
Cyber Threat Intelligence Podcast
Welcome to the Cyber Threat Intelligence Podcast—your go-to source for staying ahead in the ever-evolving world of cybersecurity by harnessing the full potential of CTI.
In each episode, we dive into the latest cyber threats, emerging trends, best practices, and real-world experiences—all centered around how CTI can help us defend against cybercrime.
Whether you’re a seasoned CTI analyst, a CTI leader, or simply curious about the digital battlefield, our expert guests and host break down complex topics into actionable insights. From ransomware attacks and insider threats to geopolitical cyber risks and AI-driven security solutions, we cover all things CTI.
Join us biweekly for in-depth interviews with industry leaders and experienced professionals in the Cyber Threat Intelligence space. If, like me, you’re always in learning mode—seeking to understand today’s threats, anticipate tomorrow’s, and stay ahead of adversaries—this podcast is your essential companion.
Stay informed. Stay vigilant. Tune in to the Cyber Threat Intelligence Podcast.
Season 1 - Episode 16 (Pedro Kertzman & Gert-Jan Bruggink)
The cybersecurity industry has a people problem. While we chase after the latest tools and technologies, we're overlooking what Gert-Jan Bruggink calls "the human element" – the critical factor that connects technical solutions with actual security outcomes. In this thought-provoking conversation, Gert-Jan shares his journey from security engineering to pioneering scenario-based threat intelligence, revealing how his curiosity drove him to understand the "why" behind security implementations.
Gert-Jan pulls no punches in addressing what he sees as an existential threat to the Cyber Threat Intelligence field. "If the CTI industry does not resolve this situation before 2030, the current commoditized form will become obsolete," he warns, highlighting the dangerous disconnect between technical intelligence and strategic applications. His work developing the CTI Capability Maturity Model (CTI-CMM) represents a community-driven effort to bridge these gaps through continuous improvement and practitioner leadership.
The discussion takes a fascinating turn when Gert-Jan introduces systems thinking as the missing piece in modern cybersecurity approaches. Rather than viewing security in silos, he advocates for understanding the entire organizational ecosystem and the narratives that connect problems across different departments. This holistic perspective helps explain why even sophisticated security tools often fail to deliver their promised value – they're implemented without consideration for the broader context.
What sets this conversation apart is Gert-Jan's balanced view of technology and humanity. He doesn't reject technological solutions but argues for a hybrid approach that leverages both human intelligence and technological advancements. His insights on tracking subtle adversary trends over time demonstrate the irreplaceable value of human analysis and pattern recognition in threat intelligence.
Ready to transform how you think about cybersecurity? Listen now and discover why the future of CTI depends not just on better tools, but on fundamentally rethinking our approach to the human elements of security. Share your thoughts with us on LinkedIn and join the conversation about building a more resilient cybersecurity community.
Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure!
That is all, paradoxically, part of the problem. These efforts overlook, like, the human element.
Rachael Tyrell:Hello and welcome to episode 16, season one of your Cyber Threat Intelligence podcast. Whether you're a seasoned CTI expert, a cybersecurity professional or simply curious about the digital battlefield, our expert guests and hosts will break down complex topics into actionable insights. On this episode of season one, our host, Pedro Kertzman, will chat with Gert-Jan Bruggink Thanks for having me where he pioneers the field of scenario-based cyber threat intelligence deliverables. Previously, he co-founded innovative startups, fulfilled a cyber threat intelligence leadership role at a big four accounting firm and held security engineering roles at a security integrator. Over to you, Pedro.
Pedro Kertzman:Gert-Jan, thank you so much for joining the show. I'm really happy to have you here.
Gert-Jan Bruggink:Excited to be here, Pedro.
Pedro Kertzman:Awesome. When I usually start asking the guests about their journey into CTI, would you mind walking us through that please?
Gert-Jan Bruggink:Sure. Journey was pretty straightforward. Started in security engineering after having a long-time interest in doing the technical stuff we do in cyber, and then slowly moving into more consulting-based effort, helping organizations out why they do certain things, why they want to implement a certain solution, why is that? That got me into consulting and at a certain point in time, I was constantly curious, constantly searching, constantly learning, and a big part of that was the reason why people implement certain solutions is because there's stuff happening all around the world, so I tried to understand that as well. That led me on a journey of leading a CTI team at a big four company, just being overly curious, interested in all that. Um, yeah, and in a nutshell, I'm fast forwarding a lot of years, but that is how I got into the journey and the journey went on from there.
