Cyber Threat Intelligence Podcast

Season 1 - Episode 15 (Pedro Kertzman & Adam Goss)


What does it take to become a cybersecurity "unicorn"? According to Adam Goss, it's the rare combination of threat intelligence expertise with cross-domain skills that truly drives innovation in our industry.

Adam takes us on his unconventional journey from aspiring penetration tester to CTI specialist and educator, revealing the critical mindset shifts required when transitioning between security roles. Most fascinating is his comparison between SOC and CTI approaches to bias - while SOC analysts leverage bias for quick decision-making, CTI professionals must actively combat it, asking deeper questions before jumping to conclusions.

The conversation turns deeply personal when Adam shares how a seemingly successful threat detection of a Cobalt Strike beacon ultimately missed crucial indicators that led to a devastating ransomware outbreak. This painful lesson transformed his entire career trajectory, highlighting why technology alone fails without the right people and processes - ultimately inspiring him to found Kraven Security to make CTI education more accessible.

For those looking to develop their own CTI expertise, Adam provides a treasure trove of resources - from hands-on platforms like TryHackMe to industry reports, conferences, and specialized books that bridge tactical and strategic intelligence needs. His recommended reading covers everything from intelligence-driven incident response to honeypot deployment and strategic analysis frameworks.

Perhaps most refreshing is Adam's closing perspective on maintaining balance in security careers. Despite the high-stakes nature of our work, he reminds us to focus on the aspects we genuinely enjoy, treat work as just work, and prioritize health and family over professional pressures - wisdom that might be the most valuable intelligence shared in the entire conversation.

Connect with us on LinkedIn at Cyber Threat Intelligence Podcast to join the conversation and recommend future guests with unique CTI perspectives to share.


Resources:

https://kravensecurity.com/

https://www.oreilly.com/library/view/intelligence-driven-incident-response/9781098120672/

https://chrissanders.org/2020/09/idh-release/

https://collegepublishing.sagepub.com/products/critical-thinking-for-strategic-intelligence-3-265236


Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure!

Adam Goss:

The innovation in the cybersecurity space comes from people who have those cross-domain expertise.

Rachael Tyrell:

Hello and welcome to Episode 15, Season 1, of your Cyber Threat Intelligence Podcast. Whether you're a seasoned CTI expert, a cybersecurity professional or simply curious about the digital battlefield, our expert guests and hosts will break down complex topics into actionable insights. On this episode of Season 1, our host, Pedro Kertzman, will chat with Adam Goss, who is a cybersecurity practitioner and educator with experience in security operations, security engineering and threat intelligence. He has worked with MSSPs, international service providers and within the UK telecommunications sector. Additionally, he runs Kraven Security, a CTI education and consulting firm that offers affordable training for individuals and provides bespoke services to help companies enhance their CTI capabilities, leveraging his years of industry experience. Over to you, Pedro!

Pedro Kertzman:

Adam, thank you so much for joining the podcast. It's really great to have you here.

Adam Goss:

Yeah, thanks for having me. It's great to be on the show.

Pedro Kertzman:

Awesome. I usually start by asking the guests about their journey into CTI: how it all started, your path to maybe pivoting into CTI, and then what you're doing currently with CTI. Would you mind walking us through that, please?

Adam Goss:

Yeah, of course. So, yeah, my path into CTI was a little, um, unconventional. Uh, starting out, I really wanted to get into penetration testing and the offensive side of things. So when I was taking my graduate degree in cyber security, I focused a lot on the penetration testing certifications. Okay, uh, so things like the OSCP and eLearnSecurity's eJPT and eCPPT, yeah, and I was looking for an entry level role in penetration testing.

Adam Goss:

As a lot of people who've gone down that route know, it's not an easy role to find. And that led me to join a SOC for a large MSSP over here in Europe, which was fun. It was managing a lot of different clients and, yeah, with different clients comes different challenges and, yeah, it keeps you on your toes. Yeah, um, from there, um, they were looking for someone who specialized in CTI, and kind of the skill transfer across from a SOC role into a CTI role was quite, yeah, quite a natural one, I guess. So I decided to take on more threat intelligence work, which was fun, and I guess I enjoy being at, like, the bleeding edge of security, seeing what the bad guys were doing, and it kind of fueled me in that regard. You know, it scratched that itch of penetration testing and the offensive side of things. It was a nice blend of roles.

