Cyber Threat Intelligence Podcast

Season 1 - Episode 20 (Pedro Kertzman & Sarah Freeman)


Remember when critical infrastructure defenders had to convince people that cyber attacks were even possible? Those days are gone. Today's challenge is prioritizing defenses in a landscape where threats are multiplying faster than resources.

Sarah Freeman, Chief Engineer for Intelligence Modeling and Simulation at MITRE's Cyber Infrastructure Protection Innovation Center, takes us on a journey through the evolution of industrial security. With over a decade of experience protecting the systems that power our world, she offers a refreshing perspective that cuts through both complacency and fear.

The conversation explores how industrial security has matured from basic awareness to strategic defense. Sarah reveals how threat actors have shifted tactics, increasingly targeting third-party providers as a way to compromise multiple critical infrastructure customers simultaneously. "More and more of the actors target those companies deliberately," she explains. "By compromising this one entity, they have theoretical access to all of these customers."

We dive into the practical challenges of security in operational technology environments, where the sheer volume of vulnerabilities has become overwhelming. Rather than attempting to patch everything, Sarah advocates for a more targeted approach based on anticipating adversary capabilities—a "cyber forecast" that helps organizations focus limited resources where they matter most.

The discussion also tackles the integration of artificial intelligence into traditionally isolated control systems, offering insights on balancing innovation with security. For threat intelligence professionals looking to specialize in industrial security, Sarah provides guidance on essential resources and community connections.

Whether you're responsible for critical infrastructure protection or simply interested in understanding the unique challenges of securing systems where digital meets physical, this episode offers valuable perspective from someone who's been on the front lines since before most people recognized the threat existed.

Listen now to gain insights that will help you think more strategically about protecting the systems that power our modern world. Want to connect with other CTI professionals? Join our LinkedIn group "Cyber Threat Intelligence Podcast" to continue the conversation.

Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure!

Sarah Freeman:

More and more of the actors target those companies, individuals, organizations, kind of deliberately.

Rachael Tyrell:

Hello and welcome to Episode 20, Season 1, of your Cyber Threat Intelligence podcast. Whether you're a seasoned CTI expert, a cybersecurity professional or simply curious about the digital battlefield, our expert guests and hosts will break down complex topics into actionable insights. On this episode of Season 1, our host, Pedro Kertzman, will chat with Sarah Freeman, Chief Engineer for Intelligence Modeling and Simulation within MITRE's Cyber Infrastructure Protection Innovation Center. Sarah provides government sponsors and private sector partners with actionable cyber threat intelligence and innovative security solutions to protect critical infrastructure. She has more than a decade's experience in industrial security and formerly served as an industrial control systems analyst at Idaho National Laboratory before joining MITRE in 2022. This year, Industrial Cyber named her to its Hall of Fame. Over to you, Pedro.

Pedro Kertzman:

Sarah, thank you so much for coming to the show. Thanks for having me. Happy to join you. Would you mind telling us a little bit about you and how your journey within MITRE started and where you are today?

Sarah Freeman:

Sure, happy to start there.

Sarah Freeman:

You know, I think I know we're going to immediately jump into a little bit of my career, but I think the two are kind of linked, because I actually know I've been at MITRE since July of 2022.

Sarah Freeman:

But I met many people and started working with MITRE long before I joined it, so probably started working with MITRE directly around 2020. And then I had had exposure, of course, to MITRE in the past, being in the space for cybersecurity and critical infrastructure protection, so knew of them. I also had the opportunity when I joined in 2022 to join a team that was already in progress, already being developed, and work directly with a lot of people that I knew from my former life. So I came from Idaho National Laboratory, which is a DOE research lab, and in that capacity I actually work directly with a number of the people that I work with now. So everyone to include probably most importantly, my current director, Mark Bristow. So having kind of that exposure and experience just is probably a good metaphor for what it is like to have a career in ICS and industrial control systems.