Pedro Kertzman:That's awesome and, uh.
Pedro Kertzman:So you mentioned you kind of, uh, you knew already, right, you went straight up to detection engineering, but what was the like spark, let's say to drive you to that particular area of the cyber security space?
Gert-Jan Bruggink:Yeah, to be honest, um, when I, when I was still in college, I did not have the desire to go into cyber security. Um, that it was great at that time. It was definitely something. You got all the young talent being pulled out of college with a big, fancy lease car and all that stuff, relatively high salaries, right, and I was like, oh man, I'm not gonna do that, I'm just gonna keep on studying and all that. And then a mate of mine, uh, one of my best friends, he basically went into. He's like you gotta have take a look at this.
Gert-Jan Bruggink:This is like cyber security, uh, bachelor's program, to go into that, and I'm like it's gonna be big. I'm like, oh, that indeed sounds very interesting. So, um, yeah, that's, uh, that's how, that's how the story began. But I realized over the years that this is a very fundamental thing, fundamental problem set, if you will. And fast forward to now, like 20 years later, this problem set still is and will be. And you know, looking backwards, since the dawn of mankind, you had these kind of problems, not in the format of cyber, just to be clear, yeah, but like there's always these kind of problems because it's all about humans, and that actually sparks me and keeps me doing what I do every day.
Pedro Kertzman:Yeah, no, that's.
Pedro Kertzman:That's a good point, good analogy. We always go for the, uh, innovation advancements first, since the, you, the old empires, and only then we think of all the consequences. So one of the things that I kind of got to know you and saw your online posts and things like that was related to the CTI maturity model. How did you first come across the team building that? What's the, the story kind of behind that one?
Gert-Jan Bruggink:Yeah, so one of the things I learned in the consulting world is that we try to measure everything, right. And then it's just the basic nature of human behavior. We try to measure everything because that makes sense, that is just a rational thing to do. And how you transpose that into wider concepts in cyber, you will get to a framework, you will get to some kind of common sense which you can measure everything against, because that it all makes sense, right. Because then we have logical buckets where we can put everything in and classify everything and say how mature we are, right?
Gert-Jan Bruggink:You know, well, in reality, it's not always that black and white, it's usually always gray and people are often, you know, just, you know that there's, there's a reason why not everyone uses a compliance framework. But still, people love clarity and people love the fact that you can have some kind of measure to say, okay, so this is some kind of ladder. And this is where I am. Now, a couple of years ago, well, many years ago, I've contributed to numerous frameworks, including that of my employer at the time. We basically built our own maturity framework, because you kind of learn, specifically for CTI, a lot on, you know, this is how it works. This is what makes a mature team.
Gert-Jan Bruggink:Now, two years ago, I had a conversation with a couple of very small people. Some of them are friends, some of them are our friends, most of them are also competitors, just being honest. But we kind of realized we were all facing the same problem and that every single year there's a new framework coming out and that is just absolutely dumb. Why can't we just make one thing and curate that and actually do what the CTI industry should do, is learn and improve consistent. That, that was the premise, uh, for me to say, all right, let's go this. I love it, I like the idea, I love what's going on.
Gert-Jan Bruggink:Um, and what, so the parameters on CTI-CMM is also based on the capability maturity model model from a US government entity, if I'm not mistaken, and we basically transpose that into the CTI realm. It is absolutely not perfect and it is designed to not be perfect. It is designed to continuously improve and I think that these two elements, that is what, uh, you know, practitioner-led, um, and actually constantly improving that. Actually, uh, I think that that is a big part what drew me into this and also that's also what I, what I, what I at least, hope to contribute to these, uh, this sort of stuff, man.
Pedro Kertzman:Yeah, that's awesome.
Pedro Kertzman:If I understand correctly, one of the motivations to do the capability maturity model for CTI was collaboration. Right, it's thought that every single different point of view will generate a single model and start collaborating. So we have a more, I don't know, centralized, if you will, or agreed upon type of framework, which makes absolute sense. I, I agree with you there. Um, would you mind if we deep dive a little bit into the CTI-CMM?
Gert-Jan Bruggink:Sure, that's good.
