Cyber Threat Intelligence Podcast

Season 1 - Episode 13 (Pedro Kertzman & Bianca Miclea)


What does it take to build an effective Cyber Threat Intelligence function from scratch? In this eye-opening conversation, Bianca Miclea shatters the myth that cybersecurity is only for those with traditional technical backgrounds.

Bianca shares her remarkable journey from politics student to cybersecurity leader, revealing how her academic background became an unexpected asset in the CTI world. "It was one of those 'this is really cool, but I could never do this' thoughts," she explains, describing her initial hesitation before diving into the field. This refreshing perspective demonstrates how diverse educational paths can strengthen cybersecurity teams—an important message for anyone contemplating a career transition.

The conversation explores what makes CTI truly valuable: actionable intelligence that connects directly to security operations. Bianca walks us through her experience establishing a CTI team at a major financial institution, emphasizing the critical difference between information collection and intelligence that drives meaningful security improvements. Her implementation of monthly Mitre ATT&CK exercises brings together cross-functional teams to identify control gaps and assign clear accountability—a practice listeners can immediately adopt to enhance their security posture.

Perhaps most valuable is Bianca's practical advice for managing the overwhelming information flow in threat intelligence. Her concept of "reporting thresholds" offers a framework for prioritization that helps CTI teams focus on what truly matters while preventing analyst burnout. Combined with her insights on board communication, community engagement, and measuring CTI effectiveness, this episode delivers a masterclass in modern threat intelligence leadership.

Ready to transform how you think about threat intelligence? Subscribe now, share with your network, and join our LinkedIn community to continue the conversation about building CTI programs that deliver genuine security value.


Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise who would like to be interviewed on the show, just let us know. Until next time, stay sharp and stay secure!

Bianca Miclea:

We know this control has a gap. You might not be aware of that.

Rachael Tyrell:

Hello and welcome to episode 13, season one of your Cyber Threat Intelligence podcast. Whether you're a seasoned CTI expert, a cybersecurity professional or simply curious about the digital battlefield, our expert guests and hosts will break down complex topics into actionable insights. On this episode of season one, our host, Pedro Kertzman, will chat with Bianca Miclea, who is passionate about empowering women in STEM and advocating for diversity and inclusion in the industry. Over to you, Pedro.

Pedro Kertzman:

Bianca, thank you so much for joining the show. It's really great to have you here. Thank you.

Bianca Miclea:

Thank you so much for having me. I'm excited to be here.

Pedro Kertzman:

I usually start asking the guests about their journey into CTI. Would you mind walking us through that please?

Bianca Miclea:

Yeah. So I guess it's a bit of a non-traditional journey compared to people who have studied computer science, cybersecurity, anything of that form. So I've studied politics at university. It's always been one of those industries that I thought, this is really cool, but I could never do that. But then between my undergrad and my master's degree, I actually took a gap year and I was working at a consultancy, kind of doing anything and everything that was not related to cybersecurity in any way, shape or form, but they actually had a client-facing cybersecurity team. I just got curious and in my last two weeks with the company I actually asked, hey guys, can I just shadow you for a little bit? Can I see what you guys do? What's this cyber thing about? Because it sounds very cool and I'm very interested. So I spent two weeks with them and I loved it. I absolutely fell in love with it. They were doing threat intelligence for clients, kind of reporting what's out there, just had the platform where they would update on a daily basis, create historical, all the cool stuff, all the good things. So I got really interested in it. I still went on and did politics, though, because that was what my master's was about. That's what I was planning to do. Again, it was one of those: this is really cool, but I could never do this. But whilst I was doing my master's, actually, the manager from that team emailed me and said, hey, we've got an opening for an internship if you want to join our team. I got really excited and obviously I said yes. So for a period of time I was doing the internship as well as my master's, finishing that off, and that was a three-month internship with the opportunity to get a full-time job at the end, which I ended up getting. So I ended up being a researcher, from a researcher to an analyst, so kind of moving up the ladder from there.

Bianca Miclea:

I've spent about three years, I think, roughly, in CTI, and then I just got curious about what other areas of cyber there are, what do the other teams do, what are the ins and outs of VM, of supplier risk, all of these other interesting areas that make up the cyber family, and I went and did consulting. I went to a couple of Big Fours, moved around a little bit, project based. So it basically touched on everything under the sun, because it was, you know, this client is this for six, nine months, two weeks, whatever it was, and then you move on to another project, another project. So it was a really, really good overview of how things work and what else is there, and at the time GDPR was a hot topic, so it was all getting into that GDPR area and suppliers and all of that interesting, interesting data.

Bianca Miclea:

But after about two and a half years, I think, again roughly three years, I just really missed CTI. I thought, right, okay, I've done all of the other bits that I could think of doing. I know I love CTI, so I'm going to go back into it. So I did. I ended up again kind of touching on CTI throughout my consultancy life anyway. So I was helping set up a team alongside other people initially, whilst I was also being a consultant doing other bits.

Bianca Miclea:

But then, when I decided to move back into CTI, I decided to make a change and actually go from client facing to internal, and I've moved internally to a large financial sector organization in the UK but also globally, and that was basically setting up their CTI structure from scratch.

Bianca Miclea:

So CTI team from scratch. They had a process for ingesting IOCs and kind of the basics of what would keep the lights on, but they had kind of no official CTI team or structure. So that was me coming into that and helping set that up and build that up. Done that for about three years as well: build a strategy, build up the team, processes, you know, all of the good stuff. And where I'm currently sitting is security engineering. So I moved a little bit away from CTI. However, because I loved it so much and, as my career has shown, I can't stay away from it for too long, I actually ended up now looking after both the security engineering team and the CTI team.

Bianca Miclea:

So I'm still doing a little bit of CTI at the moment.

Pedro Kertzman:

Yeah, that's awesome. Would you say that your background on politics, your master's and all that are helping you, or helped you in the past, throughout this CTI journey?

Bianca Miclea:

It did, yeah. So I guess this is a broader question and this comes down to what is CTI? So I feel like CTI means different things to different people, depending on where you stand. In terms of politics and economics and all of the stuff I did at master's and university, yes, absolutely, it was helpful from the strategic point of view of CTI: understanding the who, the why, the relationships, the tensions, knowing when to spot that, actually, I think this will escalate. So Russia-Ukraine was a good example.

Bianca Miclea:

The war started in February. However, in around December time, I believe end of November, December time, I raised it to the team at the time and I said, I think this will become a problem. I think we need to look into what suppliers we have in these areas, a plan for if this was to escalate, and, to be honest, it wasn't taken too seriously at first. It was a bit of a, I think this will be a waste of resources, I don't think this will escalate, and everyone at the time in terms of actual political analysts, well, not everyone, but most people, were of the idea that actually this won't escalate to a full-blown war. Fast forward to February: a full-blown war started, but we were ready. We, by that time, had a full-on assessment on all our critical suppliers in Ukraine and around the region. How are we connected? Where are we connected? What data transfers are happening? What are we going to do? What buttons are we going to press in case this escalates to a war?

Bianca Miclea:

So, yes, to answer your question, it did help in terms of the strategic point of view, but it comes down to what you understand from CTI. So I had a lot of learning to do in terms of the tactical and operational side of things, in terms of understanding threat actors, IOCs, the difference between a TIP and how different people understand the TIP, because if you say TIP to someone, you might not necessarily be talking about the right thing. Some people might think threat feeds and the capability to do some custom alerting, whilst other people might be thinking an actual TIP where IOCs are ingested and you can do malware analysis, investigations and the more tactical side of things. So it really, I think, I feel like CTI is getting better, but it still needs a definition, or that discussion of what do you understand by CTI: when you mean CTI, when you mean strategic, when you mean a TIP, what are you actually talking about here?

Pedro Kertzman:

Perfect. And talking about the experience you mentioned about the financial institution, building the team from scratch, I think it's not a super common experience around the market. Like, I see more the organic growth and then building a CTI program, slowly building a CTI program, instead of having, like I would imagine, a fairly big budget and then deciding what to do with that. Any thoughts around what was the focus? Was that, like, people, tools? How, like, you build from scratch, with a reasonable budget, a CTI team from zero?

Bianca Miclea:

I think in terms of the approach, I guess the initial discussions we had and the decisions we had to make were around what kind of CTI function they wanted to have and what they wanted that CTI function to deliver, and that was one of the key areas that I had to focus on.

Bianca Miclea:

The questions were around where there is a CTI team in terms of, hey, we report every week on what's going on externally. This might be talking about healthcare and retail, and, you know, there might be a financial sector attack there or something relevant, but it's not really linked directly into the SOC, to IOCs, to the processes, into suppliers.

Bianca Miclea:

So there was an initial conversation around there that, yes, I can do that. That bit is not hard to do. There's plenty of information out there at the moment on all of these kinds of attacks. You just spend a bit of time and you'll get all the data.

Bianca Miclea:

The conversation I was having, and where I was trying to get the team to, is actually building that in-built SOC team that actually provides actionable intelligence, relevant intelligence, things that you can do something with and that you can really get the so what behind. So, you know, bringing in suppliers, bringing in the tools that we're using, understanding vulnerabilities, working with the detect and respond team to understand what are we seeing, what are the trends. So that was one of the initial points in the discussions that we were having. So once that was defined and understood and the direction was set, it was then easier to say, right, okay, this is what we want to do. So we need to build XYZ, we need to understand IOC processes, we need to start from the bottom, which, at the time and where we were at, meant tactical, and then slowly build your way into operational, the who, the how, the why, and then the strategic.

Bianca Miclea:

So the strategic piece around, you know, what's happening geopolitically, what are we looking at, wars and politics and economics. And PESTLE was one of the frameworks I used and I found very helpful in that scenario. But that came last. That came after everything else was set up, after we understood our crown jewels, our suppliers, our tools, after internal processes were set up that allowed me to reach out to people I needed and get information quickly. So, yeah, that was kind of the journey as I went through it.

Pedro Kertzman:

Perfect. I'm not sure if it's a controversial topic. Would you say the CTI team should be part of the SOC, not part of the SOC? Any thoughts around that?

Bianca Miclea:

Controversial topic indeed. So I think, again, it depends on what you want to achieve. So, obviously, if you're a CTI team that's client-facing and provides reports and stuff like that to a client, that's a different story. But if you are an internal team and you're looking to build up a CTI function, my personal experience is that it works best when it's aligned to the SOC, when it's integrated in the SOC, when that team has the capability to talk to detect and respond, engineering, VM, supplier risk. When that person, it's almost, the way I see CTI is, it's like a bridge between the SOC and the organization, and that bridge would mean, hey, the detect and respond team might not have the time to speak to supplier risk or ISOs or, you know, have a look at whatever decision was made on the board level or business level on a regular basis, but the CTI team do and should. So that should be.

Bianca Miclea:

That integration piece of, this is what the business needs, this is what we're seeing on a tactical level, on the ground, this is what I think we should do. And that, from my experience, worked best. That's what actually drives value from a CTI team, because you're not just providing noise and, again, this might be controversial, but you're not just providing news feeds or alerts that actually nobody does anything with. And that comes back into another, I suppose, quite difficult thing, which is around how do you actually measure, then, the effectiveness of a CTI team?

Bianca Miclea:

and reporting and KPIs, and having it as part of a SOC helps with that, because you can then start having a look at false positive rates, you can have a look at mean time to detect, you can have a look at what or how many changes were done based on a CTI report or recommendation in the last six years, or six months, sorry, or one year, so you can kind of start to quantify CTI in a way that is a little bit harder to do if that integration with the SOC was not there.

Pedro Kertzman:

That's a great point, and with that experience as well, from building the CTI team from zero, any top three, five KPIs almost every CTI team should have on their KPIs list?

Bianca Miclea:

So I think, yeah, I think I mentioned some of the critical ones there. It really depends on how mature the team and the function is. If you are just starting off and if you are, you know, 100 days into building up the CTI function, those KPIs are not going to be existent. You will need to build up historical data, you will need to work on actually getting those processes in place to be able to monitor and measure, for example, false positive rates. But yes, if we are talking in a generalized average CTI maturity, let's say like three, five years down the line, then I think some of the critical ones that you should have is, as I said, false positive rates in terms of IOCs. What is actually the team, and not just IOCs, but are you doing threat hunts?

Bianca Miclea:

Are those threat hunts reaching the right points? Are you looking at the right tools? What are the false positive rates on that? Other bits is mean time to detect. How quickly is the team actually detecting what's going on externally or internally? Are most of the news feeds coming to you from exec? Is the board asking you, hey, I've seen this in the news, what's it about? And then you're reactive. Or are you actually proactive to things?

Bianca Miclea:

And that can be difficult to do because everybody reads the news and a CTI team is more than just reading the news, especially if it's integrated with the SOC. So it can be difficult to achieve, but it should be one of those. How long does it take us to pick up things? How long does it take us to escalate it?

Bianca Miclea:

And the other thing is around making it actionable, again a difficult KPI to have, but I think every CTI team should have it, otherwise you lose focus, you lose the so what and the why. And making it actionable can take different forms. So you can look at, as I said, how many controls have been improved in the last six months based on recommendations that we have made, or, I don't know, how many sessions have we delivered, training sessions or awareness sessions, to the business, to the board, to whoever your audience is. How many engagements have we had with the suppliers team, or with the VM team or other external teams, and what impact has that had? So I think, again, it really depends on where you are, but I think that actionable intelligence, where is what you're doing, where is it going and what are people doing with it, it's something that every CTI team should keep in mind and have a look at and review on a regular basis.

Pedro Kertzman:

Awesome. No, I love that. And one probably common topic I hear from many other guests is that CTI teams, they need to do a better job on selling their value upstream, which is difficult. It is.

Pedro Kertzman:

It is so. That's why I wanted to hear your take on the best KPIs or how to sell value to the organization and things like that, just to share with the community. Because, again, it's a, I would say, rare experience to have, you know, building from the ground up a CTI team in a larger organization, already mature cybersecurity organization, I'm sure, and then building that within that organization. So that's great, thank you. And you built it, it's up and running. What's next? Any lessons learned on the maturing part of the process, maturing that CTI program?

Bianca Miclea:

Yeah, definitely. So again, reviewing those KPIs is a key lesson learned there. Right now the team is functional and we're doing reports and we're doing this. Let's review KPIs and make sure the team understands the value, understands where we are. I guess a CTI team is never really mature because the threat landscape changes all the time and you need to, as a CTI team, you need to stay in, as an organization in general, but CTI even more so.

Bianca Miclea:

I guess the expectation is there, because you are CTI, that you are on top of everything. You're never really going to be mature because things will always change. New tools are being implemented, AI is coming down. What does that mean? How can you use it, or can you use it? Are you allowed to use it? Should we use it?

Bianca Miclea:

It's all of these questions around not just what's changing in the threat landscape, but what's changing in the way CTI works, in terms of processes, in terms of people, in terms of skills. You know, as more people understand CTI and as the CTI, I guess, journey went from a little bit of a buzzword when it first started, and a regulatory requirement, and, you know, one of those, hey, this is the cool new kid in town, to now people actually having this more and understanding what it is, and more people doing it and more skills being built that way. Then you have to consider how skills requirements are changing based on this as well. More people require malware analysis, for example, threat hunting. Not everyone has the capability to have a CTI team and a threat hunting team. Now, whether that should be separate, it's a whole different discussion.

Bianca Miclea:

But, you know, those skills are required in a majority of cases, or at least are expected to some extent, that the CTI analyst would be able to. So, yeah, I think overall in terms of what does come after maturing: keep maturing, keep reviewing those KPIs and making sure you're hitting the right spots and you're measuring the right things and that the company can still see the value from you on a constant basis. And also just integration with the rest of the company. So if you are integrated with a SOC, that's the first step. That's not the end of the journey.

Bianca Miclea:

Once you're integrated with a SOC, once the team is in place and the processes are in place and you've got some kind of TIP, now you need to start talking to the business. Now you need to start talking to all of the, you know, identifying stakeholders outside of your initial SOC team or your initial sphere of influence, let's put it that way. Who else can we talk to? What else? What do they need from us? Because then intelligence requirements might change or adapt, or you might find things that, actually, this isn't a crown jewel as we thought it was. I think this was a priority for someone but not for someone else. So it is a constant, it's almost like a constant review of the maturity.

Pedro Kertzman:

You're never really mature, I think. Yeah, environments change, right? So the company, business, even business model, might change as well. Exactly, that review is super important, for sure. You know, between all those changes, I think it's fair to say we have one constant within CTI, which is the MITRE ATT&CK framework. Yes. And within that journey, any, like, MITRE map exercise or things related to the MITRE knowledge that you thought was important to use at that time?

Bianca Miclea:

Yeah, absolutely, and actually it's a really nice transition from CTI to security engineering, and I think one of the lessons learned, I guess, from after maturing, is work closely with your security engineering teams, because those MITRE maps and this work that CTI is doing in identifying control gaps and providing recommendations, it is very useful if you then actually have a team to apply it to. So one of the lessons learned I had from doing loads of MITRE maps in my career, and gap analysis and heat maps and, you know, going from, hey, let's do it in a spreadsheet in Excel, to actually how can we automate it, and all of that journey, one of the biggest learning points, I guess, for me was actually how do we take this forward in a regular way, in a way that engages and reaches the right people and that gives the CTI team the right information? Because one of the things I found in my assessments in my CTI life is that, right, OK, I've done a CTI, a MITRE map. I understand what threat actors are using. I now know what controls we have against it. However, there is no, or CTI teams often do not have the assurance, let's put it that way, of how effective those controls are. And this is where doing work with other teams works really well.

Bianca Miclea:

So what we've started doing recently is implementing a monthly MITRE map exercise that involves various teams within the SOC, including security engineering, detect and respond, threat hunting, just various teams. The CTI person will go off and do the MITRE mapping and find out what the key attack types are and techniques and where the gaps are, as per where we think we are, and then we all get in a meeting together, in a workshop, face-to-face or virtual, whatever it is, and we sit down and talk through those controls one by one, through each of those identified gaps, or identified coverage even. Because even if they say, oh, we've got a phishing button, so we're protected against phishing, this might not be the case. So it's just bringing all those people together to say, actually, that has a gap. We know this control has a gap.

Bianca Miclea:

You might not be aware of that because you haven't seen what we do, but we are aware of it. So it's just, yeah, it's just bringing all these people together, and doing that exercise has been extremely helpful and has found, you know, mini gaps and things that we could then go on and make actionable. It comes back to that making it actionable piece, because then you actually know what is coming out of these meetings is going to be: you are responsible for patching that gap, or we are responsible for accepting this risk, or whatever the action is. There is an action coming down from those meetings.

Pedro Kertzman:

Awesome, and maybe stitching a few of those points together. So you mentioned the phishing for the users, and also changing, sometimes, the stakeholders, and having those MITRE map recurrent meetings. Have you seen, like, times, for example, where you, through attribution, you see, like, a specific threat actor poking on your perimeter, on your environment, but then one of the techniques they use is not phishing, but they are really good at leveraging stolen credentials? Have you gone all the way to change your stakeholders, to go back to whoever, or maybe HR, is responsible for user training, like regular phishing simulation and all that? I know companies vary, sometimes it's HR doing that, sometimes it's IT doing that, it changes a little bit. But have you gone down this path to actually chase, because of that gap, a new stakeholder?

Bianca Miclea:

Yeah, yeah, absolutely. We have, and we have opened risks against gaps that we identified as well. We saw an attack, we identified a gap in control, we opened the risk. So it was almost like putting the accountability and responsibility into those stakeholders' hands and making them understand that you can do nothing, but if you do nothing, you'll have to accept this risk. So, yeah, we have gone down that path multiple times in multiple forms and ways, and I guess the recent news around service desk social engineering is a good example, for example, and we've done a couple of exercises internally around that and found improvements and went and made that improvement.

Bianca Miclea:

So, yeah, absolutely, and this is where my lessons learned come in. There have been times in my career where that wasn't the case, and I found something and proposed an action and nothing was taken. And this is where that experience and lessons learned come from, around making sure that what you do is actually actionable and someone does something with it, and if not, then that is recorded somewhere as a risk. Or the next month you do a MITRE map; if the previous month's gaps haven't been patched, then you bring it up again, and you bring it up again, and you bring it up again, and that continues to be a constant story in your threat assessments that this is what needs to change.

Pedro Kertzman:

Awesome. And any, like, network or resource groups that you participate in, that you would recommend to the listeners as well?

Bianca Miclea:

Yeah, absolutely. So I am, and I have always been, a strong advocate for women in cyber, not least because obviously we all know there's not enough of us in the industry, but actually there's some really good learning opportunities and groups out there that can offer training, that can offer mentoring opportunities.

Bianca Miclea:

So, for example, I am the partnerships lead for the Women in Cybersecurity UK and Ireland, and in the UK that's a free membership.

Bianca Miclea:

In the US it's a small amount per year that you have to pay. However, the benefits you get are absolutely amazing, in terms of training and free training opportunities, in terms of mentoring, in terms of actually just getting out there and networking with people and seeing what other people are doing and learning from. Yeah, absolutely, I think generally, and I guess I'm coming from this from the perspective of being a woman, so this will apply to women listeners, but, yeah, generally any women in cyber network is absolutely valuable, because you just get so much information and guidance and even almost like a, if you can see it, you can be it, kind of a view, and that has guided me throughout my career as well. You know, being a woman in cyber is hard sometimes and you do get ignored sometimes, but having those support groups and learning opportunities is amazing.

Pedro Kertzman:

I love that. I had the chance to interact a few times with women in cybersecurity groups local here to my city, and it was always amazing, like, the support network they were able to build here is just, you know, amazing, to say the least.

Bianca Miclea:

Yeah, absolutely, and I mean they are called women in cyber groups. But most of the time, male allies are very much welcomed and encouraged, and I think, from my experience, because I created one and I, you know, I had events for male allies as well and encouraged them to join, and the feedback was also amazing from the male allies as well. So it is a good networking opportunity and an additional resource to everything else you have as well, for everybody.

Pedro Kertzman:

Yeah, it's a very list we could do for sure, and I'll make sure I'll paste the link in the description of the episode. And from an industry standpoint, of course, we learn a lot on the daily, you know, CTI reports and feeds and from the industry. But how do you learn about how the CTI role or CTI frameworks are reshaping, or the news around that?

Bianca Miclea:

That's a really difficult question, actually, because, funnily enough, I've never actually taken a CTI course per se, or certification or anything like that. It was one of those: I want to do this, but I never got around to it, because other courses were more interesting or because I was already kind of learning what I was doing. So I thought, well, I need to know that more than this. But I think there are plenty of resources out there.

Bianca Miclea:

One of the useful ones that I actually used, in terms of when I was building up the CTI function, in terms of actually defining what some of the skills for the team might be and then aligning that to our intelligence requirements, is the NIST framework, NIST and NICCS, so they have a task, skills, responsibilities section that lists different capabilities that a CTI function should have, in terms of both tooling capability as well as people skills, and I found that quite useful. And even if you don't meet all of those requirements, it's a good indication as to where you would want to be, or what you accept as, we don't need that, because this isn't within our capability and that's not what we're trying to achieve with our CTI function. So it almost gives a bit of a checklist, like, yes, this is what we need. We don't need that because we're not aiming to do that.

Bianca Miclea:

Other resources, I guess: just having an intelligence background in general really helps, and I found, at least from my career, a lot of the CTI people I've met have often come from public sector work, so doing some kind of intelligence in the police, or some kind of intelligence in the military. So having that intelligence background per se, and having that mindset of criticising, I guess, in your head whenever you read something, the why, the what, the how, and constantly questioning whatever you read, is something that you develop through that intelligence work, and it is hard being a CTI person without that thinking. I have met people like that before. You can learn those skills, but you would have to train yourself or force yourself a little bit more to question everything you read.

Pedro Kertzman:

Yeah, no, that's a great point. I think sometimes it feels that CTI folks might be the most susceptible ones, you know, to burnout, because of the amount of information. If you really decide to tackle every single thing you're reading as a real thing or not noise, it just comes from everywhere.

Bianca Miclea:

It's then managing that stakeholder expectation as well, right? Because, in so many cases, I've heard people in CTI say this: that the board asked about something they read in the news that, realistically, will never really happen, or it isn't really what, you know... The BBC reported on something, and that wasn't the full story, or that wasn't going to happen, or whatever the backstory of that event actually was. And it's, exactly as you said, having that historical knowledge almost of "I know this won't happen" or "I know this will happen", because I know the usual TTPs of this threat actor, or this usual behaviour, or this tends to happen.

Bianca Miclea:

It does take time, and it does take a lot of reading and a lot of critical thinking and, yeah, burnout at times, because there's just so much out there. And even when someone brings something up that you haven't yet had the chance to read, because it was five minutes ago and you took a tea break, and someone's questioning you about it, that in itself causes a lot of pressure and a lot of stress, especially if you're just starting off. So yeah, absolutely on the burnout, and on the skills piece, it's just, yeah, you learn it as you do it, really.

Pedro Kertzman:

Exactly, exactly. And it's funny you mentioned the board, because of course there is a lot of interaction with the CTI reports and risks and all that to the board. You know, talking to people the other day, it's like, if it's well written it's going to almost sound like a James Bond related type of statement, because it's got to be not technical but just threats and all that. And I think that piece kind of also gets the board super excited. They then start coming back to the CTI team: oh, I saw this, what about that? Kind of things.

Bianca Miclea:

Exactly.

Bianca Miclea:

Yeah, I love working with the board, to be honest, and you get interesting questions from them sometimes, but that relationship is so important, because they are the people who make the decisions, and they will know stuff that you don't know as a low-down person, as a CTI person, and it's so important to keep that conversation going and to keep honest and open communication.

Bianca Miclea:

And yes, the way you phrase things has to be very careful, and, you know, technical jargon needs to go out the window. And if you're in a small team, like I happen to have been numerous times, and I was doing tactical and strategic and operational all at once, you have to switch mindset between "I need to provide this malware analysis to the detect and respond team or threat hunting team to look if there's something internal" to "now I need to present something to the board". Having that mental switch between leaving the technical jargon behind and actually explaining risk and the "so what", and really focusing on what matters, can be quite difficult, but it is really important in maintaining that, I guess, whole CTI picture.

Pedro Kertzman:

Yeah, no, I love that. You have to understand your audience, right? So, exactly, this shift is super important, and, no, that's awesome. Any closing thoughts for the audience? Any nice things about, or tips about... not tips, tips, yeah, I should rephrase that maybe, but yeah, any suggestions for the audience related to CTI?

Bianca Miclea:

Yeah. So I guess it depends who's listening. But if you're listening from a management or board perspective, then I think use your CTI teams, speak to them, and really drive down and make those intelligence requirements clear, because the value that you can get from a well-integrated and well-communicated-with CTI team can be absolutely invaluable in keeping up to date with threats and recommendations and, you know, just generally threat-informed decision making. If you're listening from a CTI perspective, there's a couple of tips, per se, that I guess I would have. One of the biggest ones that I found useful in my career is: have a reporting threshold. I call it a reporting threshold; you can call it whatever you want.

Bianca Miclea:

What it actually is, is have some kind of threshold, so that when someone comes to you and says, hey, have you seen this, and why haven't you written a report on it, and why is there nothing done on it? You say: because it doesn't meet our criteria. Yes, I've seen it; it doesn't meet our criteria. That criteria is defined as per business need. You know, if you are financial sector, then you might not care about retailer attacks, or you might. It depends what you care about.

Bianca Miclea:

Defining that criteria takes understanding the business, and what the business risk appetite is, and where the business wants to go. But actually having that criteria saves so much of the burnout that we talked about, because you can easily say: yes, I have seen this five hours ago, or last week, or a minute ago; I haven't done anything on it because it doesn't match our criteria, it doesn't cross our thresholds, there is nothing for us to worry about at the moment. And on top of this as well, have various points and links to the criteria as well.

Bianca Miclea:

That is, have various points of escalation depending on what that threshold is. So, has it met your threshold? Okay, what are you doing with it now? Are you going to write a full-on 10-page report that's going to go to, you know, board and stakeholders and whoever? Are you going to do an email? Are you going to, I don't know, raise a threat to the detect and respond team, or to the threat hunting team? Or just have that level of: right, this reached this level,

Bianca Miclea:

so now we need to do XYZ. Because having that clarity again saves a lot of stakeholder management time and pressure and, you know, stress, but it also saves a lot of time as a CTI team in terms of prioritising what needs to be looked at and how fast you can respond to things. It brings back into, again, KPIs and reporting and, you know, how do you actually measure the value and what you do. So a couple of points there, I guess. But yeah, having, generally... I call it a reporting threshold, but having some kind of threshold that you will then take or not take action on, I found extremely helpful throughout my career.

Pedro Kertzman:

Oh, I love this reporting threshold idea. It's just prioritising the most important thing, exactly. Unfortunately, no team will ever be able to cover everything. We wish, right? But it's just not the nature of the industry we are in, and that's a really important idea, to make sure we're focused on the most important things.

Bianca Miclea:

And that's the other point as well that I touched on briefly there. But actually speak to your industry. There are plenty of industry groups out there, and that's the best thing about CTI: it is one of those teams that are not isolated. A CTI team is supposed to talk to people. You're supposed to go to conferences, you're supposed to be part of information sharing groups, have those regular meetings, build those connections, and this isn't one of those, you know, clichés of "you have to be connected to get XYZ". This is almost one of the requirements of being a CTI team: to be out there, to talk to people, to share information, whether it's open sharing, closed sharing, closed forums, whatever it is. You need to be part of various groups that provide this information, because oftentimes you'll get faster information and first-hand information that you will not get in the news ever, or for a very long time. So having that will provide so much value in terms of being able to be reactive.

Pedro Kertzman:

That's a great point, yeah. Being in touch with your peers, similar companies, you can get first-hand information of the things happening to them before it reaches the news.

Bianca Miclea:

And there are groups out there where, you know, you can say, hey, this is TLP:RED, don't share it, don't attribute it to us, but this is what's happening, and that information is just absolutely valuable. I know some companies are a bit protective over what they share and how much they share and where they go and talk to and speak to and what they actually put out there, and that's fair enough. There are legal restrictions, there is intellectual property, there is sensitive data. However, a CTI team with the right kind of measures and, you know, structure in place can get so much value from this.

Pedro Kertzman:

Absolutely, Bianca. Thank you so much for so many insights. I loved our conversation. I really appreciate you sharing all that, and I hope I'll see you around. Thank you.

Bianca Miclea:

Thank you very much for having me. Best of luck.

Pedro Kertzman:

You as well. Bye.

Rachael Tyrell:

And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you.