Adam Goss:

So once I finished up in that MSSP role, I moved into a specialist CTI role at a large international services provider, which was fun. It was, yeah, it allowed me to spend more time doing the CTI work that I really enjoyed and a lot of the focus was on more the operational side of things. So things like threat hunting, detection engineering, translating those TTPs or IOCs into actionable intelligence that our SOC team could work on.

Adam Goss:

Unfortunately, as many people who work for large organizations know, it can be difficult working in that corporate environment. There's a lot of red tape everywhere. There's a lot of processes that don't get done or are badly implemented. So, yeah, I guess I kind of got a little fed up of that and moved to a more tech-focused organization. Here in the UK we worked in the telecom space, so that gave me a lot more freedom and flexibility. They were kind of, yeah, focused a lot more on innovation and moving fast rather than big bureaucracies, which was fun. But again, with security, there's always that culture clash of having things move fast and having things be secure, so that was another challenge to work on.

Pedro Kertzman:

That's nice.

Adam Goss:

Yeah, and I guess from my work in the field, it kind of got me excited to teach others what I've learned and help other businesses grow. So that's where I started Kraven Security, who's offering training and consulting in the CTI space, and it's more focused on making CTI accessible. Working at a lot of these organizations, a lot of people didn't know what CTI was, let alone how to use it. Uh, so I, yeah, I wanted to teach people more about CTI and allow them to get the most out of it, um, for their business as well.

Pedro Kertzman:

That's awesome. If people want to check more about...

Adam Goss:

Uh, yeah, kravensecurity.com.

Pedro Kertzman:

Perfect, perfect. I'll make sure I'll include that on the description of the episode as well. And, um, during that, uh, you mentioned the transition from a, like, traditional SOC role into the more specialized CTI. Any, like, learnings within that pivoting from the SOC to a CTI role, any things you learned throughout that process that you think it would be nice to share with the audience as well?

Adam Goss:

Yeah. So I think the biggest thing was bias. So in SOC you kind of want to be a bit biased and you want to act on that bias because it makes you, it allows you to make fast decisions. So say, if you see a bad IP address, you jump straight to blocking it. And that bias kind of helps you do your job fast. And especially working at an MSSP, you've got to get through a lot of alerts fast. So if you know where they're going to go and jump to that, then it saves you a lot of time and a lot of headache down the road, whereas in a CTI role it's more the opposite. You don't want to be biased, you want to combat that bias and ask a lot more questions around it. So, like, if you got a bad IP address, you want to know, like, where it's coming from, if you guys have seen it before, and you kind of get more strategic about the questions you ask rather than jumping straight into the action.

Pedro Kertzman:

That's very interesting, the difference between being biased and not being biased from a SOC versus an actual CTI perspective. Thanks for sharing that. Anything else, like why that change happened? Any other learnings, how that all played out?

Adam Goss:

Yeah, so I think for me personally, I got a little bored of the day-to-day SOC roles, so just dealing with phishing threats or someone playing a game on their laptop and you don't want them to be playing.

Adam Goss:

So, yeah, I think it's more a natural progression as you move up those SOC levels from L1 to L3, and you get more interested in the detection side of things or the engineering side, and I think CTI is one of those things that you kind of specialize in. So it's, it's more of a, like, a natural transition, moving from a SOC analyst to a CTI analyst, um, and wanting to be more at the bleeding edge, dealing with those emerging threats, rather than just playing whack-a-mole on those ones that you see every day.

Pedro Kertzman:

Any, like, cool things? What's your, like, current day-to-day in the CTI, uh, role going on nowadays? Any nice things to share? Can you walk us through that as well, please?

Adam Goss:

Yeah, so at the minute I am, yes, pretty much splitting my time between a, um, a small telecoms provider here in the UK, and teaching CTI to individuals and businesses. So, yeah, a lot of the work I do in my day job for the small telecoms provider is focused on the engineering aspect of CTI as we're looking to build out our program. So it'll be things like helping build out the threat intelligence platform we use, making sure the processes are in place to get those IOC and TTP based threat hunts going, sharing that threat intelligence. So, yeah, there's not many people in our, in our security team, so a lot of us wear a lot of different hats. Uh, and yes, a lot of my work is being involved at all those stages of the CTI life cycle. So, from collecting to analyzing to disseminating, it's, um, yeah, it's quite involved.

Pedro Kertzman:

That's awesome. How do you, like, uh, once you move to that more consulting CTI role, how do you do your upskilling, you know, understanding better CTI trends and techniques and how to teach CTI and all that?

