Alex Keedy: 0:00

How do you show the ROI of the attacks that you stopped or the threat actors that you profiled?

Rachael Tyrell: 0:06

Hello and welcome to episode 23, season one of your Cyber Threat Intelligence podcast. Whether you're a seasoned CTI expert, a cybersecurity professional, or simply curious about the digital battlefield, our expert guest and host will break down complex topics into actionable insights. On this episode, our host, Pedro Kurtzman, will chat with Alex Keady, who is a seasoned CTI expert with over a decade of experience leading global cybersecurity operations and customer success team. She's held senior roles at organizations including Flashpoint, Zero Fox, Intel 471, Deloitte, and Booze Allen Hamilton. Alex has been widely recognized for her impact in cybersecurity, including being a 2025 finalist for Cybersecurity Woman of the World and a 2024 top 40 under 40 honoree. Over to you, Pedro.

Pedro Kertzman: 0:57

Alex, thank you so much for coming to the show. I'm really happy to have you here.

Alex Keedy: 1:02

I'm thrilled to be here. Thank you so much for having me. I'm excited to talk to you today.

Pedro Kertzman: 1:06

Amazing. If you don't mind, we usually we start uh asking the guests about their journey into CTI. Would you mind walking us through that, please?

Alex Keedy: 1:15

Absolutely. So I did not actually set out thinking that I would ever go into cybersecurity. I have a pretty traditional background. It's actually in political science. So my official bachelor's degree reads political science, bachelor of arts, and then my master's degree reads uh security and intelligence. What that means is I had an interest in going into security post-9-11, which I feel like a lot of people they were interested in a lot of like either uh international terrorism. I started in uh domestic terrorism, actually, uh, which is kind of not something that most people focus on. Uh cyber, I mean, graduating with my bachelor's in 2015, cyber was not even on my radar. So I knew I wanted to do something that protected people that I could make a difference in, but I didn't know what exactly that was. So, fast forward in a couple years, I'm finishing up getting my master's in security and intelligence, and there's an opening at Homeland Security within the cybersecurity division. Had really no coding, no computer science background. I thought this is really interesting. I've already done a lot of like the domestic terrorism uh in my internship for homeland security, transitioned over there, got some really good exposure at the state level, and then took some uh courses and when I finished my master's program in cybersecurity. So got some academic background. I started reading in my spare time, just learning like the early Silk Road, early uh Dread Pirate Roberts, Cybercrime uh 101. Just like, what is this? What is Bitcoin? So I from there never looked back. I then graduated and looked for a position within cybersecurity and found cyber threat intelligence analysts as my very first role. So started working for Booz Allen, and I always recommend to people looking to get into the field, find a company that will help you grow, help you train, help you cross-train, uh, really devote your first years to learning. It doesn't matter what you want to do in five, 10 years, if you can really just sink your teeth in and learn as much as you can in those first couple years, I think the rest really takes care of itself. So started writing a lot of reports, looking at nation state to cyber criminal actors, profiling, tracking campaigns. I thought malware was the coolest thing ever and learning in different different um terms of like a worm or a virus or what is an info stealing malware. So it's just learning all of the technical terms and learning how it's actually adapted and people use it from a geopolitical standpoint or a financial standpoint. So I thought this was really truly a next dimension of how we will be fighting warfare and dealing with other countries because we're so dependent on the internet that cyber is just it just included in every single aspect. So that's where I kind of kind of in a roundabout way realized that I was gonna make a difference and also learn something new every day because I don't really see it as a job. I'm truly so interested in learning all because every day you can have a new variant, a new nation state, or a new cybercriminal group that nobody has seen before, and you can make your mark identifying or profiling.

Pedro Kertzman: 4:38

Malware is the coolest thing ever. Oh my god, I just love this quote. Thank you. So, and I and I could not agree more with you. First years of our career focused on learning. Nobody's expecting you to come in one morning and uh have a huge impact on the organization. You're there to learn, to help, and then create that body of knowledge that's down the road to help you create more impact. And how is that uh like your trajectory going to uh more CTI? Because I think you changed as well along the way from a more hands-on CTI uh analyst type of role, and then off of that type of role. Any like learnings uh uh with those uh changes?