Pedro Kertzman:Okay, any like parts of the framework that you think like stand out, or perhaps any other parts that you think, uh, you see some improvements in the following interactions.
Pedro Kertzman:Anything around that?
Gert-Jan Bruggink:Yeah, that, yeah. Yes, there are many, many things to be honest, and I have to say that for me it's never good enough. And that is just for me, I think for most of us sometimes what we put in CTI 0 or CTI 1 is already a huge step. So one of the key lessons I've learned and I've learned that already for many years but is that even the first level, going from zero to one, is already a lot for a lot of people. And this is sometimes considered a controversial topic, because when you do CTI, you know it all, right, but the CTI industry has to understand that only a small percentage of the actual industry uses CTI the way it should, and sometimes that is also, you know, that dictates the maturity. Even going from zero to one is a huge step for most, going from no person than having, you know, different roles that do everything from security engineering to detection engineering, to incident response to cyber threat intelligence, so having dedicated roles for that and then having a team that does all of that. Right. So that was, that was a big thing of how, you know, working on CTI with all these people who have tremendous experience in that, you know, how they, what they share back.
Gert-Jan Bruggink:Another thing that we also go back from the initial versions is again going back to the measurement aspects is how do you measure stuff? How do you measure success and I have to make a little detour to clarify that, because I'm very interested in the measurement aspects and dashboarding and all that stuff just because I find it interesting and I start curating some stuff, like a little Excel file, and all of a sudden, after curating some things for a couple of years, all of a sudden you're an expert. Yeah well, I don't. I don't consider myself an expert in that extent one bit, but I do consider myself very, uh, having a lot of experience in this field.
Gert-Jan Bruggink:Um, so one of the ideas that came up like can can we not combine you know, some of these activities from different practitioners also who have been on your show, you know, can we just throw it all on a pile and see what sticks? And that's what we did, actually last year as well. So we created a huge metrics addendum which is not prescriptive, but more. This is something you can use and have some ideas with. It's not perfect by design, but you can get some ideas in that.
Gert-Jan Bruggink:Yeah, that was also very, very well received now yeah well, yeah, it's so stupid, but people just want to show, you know they sometimes, you know, what I've also learned is like people sometimes just they can say what they don't like, but they cannot usually say what they like. And what I mean by that is, if there's something, you can formulate an opinion on what that is, instead of coming up with an idea which you never thought about. And, um, I think that is what we're trying to do, is we're trying to open people's mind and say, well, you, you can use this or you can't, whatever.
Gert-Jan Bruggink:Just do it whatever you want with it. Yeah, and, by the way, there's another thing and that's maybe going into the future. So one of the questions you will also get as feedback, so this active feedback loop, is how to then operationalize it. So you have a framework, you have measurements, you have tips and tricks and all that, but it's like what is the little template we use here? And, yeah, that is something we're working on, because obviously there is a huge component of commercial enablement that we keep in the middle and full disclosure.
Gert-Jan Bruggink:I run a company that basically works on publishing, you know, templated content and how-tos and threat scenarios and all that stuff. But I've been very clear to the team and to everyone, like I think we need to, you know, put all our best, all our different things in one basket and just say, you know, these are some of the basics we need as an industry and just to set, to get people from zero to one more effectively. I think that that is, uh, that is something we're still working on and that is something, we all have the content. It's not the problem, it's just more like how do we, how do we make sure that every little step works? And, uh, yeah, that I think these are three key areas where, you know, CTI-CMM actually will work and stand out.
Pedro Kertzman:That's awesome. Thanks for sharing that. You got me thinking. You mentioned about the different, let's say, material levels within most of the individual CTI aspects that people think they do, you know, a lot of CTI when they actually only do a little part of it. Do you think that would be related, or have you seen any conversations around that, that could be related to those more quote-unquote mature pieces of the equation would be the ones that have more CTI vendors associated to that particular part. And then, I don't know, maybe must more, more buzz is created around that particular topic and people keep pushing, pushing, pushing that one without actually connecting to the rest of the necessary frame to have a more complete picture of the whole CTI framework.
Pedro Kertzman:Do you think it could be anything like that, just maybe brainstorming a bit?