Adam Goss:

Yeah. So I think we're quite fortunate in the CTI space that a lot of people like to publicize their work, be it small bloggers online or be it big CTI vendors who love to share what they're doing. So I think the best way to stay on top of all the latest trends and goings on in the CTI space is just, yeah, being online, being on those blog posts and reading them up, following along with them, and then on social media platforms as well. So things like LinkedIn or X, and keeping up with the day-to-day, uh, what's happening at the ground level. You know, I think that's the best way to stay ahead in the game and keep on learning.

Pedro Kertzman:

That's awesome. How would you, because you mentioned you started, uh, wanting to go on a threat hunting kind of journey, how would you relate those two things, like CTI and threat hunting, nowadays with the experience that you have already?

Adam Goss:

Yeah. So I think CTI can mean a lot of things to a lot of different people. It could be focusing on that strategic work of delivering reports to stakeholders, or it could be turning those operational indicators into things that you're sort of going to act on. A big part of my background came from turning those operational indicators into threat hunts or detection rules, and I find that, yeah, quite a fun challenge really, turning technical indicators into things like SIEM or EDR queries and rules that make a tangible difference to our day-to-day operations. Um, yeah, I think really I found my passion for threat hunting and the technical side of CTI from my time working for an MSSP. Um, I don't know if you remember this, but a while back there was the Log4j vulnerability that was doing the rounds.

Pedro Kertzman:

Yeah, yeah, I do. I lost my Christmas because of it. I do remember that was a big one.

Adam Goss:

Yeah, so this was a big one at the time, especially around December, impacted a lot of people's Christmases, unfortunately, uh. But yeah, it was a big, uh, a big vulnerability in the Apache Log4j service, um, and a lot of our clients were using this as a web facing service, um. So, yeah, I guess I was a little, a little bored, maybe, over the Christmas period. Things were slowing down. So, yeah, I took it upon myself to read a blog article that was doing the rounds about threat hunting for active exploitation of this popular vulnerability. And then, yeah, I decided to spin up my own vulnerable service, thanks to Vulhub, who have a bunch of vulnerable services you can freely download and spin up in Docker or virtual machines, and, luckily enough, I found a POC of the exploit doing the rounds as well.

Adam Goss:

It was, yeah, it was that popular. So I, yeah, aimed it at this vulnerable service I spun up, triggered it and then decided to try and write a threat hunting rule to try and find signs of that exploitation. And, yeah, that little, probably like a week, project really got me passionate for that threat hunting. It was very satisfying to go from seeing a write-up on the internet to finding a POC in a vulnerable service and then having your own threat hunting rule that you can push across thousands or tens of thousands of clients to try and find that in the, in the wild.

Pedro Kertzman:

That's very nice. Thanks for sharing. You mentioned that more technical aspect on the threat hunting, doing POCs and all that. Any, like, interesting case around those more technical details and how you transfer that into, into CTI?

Adam Goss:

Um, yeah, so I think the longer you've been in the, uh, the defensive game, the more and more reverse engineering or malware analysis skills you learn as you, as you progress again through those SOC levels, or if you get into CTI and want to compensate your skill set with something a bit more out there. And, yeah, I guess my background in malware analysis came from when I was working at a large service provider and we were doing our daily threat hunts and we came across an obfuscated PowerShell command and, yeah, we didn't have a malware analysis team at the time. So it fell upon, uh, myself and the rest of our CTI team to try and figure out what was going on with this, uh, fileless malware. Um, yes, I guess, long story short, we found it to be a default, uh, Cobalt Strike beacon that was, uh, beaconing out to a C2 server.

Adam Goss:

So, yeah, that'll, uh, that'll wake you up on a Friday. Oh, obviously, yeah, yeah. Um, yeah, and then, yeah, through, uh, through a bit more analysis, we found, uh, the infrastructure that was being used to host this C2 server and we could do some C2 hunting. And, yeah, I found some IOCs that could be blocked by the SOC on a, on a follow-up report and, yeah, eventually passed responsibility over to them. Um, so it all seemed, it all seemed good at the time. We closed out our Friday and we could enjoy our weekends.

Adam Goss:

Uh, unfortunately, the next week we, uh, found out that there'd been a bit more to this obfuscated PowerShell command and we had a ransomware outbreak. I guess that kind of led me into why I wanted to improve the people and processes that go around with security, because I guess this was quite a good example of, so, if you have the three pillars of security, you have technology, processes and people. This was quite a good example of having that technology in place, that we found this bad thing, but then we didn't have the people or processes to deal with it, and that kind of got me thinking about maybe I should invest more of my time, rather than deploying these technologies, maybe teaching the people and businesses to have these processes in place so that they can deal with this kind of threat. And that's, yeah, kind of, kind of the origin story for Kraven Security, about more training rather than just buying the latest tech.