Alex Keedy: 5:29

Absolutely, and I think no matter where your career takes you, to start in a more technical role, at least at some point during your early formative years, you're gonna have a much better basis to do sales or marketing or whatever different pivot points. Because at least for me, I can tell if someone doesn't have that technical experience and they're trying to pitch something to me. Because as soon as you start asking a couple questions, you know, that's about the the level, and your credibility goes much, much further if you have that technical level of understanding. But for me, I love and I still read, no matter how detached I am from that analyst role to to this day, still read the reports, blogs, um, still in the weeds and jumping in when anyone has a technical question that I can help with. But what I learned is I love being the person that explains the technical concept to just a wide variety of people. I've always been more extroverted. I've loved doing the client presentations, putting it together, driving that so what factor, because I think there is a disconnect between it showing the value of what cyber threat intelligence can do for you because it's largely predictive. Like, how do you show the ROI of the attacks that you stopped or the threat actors that you profiled? Well, you can show I devoted this full-time resource in a way that matters because this threat actor was targeting my organization, my industry. I stopped these amount of attacks, and we can compare them to industry standard that they average cost 50K, or even in some cases, if it's ransomware, millions of dollars. So it has a real world impact. And I think translating that bottom line ROI is sometimes difficult, which is where I've always felt that's a kind of a niche or a hole to fill in the industry because you have all this noise. People are saying, care about this, care about vulnerability patching, care about malware analysis, care about all these different things. Okay, well, I have this set budget. I cannot go over that. This is what I've set. How do we best spend those dollars? So I think that's a neat place to be in, and that's kind of where my role and my career has taken me is bringing together the technical pieces, showing the stats, the value, the on-proof black and white, what we can do from a vendor solution and what that impact will be. And plus, it's just always fun to engage with a variety of people. I mean, cyber threat intelligence plugs into a number of different industries. And I've worked in a security operations center myself where you're giving the indicators of compromise to like the instant response team or the hunt team, and then you're also identifying the vulnerabilities that have been targeted or you know need to be patched, and so you're passing it on to a vulnerability management team. So it's really cool you get to work with a whole lot of people. I've always found that to be a really good learning experience because I've never worked in vulnerability management in a role myself, but I learn from them every day. And it's always a changing, very collaborative uh world. So if you think you just have to be stuck behind a computer and code to do CTI, no, we there's plenty of people that do just that, but there's a lot of people that love driving that ROI and talking with people and showing the value.

Pedro Kertzman: 8:55

And I think that's probably as an industry, we're starting to realize that if we don't translate that into anything closer to a business conversation, it's really hard for you know boards and C-level and those uh kind of stakeholders to understand the value of the things that we're doing now because more and more people talk about that kind of thing uh nowadays because uh at the end of the day, they're just businesses uh trying to survive and we just need to help them, right? I think that's uh absolutely that's the main thing. So to your point, you know, making those uh business bringing business value. How do you see the value, particularly for like small enterprises, let's say between a thousand and five thousand employees, um like a mid-sized enterprise? Any uh insights around that?