Sarah Freeman:

It is an extremely small community. Yeah, I imagine. Sometimes painfully small. So the industrial security space is one where people change jobs. People, you know, kind of go into the outskirts. Maybe they go to the government, maybe they go to the private sector work for a utility, maybe they do the research route, but people almost always end up crossing each other's paths again.

Pedro Kertzman:

Thank you. And within this journey, would you say you saw any differences in the way people used to think or used to do security for ICS and how it looks like today? Any insights around that?

Sarah Freeman:

I mean, things have changed drastically. So when I started at Idaho National Laboratory, they hired me in 2013. Before that, I had had a little bit of exposure to the space and the challenges of critical infrastructure protection, primarily because I was working in a role doing cyber threat intelligence. So I would occasionally have various customers come up and ask kind of pointed questions about whether or not, the time I was working, Russian criminal underground stuff. So they'd ask very pointed questions about whether or not any Russian criminal elements were talking about SCADA or ICS and I'd be like, I don't know, I'll check for you.

Sarah Freeman:

But the interesting thing about it is, at that time, the only people who really worried about non-state actors, the only people that were really hiring my company at that time, were all in the financial sector. And I think it's like a really interesting place to start, because when that whole thing, when cybercrime became a problem within the financial sector, it was originally a financial decision. The original plan was basically to cover the cost of fraud through a series of fees and things, and so it was written into the books as we anticipate that these companies, these credit card companies, these banks will experience X amount of damages based on cybercrime activity per year, and so because of that, they kind of ignored it, beyond putting that line item on the books to be prepared to basically pay out of pocket. Over time, I think because they watched the growth, the exponential growth and costs to these companies, they really started, 2005, 2010 timeframe, to be the forefront of organizations that were trying to do something a little bit more proactive than just waiting until after they had a problem and then paying for it. So that, but, but at that time they were the only sector that was really doing this. Um, when I joined Idaho National Laboratory, which again Department of Energy focused, they were the group I joined at the time.

Sarah Freeman:

Mission Support Center was very much of the opinion that, while certain cyber attacks had not happened against the critical infrastructure sectors, they were very possible, they were very feasible, and that was actually a really uncommon position to hold. In fact, the common statement when you brought up things like attacks on the US electric grid was that why would anybody do that? There's no money in it, which you can see both sides of that. At the time there wasn't much money into it.

Sarah Freeman:

But I find that usually when market forces are huge things and where if there is an opportunity, there will eventually be somebody who's asking to pay for it, so the thing that has really changed over the years is having to constantly beat that drum to put that message out there that critical infrastructure is at risk. And we're now finally entering a phase sadly because of some cyber attacks but we're finally entering that phase where we no longer have to push as heavy on that message that says that this is at risk, but rather we can start to talk about who needs to address this risk and how to best address it. And so it's really shifted from kind of a conversation among governments, of like government organizations, to one that is really grassroots. Now, very, very many companies, utilities, asset owners I talk to not only are aware of this risk, but they're actively pushing forward. They're at the forefront of trying to address it, which is completely different from where I started.

Pedro Kertzman:

That's great to hear. I feel like in general, as an industry, we shifted from having to justify the importance. You know, everybody knows it, and we're just kind of a go to work now, we don't need to justify why we are here anymore. That's awesome and a broad topic all over the place, but have you seen any like AI also coming into the ICS conversations? How is it like? How's the current state of AI at MITRE?

Sarah Freeman:

So AI is 100% a nearly daily topic of conversation even within the critical infrastructure space.

Sarah Freeman:

There's kind of a running joke and series of memes. You only need to know. It's been kind of true for a couple of years. But you go to some of these conferences, like RSA, for example, and the number of people on the vendor floor that are pushing AI-based solutions has just gone through the roof. It is a difficult thing to avoid right now. You'd actually it'd be impressive if you could. That being said, it's become popularized in the last couple of years, but it's not a new phenomenon. So, if you go back to even, what does it mean to talk about adversaries leveraging AI? And what does it mean to manipulate data flows and things like that?