Pedro Kertzman:

That's amazing, super insightful, thank you, and I could not agree more. People gotta be aware of the importance of not only the latest shiny tool. If you don't put that into good use, it's just probably a waste of budget, right? So that's, uh, that's so important. Probably a little bit of a why for the podcast as well, just to make sure people understand all the bits and parts of CTI, or why CTI is so important as a whole, not only the technical aspect, but how to implement those measures to prevent that kind of stuff, especially on Fridays, worst day of the week. Yeah, exactly. Exactly. And any things that you know through all... I think people now understand a fair amount of your journey and the things you experienced and your, your, and your knowledge around, around CTI. Anything that you know specifically today that you wish, let's say, you knew back in the day when you first started pivoting into, into your CTI career?

Adam Goss:

Um, yeah, I guess, I guess, uh, throughout my career there's been a lot of, like, learning points where I've had these realizations that I'd wish, wish I could go back and tell my younger self. Um, I think one of the main ones is around confidence. You'd see senior, uh, SOC analysts or threat intelligence analysts going away doing amazing things and you'd think, why, why can't I do that? And I think over time you learn that by repetition and by showing up every day and trying to get better, that it builds that confidence that you can go into these situations and handle them. Because, yeah, that first time we, we found ransomware in the environment, it was very, very scary and you don't have the confidence to deal with it, you know. But if you show up every day and you, the more incidents you encounter and the more, uh, the more threat intelligence you go through that life cycle, the more confidence you get in your own abilities.

Adam Goss:

And I think it's important to point out that it's not, it's not a race as well. It's more, more about consistency. That builds a great career. Rather than trying to be the first one to finish or trying to get through 12-hour days, seven days a week, it's showing up every day and not burning yourself out. I think that's what I'd tell my younger self: focus on being consistent, showing up, trying to learn every day and trying to make a difference, rather than just burning yourself out in a couple of weeks. So I think what I've noticed, being in a few different industries, is that the innovation in the cybersecurity space comes from people who have those cross-domain expertise, so something like a CTI analyst who can program, or a CTI analyst who knows a bit about marketing and can put the word out there about threats. I think that's where the innovation lies. So if you can upskill in those cross-domain expertise, I think you're on to a winner and you can be a real unicorn in the industry and stand out.

Pedro Kertzman:

Oh, I love that. Funny enough, I think it's fair to say within the last episodes of the podcast we have people from so many different backgrounds and I totally agree with you. Let's say, of course you know we always learn from threat reports and feeds and all the information that we are usually exposed to from a CTI day-to-day perspective. But what about the industry? How the industry is shaping the role of CTI analysts or leaders. Are they shaping or reshaping currently? How do you learn that stuff? Where are your go-to sources for that type of knowledge as well?

Adam Goss:

Yeah, so, yeah, being CTI analysts, we're listed with, uh, threat feeds every day, definitely, and it's, yeah, it's a great, great way to see the tactical stuff and the operational stuff that's happening. But I think a lot of, uh, there's, there's still quite a few good, uh, vendors or CTI vendors out there that provide some good overall landscape reports and a bit more high level rather than just focusing on the day-to-day stuff. So things like Red Canary, who put out a lot of good resources on detection engineering and trends that they're seeing across their space. Two prominent EDR vendors who see a lot of the threat landscape and can provide those long reports about where they see trends going and the business impact across multiple sectors. And then finally, like, a big shout out to The DFIR Report, who, if you read their articles, you're definitely upskilling in that analysis work, and they deep dive into the, um, into the finer details of what goes on in an investigation, and if you can mimic what they're doing, I think you, I think you're onto a winner.

Pedro Kertzman:

That's awesome. And any other, like, learning sources that you would recommend as well?

Adam Goss:

Yeah. So, aside from the industry trends and what's going on in the industry, I always think it's valuable to get hands-on experience with CTI. So platforms like TryHackMe or HackTheBox and their Sherlocks for blue teamers, I think they're great platforms to just go and have a play around and get hands-on training with CTI topics, SOC topics, malware analysis topics, and if you can broaden your skill set using those platforms, it really helps in your CTI work.

Pedro Kertzman:

That's awesome. And any, like, I don't know, maybe conferences, meetups, other gatherings of CTI folks that you've heard of or been to that you would recommend as well?