Alex Keedy: 9:45

Yeah, really good question, and that's one that I see every single day, where I either get a response of, we're too small to be targeted. Like it doesn't matter, we don't need CTI. Or how do we build that budget? I need some talking points and ammunition to go bring back to my leadership, but I don't know how to make that business use case. I hear this all the time, and I feel like more now, so where budgets are being cut, you have to really fight for every dollar. So, one, I think just the easiest way is throw throwing out the industry stats and showing the proof. You know, the proof is going to be within the pudding of one, some things you can't actually tangibly put a number on, and that's brand reputation and trust and lost business and just your reputation within the industry. We see that a lot of times where there's no safeguarding of proper data, uh, your customer information, your health protected health information, PHI, uh PII of individuals, personally identifiable information. So all of that kind of data, you lose customer trust and you see like stock prices fall, or you see just the overall customer sentiment. That's harder to put a tangible dollar amount on, but you can show case studies where you've actually prevented different incidents. Um, two is showing where do ransomware variants target. We keep uh stats and at a couple of different dark web vendors that I've worked at, we've tracked and shown that every single industry is targeted. You may think that you're a small, uh small regional hospital or a credit union in the middle of a random state and you don't have any value. But a lot of these ransomware operators operate spray and pray type attacks where there's just indiscriminately sending out malware. So you may be targeted. You uh may not be the intended recipient, you may not be a large Bank of America, but you still have access to email. People are still uh sometimes the weakest link where they're you know shopping for Christmas and they don't pay attention that it's a uh phishing email and they think that they're doing the right thing um when they are not having proper cyber hygiene. You know, there's a lot of training down on like the human element or just the proper security stack that maybe small companies don't have. So I think for any of those examples where smaller companies think they're not going to be targeted, I'd say bring the stats and vendors can help with a lot of that. You can just um find out which companies are some case studies in the news that were targeted that are smaller. Uh, we see this all the time. And then just start slow with that budget, like the easy, immediate ROI. I would say you can offload a lot of um tasks to some of these vendors that you would have you would never have to pay like a full-time employee to have a lot of like AI is being automated to action on or alert on these keywords. So you wouldn't have to have like a full-blown security operations center. There's managed service providers that also operate and offer that kind of coverage. Uh, I've worked in scaling and building up these smaller companies to where if you find the value, you demonstrate to leadership the ROI year over year of these small increments and like trying to build that budget, you can kind of scale up and demonstrate how much further you can be preventing any issues by being more proactive, looking at cyber threat intelligence as like a more uh overarching protection. Um, you wouldn't just be reactionary, but you know, proactive on those types of measures that you would take. So it kind of doesn't happen overnight, but you know, there's a lot of introductions I've made from smaller companies to other ones that are similar size and said, you know, what are different areas like fraud protection that you can have at a bank and just having them talk to each other and saying we've implemented this because we saw a vendor gave us information about uh how-to manual of fraudsters uh doing different ATM cash out schemes or different ways to create fake uh checks or uh different cash fraud rings that we've actually led to uh handing over that information to law enforcement and making those kind of arrests. So when you can show, like we would save these small companies, you know, pulling out a number like half a million dollars a year and just uh fraudulent checks, then you have that budget. You if you pay for that 100k solution, you have 400k at least an extra that they're saving you. So finding the wins here and there is a good way to tell the story, uh, and then the intangible benefits of like, you know, having people trust you more because you've got better security in place.

Pedro Kertzman: 14:32

Yeah, no, absolutely. Have you had any moment that you you had to like uh have a big picture? How large is like cybercrime kind of thing?