Gert-Jan Bruggink:So I have a, um, another unique take on this, but I have a bit of a contrarian take on this. I think that, you know, at this moment there's a lot of tool pushing and that has been the same since ever I started and you could. So there's an extensive push on next generation tooling. You know, automation, first, build up the perimeter, that, that all the craze when I was starting out. Well, I think, you know, that is all paradoxically, you know, part of the problem and, you know, these efforts overlook, like the human element, the systems thinking, the narrative that connects one problem to the other across different organizational silos, right, and that is actually crucial for integration and adoption. And I think for me this is so crucial that any decision maker, you know, listens to this. He or she had always thought about that. It's like why are things disconnected? Why can't we get that value out of that? And it mostly has to do with these elements being not connected to each other. And you know, for me, I've spent a significant amount of time to get these new ones into industry frameworks like CTI-CMM, and I'm being very honest, like there's a clear disconnect between operational intelligence, like really technical intelligence and other, perhaps strategic applications. I think that is definitely a problem and I would even go as far as saying if the CTI industry does not resolve the situation before 2030, the current commoditized form will become obsolete. Interesting. And I'm dead serious about that. A change needs to happen in this industry and if it doesn't, it will become obsolete. And I can tell you this, we are already behind. We are already seeing people saying what is the value of CTI? Should we put it in a role? Should we put it in? It is part of a, of a tool, right? So I think, you know, there's many reasons why, why, and, and there's, there's also answers to why the situation is as is, but there's definitely a bunch of misconceptions and all that that I think, you know. That lead to this and to your first point.
Gert-Jan Bruggink:I also strongly believe that most mature security teams, you know, quite literally, if you just take a, if you would picture like a hundred percent of the entire world as all the companies in the world, then we tend to focus, the emphasis is mostly on like the, well, the more wealthy, uh, amount of companies, the bigger enterprises, but the reality is that that is only a very small percentage of all the companies in the world. So we need to do better in, you know, addressing that and educating people that, you know, even though that you're a big company, it doesn't matter how many feeds you have. That is not an indicator of quality, that is an indicator of something else. But, um, I'm not getting into that, but my point is people have to tell that story correctly. If you can explain why you're ingesting all that stuff and then what you're doing with it, what kind of decisions you're actually driving, what kind of impact you're making, then the story basically writes itself. Success writes itself.
Gert-Jan Bruggink:Yeah, and maybe one final thing to add on that. I also think that there is a bit of a nuance, that teams need to be very big to be successful, and so when I did the presentation of CTI-CMM version 1.2 at first, it was earlier this year. The interesting bit is that some of the maturity is not the bar of the ladder, right, it is actually, you know, either this is that or is it how happy you can make your stakeholders or how much impact you make, but actually it is the values in the eye of the beholder, right, and I think these are some of the. Also, you know, some of the specific things that we try to tackle with this initiative, but there's actually some, you know, fundamental things happening in the industry which we cannot tackle alone and we need everyone to do so.
Pedro Kertzman:That's a great point and I'm kind of glad to know I might not be alone on this.
Pedro Kertzman:You touched on a very interesting point.
Pedro Kertzman:People think that, oh, to have proper CTI in-house you've got to have X amount of analysts from people doing reverse engineering, malware analysis to people doing this and that. You touched on a very good point. That's only for know. Big enterprises, uh, can afford having those super specialized teams, uh, but on the other hand, I think the small companies or wanting to be mature companies, regardless of the size, CTI can be more like a mindset. If they start looking at things through the CTI lenses, I think they would just have a better understanding of the things from a security standpoint, of course, that I think that that are happening, uh, to them or things how they could prevent certain things just by having that CTI mindset, and that might be part of the maturity within the industry. CTI mindset, to connect back to my previous point, might not be the most profitable thing to sell, so maybe not too many vendors are kind of trying to stimulate that type of, uh, thinking.
Gert-Jan Bruggink:So, Pedro, sorry to interject that, I think you highlight exactly the situation.
Gert-Jan Bruggink:Now, if we're being honest, the the, the core situation at hand is, is a shareholder driven value making machine. And don't get me as a socialist or anything, because I run a commercial company as well.
Gert-Jan Bruggink:But I think we have to be honest, that we all have to make a living and doesn't matter big or small.
Gert-Jan Bruggink:But there is this, this incentive structure, which isn't correct and I think for me, a big part of what I do as a philosophy in business, a philosophy in life, how I treat my own team, how I think others should organize their own CTI capabilities is set up people for success, and that starts with the proper incentive structure, and that is that. That also is as part of why I like the metric stuff, not, not because of cool numbers and shit, but like I just find that interesting and it's like, yeah, if we can measure how high you can jump, then we'll know how high you can jump. But I asked the question like what if there is no height, how far can you actually jump? And the reality is that people can do much more stuff if they're enabled and all that good stuff. So, yeah, there is many deeper reasons again why this happens and what you are alluding to. But I genuinely think that the one thing we need to fix and that is not just for CTI, it is for cybersecurity in general, is the incentive structures.
Pedro Kertzman:I love that. No, that's a really good way to put it. And let's say you see the journey that we need to go through in the next few years, as soon as possible, I would, I would say, but, uh, when you look in the, uh, when you look to the past, how do you see the, the, the shifts and changes when we first started adopting CTI? Maybe danish?
Gert-Jan Bruggink:yeah back.
Pedro Kertzman:Uh, how do you see that shift the pace, pace of those changes since we started?
Gert-Jan Bruggink:Yeah. So let me just say I find this is my bread and butter. Scenario planning and thinking backwards, thinking forwards, this is absolutely what I love. Awesome. More specifically, and I do, sorry, man, I do want to plug some of the stuff I do in threat landscaping and build your own threat landscape type of deal. Go for it, call me for that if you need help. But, like, that is exactly the type of questions we get often, and even today I was looking at some messaging on social media, specifically LinkedIn, where somebody was asking, like, hey, I've been informing people about ransomware for the last 10 years and I'm like, yeah, but this has been, this has been a problem for that long. What changed? And I know what changed, just to be clear. But like, it's pretty interesting to hear people's perspectives on that and, and, for example, for ransomware, the feedback I received was like it's gotten much more sophisticated over the last decade, from, you know, little scrabblings and dumbass encrypting to like multi-billion dollar companies being crippled and completely business shut down. Yeah, so the role cyber is playing in everything and the digital connected nature of it all. That has fundamentally changed and it will continue to change. In the next decade, we will see even more integration. Even with AI, agent aspects and all that good stuff, it will go even further.
Gert-Jan Bruggink:Now one of the cool things, obviously I don't consider myself a scenario planning expert for all the futures for developing a company. I understand the way how that is done. I merely apply it to the concept of risk management, threat management and CTI in particular. Right, so how I then look at these things is like so, back in 2014, when APT1 report got hit, uh, got released, you know, a bit crazed about all that, but what the interesting bit was is, through those years afterwards, there is a couple of things happening that were very interesting and I'm tracking them still. One of them, for example, is about the focus of certain adversarial states on types of infrastructure. So, and again, I'm bringing up this example because it illustrates what the value is of tracking these kind of trends long term.
Gert-Jan Bruggink:At the time, obviously, there is just teams, you know, doing advanced, persistent, you know, targeting, and it is every country is doing that. You know, some have more sophisticated capability. I'm from Netherlands. We have a pretty sophisticated capability, but there's also many other countries who do that. But what I find interesting is if you just take a step back and then look at, you know, hey, so there's teams looking at the external footprint, certain teams from China, for example, and they used to be the top players in the Pwn2Own games, and then all of a sudden and, uh, if I'm not mistaken, 2015 or 16, and all of a sudden you see them dropping out for reasons of that competition.
Gert-Jan Bruggink:And what is interesting is if you track these trends over time and expert look at them now to today, again I'm nerding now, just to be clear, but you kind of see that the focus of these kind of Chinese adversaries on technical infrastructure, it started in that little thing. Right there, you know, just a strategic effort focusing on one particular tool set. And they now have dozens of people, you know, reverse engineering, uh, you know, 40 gates and all that and, and that, that stuff.
Gert-Jan Bruggink:I find so super interesting. It's like picking up these little threads across and sometimes you can only see them after a period, and sometimes you can actually see them right now. And that is pretty interesting because obviously this is the work I do. There is a couple of threads I'm now pulling and I'm thinking like, oh, this is not going in the right direction. So, yeah, so there's many things what people can do, should do, and how they should use CTI and some very cool stuff. But yeah, I hope that answered a bit your question with a wider turn.