Sarah Freeman:

Machine learning and how that data is being integrated has been a topic of conversation within the security and the hacking community for a long time. So, even going back to DEF CON circa 2017, 2018, there were actual presentations about manipulating data flows to these kinds of systems so that they don't perform the same way. So part of this is I think you know my colleagues in the AI Innovation Center would want me to highlight some of this has been going on for a really long time and, depending on where you are in as a historian of all things computer, you may mark the dawn of AI in 2010, you may mark it all the way back before, you know, 1980. But the reality is it has gone from a thing that was, I don't want to say notional, but it was not something that most people dealt with in every day, and now suddenly it has become this thing that people are just being inundated with. But there was a very similar arc that happened within the cybersecurity space or critical infrastructure that particularly popularized in the nuclear community. Again, a little bit of a nod to INL here again.

Sarah Freeman:

But there was a period of time where there were not digital control systems, and most people have never seen a pneumatic control for a nuclear reactor in their entire life. But you can see pictures of it online. It's kind of impressive. But this was the state of the industry not that long ago. In my lifetime, that was the state of the industry.

Sarah Freeman:

And when there was this big push to move from analog controls to digital control systems, a lot of people hesitated, the same way that when you adopt any technology, it comes with, one, change and, two, potential risk, but the reality was the market forces were going that way regardless of what we thought about it, and the whole point of this really is.

Sarah Freeman:

Similarly, we're on the top, the crest of a wave right now that is very AI-centric, and so much of MITRE's work related to artificial intelligence is focused on ensuring transparency and safety and trustworthiness of these systems, as well as being very strategic in how we want to leverage that technology. You've probably heard the stories of people's jobs being replaced entirely with AI. Again, looking back at history, we know that that kind of transition is not fast, but when it does occur, there is a strategic and intelligent way to go about doing it. We want to gain all of the efficiencies possible from the new technology, but do it in a safe, secure, appropriate way. So we're actually in my research with some of my AI co-workers and research partners. We're very much focused actually on what does it mean to bring this technology to help individual humans do their job better and faster and cheaper?

Pedro Kertzman:

Absolutely! That's the main thing. I think the AI conversation got so popular in our days because of LLMs, so it just brought to the forefront people can interact with it. Back in the day, it used to be like, like you mentioned, more like a numeric engineering type of a back end. Um, one of the things for specifically for AI, at least on my limited view to me, is always, or for the most part, something that will be requiring like a cloud, the AI living on somebody else's data center and all that. On the other hand, ICS systems, for the most part, they would be on isolated air gap networks and all that. How do you kind of combine those two different universes or connecting them?

Sarah Freeman:

Yes, the cloud, the evil cloud. Of course, before AI we had clouds, so there's a couple parts and pieces here. You know, it's always the devil's in the details. Cloud-based infrastructure introduces, first, a number of advantages in terms of resiliency, in terms of the types of analytics that can be performed, in terms of the quantity of data you can store. However, cloud-based infrastructure is not obligated to be on a third-party infrastructure, so I, as a utility, can run a cloud-based setup and not ever have any data leave my environment. I can also allow certain data streams to leave my environment, and so there's this weird thing that happens where, in general, sounds bad, but you start to look at the details and you're like, okay, not all bad and there's more than one way to implement it. So it's kind of similar pushes for, essentially, AI LLMs as a service. What does it mean to do, which is just a natural extension, honestly, of data, big data, analytics, big data.

Sarah Freeman:

Before there was cloud, there was big data, this idea that somebody else who's an expert is helping you do these things and very much, you know, going back to even the dawn of time, almost, when we talk about initial industrialization in the US. What does it mean to be Henry Ford and produce Model Ts, this idea that people have a certain degree of specialization, they are experts in this one thing and we serialize the process so that we can gain efficiency. So there's part of this that makes a lot of sense, and then there's less of this that makes sense from a security standpoint. So, as an industrial security personnel, as that being critical infrastructure protection being my focus, I have to be cognizant of working with utilities that want the AI advantages but maybe want to do it in a safe and secure way. And what does that mean? I think similarly, again, you know, working with some of my colleagues at MITRE who are primarily focused on the construction and design of some of these unique solutions. It's not a given that those things have to be so large that they have to be run on third-party infrastructure, or that they live in the cloud or they're sold as a service. That is just the easiest way today for individual companies to experience the wonder of the AI revolution.