Alex Keedy: 14:42

Oh gosh. I mean, I I'd have to look and see if this is still true, but I last set I saw was cybercrime makes up the world's third largest economy. I mean, it is massive, and it it really is so diverse too. I mean, when you look at cybercrime itself, like you're primarily looking at the financially motivated cybercriminal activity. This is gonna be the like ransomware as a service affiliate grant uh groups where you're gonna have a single operator that designs the malware. This person is gonna have a lot of technical experience. Then you have all the affiliates that just want to sign up and uh pool the shares with the with the creator of that malware variant. That way they don't have to devote sometimes it's months, years, etc., developing a very sophisticated malware, but they get to you know still reap in the benefits of having that malware be deployed. Uh, it could be anything from like DDoS services that are sold, compromised credentials that are sold. Russian market is a popular market that we commonly monitor for, and you've got credentials being sold on there for six, eight, ten dollars. Those are you know used in in infoseiling malware variants, then sold to other operators with more nefarious uh types of attacks that are being used, more destructive malware, but that's the way they gain the initial access. So that $10 credential is then later sold, and maybe they'll have a $50 or a $50 million ransomware incident for a major hospital. So that it's kind of crazy, just the end of the extreme there. And just like the recent scattered spider incident where you had the individual being arrested and he's just 19 years old. I mean, if you ask me what I want to do when I was 19 years old, I think it was just have fun in college or something like that. But you've got ransomware operators and cyber criminal actors operating and at a very young age. So cybercrime truly is very pervasive across all borders. There are certainly hot pockets of cybercrime and the activity that is allowed to uh to persist. So you do have some countries that the law enforcement will not be super receptive to warrants from um or international pressure to arrest those individuals. Sometimes they are moonlighting as a cyber criminal actor and then uh working as a state-sponsored actor per day. So uh that kind of is like a little gray hat area that you see. Uh I would say, like a lot of the former Soviet states, uh, you see a whole lot of hotbed of activity, but you see uh truly every language is represented in cybercrime. You've got different forums that specialize in German and Spanish and Arabic, English, no matter what. You've got all sorts of cybercrime across all of those uh state and international borders there. Um but truly it does comprise a very large industry. And uh I think we've gotten to a point now that you know we've got some cyber laws like uh GDPR laws and privacy protection in Europe. The US is not there yet. Like I think it's very interesting to watch how these laws are uh still a bit Wild West, but starting to shape up. It's the same way with how are we gonna deal with cybercrime? You see a little bit more cooperation, you see large international entities like Interpol taking action. Uh, so I think that's the next hurdle is how do we actually make those arrests and deal with uh individuals in countries where maybe they aren't gonna hand over these individuals and aren't gonna hold them accountable. Because if there's nothing stopping so long as you're using the internet, um, someone in uh you know Belarus from attacking someone in uh the middle of nowhere, um, you know, Caribbean, pick your country. Like it truly, you're no you're not safe as long as you're connected to the internet. So people always ask me, do I just unplug the computer and call it a day and be safe? But it's like at what cost? That's that's your trade-off. You just have to figure out what's your level of risk.

Pedro Kertzman: 18:48

That's right. And uh, you're mentioning about Interpol and uh law enforcement uh uh operations. Have you ever had the chance to um relate it to a certain threat actor or anything like that, work with law enforcement on any campaign or action?

Alex Keedy: 19:05

Absolutely. Just to name a couple, um, I've had a pleasure of working for a couple of uh vendors that specialize in uh doing a lot of dark web research and intelligence and then handing it over to law enforcement. So uh DOJ and FBI specifically um are ones that we work with a whole lot. Uh vendors like Intel 471, where I spent about three years, they do some awesome work in investigating and profiling actors. And then I'm currently at a company called Flashpoint, which also is a dark web vendor that uh hands over this data. Of course, these vendors don't have law enforcement regulatory powers. So we have to hand over that Intel once we get it. We hand it over to the rightful organization to make those um arrests and question and questioning those individuals. Uh, we've been in the news uh quite a few, and I've I've known a lot of people that have uh testified in cases. They were the analysts involved in a in a case looking at different. Cyber criminal actors. There was some like Chinese nationals in a recent case that we were profiling and identified them and actually demonstrated the total volume of cybercrime that they were involved with, handed that over, and then was involved with a case with the FBI. So it's very satisfying. Additionally, we do a lot of human trafficking work. So on the other side, a much more, you know, uh personal and uh very rewarding job where you're identifying these rings and potential um victims and handing over that information to the FBI and other uh law enforcement entities. So whether it's just the you know you stole money from a bank or an organization or it's more personal, these vendors do put it upon themselves to hand over that intelligence that really makes a difference and make sure that those people are held accountable.

Pedro Kertzman: 20:51

That's that's uh that's amazing. Yeah, some some uh it's hard to say, but like some crimes are just I don't know, it seems like even worse than others, kind of thing. Like human traffic is like, oh my goodness, it's one of those. Um and uh so you're mentioning about profiling threat actors and and and all that. How is it like to work like focused on doing that? I imagine like a lot of dark web as well. How how's that kind of uh from a day-to-day perspective?

