evolving world of cybersecurity by harnessing the full potential of CTI.
In each episode, we dive into the latest cyber threats, emerging trends, best practices, and real-world experiences—all centered around how CTI can help us defend against cybercrime.
Whether you’re a seasoned CTI analyst, a CTI leader, or simply curious about the digital battlefield, our expert guests and host break down complex topics into actionable insights. From ransomware attacks and insider threats to geopolitical cyber risks and AI-driven security solutions, we cover all things CTI.
Join us biweekly for in-depth interviews with industry leaders and experienced professionals in the Cyber Threat Intelligence space. If, like me, you’re always in learning mode—seeking to understand today’s threats, anticipate tomorrow’s, and stay ahead of adversaries—this podcast is your essential companion.
Stay informed. Stay vigilant. Tune in to the Cyber Threat Intelligence Podcast.
Season 1 - Episode 11 (Pedro Kertzman & Ondra Rojčík)
From nuclear weapons research to reshaping Europe's stance on Chinese technology in critical infrastructure, Ondra Rojčík's journey into cyber threat intelligence defies conventional career paths. As a principal CTI analyst who teaches intelligence analysis tradecraft, Ondra brings unique perspectives from his experience at NATO, the Czech Intelligence Agency, and now Red Hat.
During his time leading the Strategic Cyber Threat Intelligence function at the Czech National Cybersecurity Agency, Ondra's team produced analysis on Huawei that transformed the European narrative around technology sovereignty. "Technology is actually a pretty political issue," Ondra explains, challenging the previously accepted notion that technology remains neutral regardless of origin.
The conversation explores fascinating contrasts between government and private sector intelligence work. While government analysts often face unpredictable demands from high-level officials who understand intelligence terminology, private sector CTI requires translating insights into actionable steps for stakeholders who may rarely encounter intelligence products. This demands that CTI professionals go beyond assessments to help operationalize findings into concrete security controls.
Ondra breaks down the discipline into three essential components that every analyst must develop: Cyber (information security concepts), Threat (adversary operations), and Intelligence (analytical principles). Many technically skilled professionals overlook the intelligence tradecraft element, which Ondra addresses through workshops helping analysts avoid "admiring problems" and instead deliver actionable intelligence. For those looking to develop their skills, he recommends resources like "Thinking Fast and Slow" by Daniel Kahneman and "Critical Thinking for Strategic Intelligence" by Katherine Hibbs Pherson and Randolph H. Pherson.
Whether you're contemplating a career pivot into cyber threat intelligence or seeking to strengthen your analytical capabilities, this episode offers valuable insights from someone who has successfully navigated both government and corporate intelligence landscapes. Connect with us on LinkedIn to share your thoughts or suggest future guests for the Cyber Threat Intelligence Podcast.
References:
https://www.linkedin.com/in/orojcik/
https://medium.com/@orojcik
Books:
Daniel Kahneman: Thinking Fast and Slow
Katherine and Randolph Pherson: Critical Thinking for Strategic Intelligence
Cole Nussbaumer Knaflic: Storytelling With Data
CTI Intro books:
Thomas Roccia: Visual Threat Intelligence
Rebekah Brown and Scott Roberts: Intelligence-Driven Incident Response
Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure!
Rachael Tyrell: Hello and welcome to episode 11, season one of your Cyber Threat Intelligence podcast. Whether you're a seasoned CTI expert, a cybersecurity professional, or simply curious about the digital battlefield, our expert guests and hosts will break down complex topics into actionable insights. On this episode of season one, our host, Pedro Kertzman, will chat with Ondra Rojčík, who is a principal cyber threat intelligence analyst, but he also teaches and does consulting on intelligence analysis tradecraft. Previously, he co-founded and led the Strategic Cyber Threat Intelligence
Pedro Kertzman: Ondra, thank you so much for joining the show. I'm really happy to have you here.
Ondra Rojčík: Hello, Pedro. Thank you very much for having me today.
Pedro Kertzman: Usually, I start by asking the guests about their journey into CTI, how they started, anywhere in between, and how they landed in their current role. Would you mind walking us through that, please?