Sarah Freeman:

I think what you will see is a grassroots effort of a number of different organizations. I mean, even now, if you were interested in it, you could buy yourself, you know, a new Mac laptop and be able to run a number of the open source LLM models on that device. The internal computational resources on that unit are good enough for most applications. The question really becomes one of data resourcing and computational power, and that has a lot more to do with how companies or organizations want to use the technology and how much data they need for that use case, and less about where it lives.

Sarah Freeman:

Again, pluses and minuses. Not every critical infrastructure sector, utility or organization has the same budget. Not every organization has the same number of staff. In some places they have a separate OT, operational technology security team. Other places it's one guy. He also runs IT security, physical security, and has an HR gig on the side. It's a huge variation here. And so it's not. I learned that it is not good. The best approach is not necessarily to highlight all of the weaknesses and the bad parts of what people are trying to do, but help them do what they need to do better and safer. Absolutely. So it'll be interesting, for sure, because those are definitely two camps. There will definitely because there's a market there now. So there will be people that are pushing to sell big AI in the cloud, probably as a service. I mean, you can already see that now. But the question really is, is that what an organization needs and is that the most secure thing for them to be doing?

Pedro Kertzman:

No, I love that approach. Yeah, I'm looking forward to see next chapters, for sure, and, uh, you know, talking about, you're talking about industrial control systems and, um, OT systems, any like best practices around understanding the design of the system, those systems, and, uh, nowadays is it like hardware, virtual ones that are the recommended ones, or digital twins? Any thoughts around that?

Sarah Freeman:

There is a debate that won't die, that periodically pops up at every conference, and it goes something like if you have to start from zero, what's most important, that you have a good asset inventory or you know what your critical functions are. And by critical functions I mean what are the things that you need to do in your company to survive to the next day, the next week, the next month. So we think critical infrastructure space. If we talk about an electric utility, it becomes really obvious for some parts of this, at least at the top level, in order to survive as a utility, you have to produce, transport and deliver power to your customers. Like that is your reason for being and, yeah, there's some variation about where you are in that ecosystem, but that's your role. Now, in order to protect those assets, the things, the technology systems, data that help you do that, deliver electricity, like what are the most critical things there. And so most people start with a basic asset inventory that may be somewhere between 40 and 60% accurate. It may be missing a vast majority of equipment, but they start somewhere. Then I'd say they kind of understand a little bit about what they need to do on a daily basis to be effective. So that first step is actually really easy. It's what happened next that is kind of complicated, is that companies start to then look at what happens when either those technologies or those data flows or those processes no longer work as a result of a cyber attack. Now, you could say, as a result. In fact, I was just reading a paper just now. It's grounded in probabilistic risk assessments and whether or not hazard analysis is sufficient to meet the needs of cyber attacks. It's a little bit dry, frankly, if I'm going to be honest.

Sarah Freeman:

But that aside, this idea that you can then start to say, hey, what are all the disruptions I anticipate seeing? And have I properly considered a malicious and deliberate cyber actor? Because cybersecurity, particularly within an operational technology space, is almost entirely grounded in this concept of resiliency. So what things can I cut? What is my minimally viable process that I need to survive as a company, and how do I ensure that that continues? And so, again, start by asking yourself what do you have, what do you need to do and how can I anticipate these things would break in the future? There's more nuance to it than that, but that is definitely the starting foundation for, I would say, most successful security organizations within the critical infrastructure space.

Pedro Kertzman:

That's great, and so you mentioned about those critical assets, depending on the specific end goal of those companies. Do you see any differences? Maybe in the past or nowadays that everybody knows critical infrastructure, even though they don't necessarily will pay ransom, but that's not the end goal of the threat actors on the other end, but do you see any differences how people are trying to reach those infrastructures from an attack standpoint, maybe linking to the ICS matrix. Is this through the SCADA systems or the ICS systems, or they will be now like the crown jewels, they are the end goal kind of thing and not like the entry points anymore.

Sarah Freeman:

Sure. So kind of highlighting what I was just talking about. One of the reasons why step three is understanding how the threat actors can attack or disable your systems. Part of the reason why people focus there is because there were certain trends in the attack space and the attacker space that we've observed over time. So if we talk about MITRE's ATT&CK for ICS frameworks or some of the ATT&CK, uh, other, you know, the other frameworks, not even ATT&CK for Enterprise, ATT&CK for Mobile, the point of that historical review is to understand the trend analysis about what actors are doing, what threat actors are doing, what capabilities they have, what their interests are.

Sarah Freeman:

The interesting thing that has happened since, comparing basically where I started in 2010 to where we are today, is that there was a lot more fear at the time, because we had a smaller subset of attacks, that we were going to see a run on attacks against the core crown jewels of the SCADA system. That the systems that were supposed to be isolated, not internet connected, have multiple security protection layers, that they would be the target of cyber attacks. Now what has happened since I started at Idaho National Laboratory and today, as I find myself at MITRE, is we've seen, as always, the market forces come into play, and so we started to see things like ransomware as a service pop up. Now, ransomware as a service is one of those things that was kind of unfortunate if you were a cyber threat intelligence analyst such as myself, responsible for providing weekly updates to some of my sponsors about what was going on in the world, because the weekly updates got more and more boring the more weeks, months, years we got into this process. About 2017, an enterprising individual released SamSam and, as ransomware as a service really took off and suddenly something that was being done in onesies and twosies as an unfortunate day, but not necessarily targeting critical infrastructure, asset owner operators, just blossomed, just turned into this whole market space and suddenly, as an asset owner, somebody who's working with asset owners to protect this infrastructure, I now have to include basic questions like where are your data backup storage? Do you have instructions about how to respond to cyber incidents on paper? Like, do you have gold copies of your SCADA system?

Sarah Freeman:

And it's certainly less exciting or interesting than some of the other cyber attacks we've seen that are purely in the realm of operational technology, but I think it very much highlights the reality of the environment we see today, which is still the majority of attacks are on information technology infrastructure, data and resources, and most attacks are enabled via internet connected systems. That being said, there is a small subset that if, again, if you're interested in tracking these actors and, frankly, you don't want to be bored by just repeating every ransomware attack by the way, there is a ransomware database where you can get them all now. At the time we didn't have one of those, but if you're curious I can share those resources. But now we have this subset of trend activity of kind of the upper echelon in terms of skill set of attackers, where they're actually targeting third party providers, suppliers, integrators. These are companies that historically, when we look at a security profile, were kind of left off the discussion because it was a different company. But we're seeing more and more of the actors target those companies, individuals, organizations kind of deliberately.

Sarah Freeman:

It makes a lot of sense from a cyber attack operations standpoint because a lot of these companies are providing services, technology, engineering, design, you know, assistance to multiple companies and so by compromising this one entity, they have theoretically access to all of these customers, all of these end users. So it's a lot of hacking smarter, not harder going on. That is interesting because it challenged for many years a lot of how we thought about security, including things like regulations. So everything was, as an electric utility, I am responsible under NERC CIP to make sure that electricity is being delivered in a safe and secure way. But the onus fell on the utility and now we're starting to say there's more parties that are responsible within this ecosystem for ensuring the technology is secure. And how do we bring people together in a way that, again, is effective and efficient to make sure that we're making the best technology and we're deploying it in the best way?

Pedro Kertzman:

That's perfect, thank you, and you touched a little bit about like programs and maturity as well, overall how you see the ICS programs maturing over time since you started working with companies to like help them on that journey as well.