Alex Keedy: 21:22

Honestly, it's like I tell my parents all the time, it's like uh spies but technology. You've just got some really cool tools you at at your disposal. So it's it's really neat. Uh the dark web people have a kind of if if they haven't accessed it and checked it out, they kind of have this like nefarious, nebulous view of it. Honestly, a lot of it is just nonsense. A lot of it is just like conspiracy theories and people that don't want to be tracked and they just want to be anonymous online, uh, or they just want to buy their illicit drugs or or you know, counterfeit items at a discount, whatever it may be. Uh, but then you do have some more nefarious organized groups that are using like Telegram uh for a whole host of different communication. Uh, just a couple examples to work with a lot of logistics and shipping companies where uh it kind of will bleed over from the cybercrime realm into the physical realm, where you have individuals that will actually uh reroute packages and then go and pick them up and so stealing people's packages. Or you have these mules, as they call them, of people that are going to uh, or walkers that they call them also as well, like that will walk into banks and actually pick up the cash or go to an ATM, and after the malware hits the ATM, they'll be there standing to get the cash after it falls out because of the um ATM malware that has been infected on that machine. So it's very interesting. Uh, you see a lot more of like the cybercrime as a financial focus. You don't tend to see much of the nation-state discussion. A lot of that is, you know, super secret squirrel behind the scenes. They're not gonna discuss their attack beforehand, but you do see more of like the dark web uh discussion and advertisement. And the one thing that is very, I think, unique uh because on the dark web you don't have an identity, you have a username. People don't know where you're from, who your true identity is. So everything relies on your uh rating and your credibility is built up from other cyber criminal actors. So people have who have been endorsed by other, so to speak, bad guys or cyber criminal actors, they're more revered and trusted on these um on these different forums. So that's kind of where the vendors come in, where they will gray hat it or pretend to be a black hat actor, where we are pretending that we have done nefarious things, we're seeking to gain the trust. And in this case, we can act on behalf of the clients and ask the questions that the clients would want to ask because no way are they gonna respond to your inquiry coming from a bank. They would just say, you know, I I don't trust you. You're a researcher, you're the victim, we're you're not gonna engage with me. But then by acting as someone who has built up cr uh trust and credibility on different dark web forums, we're able to get the proof, relay that to the client, demonstrate how they gained access, maybe show the stolen data, verify the claims. So, in a way, making it more safe by you know kind of pretending to be a bad guy.

Pedro Kertzman: 24:33

That's that's amazing. Any like you mentioned you're still like super active on the like CTI analyst type of environment. Any favorite learning sources or ways to learn anything related to CTI?

Alex Keedy: 24:49

I've got a couple of free resources, so I'll start with those because everyone likes to save some money and not have to shell out to get those. So uh SANS is a great SANS org, uh S-A-N-S uh O-R-G. So great resource that is truly the golden standard of cybersecurity. They have a lot of great summits, they have webcasts, they have amazing speakers, great resource. You can sign up and join a lot of these for free. Also, vendors love to demonstrate their knowledge. So, any of these vendors that specialize in open source collection, dark web, um, profiling actors, tracking malware, they all have blogs and you can subscribe to the blogs and get that free content. And they a lot of times they have these external uh webcasts where they bring in a researcher and demonstrate how they have done an investigation or do they or do their research. These are all free resources, and I always tell people, especially as I talk to a lot of uh students at my alma mater uh University of Kentucky, uh, do a lot of uh mentoring there, and I say you don't have to spend a lot of money to get the knowledge, like it's out there, and that's one good thing that I love and never had uh when I was younger, you had to go to a library to learn a lot of things, but now you can get a lot of that knowledge just from the comfort of your own home. So I would start there, and then kind of like that next, if you were looking to get into the field, looking to bulk up your knowledge, really understand like what is a RAS group, uh ransomware as a service group, or what is PII, what's an IOC. You want the basic terminology, and a good way to get that credential and understand that basis of knowledge would be to consider studying for an exam like Security Plus or Network Plus. That will also help you get that great resume boost and say, I'm credentialed, I'm actually serious, I know this terminology. You can do a lot of these uh self-studies on like uh Learn As You Go type platforms, uh Udemy. Uh, pretty economically feasible to do that. Uh, if you do join a company such as like a Deloitte Booz Allen, a lot of times they will also pay for your uh certification from SANS. Those are a bit pricier. I would not recommend doing that. I certainly wouldn't do it on my own, but a lot of times they will pay for their employees to go and take one of these courses. They're generally about a week-long course, and then you have an exam at the end. They are phenomenal. Um, so in that kind of order, I mean, you you have tons of knowledge out there. Uh, and one interesting thing about cyber that I think is unique is you know, you've only got a few decades of experience of it even existing in a field, right? You've got hundreds of years of medical and law, um, if not thousands, but you've truly got just a few short decades where the internet even existed. So it changes very rapidly. And so I think you just don't ever stop learning. And the best way that I've learned is read reports, uh, work alongside someone who does something different from you if you have the opportunity. Do an internship. Uh, I know tech has gone through a lot of changes, layoffs, such over the years. So if that is not feasible, you know, first start with those free resources, making yourself at least having that bare uh base level of knowledge, and then see what kind of internships. Uh, there's great Skillbridge internships for people who are transitioning from the military. There is a lot of different resources, like um different conferences. Uh, one of which I have helped uh co-host over the years, which is Uniting Women in Cyber, they actually pay for students to attend the conference. So you can attend um uh free at um if you receive a scholarship, or if you are a student, uh first responder of military, you get a discounted rate. So a lot of good ways to attend conferences like that. And there's a B-sides conference, there's uh others that aren't, you know, hugely preventative in terms of like entrance fees. And those are great ways to see what the latest and greatest are. And I think that just puts you in a better position to know what's actually going on in the field, and you're better informed to talk about these different types of tactics and threats.