Adam Goss:

So, yeah, definitely, if you can afford it, I'd recommend the Black Hat Conferences. They have a lot of good training and meetups there and it's less focused on the vendors and more focused on training. So I definitely recommend Black Hats. For the community aspect, I think B-Sides is pretty well covered across the world really. So if you can get to a local B-Sides hangout, that's a great place to meet peers and discuss about what's going on and there's a lot of learning opportunities there and networking. So, yeah, definitely try and find your local B-Sides.

Pedro Kertzman:

That's awesome. And any, let's say, books that you remember as well, that you read, that might be worthwhile for people trying to learn something about CTI, from, from those ones as well?

Adam Goss:

Yeah, of course. There's been three books over the past few months that I've read that I found quite, quite useful and quite good for CTI analysts to read. The first one is called Intelligence-Driven Incident Response and it relates the F3EAD intelligence lifecycle, which is quite an operational one, to intrusion analysis and incident response. So it walks you through the steps of the F3EAD lifecycle. So you have find, fix, finish, exploit, disseminate, and it walks you through those steps about how you can apply it to an incident response activity and how you can use intelligence to drive your analysis and really scope the environment and make sure that you're clear. Another book I've read is called Intrusion Detection Honeypots, which focuses on the active defence and deception side of things in terms of CTI. So it walks you through how to build out a honeypot infrastructure and trap adversaries in your networks. So it's quite a good hands-on book that I found really interesting. And then, finally, one that's more focused on strategic intelligence that I've loved reading recently is called Critical Thinking for Strategic Intelligence and it goes through 20 questions that you should ask when you're generating a piece of strategic threat intelligence and it kind of walks you through the steps about how you can take raw data and turn it into something that a stakeholder will find actionable and reportable. Yeah, and it's, yeah, highly recommend it.

Pedro Kertzman:

That's very nice. From hands-on technical books into more strategic ones. That's super nice. Thanks for sharing that. I'll make sure I include the name of the books as well on the description of the, of the episode. Perfect. Thanks so much, and any other learning sources that you can think of?

Adam Goss:

Um, yeah, so I think CTI can be, it can be quite hard to get into because the main training course is obviously the one from S and that can be quite expensive for individuals to purchase. So a couple of good, affordable training options that I found are the ArcX threat intelligence courses that walk you from being a beginner to an advanced practitioner. I'd recommend checking those out. And then there's also several courses by, by Applied Network Defense that focus on the analytical skills, so things like CyberChef or, or intrusion analysis, and I think they're great for any, and that, and I think they're great for any analyst to get their hands on and, and play around with. They really teach you the, uh, the fundamentals of doing that analysis work and walk you through an investigation.

Pedro Kertzman:

And, uh, any closing thoughts, uh, things about CTI you would like to, to mention as well?

Adam Goss:

Uh, so, yeah, I think in cyber we can, we can get caught up in the day-to-day stuff a lot and forget to have, forget why we got into the industry. You know, I think that it can be, uh, it can be a bit draining doing the day-to-day work, dealing with that corporate life, dealing with the doom mongering and internal politics, and it can get you down.

Adam Goss:

And I think it's important to focus on trying to have fun. You know, like, it's, it's work at the end of the day, but we're not out here saving lives and we can put a lot of pressure on what we do, and at the end of the day it's just work. I think we should focus on trying to have fun and bring a bit of lightheartedness to what we do. And, yeah, I guess above all, you should value health and family and treat work as just work. You know, it's just a bit, it's just some fun.

Adam Goss:

Don't take yourself too seriously and, yeah, remember that it's quite fortunate, the work we do. You know, being in CTI and cyber, there's a lot of career perks, and not to focus too much on the work and do the stuff that you enjoy in the work. You know, I enjoy doing the analysis work and sharing that, and I try to do as much of that work as I can so, so work stays fun and I don't burn myself out. There's always going to be the internal politics and stuff, but I think if you approach each day looking at the bright side of things and focusing on the fun aspect of CTI, being curious and always wanting to learn, then it's a great ride. So, yeah, just focus on what you enjoy, I'd say.

Pedro Kertzman:

Perfect. I love that. Adam, thank you so much for sharing your knowledge with us. I really appreciate all the insights and I hope I'll see you around. Thank you.

Adam Goss:

Yeah, thanks for having me. It's been great.

Rachael Tyrell:

And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise that would like to be interviewed on the show, just let us know. Until next time, stay sharp and stay secure. We'll be right back.