Pedro Kertzman:Yeah, no, absolutely, and to your, uh, uh, I think you were going on that direction. If there was, let's say, one thing you could suggest to organizations implementing CTI, any particular, you know, one single aspect to focus on, any magic pill, if you will, kind of thing that they should focus on.
Gert-Jan Bruggink:Yeah, I think I alluded to it before. So for me, the one thing that the industry is lacking is not showing enough value. That is a symptom of something deeper, and to me, there's multiple reasons why that is the case, and what I always recommend people to do is to explore the concept of systems thinking, and what that is is that you look at an organization holistically, that you look at an industry holistically, and that is difficult in an industry where everyone's a scientist and is focused on the here and now, where the amount of indicators and the incidents you're managing now is more important than anything else. So, looking forward, you have to be able to show value and everything is there to do something different and there to open your eyes and have a discussion on. Well, if we take a wider lens, we're protecting this business process and we aren't talking with these people associated with that business process. You know the Lapsus kids. They will call everybody in each process, right? They will call the parents of these people. They don't have any ethical boundaries.
Gert-Jan Bruggink:By the way, this is also one of these threads I mentioned when, when I was very concerned about certain things. This is one of them. Um, but like, that is exactly what, how you need to think, right. You need to, to let go of that siloed thinking and, and systems thinking is one way to do that. I, literally on my desk next to me, I have a ton of books on scenario planning, systems thinking exactly. I'm going through them, uh, regularly, and you know, I, I deeply recommend people to do so because just sometimes, these ideas just help.
Pedro Kertzman:Absolutely.
Pedro Kertzman:And you mentioned something that, for me, honestly, whenever we're talking about any type of intelligence, in our case, CTI, but could be any type of intelligence, and talking to books, right, probably one of the most ancient books I ever came across is Sun Tzu, the Art of War, right. If you don't know your enemy, you're mentioning they have no boundaries, if you don't know that, you're never gonna be able to properly prepare to whatever they're trying or they will try to do against you. So that's, that's the fundamental piece. Again, could be CTI, but could be any type of preparedness, if you will. Uh, when you're tackling either, sometimes even competition, right, not only enemies or adversaries, but even competition, right. Man, that's, that's great, that's great, thank you.
Pedro Kertzman:And, and, um, let's say, on the consulting, you're talking about the big four. What would be like the difference or the different approaches you're seeing on that particular sector when tackling CTI and the value from other sectors? For example, what's the main difference between the big four when they approach CTI and the other non-consulting sectors?
Gert-Jan Bruggink:Yeah, I think one of the changes I also saw in the last decade is that there's more, much more experience and, and openness to have people who have any background or any experience and translate that to today. So the consulting model in general is real and it's good. People sometimes just need help and that is just a fact of life. So what I've seen change over the years is that people just got more specific in their requirements and the reason why you would hire a big four team is it's not because of, sometimes it is because of a badge, right, that you can say that this team did that, but there's all sorts of other defense contractors and all that who have that same vibe. Now the difference is that they, that, where are they coming from? And what you often see is that the more, um, the big four consultancy teams, they come from a consulting background, so they bring that level of experience with them and there is a plus and pros and cons to that, right. The upside is that you get a lot of content quite quickly because they're very small people and but they're expensive. Um, the downside is you're trying to push their whole consulting stack into your organization. That's. People don't like that, but that is the reality and but you kind of see that there's, there's definitely consulting expertise in that, but it will always come from the angle of the product that you're selling.
Gert-Jan Bruggink:And, and, just to be clear, I have many, many friends in all industries and all sectors, so I totally understand completely how it works. But that is what you need to think about, you know, when you there's also many oh, there's also interesting there's also many people who started self-employment even me, in a sense, in 2020. Just building a company with a couple of uh, friends at the time, and then we started growing and then you know that is something that everyone basically does. Um, there, right now, the founder, the founder-led brands, is definitely a thing. Uh, especially in this, in this field, I consider myself somebody who saw it all and then decided there has to be a different way.
Gert-Jan Bruggink:So, you know, also being transparent, my way of working is like I absolutely enjoyed every single moment I had with the big four consulting thing, but I realized that the consulting model is deeply flawed. So my fundamental approach is like can we stack the incentives in the correct way and that is not necessarily product-driven, but that, for example, people get the tools and means to do everything themselves, and they only call me or my team when they actually have a really, really interesting question. And that is how I, for example, try to to to do so, to do it a bit different.