Pedro Kertzman: 29:12

That that's amazing. I I love this uh you know, working with uh organizations also helping people come to the to the industry. We we need that. I think it's fair to say, besides if you don't have an every single state, you're gonna have like right next door kind of thing, right? Because we have a lot of them. Yeah. Alex really loved our conversation. Thank you. Any final thoughts for the listeners?

Alex Keedy: 29:37

I would just say uh, you know, don't think that you have to be super technical to go into the field, and also uh, you know, being a woman and also being one of the only females on a team of of guys many times at different teams, uh, it's a great field. And don't feel like you can't ever uh become involved in it. There's marketing, there's sales, there's technical, analytical, geopolitical, there's all sorts of different possibilities in the field. And uh just overall for the the future of cyber threat intelligence, it is just growing. I mean, the industry is projected to grow. I think I read stats of like 20% in the next five years. Like it is immensely growing. There is a need for qualified individuals, there is a need to also pay attention to cyber threats because we are so reliant on it, and it truly does bleed into every industry. You know, you've got to safeguard your planes from cyber attacks, you've got to safeguard your money in a bank from uh being stolen by cyber criminal actors, uh, your uh power grid from turning off in the dead of winter, and we've seen that actually play out in instances. So I think it's just such an amazing field. And at the national level, we need to, if I can ever get someone to pay attention to me, you have always got to have the budget for training the top talent, investing in proper security, because cyber's here to stay. It is ingrained in everything, and it just really matters so much. And cyber threat intelligence is kind of like the the director that you know helps with the other teams that tells the vulnerability management, the threat hunt, the remediation, uh, the sock, all the different teams what's important. So they all kind of work together, and I guess you could call it like an orchestra or a car, all the parts moving together.

Pedro Kertzman: 31:32

So that's amazing. And uh, I often like have to explain to you, you know, family, and I often translate in the like cyber threat intelligence probably the closest we get from working smarter than working harder. Agreed, especially if you have a good person or a good area on your company, it will help you focus your energy, efforts into that space because they know what you're up against. Absolutely, uh, and not trying to patch every single thing, every single host, just not reality. So, you know, focus here, focus there. Alex, really appreciate you coming to the show. Very nice conversation. Thanks for all the insights, and I'll hope we'll see you around.

Alex Keedy: 32:14

Oh, absolutely. This was such a pleasure. Really appreciate the time. Thank you so much.

Pedro Kertzman: 32:17

Thank you.

Rachael Tyrell: 32:20

And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure.