Cyber Threat Intelligence Podcast

Season 1 Finale

Pedro Kertzman Season 1 Episode 24

Want fewer fire drills and smarter security moves? This season finale brings together the strongest lessons from our guests on how cyber threat intelligence turns uncertainty into clarity—and clarity into action. We share what actually works when the data is partial, the stakes are high, and leadership wants proof that CTI moves the needle on risk and cost.

We start with the core: prioritization under uncertainty. You’ll hear how teams use intelligence to decide what to patch first, where controls matter most, and how to focus limited resources without missing the threats that can take a business offline or put customer data at risk. We dig into the language of value—money saved, revenue protected, efficiency gained—and why BLUF, clear implications, and stakeholder interviews beat jargon every time. If you’ve wrestled with KPIs, KRIs, or ROI, we unpack practical metrics that reflect real outcomes, not vanity numbers.

From there, we look ahead. Forecasting adversary capabilities, mapping susceptibility, and choosing proactive mitigations can shift a security program from reactive to resilient. You’ll get candid perspectives on building CTI the right way—starting tactically and growing into operational and strategic impact, or choosing a build-vs-buy path aligned to budget and goals. We also talk careers and team shape: why diverse backgrounds thrive in CTI, how small teams can deliver outsized results, and the discipline of deciding what you will not do so you can excel at what matters.

If you want CTI to influence decisions at every level—SOC, IR, red and purple teams, and the board—this wrap-up offers the playbook: stakeholder-first communication, focused scope, useful metrics, and a relentless push toward proactive defense. Follow, share, and leave a review to help more practitioners find these insights—and tell us: what CTI metric best proves your impact?

Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure!

Mary D'Angelo:

The value of cyber threat intelligence.

Freddy Murre:

Really, really valuable.

Alex Keedy:

The value of

John Doyle:

value proposition.

Charlotte Guiney:

Why it's valuable.

Josh Darby MacLellan:

Proven their value.

Pedro Kertzman:

Hello and welcome to your Cyber Threat Intelligence Podcast. As you probably noticed, today is a different episode. It's the season one finale, and I have the impossible task of pulling together some of the best moments of season one and guiding you through this journey where our guests share their experiences, their lessons, and how they think about CTI. But also, as a special episode, I would like to tell you a little bit about myself. I'm your host, Pedro Kertzman. I'm a security architect, and CTI is one of the hats I wear. And honestly, as you can imagine, probably my favorite one. Out of everything I've touched in my cybersecurity career, CTI changed the way I think. And my goal with the podcast is simple. If you're new to CTI, I hope you have a better understanding of why it plays such an important role in cybersecurity. And if you're a CTI professional, I hope you've got some insight that will make your day-to-day easier. I really hope you enjoyed season one, and I'm gonna take a break next month to start planning and recording the next one. In season 2, we're gonna get deeper into cyber threats and intelligence. With that said, let's get it going. Alright, one of the key elements CTI can bring to the table is prioritization under uncertainty. If you have worked in cybersecurity for some time now, I would guess that you have faced situations or incidents where you didn't have the full picture or all the possible logs on your hands, and you had to decide something based on that partial information. And that's normal. That happens a lot of the time. So CTI can help you do that, prioritizing under uncertain scenarios. A few guests touched on that, and I would like to share again some of their thoughts around it.

Mary D'Angelo:

If it's done correctly, it'd be permeated in every single aspect of an organization, really in order to reduce uncertainty. And that just makes it better for strategic planning, better risk assessment, and it sets you up to be more of a proactive organization as opposed to being reactive when it comes to cyber threats.

Josh Darby MacLellan:

Rethinking CTI as supporting decision making and taking it a step further by viewing it as an essential tool in organizational resilience. Right now, I've noticed some CTI teams are going through layoffs and cutbacks and they're having their tooling reduced because number one, they're expensive, but number two, they haven't been able to translate their value into a language that that decision makers and business leaders understand. So for me, um the it's an ongoing struggle, but incredibly important for CTI teams to be able to demonstrate their value, um, do good work, and then tell everyone about it. I think it's again why communication is so important. It's because if you're doing like the best high-quality um analysis and assessments, and that's um helping to prevent uh uh different attacks and future intrusions, if you aren't giving that message to the right people, they'll still hold that perception that the CTI team is not as essential as our other cyber teams and more nice to have that we can get rid of if we need to. So that's one of um the biggest pitfalls that I see with CTI teams is they're struggling to communicate, well, we'll first quantify and then communicate their value. And I'm glad that that this is starting to get recognized more and more because I've started to see more conversations around um KPIs, metrics, and uh and KRIs, and CTI teams are starting to adopt them, which I think is definitely needed if we want to um avoid and develop through these pitfalls that CTI teams are facing.

John Doyle:

What's the best value proposition for an internal CTI team? And then what is the value proposition for intelligence vendors who may service internal CTI teams? And and this is something that when I'm working with clients who are building their CTI programs or trying to mature it, these are all decisions that they're trying to make, these are all complex situations they're trying to navigate is how do I convince the business that we have the ability to provide proper level support to service these needs that are measurable, that actually show impact both at the bottom line of the company, but also shows efficiency gains. So it's um my boss at one point in time said something to me, and I don't think that he he meant it as like this wise sage advice that was super impactful, but it actually was. He's like, Look, look, John, like organizations use CTI for like one of three reasons. One, it's you've saved the company money, and money could translate to like brand reputation loss, um, or a whole host of other kind of things that are associated with risk. It's making the company money or you're improving efficiency in some way, shape, or form.

Alex Keedy:

I think there is a disconnect between showing the value of what cyber threat intelligence can do for you because it's uh largely predictive. Like, how do you show the ROI of the attacks that you stopped or the threat actors that you profiled? Well, you can show I devoted to this full-time resource in a way that matters because this threat actor was targeting my organization, my industry. I stopped these amount of attacks, and we can compare them to industry standard that they average cost 50K, or even in some cases, if it's ransomware, millions of dollars. So it has a real world impact. And I think translating that bottom line ROI is sometimes difficult, which is where I've always felt that's a kind of a niche or a hole to fill in the industry.

Pedro Kertzman:

ROI, people. I know it's not as exciting as reverse engineering or malware analysis, but you gotta do that, right? You gotta prove upstream that the CTI team is bringing extra value to the organization. But how do you understand what the leadership needs? How do you understand their values?

Ondra Rojčík:

We need to understand who we work for, what are stakeholders really, what they really need to give them what we call implications. In other words, answering the question, so what? Once we understand the problem, of course. We need to explain what the problem means for the stakeholders.

Cherie Burgett:

What we really like to share is the finished intelligence. So those are the things that we put, we put it all together. It's it's analyzed, and we tell you why this is important for your business to pay attention to.

Scott Scher:

Go interview your stakeholder and find out everything you can about them and the things that they do and why they do it and how well they've been doing it, what's been causing them problems in their for their team. One of the things I always like to ask about is their pain points or their obstacles, like what is preventing you from doing the things that you need to do, because there may be a place for CTI to be like, oh, actually, we can help if you're not getting something you need. Maybe CTI is the team that can help give you that.

Bianca Miclea:

And it's so important to keep that conversation going and to keep honest and open communication. And yes, the way you phrase things has to be very careful and, you know, technical jargon needs to go out the window. And if you're in a small team, like I happen to have been numerous times, then I was doing both tactical and strategic and operational, and you have to switch mindset between I need to provide this malware analysis to the detect and respond team or threat hunting team to look if there's something internal, to now I need to present something to the board. Having that mental switch between leaving the technical jargon behind and actually explaining risk and so what and really focusing on what matters, it can be quite difficult, but it is really important in maintaining that, I guess, whole CTI picture.

Sam Flockhart:

And coming up with that template and that plan and sort of working with the commanders and things like that on that. So again, it's kind of one of those things where even though I had no cyber experience coming into a cyber team, it's kind of like you know how to operationalize that intelligence and structure it and try and deliver the value and the souls to your sort of stakeholders and your consumers within a within an organization, which is really important um for CTI teams to do that.

Freddy Murre:

Clients, on the other hand, are the ones that you are delivering to continuously, and it's the reason for you existing. So if you work with CTI, those are your key clients. And the the challenge here is that for one type of topic or question, you might have a set of key clients and some customers that you have delivered to, but for a different topic that changes, and understanding and being able to engage with the different stakeholders at different levels and understanding what their needs are, that's a huge, huge thing.

Pedro Kertzman:

But if you don't know how to start, or if you don't want to start from the scratch, John has a suggestion, which is the capability maturity model for CTI, CTI-cmm.org. Let's hear it.

John Doyle:

So here is incident response, here's SOC, here's Hunt, here's Red Team, here's third party management, etc. What does their organizational function do? And how can CTI support it? And then it breaks it down over a spectrum of maturity levels. What they've just done in the past month is actually created metrics. So I'm an internal CTI team. What are good metrics for me to measure against if I am supporting incident response, if I am supporting purple team, if I am supporting red team exclusively to help with, because it's hard, right? Metrics creation is not something that, like, me as a deefer practitioner have been trained to do, or even like somebody coming into a management role, they've not gone to, you know, university or taken professional training on, like, how do I create effective metrics, but my boss is asking me to create something, so I have to create something. So this framework is actually designed to bridge a lot of these gaps to help with that value prop for intelligence teams as a whole. So, like, if I didn't have that organically, I don't have to create it from scratch, it now exists. It's something that I could take and pull from.

Pedro Kertzman:

It was really interesting while editing this episode to notice that there are a lot of commonalities between the challenges and insights the guests brought to season one. And of course, it's not a coincidence. So let's listen to a few more of them.

Sarah Freeman:

If we can get ahead of the threat actor instead of waiting until after the threat actor has manifested themselves in a certain way and attacked these systems, maybe then we can be a little bit more strategic about what systems we patch and in what order, or maybe we can identify security controls that are not uh manipulatable by a cyber adversary. So you'll see a lot of pushes like that, including one that uh we're working with Mark Bristow that we we push pretty heavily here within MITRE, looking to use threat intelligence as a uh a way to understand what the future adversary capabilities will be as a kind of cyber forecast within infrastructure susceptibility analysis, so that we can prioritize mitigations or potential um weaknesses for organizations so that they can come in and really just focus on those areas that they are likely to see uh the the greatest risk from adversary uh attacks.

Pedro Kertzman:

I know it may sound repetitive, but how many times have we heard anything related to being more proactive, less reactive? Hopefully, you noticed throughout season one, it's also about the journey. CTI is not the most mature subset of the cybersecurity industry. So each company is also building their own CTI journey, of course, learning from maybe other companies from the same sector, learning from ISACs, CERTs, you name it. But let's talk about journey now. I would like to bring some of those journey-related conversations we had throughout the season.

Bianca Miclea:

The conversation I was having and where I was trying to get the team to is actually building that inbuilt SOC team that actually provides actionable intelligence, relevant intelligence, things that you can do something with and that you can really get the so what behind. So, you know, bringing in suppliers, bringing in the tools that we're using, understanding vulnerabilities, working with the detect and respond team to understand what are we seeing, what are the trends. So that was one of the initial points and discussions that we were having. So once that was defined and understood and the direction was set, it was then easier to say, right, okay, this is what we want to do. So we need to build XYZ, we need to understand IOC processes, we need to start from the bottom, which at the time and where we were at, immense and tactical, and then slowly build your way into operational, the who, the how, the why, and then the strategic. So the strategic piece around, you know, what's happening geopolitically, what are we looking at, the words and politics and economics, and PESTLE was one of the frameworks I used and I found very helpful in that scenario. But that came last. That came after everything else was set up, after we understood our crown jewels, our suppliers, our tools.

Freddy Murre:

Every report should have a BLUF, a bottom line up front. Why should I care about this report? Every report should have an introduction, sort of introducing the problem, introducing sort of why this is important to discuss, maybe not to everyone, or I mean not to you specifically, but in general. But the BLUF is to you.

Alex Keedy:

If you find the value, you demonstrate to leadership the ROI year over year of these small increments and like trying to build that budget, you can kind of scale up and demonstrate how much further you can be preventing any issues by being more proactive, looking at cyber threat intelligence as like a more overarching protection. Um, you wouldn't just be reactionary but proactive on those types of measures that you would take.

Josh Darby MacLellan:

I would say overall, the answer to that would be practice, practice, practice. Again, my method, I was very passionate. I started learning so much that I started to teach colleagues on what I was finding. So, you know, there's different avenues again, like how somebody would go from, you know, this point to that point. But if you're not only you want to practice the things that you kind of read about and continue to get better at, but in those instances, you might even uncover ways that are unique in how you're using open source. And that, like, and I mean, people write blogs about it, people uh will teach other colleagues about it. So for me, I really once I got into it, I got really comfortable and I felt I had a few things to share with colleagues. I started teaching open source. And honestly, you learn a lot even when you're teaching. And I always say as an instructor myself, I don't know everything, but I'm kind of I'm open to learning and I learn things from participants, from students all the time. Um, but I also have a lot to share.

Tammy Harper:

There's so much happening right now, and it could really feel intimidating to get started in learning like threat intelligence or specifically like ransomware. But the way I treat it is really learning about the lore. It's no different than like studying the lore of Lord of the Rings or Dungeons and Dragons or like Pokemon or whatever. It's very, very like the or even like learning the statistics of sports teams. If you have a passion for it, you can learn anything. Definitely, you need a passion for this. If it's this is not your thing, there's no point in going into it. Threat intelligence is not necessarily like an entry-level position, it is definitely something that um requires uh you to have various different skills. You need to understand a little bit of coding, you need to understand a little bit about network security, a little bit about psychology, a little bit about a lot of different things. It's definitely a role that you work your way into.

Gert-Jan Bruggink:

People have to tell that story correctly. If you can explain why you're ingesting all that stuff and what you're doing with it, what kind of decisions you're actually driving, what kind of impact you're making, then the story basically writes itself. The success writes itself. And yeah. And maybe one final thing to add on that. I I also think that there is a bit of a nuance that teams need to be very big to be successful. Um, and um so so when I did the presentation of CTI CMM version 1.2 at first in uh what was it earlier this year? The interesting bit is that some of the the uh maturity is not uh the the the the bar of the ladder, right? It is actually you know either is it that or it is it how happy you can make your stakeholders or how how much impact you make. But actually it is a the the values in the eye of the beholder, right? So and I think these are some of the also you know some of the specific things that we try to tackle with this initiative. Um, but there's actually some you know fundamental things happening in the industry which we cannot tackle alone, and we need everyone to do so.

Sarah Freeman:

But the onus fell on the utility, and now we're starting to say there's more parties that are responsible within this ecosystem for ensuring the technology is secure. And how do we bring people together in a way that again is effective and efficient to make sure that we're making the best technology and we're deploying it in the best way?

Kees Pouw:

Two kind of different approaches you can take, right? So, more in the line that I suggested and that I frankly like more is to expand an existing capability. So it would start with your Security Operations Center team and expand those functionalities into attack surface management, as I said, the threat feeds, and grow from there, right? I think that that's a kind of organic growth, or you could just go to the market and acquire a cyber intelligence team, right? You just say, okay, I'm gonna get somebody who has the experience on this, and then bring a person, and then they start building a team that's highly specialized. So it's a question of a budget. Very rarely in my career I was told, okay, oh, now you have a couple million dollars to start this program, but it does happen, right? If that's the case, that's kind of a different approach where you can then build the program with that intent of building a sophisticated cyber threat intelligence as opposed to growing what you have.

Jason Chan:

And we did the same thing, I would say, with not just CTI, but, you know, to use as an example, you think about, okay, if you want to create, you know, a program to allow you to better understand your adversary, like a CTI program, what do you decide to do yourself? What do you decide to outsource or use a vendor for? And, you know, frankly, even above and beyond all that, what are you going to decide to do versus not do? Because I always, you know, I've said many times, it's really about what you're not going to do, right? Because if you had unlimited time and resources, you just, yeah, sure, do it all. But nobody has the time or resources to do all that. So you have to be really strategic about saying, look, these are the things we're going to focus on. We're going to maybe lean on a vendor to do some of these other things. And then these other things we're just going to be, you know, we're not saying they're not important, but as of right now, we're not going to do those. So, you know, we really worked in a way of, you know, kind of going back to the beginning when I was talking about storytelling and kind of, you know, what are the big buckets of adversary groups? We really focus there to be like, hey, who are the, you know, what are the, and this is kind of more from a quantitative perspective, is like what are the threat scenarios that we're most worried about that we think can have the biggest impact. And then you sort of match up, okay, well, what are the adversary groups that could actually enact those threat scenarios? And that's really where you'd want to focus. And, you know, again for us, it's like, when you think about how can things really go wrong for a large-scale internet service, there's really kind of two main things that can go wrong, right? One is your service cannot be available, right? And like somehow, whether it's DDoS or any other reason that your service goes down and paying users can't use it. And then you can, you know, you can lose data, right? You have some kind of data breach or things like that. So, really, for most large-scale consumer internet services, those are the two main things you're trying to protect. So that's really where we began with focusing our Threat Intel program, around how do we make sure that we are investing to preserve those two primary functions, those, you know, whether it's keeping the service available, protecting customer data, and then kind of work out from there to your adversaries and things like that.

Pedro Kertzman:

So I wanted to show you this particular topic; I wanted to put them together so you can see how many of the problems that we have from a tradecraft standpoint are very similar. But also, if you look back to some of the episodes, I could highlight many other commonalities we have across CTI practitioners and within our industry. Another, let's say, myth that we have is that CTI is only for folks coming from the military, from a military background. Yes, we do have that, and it does help a lot, but that's by far not a prerequisite. If you remember, Mary, Stryker, and other guests had different backgrounds, from marketing or even from the military, but not from a cyber standpoint. You have to work your way up to CTI. That's the main thing. If you really love the topic, you have to study for it, and then you're gonna have some chances to really join the industry. And with that, I would like to thank you for listening in, but also would like to thank every single guest who brought their experiences, their journey, their knowledge to the show. I hope you enjoyed season one, and I'll see you in March for season two. Thank you.