Sarah Freeman:

Well, as I mentioned before, one of the first kind of big shifts in how companies were addressing this was recognizing that there was a bad guy on the other end. A lot of people when I first started just didn't want to believe that they were actively being targeted by anyone. They really struggled with that concept, good or bad. All of the cyber attacks since then have made that argument much easier for me to make. I no longer have to. Sometimes I have to put together a slide deck that just highlights the sheer quantity of attacks that have happened, because I think it's hard to keep them all in your head. But the good news is people have moved beyond that hurdle.

Sarah Freeman:

So then it kind of becomes this question of what does it mean to do proactive security? Because you can do things around resiliency planning. So there was a large swath of time where that was the primary focus and we've kind of evolved a lot of that thinking. But now we're at the stage where all of the proactive security and resiliency planning is resource intensive. For many companies it was untenable anyway. But we've kind of gone into this space where there is so much security nobody can do it well, and that's regardless of whether or not it's regulatory or some of these proactive measures. If you were to, say, consider the number of vulnerabilities that have been disclosed. There's been a massive increase, just even the last three or four years, to the point where I think there was something like 40% increase from last year of vulnerabilities identified.

Sarah Freeman:

These are vulnerabilities that are given CVEs, which, side note, there's actually a lot of things that are exploited that technically aren't CVEs, but we'll just count the CVEs for the purposes of this conversation.

Sarah Freeman:

It is more difficult every day for organizations to maintain even a basic patching schedule, let alone the fact that some of these are critical infrastructure systems, cyber, physical systems that are not typically taken offline, so they actually don't have patching windows unless they're scheduled.

Sarah Freeman:

So the plan now and the push is really to do something that's a little bit more targeted. So if we can get ahead of the threat actor instead of waiting until after the threat actor has manifest themselves in a certain way and attack these systems, maybe then we can be a little bit more strategic about what systems we patch and in what order. Or maybe we can identify security controls that are not manipulatable by a cyber adversary, a way to understand what the future adversary capabilities will be, as a kind of cyber forecast within infrastructure susceptibility analysis, so that we can prioritize mitigations or potential weaknesses for organizations, so that they can come in and really just focus on those areas that they're likely to see the greatest risk from adversary attacks. So I think that whole shift between let's identify all the vulnerabilities, first of all, there was no bad guy there were no attackers and then, oh no, the attacker is attacking everything.

Sarah Freeman:

Let's find all the vulnerabilities. To, oh no, we found all the vulnerabilities, there's too many to address. To now circling back and let's ground what needs to be done. Let's triage, based on what the actor is actually interested in doing and capable of doing, which is really helping to reduce the burden on security teams.

Pedro Kertzman:

No, I love that and, honestly, the idea about cyber forecast for sure. If you can anticipate what your opponents will be doing in one month or year, and so on and so forth, especially as the technology evolves as well, it would be absolutely important. I agree, and I love the way you frame it. We cannot handle everything, so let's focus on the things that sometimes things are vulnerable but not really exploitable, so let's focus on the ones that pose a greater risk for the overall company. No, I love that approach, thank you. And for the CTI folks, any preferred learning sources when it comes to the ICS space for the CTI audience?

Sarah Freeman:

Sure, I guess I would recommend first that because of the nature of cyber physical systems big moving objects, large safety-centric designs so things are designed a little bit differently over there in operational technology land. Because of that it's kind of important that people interested in being cyber threat intelligence analysts in that space really embrace the differences between IT and OT. There are a lot of similarities in every day where the two fields are looking more alike than they are different, particularly with the adoption of AI, big data, all those cloud services, all those things you mentioned. But the core of operational technology comes down to this concept of a cyber physical system where there is a digital system that's controlling a large usually large, but frequently a physical object. So disruptions of that technology result in physical manifestations. Again, electric grid outage on you know, disruption in a substation means that you don't have power. So recognizing that reality is kind of core, because if you show up and then try and kind of extrapolate what a cyber threat actor is doing without any knowledge of those systems, you can oftentimes misunderstand the potential risk, because thankfully there is still. Frequently it occurs that a threat actor who also doesn't understand the underpinning cyber physical systems will come into a space and try and manipulate these systems ineffectively. And, as a cyber threat intelligence analyst, it's critical that you not be in the business in my mind anyway of propagating fear, uncertainty and doubt, and so recognizing what is actually possible based on the technology or the typical processes within these spaces is paramount. A lot of times we have people transition from traditional threat intelligence spaces into the ICS land and they don't recognize that difference. 
They also will sometimes go too far over, so they will immediately jump to the sky-is-falling mentality because somebody manipulated a thing in a certain way. And it's important that you be really careful when making those pronouncements because, again, there's a safety implication for many of these systems that is not present when we're talking about a data center. So the other part of this is okay, great. So it's challenging, it's different. How do I learn more about it?