Gert-Jan Bruggink:Um, does that work all the time? No, it is a hard journey, uh, and I think that is also something that people often do not talk about: we understand consulting and we understand product, and I'm digressing a bit from your question, I know that, but sometimes we only think in black and white, but there's actually something that can happen in between, and that is definitely something I've seen change. I've seen small companies... Funny anecdote: when I started in the security engineering space, there was one little brand that just released their new firewall. It was called the Next Generation Firewall, a little company called Palo Alto Networks. They're now one of the biggest security platforms on the planet, fast forward many years, and I think that is also what this does, right?
Pedro Kertzman:No, that's awesome. And that nuance, uh, you know, not having only black and white, is so important, because those overlooked aspects are often the ones that are gonna come back to us in one way or the other, because we didn't have the ability to be flexible and adapt to so many different scenarios that we have in front of us. And, uh, so you're mentioning books. Any, uh, how do you, you know, learn about the industry in general? It's a tricky question sometimes when you're talking about CTI, because, yeah, I learn from the feeds, because we receive so much information through the feeds. But, generally speaking about the industry, the feeds will be on the operational, right at that moment kind of side. But what about the broad learning from how the industry is reshaping, maturity models as well? Who's coming out with a new maturity model? If that happens, you know, generically speaking, how do you learn about how the CTI industry is, like, moving and all that? Any, like you're mentioning, your books. If you want to mention the names, I can definitely put them in the description of the podcast, but any other, you know, blogs, events, you mentioned, uh, FIRST as well, that you like to use to kind of sharpen your knowledge?
Gert-Jan Bruggink:Yeah, so I have a bit of an unconventional answer, because there is no right answer to all of this. Yep, um, a book, a feed, a podcast, I can name some of the stuff I listen to, but in the end, well, and this goes back to, like, a previous question, you know, one of the common misconceptions is, what I see is people not thinking, and I want to encourage people to be curious and, um, to get to a certain set of books, you know, you have to ask yourself the question: what do I think is important? What do I want to understand? And the biggest, the best kept secret of our industry is that there is no one, there is no quick win, there is no quick escape, there is no "All right, let me just roll up this AI summary and then boom, I'm now an expert." No, that is not how this works. So it is absolutely in the trenches, it is boring as tease, where you will get punched in the face and you have to keep going. That is this work.
Gert-Jan Bruggink:So the question is how do you deal with that? And how we deal with that is by asking the right questions and then understanding that there's something fundamental going on around certain threats and campaigns around the organization. So how do I protect my organization? Am I looking at the organization with the right perspective? And if you dive deeper in that, you should explore systems thinking, for example. Me, for example, next to CTI, scenario planning, risk management, I'm also very interested in scenario planning, and that's more of a content thing, but also I'm an entrepreneur, so I'm also deeply curious about new entrepreneurial things, specifically building brands and how does that work? And, very interesting, that journey leads me to basic psychology, and there's a huge amount of overlap between behavioral science, behavioral psychology and cyber security, interestingly enough. So there's also numerous books on that, even cultural, how to build a team, and all that stuff. Um, but when you get into that deeper understanding, you all of a sudden will eventually have to get into the task of today, and that could be, you know, tracking what is happening every single day. And there's many tools which you can set up, some of them even free, such as using Feedly to translate those questions or intelligence requirements into something where you can scrape it from. Even going a step further, you can just set up your own AI, agentic aspects that just collect everything you need based on their automatic prompting, and there's many things. But you have to do the thinking, um, and there's a host of people you should follow, but generally, when you basically know what you're looking for and you understand it, you will find these people. You will Google them, you will find perhaps me, you will find perhaps most of the other people on this podcast or even more. And, uh, yeah, that is usually how I do it.
Gert-Jan Bruggink:And then the next question is where do you find them? Well, I find them in two conferences, actually many conferences, uh, but the conferences I always try to attend are FIRST CTI and SANS CTI. Um, these are more bigger company conferences, but they are very focused on the CTI domain. That is where I basically grew up in, um, but actually there are many, many more. I even, uh, with a shout-out to John Doyle, um, I think on your podcast, oh yeah, we once, with some beers, made a square, the Gartner Quadrant type of idea for CTI conferences. It's still a work in progress. I've put it on my GitHub but it's just so stupid. But it's so funny to actually have that conversation and think like, so which are the ones we should attempt?
Gert-Jan Bruggink:And then you kind of see some pretty interesting stuff around very specific conferences focusing on very specific tasks, again, how the industry evolves, and from very big, you know, all over the place items to something like PIVOTcon, specifically focusing on the technical aspects. Absolutely brilliant. Or even in the US, some of the more crime-focused events, and I can name a bunch more. But I absolutely love that. I actually love that we now got in the space in the last decade where we are able to structure more of the information we have. We have an unprecedented amount of data, an unprecedented amount of structure, and now the question I think for the next couple of years, going into 2030, is like how do we deal with that? And, to be honest, if I would do another education piece, it would not be a master's degree in engineering, it would be a master in philosophy, because where we're going, we're going to need philosophy.
Pedro Kertzman:Yeah, that's a good one. You touched on a very good point as well. If we look at the whole CTI, the CTI industry is evolving. For the past few years, we never had CTI-focused conferences, right? It was like a part of that conference. They had like a CTI track or something like that. You know, still, I think Black Hat has a CTI track, and other big conferences.
Pedro Kertzman:But now we do have, like you mentioned, PIVOTcon is, I think it's TLP Red, if I'm not mistaken. So you cannot simply say, "I want to go there." So it's really for, you know, professionals that understand already some of the aspects within the industry and want to share their knowledge, and it's important, you know, TLP Clear or not, to have those conferences creating more, maybe creating more buzz around CTI just to make people think about it. It goes back to my point, and you mentioned that as well: we have to think about CTI more. Right, it's not something that you plug in, "Oh, now I have CTI," right? So imagine, that would be perfect. Right, you plug something in the, you know, Ethernet cable, boom, now I have CTI. That's awesome, I would love that, but that's not, unfortunately, the reality. Yeah, that's amazing. And any final thoughts, reflections, philosophy, things you think are worth sharing with the audience?
Gert-Jan Bruggink:Yeah, so I think I'll step off my soapbox and not go into some of the other stuff I mentioned. I think, you know, I'm pretty consistent in what I think and what I share about. Um, I think that a lot of people have a voice, and I personally try to actually show people that there is something else possible outside of the normal, you know, it is either a tool or it is a consulting.
Gert-Jan Bruggink:You know, it is actually also possible to do something in between. It is good to actually change the state or attack the status quo. That is also fine. And I think the next iteration of what we will see in cybersecurity will not necessarily be a, you know, an AI, agentic approach or whatever, but maybe it will be a hybrid approach on how people are thinking and supporting that and integrating everything altogether. And, yeah, what you can expect from me is that I'll keep pushing on certain solutions to talk about actual problems and understand that, bring solutions to market for that, and also bring that knowledge back to the community through frameworks like CTI-CMM or even radically open sourcing some content that people can use.
Gert-Jan Bruggink:And that is also, to end it off, you know, that is also an invitation to everyone listening. If you want to contribute on that particular framework, go to the website, CTI-CMM, cti-cmm.org, if I'm not mistaken, and the reality is that you can just sign up there for the latest version, for feedback, for participating, and we actually need all the help we can get and we are very appreciative of that, and that will also get you a slot in the document itself, you know. So that is also a win and you can put that on your resume, so that is a huge win and, um, yeah, that's awesome, that is, uh, that's what I have for you, my friend.
Pedro Kertzman:That's awesome, man, I appreciate it. And, uh, you know, my little take about the CTI-CMM: one of the things, or one of the highlights for me, is that you guys went deep into "here are the questions that you need to ask your possible, probable stakeholders." So you kind of go from like a high-level understanding of this is how you structure, these are all the important pieces, the important components. But here, this is how you do it, go ask those questions, kind of thing. So it goes on, uh, from super, you know, more management, uh, leadership type of aspects, but also hands-on, here you go, go ask those questions. So that's, uh, absolutely. I'll put the link, just in case, in the description as well, so people can access the framework.
Gert-Jan Bruggink:Please do it.
Pedro Kertzman:Uh, absolutely important to get to know in detail. Gert-Jan, thank you so much for coming to the show. Really appreciate all the insights and I hope I'll see you around.
Gert-Jan Bruggink:Sounds good, mate. Thanks so much for being here. I appreciate it. Thank you.
Rachael Tyrell:And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure. We'll be right back.