Ondra Rojčík: Yeah, absolutely. I have a background in international relations and political science that I studied at Masaryk University in Brno, Czechia. And I truly fell in love there with researching complex topics. My first big topics were proliferation of nuclear weapons and non-proliferation. These were also research areas of my PhD dissertation back then. I later found a job in this area. Surprisingly, I got into intelligence analysis and threat intelligence when I joined first the Ministry of Interior and later one of the Czech intelligence agencies. The intelligence agency had a permanent position at NATO, where I got into rotation for two years at what's called the Intelligence Production Unit at NATO headquarters in Brussels. I was there in the time of the follow-up to the Arab Spring, basically, especially the Syrian civil war. And I have to admit that I was really impressed by NATO. The quality of people that I met there was just incredible. And I wanted to get a permanent job there. And my idea of how to do a meaningful step towards this goal was to graduate from a prestigious university. So I took basically a sabbatical and went to study security studies at University College London. After that, I was considering either finding a way back to NATO or starting to work in the private sector in London. But instead, a friend of mine, later my boss, Daniel Bagge, a big figure in Czech government cybersecurity, convinced me to help him establish a strategic CTI function of what later became the Czech National Cybersecurity Agency. It was quite a journey, to be honest. Even the leadership of the agency, they had no idea what a strategic CTI team could be good for. But luckily, I had a couple of fantastic analysts in my team, and through their analytical work, we managed to convince the leadership that there is a great deal of value in having strategic CTI.
The real breakthrough, I would say, was an analysis by our lead analyst Michal Thim regarding the Chinese company Huawei, that was very active all around the Czech government sector and critical information infrastructure, including telecommunication companies and so on. And we managed to identify clear risks to the future of the whole country, basically, and to our technological sovereignty, if you will. And through the analysis, we managed to convince the leadership of the agency that this is a crucial issue. And then, luckily, they had the guts to go against our then, I would almost say, pro-Russian and pro-China president back then. And it didn't stop there, because suddenly, thanks to the agency's activities in Washington and Brussels, the Czech Republic was the center of the debate about Chinese technologies, and we sparked and led the discussions in the EU and NATO. And we really changed the narrative, because until that point the narrative, at least in Europe, was that it's just a technology, and technology is neutral, no matter where it comes from. And I believe that our little analytical team and the agency contributed to the realization, again, at least here in Europe, that this is really not the case. It's not neutral. The technology is actually a pretty political issue, and there are a lot of potential risks if a country that is hostile to your values has access to your critical infrastructure. The analytical team was also behind the first attribution of one of the many intrusions into the Czech Ministry of Foreign Affairs. We later kicked off the establishment of a policy and analytical framework for attribution in Czechia. We also had quite an important role in post-incident activities after a ransomware attack on the second largest hospital in the Czech Republic during the COVID pandemic times.
I mean, the strategic CTI team was not hands-on working on remediation of the IT systems in the hospital, but we were responsible for the communication and analysis of all the information between the folks on the side of the incident and the Czech government and the prime minister of the country. Because, as I said, it was the time of the pandemic. So a non-functional second largest hospital in the country was a big deal. So overall, it was a great experience, a very rewarding job. But I was realizing that my position as a manager is not that much analytically hands-on, and I had very abstract ideas of what information security is about on the, let's say, practical level of an organization. And I was just making up my mind and considering a job outside the government at that time. There is quite a niche job market for CTI-related positions in the Czech Republic, not to mention in Brno, the second largest town in the Czech Republic, where I'm located. So I was certain at that point in time that if I wanted a CTI-related job in Europe, I'd have to move to Brussels, Paris, Amsterdam, Berlin maybe. But I was very lucky that Red Hat was just launching their CTI team, and they opened a position in Brno, where Red Hat has a big, big presence. But my luck didn't stop there, as I soon realized that Red Hat is definitely a great company to join. And the group of people that I can work with, they have so much to offer. I'm part of the internal CTI team there. It's very hands-on work. Most of the time, you can see the impact of your work very directly, because our main stakeholders are detection engineers, the incident response team, product security, offensive security, GRC teams, for example.
Pedro Kertzman: That's a very interesting journey. Thanks for sharing that. You mentioned that you didn't start, let's say, in a traditional cybersecurity type of role and then just naturally moved into CTI or something like that. So you came from a non-cybersecurity related background and then pivoted into CTI. Any kind of lessons learned, you know, best practices or something that you learned throughout this pivoting of your career that maybe could be beneficial for people listening, to kind of take that experience and maybe shortcut a little bit, or kind of know the right path to follow, or something like that?
Ondra Rojčík: My story probably would not be very typical today. I was hired to my first CTI job at the agency for, I assume, my research, breadth intelligence, and intelligence skills in general, while I knew basically nothing about information or cybersecurity. I'm sure that the bar at any CTI position today is much higher. But I was lucky, and my employer gave me quite a lot of space to catch up and learn. But in general, it's actually quite difficult to give universal advice in this area, because it very much depends on your starting point and your background. If you are a technical person with an understanding of the technical aspects of information security, let's say you are an incident responder, malware analyst, detection engineer, then your major focus should be your intelligence analysis skills, critical thinking. Learn how to critically consume intelligence reports, learn how to collect data, how to analyze them, how to put together CTI deliverables, such as reports, briefings, and so on. If you have a non-technical background, intelligence analysis and research skills should ideally be part of your competence already, and then you should focus on information security concepts and technologies. My way, and by no means am I telling you that this is the best or the only way, but my way was to do a couple of the basic information security certifications, such as Network+, Security+, or Cybersecurity Analyst+ by CompTIA. The reason was that I didn't have much space to have any hands-on information security experience when I was working for the government. So to read, to consume videos on YouTube, Udemy and so on was one of the few opportunities to expose myself to the InfoSec concepts, frameworks, technologies. But as I said, it's pretty difficult to give some good general advice to everyone, because there are a lot of variations of the types of starting points that you can have if you are considering a career in CTI.
It's really a very diverse field that is able to accommodate all sorts of backgrounds.
Pedro Kertzman: No, that's awesome. It's good advice. I think, of course, people trying to pivot their career, they will have their own collection of advice and make their own unique type of path. That's for sure. But it always helps learning from those experiences that worked in the past. So, you know, looking at your overall journey, it looks like you have a lot of experience in both the public and the private sector. Any thoughts around the differences between working for a public organization and a private organization?
Ondra Rojčík: Yeah, so in general, if you are not talking specifically about CTI, that's an interesting one. I'm not sure if this is a local, like a Czech culture thing, but there's this notion of lazy government officials here versus the hardworking people in the large corporations. My experience is that this is not exactly like that. And it's not the opposite as well. There are a lot of passionate, hardworking folks on both sides. And the CTI jobs can be quite stressful both in the public and private sector. I have a very limited, very personal perspective. I've never worked for a CTI vendor, working for clients on an incident, for example. So I can speak only based on what I've seen and on my personal experience with Red Hat and some secondhand stories from other organizations. But to be honest, what surprised me at Red Hat, considering it is a large US-based international corporation, is that there is a lot of emphasis on life-work balance, for example. And they really mean it. It feels like it's a big priority for the company to make sure that you have time to take care of your family, yourself. And that was not always the case while working for the government. If there is an unexpected request for information because the director general of your agency is meeting an ambassador, minister or prime minister in a week, or even better in two or three days, you suddenly have to work on that full steam. And in my position at the agency, which was the head of a relatively small unit, the strategic CTI, it was not unusual to have two or three business trips a week. And of course, it's not just going on a business trip, enjoying some nice travel, but you need to perform, you need to do briefings, take part in negotiations, go there with prepared and coordinated positions and so on. And that could keep you busy and your work-life balance quite off balance, to be honest.
So my, and I need to point out, very limited and personal experience is that there's a bit more predictability in the private sector. And you also might be lucky to have an employer that takes it as a long-term priority to have happy and satisfied employees with the right work-life balance. Although there might be times and, of course, situations when this is simply not possible, even with this type of company.
Pedro Kertzman: Do you think this difference could translate into the CTI work being done?
Ondra Rojčík: It's very much my personal experience. But what I was doing for the agency, there was a lot of reactive work. We had long-term plans for the CTI production, but they were very often interrupted by the demands and requests for information. While in my current role, the mix of the requests for information and working on some longer term strategic projects has a slightly different balance. I certainly, or the team, needs to be flexible, needs to be open-minded, needs to react to what's going on out there in the threat landscape and needs to react to various incidents and so on. But at the same time, we are trying to follow... We have the priority intelligence requirements, for example. So we are trying to follow that for our longer term production.
Pedro Kertzman: That's very interesting. Thank you for that. It's interesting to see how the employer's, quote unquote, behavior can have an impact on the production of intelligence or even on the team, right? The things they're producing and all that. And talking about CTI production and intelligence, analytical skills, how do you see the differences between those sectors? What are the things that you can produce or have access to in the different private and public sectors?
Ondra Rojčík: Well, there are some noticeable differences. It may also have to do with the difference between the private sector and government. It may have to do also with what we could call the maturity of intelligence culture in organizations. In government, there are a lot of threat intel and CTI customers that are motivated to learn how to read intelligence products. Let's say a minister or deputy ministers, they usually understand the position of intelligence in the whole policy cycle. They understand that you provide assessments, occasionally recommendations, and that they are running an organization that can implement the recommendations. When they are reading the reports, they understand the intelligence jargon, things like words of estimative probability, likely, highly likely, unlikely, and so on, or confidence levels of the assessments. And if not, it's worth educating them, because they will be reading intelligence reports on a daily or weekly basis. In the private sector, the spectrum of the intelligence cultures of organizations can be much wider. You can have leaders and executives with a government or military background who consume intelligence reports, including CTI reports, on a regular basis, and they clearly understand what to do with them. At the same time, many of our customers in the private sector, and that is something that I'm seeing quite often, get in touch with this type of reporting very, very rarely. And the whole organization outside of your stakeholders, your infosec buddies, let's say IR, detection, red teamers, and so on, all those that are outside the circle, they don't necessarily have to be ready to translate mainly the strategic CTI assessments into mitigations, new policies, new controls. Because they don't know how to do it. Where to start? Because they are not that often exposed to this type of intelligence production. They have other work. They have the business to run. So you need to help them.
And I believe, or actually we at Red Hat, the Red Hat CTI team, because this is how we operate, we are trying to be as helpful as possible to our stakeholders, to our customers. And so the best way is to provide as much operationalization, that's a terrible word, as possible. So ideally provide not just the assessment, not just what the implications are, not just a list of possible mitigations in your CTI reporting, but you should understand your organization well enough to understand how you can help to translate the mitigations into the reality of new controls or policies in the case of more strategic products, or into practical, let's say, red teaming scenarios or new detections in the case of more practical CTI outputs.
Pedro Kertzman: Excellent. Excellent. Thank you. And if I understood correctly, especially related to intelligence analysis, you also do lectures, right? Would you mind mentioning a little bit about how those lectures are and anything related to it?
Ondra Rojčík: Absolutely, yeah. After I joined the Intelligence Production Unit at NATO, I was confronted with how little prepared I was for the intelligence analysis job, actually. As I said previously, I always enjoyed research, I enjoyed analysis, but I also realized how little I knew about the analytical tradecraft when I joined NATO, and the principles and standards. I had to work hard to catch up and be on par with the colleagues from all these amazing intelligence services from all around NATO. And later I decided that I would like to make it easier for the future generations of Czech analysts. I didn't have the opportunity to work on the situation at my then employer. But as I joined the cybersecurity agency, which had great cooperation with the local university here in Brno, I decided to open a kind of boutique course for intelligence analysts, or an introduction to intelligence analysis tradecraft and an intro to OSINT as well, for a very limited number of students. And this is something that we have been doing with a colleague of mine, Michal Miklin, for some eight years now. I believe that we are on a little mission here to encourage new talent into threat intelligence and potentially also into CTI, and to give them some preconceptions about the tradecraft of intelligence analysis. And I keep doing the threat intelligence analysis tradecraft workshops for a couple of Czech government and military organizations, or colleagues from Red Hat and other private companies. The goal there is to promote the threat intelligence analysis tradecraft and principles mainly to folks with a technical background, who oftentimes are very passionate about going deep down in their research, and they have this tendency to admire problems instead of delivering actionable intelligence occasionally.
So what I'm trying to point out at these workshops is that we need to understand who we work for, what our stakeholders really need, to give them what we call implications, in other words answering the question "so what". Once we understand the problem, of course, we need to explain what the problem means for the stakeholders. And as part of that, we discuss at these workshops how to define problems through questions and how to identify information gaps, so that we can better plan our data collection. We learn to accept that information is often imperfect and that we need some strategies to mitigate these imperfections, like using words of estimative probability, for example, or levels of confidence and so on. Or we discuss, and that sounds maybe super academic, but it's actually not, it's simply a reality of how we process information, we discuss cognitive biases and how to overcome them to form some objective assessments.
Pedro Kertzman: That's very nice. If people want to learn more about those workshops, is there any website they can go to?
Ondra Rojčík: There isn't a dedicated website at the moment, as this is more of a part-time passion project for me. But if you are interested in learning more about the workshops, feel free to connect with me on LinkedIn. I'm always happy to chat and share more details. I also occasionally post on my Medium blog, where I cover some of the ideas explored in the intelligence analysis tradecraft workshop as well as other CTI topics.
Pedro Kertzman: Okay, I got it. So you mentioned a very important aspect about learning more of the tradecraft, that is not something, for example, you would learn... Sometimes people think about learning CTI, they need to read reports and analyze threat feeds, but that's not all of it. So you mentioned the tradecraft, analyzing intelligence or communicating upstream decisions that need to be made based on this information, so on and so forth. Where do you go to learn other aspects of the CTI process? The broad spectrum, like, again, not necessarily feeds and reports, but, I don't know, trends in the industry or new interesting ways to analyze, or to convert information into intelligence, you name it, anything that's not related to the feed or report. Where do you learn the other things, kind of thing?
Ondra Rojčík: Yeah, yeah. I mean, my general approach to learning, I love the concept of learning by doing. So if I have to learn how to use, let's say, a new CTI platform, or how to start using a new concept, I prefer to really start using it, try to use it. And if there is a good, I don't know, for example, webinar that goes with it, I like to go back and forth between it showing me how to use it and me actually trying it. And at the same time, I would also say I'm quite old-fashioned in how I consume information, especially some long-term knowledge or concepts that I can use over and over again. So I love books. Recently, I've spent more time listening to them than reading, but whenever I finish an audiobook that I like, I go and buy it. So I'm probably a great customer of all these publishing houses. Should I go ahead and recommend some books that might be useful for...
Pedro Kertzman: Honestly, I love books as well. When I'm not here in front of my lab and all that, I don't want screens. I want good old-fashioned paper, and that's it. I prefer to unplug a little bit. Even though I'm reading about technology, I prefer to consume it in an unplugged
Ondra Rojčík: Yeah, I have to say, man. So, yeah, speaking about books, the first one is a phenomenal book that is basically an international bestseller, and I don't understand how I managed to keep avoiding it for such a long time. It's Thinking Fast and Slow by Daniel Kahneman. It's highly recommended to any CTI analyst. It will give you a perspective on how we consume and process information and how embedded these, what we call cognitive biases, are in our thinking. And therefore, how important it is to find some strategies to fight the bias. Another is Critical Thinking for Strategic Intelligence by Katherine and Randolph Pherson. This book will help any CTI analyst to find a way to approach complex issues and how to communicate more effectively. And the last one that I would mention here is Storytelling with Data by Cole Nussbaumer Knaflic. It's a great resource for effective data visualization, which I believe is an important but often overlooked skill among CTI analysts. And for those who are completely new to CTI or are considering going into that career path, if somebody like this is listening to us today, I would mention Visual Threat Intelligence by Thomas Roccia. It's a good first intro book. But if you would prefer more depth, and you are taking your journey to CTI more seriously, then Intelligence-Driven Incident Response by Rebekah Brown and Scott Roberts is a must-have resource.
Pedro Kertzman: Excellent, excellent. Yeah, I know a few of those books and they're really good, really good. Thanks for sharing that. No, that's excellent. And any closing thoughts for the listeners? Any extra thing to mention?
Ondra Rojčík: Yeah, especially if you are someone who's transitioning to CTI, and that's very typical, from a deeply technical background, be mindful that we are talking about C, T, and I. So there is the cyber aspect, the information security concepts and technologies and the whole technical side in general. There is the threat aspect. So you should understand how the adversaries are operating and what is going on in what we call the threat landscape. And then there is the intelligence part, for which you should be familiar with the principles and concepts of intelligence analysis. And in your continuous training and education, always try to keep some kind of balance among all of these major concepts in CTI. Because, for example, the last part, the intelligence tradecraft part, it will prevent you from losing dozens of hours of research in ineffective reports and briefings. It will allow you to communicate clearly and deliver the message to your stakeholders if you work on that bit as well, because that's quite often overlooked by folks in the CTI industry.
Pedro Kertzman: That's very nice. I love the way you broke down the C, T and I pieces so people can understand the importance of every single one of them. That's very nice. Super insightful. Ondra, thank you so very much for coming to the show. I really appreciate all the insights, and I hope to see you around. Thank you.
Ondra Rojčík: Pedro, thank you. Thank you so much for having me here today.
Rachael Tyrell: Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise that would like to be interviewed on the show, just let us know. Until next time, stay sharp and stay secure.