Sarah Freeman:

The good news is there is, I would say, a fairly robust, small but robust industrial security community that really goes out of their way to help people understand the differences between these technologies and the mechanics of how these cyber attacks can occur. So conference resources, and, secret secret here, you don't actually have to attend the conferences. You can actually watch most of the conference material on YouTube after it's been presented, if you are in a position where you can't afford some of these conferences because they can be very expensive. But things like S4 is one that always comes up. Uh, traditionally held in Miami. I think they may be moving it in the future.

Sarah Freeman:

Um, the SANS Industrial Control System Security Summit, traditionally held in Orlando; again, a lot of resources online there. Also, SANS does a lot of, uh, free webinars and things all the time. Um, the RSA committee does have a cyber physical systems committee. So if you're interested in, um, you know, kind of an alternative perspective, there's a lot of good material in that subset there. Uh, BSides, which is a distributed security conference, but they will frequently have, um, ICS-specific or industrial-security-specific speakers. Again, you have to kind of look on a case-by-case basis.

Sarah Freeman:

But we're coming up against, you know, DEF CON, BSides Las Vegas, as far as I know, they still have free admittance. It's been a while since I've been down there. But a lot of people will go down there and then go to DEF CON, even if they don't go to Black Hat, because Black Hat can be on the little bit expensive side. DEF CON is very accessible and it's not nearly as scary as you may have been led to believe. So all of those resources and, frankly, the artifacts that those conference organizations have put out there are, you know, they're all kind of very accessible for people getting into the field.

Sarah Freeman:

There are also new ones that are either returning to their ICS roots or industrial security roots, or have touched on the topic in the past or are new and emerging. So there's a new conference called Level Zero, very accessible. There's QSecCon, very accessible. There's REcon, which, granted, is a little bit more technical, that's a reverse engineering conference that's based out of Montreal, but again, many, many resources available on YouTube and elsewhere. For people for whom that may have been a really long list and somewhat intimidating, the other piece of advice I would provide is that if you find a speaker who you like, they will often have presented at multiple conferences. So even if you're not familiar with all the conferences, you can look based on those individuals and find their research for many, many years. So that's another way to go about doing it as well.

Pedro Kertzman:

No, I love it. Like, follow the trail, right? You go through a speaker, kind of all the posts and all that, you might find the resources that you want. No, that's perfect. And Sarah, any, like, closing thoughts for the listeners?

Sarah Freeman:

I guess I would only add one thing, that the industrial security community is really accessible and there's many, many friendly, very friendly people in there. So if people are interested in learning more, they can certainly reach out. They can reach out to me. They can also reach out to the community of people who kind of accepted me and brought me into the fold all those years back when I came from financial threat intelligence land. I'm also a big proponent of what is the sometimes unfortunately named Beer Information Sharing and Analysis Center, which is an informal group of industrial security community members that's very open and welcoming to anyone who would like to learn more.

Pedro Kertzman:

That's amazing, Sarah, thank you so very much for so many insights. Really appreciate you coming to the show and I hope I'll see you around. Thank you.

Sarah Freeman:

Thank you, it was fun talking to you.

Rachael Tyrell:

And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure. We'll be right back.