Sam Flockhart: 0:00

which is really important for CTI teams to do that.

Rachael Tyrell: 0:05

Hello and welcome to Episode 14, season 1, of your Cyber Threat Intelligence Podcast. Whether you're a seasoned CTI expert, a cybersecurity professional or simply curious about the digital battlefield, our expert guests and hosts will break down complex topics into actionable insights. On this episode of Season 1, our host, Pedro Kertzman, will chat with Sam Flockhart, who is a former military intelligence operator with expert knowledge in leading teams in intelligence operations, risk management, geopolitical analysis and cyber threat management. Sam spent 10 years within the UK's military and Ministry of Defense and now, as the head of threat management of a large global bank, he brings his wealth of CTI knowledge not only to keep the institution protected, but also to help aspiring CTI professionals to join the industry. Over to you, pedro.

Pedro Kertzman: 0:55

Sam, thank you so much for joining the show. I really appreciate you sharing your knowledge with us. Thanks for coming.

Sam Flockhart: 1:01

No, thank you, Pedro. Thank you for having me. It's a privilege to be asked to join. Thank you.

Pedro Kertzman: 1:06

Usually I start by asking the guests their journey into CTI the first time they heard of it, how they came to the position they are right now. So would you mind walking us through through that, please? Yeah sure.

Sam Flockhart: 1:19

So my kind of background, my career, was with the British Army in the military intelligence part of the army, which is sort of the intelligence corps so effectively. You know I was a sort of trained quite a high standard in military intelligence. But this was much more kind of focused at the time. It was kind of, you know, counterterrorism and sort of contingency operations and things like that. And then sort of over my military career, that kind of transitioned more towards sort of conventional threats like from Russia or China, for example, so kind of nothing to do with cyber. Really, whilst I was in the military, more sort of focused on some of those operational deployments that we did in more traditional military intelligence type stuff.

Sam Flockhart: 2:05

And I think in the last year or so of my career, when I kind of knew I was probably going to leave and try and join the private sector, one of the areas I was looking at was cyber, because it was just like super interesting, super cool to somebody who had no cyber knowledge whatsoever, but primarily kind of linked in a lot with some of the experience I'd already gained. You know, in the last two or three years I spent a long time looking at Ukraine, russia and looking at some of those intelligence groups operating from there. So obviously, you know, cyber espionage was a big component of that type of activity as well. So that kind of then got me interested in some of those groups and and, yeah, when I was leaving the army, you know, it's just a natural kind of transition to then try and take that intelligence experience in the conventional sense into the, into the cyber, with the private sector, right. So that was kind of um, how I got into, how I got into it.

Sam Flockhart: 3:02

And I'll just repeat when I first started, you know, leaving the military, looking for jobs, I had absolutely no cyber knowledge whatsoever, um, and it was more kind of picking that up as I've kind of went along this journey. So, um, I guess that's one of the things for for people that might be in a similar position, when, when you're trying to get into cyber, it's like you know, don't worry, the, you know the path has been well trodden and, um, you don't always have to have that sort of guru, expert level knowledge of all things it or cyber to sort of get a job in cyber that's amazing.

Pedro Kertzman: 3:32

And uh, talking about that transition from from military to cti, any like I don't know, lessons learned or something like that, the type of training that you decided to have to kind of fill some of the gaps and all that, any thoughts around that? I?

Sam Flockhart: 3:50

guess like there's this. One of the things that I've learned is that there's this fixation in cyber on these like qualifications. So you know there's obviously different disciplines inside over then. You know you can get these quite expensive sometimes really the qualifications like cisp and cism, and there's that sort of fixation on having to have the qualifications first before getting the job. And my experience was really different to that where you know I'd done some whilst I was leaving in my last year. We're quite lucky in the british army where you get, you know, you get a year to kind of transition out and they do help you with qualifications and I'd done some of the very basic you knowals like comp, tsec, network plus that type of stuff. I've done some um kind of q, radar, seam type courses but effectively that was just a foundational type type type qualification. It wasn't really that that impressive and so one of the things that really when when I was interviewing for some cyber roles and things like that, it was more like it of the things that really when I was interviewing for cyber rules and things like that, it was more like it was the knowledge that was important. It wasn't.

Sam Flockhart: 4:49

Sometimes these little qualifications might be ticking the box in terms of your CV. But I think the knowledge is the most important bit. So it's almost when you come into the interview, kind of trying to anticipate the questions that you might be asked and having sort of examples and things prepared. So even if it's like, okay, I've never done a cyber job, but I actually have a lot of cyber threat intelligence knowledge around these subjects and I can talk a little bit about them, that really worked for me to sort of then kind of lay that groundwork, say, look, I do know quite a lot about this subject. So I think even now, while I've been in sort of different CTI teams hiring and doing the recruiting, that's kind of what I like. The big tips I can give people is yes, the qualifications are great to have and nice if you can get them, but often you have people that have all these qualifications that then when, when you ask the question in the interview, the knowledge just isn't there. So I think it's more about how you prepare for that interview. I think that's one of the sort of key lessons learned is sort of doing that research and that knowledge which is actually just available to everybody.

Sam Flockhart: 5:52

You know a lot of the if you're looking to get into cyber threat intelligence. You know, I'm guessing that most recruiting firms, most orgs, are asking the same types of questions. Most orgs are asking the same types of questions. You know. They're asking about what top cyber threats, who the top cyber threat actors are, whether that's, you know, ransomware groups, ddos, activist type activity, nation states, um, so just having kind of like an example there of you know a group that you that's that's taking your interest, how they go about doing these types of attacks or ttps and and that type of thing.

Sam Flockhart: 6:22

And then you know, I remember when I was being asked, it was always asked like, okay, tell me about the malware. And so having like one in your back pocket, you know, I think I remember I really was interested in the russian gru groups, like fancy bear, you know, um, sandworm and stuff like that, because they're just kind of cool, right, um, and so having like, okay, here's an example of the malware. I think it was hammer toss. They use steganography in terms of command and control and all these dislike little things that, okay, I wasn't an expert on. But you know, when you've been asked at the interview, it shows knowledge, it shows passion. So I think that's kind of. One of the lessons learned for me is that people try to get into cyber threat. Intelligence is really going with that, that research in terms of anticipating the questions, top threats, top threat actors. Having some examples in your pocket that you can just kind of talk about, I think that will go even further than having just like a crest call or a sans call on your CV.

Pedro Kertzman: 7:14

No, I love that and I would say especially, you know, my little two cents is that when you go and do that type of research, you're not only showing the necessarily the best answer possible, because the person on the other side might have even, like a larger or better answer, deeper knowledge on that topic particularly, but it shows that you're willing to do the effort, you're willing to go and do research, you're curious to do that stuff and that's like our day-to-day activities. They're like all around doing that kind of digging, digging, digging right, and I think that's uh, that's super important. For sure you mentioned something about the prior near or near military experience. The uh focus on some of the other military groups or attackers, or maybe now known as APT groups, any particular knowledge about the Russian side or the way they usually target other organizations or countries or something related to their country, culture, history, many things related to them.

Sam Flockhart: 8:23

I think so. So this is where I tried to use that military background and intelligence experience really to help me get these the cyber threat intelligence roles when I left and I might not have known quite a lot about cyber, but I did know a lot about Russia and Ukraine, having served in sort of on a orbital which was the British military's training mission for Ukraine. I think I was on that in and out for three years, probably longer than almost anyone in the British Army at that time I had quite a lot of exposure to sort of Russian culture as well, with family from there. So yeah, I didn't know a lot about cyber, but I did know a lot about sort of Russia. That was my area of expertise whilst I was in these roles within the military. So you know how do you use that to your success and it's kind of like well, you know, well, you've got all this. You know technical cyber frameworks and technology and you know very complex ways of doing all these attacks Right. But at the end of the day, it's a human at the end of the keyboard, whether that's a military unit or whether that's a ransomware operator. So the cultural aspects in terms of understanding you know their behaviour and understanding. You know sometimes their slang and the language which they're speaking to each other on these underground forums can be really important. You know, understanding if you're having to negotiate with a ransomware operator working for you know, some of these cti companies, you definitely need to have that cultural understanding of you know um of of that. So you know, I tried to use a lot of that experience that I did have and bring that into cyber and there's loads of good examples of this. So probably I would say for most orgs, um, if you ask them, you you know the private sector, you know. If you ask them who the top threats are, they're probably going to say something like ransomware, right, because it's such a prevalent threat. And you know it's kind of like the key components of ransomware.

Sam Flockhart: 10:16

Ransomware primarily kind of comes from Russian-speaking regions in Eastern Europe, mostly sort of Russia, but also Ukraine, moldova, you know, sometimes Central Asia as well, you know. So you know why is that? It's kind of like an interesting question, right? Why is it that, effectively, this ecosystem that is built on the dark web, you kind of have to really have that ability to speak Russian to kind of get by. There is some Chinese and some, you know, iranian groups and things like that as well. But most of the Russian developers, most of the Russian sort of ransomware strains, are coming from these Russian-speaking regions. So you know again, like you're able to sort of bring that.

Sam Flockhart: 10:54

Why is that?

Sam Flockhart: 10:54

Well, it's because Russia really offers this kind of unique environment where government law enforcement are able to sort of profit and benefit from the ransomware groups themselves, whether that's through sort of protection and kind of racketeering and that kind of thing, where you sometimes see some of the leaks that have come out right, where I think it's the Conti leaks, for example, where you can see some of the sort of inner goings of what these guys are chatting about and how these guys operate.

Sam Flockhart: 11:22

And there's quite a lot of references in some of these groups, whether it's Lockdown, the leagues you know the Conti leagues about a word called Kresha, and Kresha is basically the Russian word for roof. So it's kind of like they're using it as like it means top cover and what that means is Russian ransomware groups will use these intelligence services, they'll probably pay them off and then that offers them an element of protection and as long as they've got the right creation in place, then they can kind of operate as they want and as long as they don't target within, within russia or cis countries, and they kind of continue to sort of plague and, um, victimize, you know, western countries, um, so you kind of get these little concepts, that kind of transfer that have translated from mine, you know, my understanding of ukraine and russia, into that ransomware space, which my understanding of Ukraine and Russia into that ransomware space, which is kind of cool and you can kind of use and you can talk about some of the sort of human element on the other side as well.

Pedro Kertzman: 12:12

Very interesting. Would you mind expanding on that please?

Sam Flockhart: 12:15

I think one of the things that's just interesting is that, like I said, you know most of it. A lot of the cybercrime, a huge portion of cybercrime activity comes, comes from those regions. So you kind of want to be able to understand, you know that type of environment. You know like if, if you were a military intelligence operator, um, working in a conflict zone, you kind of have again like a structured process right going through these things. So you kind of look at your, your battlefield first. You look at the geology. You, you know, as an operator, military intelligence might be expected to know how fast that river stream runs, because Ultimately the commander needs to know can I get you know tax across it? Or you know, is it a natural barrier to the enemy, etc. Etc. So you kind of have to understand your environment, forced and To be able to sort of really do a complex threat evaluation down the line when are your weak points, where's vital ground? On the cyber side, your network is exactly the same. You want to understand what devices make up that perimeter VPN connections, firewalls, which ones have you got? So when there's vulnerabilities coming out, the concepts are again quite of in terms of things like that. But you know, with the russia, with the russia stuff, you kind of need to know, like, who are these operators? Why are they able to operate in this environment without really fear of arrest? What does that mean? You know how do you kind of um try and disrupt or have an impact? You know um. So I guess it comes down to like knowing a little bit about culture but also known a lot about history, right?

Sam Flockhart: 13:48

So when you're looking back at Russia in the 1990s, when the Soviet Union collapsed, you kind of have like two of these major forces that kind of emanate. One is criminal, the criminal organizations. You know the sort of some of these Russian groups. They kind of have a huge amount of power and sway. And the second political faction is kind of like the political sphere under Boris Yeltsin, but he's kind of dominated and surrounded by these oligarchs. So people like Boris Berezovsky, you know roman abramovich and yukunin and all these different um. You know mikko korokovsky, all these kind of figures that emerged because they were basically buying up all these businesses and they they basically had a lot of financial clout and they would have this what they call like a symbiotic relationship with these criminal groups, where it kind of they both mutually benefit from each other, right, because you've got the muscle and then you've got, you know, the political and the financial and everyone kind of benefits from this ecosystem and the political organs kind of just oversee that and let that happen.

Sam Flockhart: 14:57

But that when when putin comes to power in 2000, it completely sort of changes where he kind of turns on a lot of these oligarchs. He makes sure that they understand that he is the power vertical now and you know, anyone who wasn't willing to comply with that regime, whether it was criminal, whether it was the oligarchs, you know they would effectively be taken down. So they all have to pay homage to the state. Some of these oligarchs obviously decide that they're going to do that um, and some of those don't, like likezovsky or Khodorkovsky, who then effectively kind of lose their power and influence over a period of time. But that's kind of like that ecosystem had already been built and established with this symbiotic relationship between organised crime, between the political units and between private businesses, banks, you know, energy companies and then ransomware kind of comes, emerges.

Sam Flockhart: 15:45

You know, many decades later really, you can sort of companies and then ransomware kind of comes and merges many decades later really, and sort of, I guess ransomware as a server kind of merges as a big big thing, big global threat, in about 2015-ish right With Game Over, zeus and sort of the elements that move that. And they're all coming from Russia because you've got this nice environment for it to you know really flourish ransomware as a service and you know they don't really have that, that fear of prosecution for some of those reasons we talked about. So this is kind of like why we have this problem and it. You know you're looking ahead.

Sam Flockhart: 16:18

Sometimes threat intelligence is also about trying to predict what's going to happen next, and really you can't solve a ransomware problem without solving the Russia problem. So this is kind of like we're all kind of interlinked in knowing that political history, knowing the geopolitics of the situation and how that is changing then in the cyber environment, right. So all these kind of elements mix together. So this is where you kind of have to be, you know, knowledgeable on all these subjects and then be able to explain to some of the cyber threat intelligence that you might deal with as a CTI team.

Pedro Kertzman: 16:55

That's amazing. That's amazing. I didn't know about the whole ecosystem and how they would relate to each other within the country and then get the way we are right now with this massive amount of ransomware all over the place. That's cool. Thanks for sharing that and any other insights from things you brought from the military into the CTI maybe frameworks, other kind of knowledge, anything about that as well.

Sam Flockhart: 17:26

Yeah. So that was kind of the other part of when you try to sell yourself. Coming out of the military, it's like a lot of the time I was working in what you would say is big intelligence organizations, whether that's NATO headquarters, sometimes SF headquarters, etc. So you're kind of working with these world-class intelligence agencies that have had these frameworks and structure and operationalized processes established for decades, right, yeah, so you kind of get a really good understanding of how intelligence operations work, not in the cyberspace, but in the kinetic space, and what is going to happen really. Over the last 10, 15 years, however, cti has emerged as this big thing is. A lot of people have left the military and have taken those frameworks from their military experience into CTI. So a couple of examples of that even anyone who is interested in CTI needs to understand TTPs tactics, techniques and procedures which effectively is just an acronym for how cyber attacks happen. That word itself has been taken from military intelligence. In terms of a TTP might be how you can seal IEDs. Or sometimes, you know, in Afghanistan they started making IEDs out of plastic and they kind of changed the TTPs so that they avoided, you know, violent detections and things like that. So you know your adversaries are changing their TTPs. That's what that's going to, and cyber's obviously adopted that angle.

Sam Flockhart: 18:55

Second example intelligence collection plans, or icps. So this was just a. It's just a very structured way of kind of looking at what, what is it you want to collect it on, right? Um, you know you can't have a cyber team that's just been given complete freedom. There needs to be some sort of structure, some sort of direction as to what they're supposed to be.

Sam Flockhart: 19:11

Collecting intelligence on things that add value to your own organization top threats again, how these attacks are happening. So you have an ICP is basically a structured way of collecting and planning out that intelligence and then looking at okay, where is that intelligence going to come from? So, have you got your data? Web monitoring, is it your malware analysis or open source? You know, could you do a lot on? You know, ip and sort of NetFlow type investigations and things like that.

Sam Flockhart: 19:40

So it's basically that concept comes from the military intelligence.

Sam Flockhart: 19:44

I remember, you know, in my military career, having to create ICPs as part of battle groups, whether it's in real life operating environments or just on exercises, and coming up with that template and that plan and sort of working with the commanders and things like that on that.

Sam Flockhart: 20:01

So again, it's kind of one of those things where, even though I had no cyber experience coming into a cyber team, it's kind of like you know how to operationalize that intelligence and structure it and try and deliver the value and the so what's to your sort of stakeholders and your consumers within a, within an organization, which is really important, um, for cti teams to do that, um. So these are kind of come some of the examples. You know, priority intelligence requirements is another one. Right, these are all things that have stemmed from military intelligence, that a lot of the real forerunners coming into cti particularly, I would say, in the uk, but obviously massively in the States as well, you know they're coming from these big, big intelligence organizations and they're kind of they're just taking what is a tried and tested intelligence framework and structure and bringing that into the cyberspace.

Pedro Kertzman: 20:47

No, that's awesome and I imagine for sure you know the reality. For example, related to Intel, sharing in the military will be super particular. Right, you have to know the other, maybe military forces like NATO, whatever other groups you can actually share Intel with or get Intel from. How about, when you transition to the private sector, how that changes? Isaacs for certs? You know other in between type of organization, uh, have you had the chance to interact with those? Any thoughts around that?

Sam Flockhart: 21:28

it's kind of like a wee one because there's obviously a little bit more freedom in the private sector. So obviously if you work for the government, you know, um you might have you get security cleared, you might have access to sort of confidential secret, even top secret information, right. So there's obviously huge legal constraints about sharing, um, you know, and you know national security implications and things like that. So there's it's much more control, there's much more structure to that and there's there's massive strangulation and limits on what you can do, what you can share. And so that's kind of the art of intelligence is knowing that, knowing what would be what and being able to do that.

Sam Flockhart: 22:06

Moving into the private sector, there is a little bit more openness in terms of, you know, an emphasis on proactive intelligence sharing to protect the wider you know whether it's the financial sector, for example, or the wider um, you know critical national infrastructure. You know there's the types of sort of external organizations and partners you may be working with. There's more of a willingness and openness to do that, I would say. But then there's also quite interesting constraints too. So you know, a lot of the time you might have an intelligence feed that kind of resembles like human. It's kind of like that dark web, underground ecosystem type thing where you've got potentially, you know, confidential sources sitting on some of these forums gathering intelligence on some of these cyber criminal actors. Those sources still need to be protected, right. So there's that. You know you can't just go willy-nilly share whatever it is if it's come from sources like that. So you have natural caveats and restrictions on some of that intelligence sharing. It could be, you know, legally privileged information in terms of you. You know, maybe there's a third party that might have an incident you don't want the whole world to know. It's non-public information, and so again you can have a custodian of intelligence that isn't isn't available to the wider public, or you might be aware of it before the wider public, and so again there's that that's one of the, the real sort of your trusted intelligence operator for a reason because you know when and what to share, um, and then you kind of a lot of orgs will have isaacs, as you mentioned. So whether it's a financial sector isaac, or sometimes you know, manufacturing or telcos might have their own, you know section-based intelligence sharing, um, and there's kind of that you know emphasis that you should be sharing more about. You know whether it's just incidents, near misses or again compromise third parties or something like this, where you're kind of sharing within trusted circles. So you kind of got these established structure forums where you can access some of that type of thing.

Sam Flockhart: 24:09

Um, you know where, uh, a lot of you know the organizations I've worked for. Some of the best intelligence is coming from those types of isaacs and partnerships, so, um, but there's that there's still. You know, um, as an intelligence operator you're still trusted with. You know when and how and you're still kind of responsible for, for the sort of knowledge that you might have now in your head. That actually, um, you kind of want to trust and protect some of the relationships that you're building or some of the confidentiality and where that intelligence has come from. So it kind of there's a crossover still, um, but in the private sector, you know it's, I think there is more of a unwillingness to share oh, I love that super insightful thing.

Pedro Kertzman: 24:50

Thanks for sharing that. Any final thoughts?

Sam Flockhart: 24:53

no, I guess. Like I mean, one of my passions is obviously helping people trying to get into cti, right, so it's about you know that experience that I had no knowledge of cyber. But what sort of questions and things. As now, as a recruiter or someone who tries to hire, you know cti analysts what would you be asking? And it's getting cti is not really that hard if you've got good answers prepared for these questions.

Sam Flockhart: 25:17

If you were applying for a bank, who would those top threats?

Sam Flockhart: 25:20

What is the top cyber threats? Can you give an example, a recent example, of a big cyber threat? Obviously, in the UK at the moment we've got some retail typeset of targeting for ransomware Globally. You've got North Korean IT workers and insiders and then you've always got China APT groups and the target and the telecommunications things like that. So all these things are like okay, here's a nice example, provide that recent example, have a group of the different types of cyber threats and threat actors that you've got. So whether it's ransomware operators, initial access brokers, apt groups and have an example of how they're operating.

Sam Flockhart: 25:57

But then also kind of think about like, okay, you're going to come in as a CTI analyst, who do you think your stakeholders within an organization are going to be. Is it going to be vulnerability management? Is it going to be your detect and threat hunting teams, your purple teams or red teams, you know? Is it going to be sort of security architecture, cisos and risk teams and governance and compliance? And have a little think about who do you think is going to benefit from the types of intelligence you're going to produce and at what different levels do you have to tweak or keep the product?

Sam Flockhart: 26:25

And then, I guess, the different types of intelligence feeds. So I think we've kind of touched upon it Dart web in malware analysis, you've got open source intelligence and just the different types of intelligence feeds that you might be dealing with as a CTA analyst. Having a little bit of knowledge about that, I think, really makes a difference, even if you've never used those products before, to just kind of be able to talk about. These are the types of questions that, as a recruiter, you can ask and I think if you prepare some of those answers as a CTI candidate, then I think you're going to be in a good place. So I think that's kind of probably my top tips or advice for sort of getting into CTI, in the same way I did for those who are passionate about getting into it.

Pedro Kertzman: 27:10

I love that. I love that. Perfect Sam, thank you so much for coming to the show. I really appreciate all the insights and I hope I'll see you around.

Sam Flockhart: 27:20

Yeah, no, cheers for having me, Pedro, and I'm sure we'll catch up at some point.

Rachael Tyrell: 27:26

And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group Cyber Threat Intelligence Podcast. We'd love to hear from you If you know anyone with CTI expertise that would like to be interviewed in the show. Just let us know. Until next time, stay sharp and stay secure.