Cyber Threat Intelligence Podcast

From Shiny PDFs To Decisions In CTI - Season 2 - Episode 5 (Joshua Copeland & Pedro Kertzman)

Pedro Kertzman Season 2 Episode 5

Most organizations say they “do CTI,” but what they really have is a pile of threat feeds, glossy reports, and alerts nobody trusts. We sit down with Joshua Copeland, cybersecurity executive, board advisor, and creator of the Unpopular Opinion series, to get brutally practical about what cyber threat intelligence should be: decision support that changes behavior inside a real security program.

We talk through what it looks like to operationalize threat intelligence in security operations and threat hunting, including a trap that catches even mature teams: tuning everything around a baseline that might include attacker behavior. If a threat actor moves low and slow, “normal” network traffic can quietly become the attack. Joshua shares how strong CTI teams use frameworks like MITRE ATT&CK to turn a single piece of intel into targeted hunts, better detections, and smarter prioritization instead of endless IOC matching that breaks the moment infrastructure changes.

The conversation also goes upstream into hiring and leadership. We dig into why certifications and degrees can’t substitute for critical thinking, how to interview with open ended scenarios that reveal real judgment, and how state level fusion centers can help public sector teams share actionable guidance. We also unpack why ransomware hits schools and why student data can be the real prize, then shift to the business case: translating CTI into risk reduction, downtime avoidance, insurance impact, and clear ROI.

We close with a grounded take on AI in cybersecurity: it can add speed, but only with tight guardrails, source checking, and humans staying accountable. If you found this valuable, subscribe, share the episode with your team, and leave a review so more practitioners can find it.
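The baseline trap the notes describe is easy to see in numbers. What follows is an added, constructed illustration, not code or data from the episode or its guest: one host's daily outbound volume for 30 days, clean for the first two weeks, then carrying an exfiltration that grows by a few megabytes a day from day 14 on. A rolling seven-day z-score, the shape of most SIEM anomaly rules, never fires, because after a week the exfiltration is the window it is being compared against. Scoring the same days against a reference period that was positively verified clean, or running a one-sided CUSUM against that reference, does fire. All values are constructed; the thresholds (3 sigma for the z-scores, CUSUM slack k = 0.5 sigma and limit h = 4 sigma) are ordinary textbook choices, not anything the episode specifies.

```python
"""Constructed illustration of the "contaminated baseline" trap.

Daily outbound volume (MB) for one host over 30 days. Days 0-13 are clean;
from day 14 an attacker exfiltrates a slowly growing amount every day
(3 MB more than the day before). All numbers are constructed, not taken
from any real network.
"""
from math import sqrt

# Constructed weekly egress pattern for a clean host (MB/day): mean 100, pstdev 10.
BASE_CYCLE = [100, 110, 90, 105, 95, 115, 85]
EXFIL_START = 14  # first day the low-and-slow exfiltration is present
EGRESS_MB = [
    BASE_CYCLE[d % 7] + (3 * (d - EXFIL_START + 1) if d >= EXFIL_START else 0)
    for d in range(30)
]


def _mean_pstdev(values):
    """Population mean and standard deviation of a list of numbers."""
    n = len(values)
    mean = sum(values) / n
    var = sum((v - mean) ** 2 for v in values) / n
    return mean, sqrt(var)


def rolling_zscore_alerts(series, window=7, threshold=3.0):
    """Re-estimate 'normal' every day from the previous `window` days.

    This is what a typical anomaly rule does. Once the exfiltration has run
    for a week it *is* the window, so the z-score never gets large.
    Returns the list of day indices that would have alerted.
    """
    alerts = []
    for d in range(window, len(series)):
        mean, sd = _mean_pstdev(series[d - window:d])
        if sd > 0 and (series[d] - mean) / sd > threshold:
            alerts.append(d)
    return alerts


def frozen_reference_alerts(series, clean_days, threshold=3.0):
    """Score every later day against a reference period you have positively
    verified as clean, instead of against whatever happened last week."""
    mean, sd = _mean_pstdev(series[:clean_days])
    return [d for d in range(clean_days, len(series))
            if (series[d] - mean) / sd > threshold]


def cusum_first_alarm(series, clean_days, k_sigma=0.5, h_sigma=4.0):
    """One-sided CUSUM against the frozen reference.

    Accumulates small daily excess instead of judging each day on its own,
    which is what a slow, ramping exfiltration defeats in per-day rules.
    Returns the first day the statistic exceeds h, or None.
    """
    mean, sd = _mean_pstdev(series[:clean_days])
    k, h, s = k_sigma * sd, h_sigma * sd, 0.0
    for d in range(clean_days, len(series)):
        s = max(0.0, s + (series[d] - mean - k))
        if s > h:
            return d
    return None


def excess_since_reference(series, clean_days):
    """Total MB above the reference mean since the reference period ended:
    the figure a hunter brings to the incident call."""
    mean, _ = _mean_pstdev(series[:clean_days])
    return sum(v - mean for v in series[clean_days:])


if __name__ == "__main__":
    print("rolling 7-day z-score alerts:", rolling_zscore_alerts(EGRESS_MB))
    print("frozen-reference z-score alerts:",
          frozen_reference_alerts(EGRESS_MB, EXFIL_START))
    print("CUSUM first alarm day:", cusum_first_alarm(EGRESS_MB, EXFIL_START))
    print("MB leaked above reference:",
          excess_since_reference(EGRESS_MB, EXFIL_START))
```

The point is not that CUSUM is the right detector; it is that every detector inherits the assumptions of its reference period. If "normal" was estimated from traffic the adversary was already part of, the rule is tuned to ignore them. A hunt re-derives the reference from first principles (which hosts should be talking to which destinations, and how much) rather than from what has merely been observed for a long time.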

Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure!

Welcome And Guest Introduction

Joshua Copeland

Just because you've seen this thing for a long time and it regularly occurs does not mean that that is what should be happening.

Rachael Tyrell

Hello and welcome to episode five, season two of your Cyber Threat Intelligence Podcast. Whether you're a seasoned CTI expert, a cybersecurity professional, or simply curious about the digital battlefield, our expert guests and hosts will break down complex topics into actionable insight. On this episode of season two, our host Pedro Kertzman will chat with Joshua Copeland, Cybersecurity Executive, CISO, Board Advisor, and Graduate Professor at Tulane University, with over 25 years of experience across federal, state, and private sectors, including a 22-year Air Force and State Guard career. Joshua is the creator of the viral LinkedIn series Unpopular Opinion and author of the book Unpopular Opinion: Burning Down the Bullshit to Rebuild Cybersecurity, a manifesto challenging certification theater, fear-based marketing, and broken security culture. Over to you, Pedro.

Pedro Kertzman

Joshua, thank you so much for coming to the show. I'm really happy to have you here.

Why Most CTI Becomes Useless

Joshua Copeland

I'm happy to be here.

Pedro Kertzman

If we can start straight up on the Unpopular Opinion brand, what about when it comes to CTI? Any particular unpopular opinions that you would call out on the CTI side?

Joshua Copeland

Yeah, I've found across the industry that CTI is a lot of shiny PDFs and not a lot of actual intelligence. We say that we do CTI, we go out and buy all this vendor stuff, pump it in, and literally do nothing with it. So we say we have it, or say that we're doing threat intelligence, but we're actually just buying information that we don't do anything with. And if it's not something that you actually make an action or a decision point on, or that changes the way that you function in your organization, it's not really CTI, it's just information, and information on its own is useless.

Pedro Kertzman

That's great. I agree. I wish it was that simple. It doesn't work that way, right? On the other hand, have you seen people understanding similar things, that it's not only a tool issue, or not just buying reports or feeds? Actually companies, organizations, the public sector operationalizing CTI. Have you seen any move in that direction?

Baselines, Threat Hunting, And Low Slow Attacks

Joshua Copeland

I've seen some companies do really, really well at looking at their threat space, particularly ones that are active in their industry ISAC, whether it's auto, water, the Multi-State ISAC, financial services, where they're truly looking at what is happening in their field, what's happening to their near peers, and making decisions based off of that. So I know some folks in the auto industry, and when the big Jaguar attack happened a few months ago, they actually took a really hard look at what threat intelligence they had, what they had in their environment, and did the one thing I think is truly critical when you talk about CTI. A lot of times we tune everything for what's normal in our environment. And what's normal in your environment is not necessarily what's good in your environment. Just because you've seen this thing for a long time and it regularly occurs does not mean that that is what should be happening. That could absolutely be a threat actor who's doing super low and slow data exfiltration, and it's just been happening for so long that now it's part of your baseline. And what I've seen in this particular auto industry case was that folks were going back and taking a harder look at that stuff and doing real threat hunting based off of the threat intelligence, rather than just creating a new alert and calling it good. But the alert doesn't do anything, because it's already part of the accepted baseline, and when folks really take hard looks at what they're doing, that's when you see the most gain.

Pedro Kertzman

You mentioned something about threat hunting and understanding better what's in your environment that shouldn't necessarily be there. That brings me back to skills, and a better understanding of the technology you're using, triaging alerts, and all that. Do you think that that shift in how to hire, I think that's the best way to put it, also applies when it comes to CTI? Is it more complicated, or even worse, because of the skills needed in CTI, or is everybody in the same boat when it comes to cybersecurity?

Hiring For Critical Thinking Over Certs

Joshua Copeland

Yeah, I think particularly in hiring, having folks who truly understand what the right skill set is for somebody who's actually doing threat hunting and using CTI and building detections around that is often not where it needs to be to do effective hiring, which leads a lot to leaning on things like certifications and, you know, you got this college degree that says that you should know how to do this. And really, this is one of those skills where you truly have to think like a bad actor and be able to figure out: I have this piece of information. Where can I go in the MITRE ATT&CK framework, or where can I go in the MITRE D3FEND framework, and go, where can I use this information to find out if this is occurring? Can I take this piece of data and tie it back to initial entry, or can I tie it back to lateral movement? And how do I figure out how to use the information that I'm getting, not just put a general alert in your SIEM and say, oh, here's an IP address that's been used by Salt Typhoon, give me an alert every time this goes off. That's great, but really you're only getting as much information as you know that threat actor is still using that IP address. And they're smart, they recycle IP addresses all the time. There are tons of services that allow them to get a massive number of IPs cycled through in a relatively short period of time. And then it goes back to how long do I keep that IP in my threat detections, because they are going to recycle it, and at what point does that become something that blocks my business? So it really is one of those things: you have to be someone who is constantly in the data, constantly looking at your network, and really truly understanding how data flows in your network and what data you're supposed to have flowing in your network, to be able to spot that weird oddity that might be just a little bit not normal.

Not a huge spike, not the 30 seconds before the ransomware kicks off and you start seeing all the stuff flow out for exfil. You want to be able to find that when they're getting in and when they're lateraling, before they pull the trigger and the bad thing really happens, and that requires you to understand what's normal, why is it normal, how is it normal, and even if it is normal, should it even be there? And tying that all back. So, from a hiring perspective, that's a lot to understand from a resume or a certification. That's one of those things where you have to have a really serious conversation and understand how that person's mind thinks, and if they're even able to do that with the tooling that you have. You can have someone who's really, really great when they have all the bells and whistles and all the tools, and that's great, but are they going to be good with your tool stack? How quickly can you get them skilled up on the tool stack that you have or the threat intelligence that you have? Coming from my background in DoD, where we had tons and tons of really good threat intelligence, and then going into doing state government work, where there's very little threat intelligence, they don't have budget to go out and get a Recorded Future or an Anomali. You're pulling down stuff that you can find that's open source, you're pulling stuff from MS-ISAC if you're lucky enough to have that, because now it's a subscription model. And figuring out how I can use this, and am I really even a target? Is doing a threat detection for this worth it? Like, if you're, we'll say, in the manufacturing industry and there's a threat actor that's targeting water treatment centers, yes, that's valid threat intelligence, but is that something that I really should be spending time on? And the case is probably not.

You're not their, we'll use the marketing term, ICP, their ideal customer profile. Yes, you could put that in there, but it's not really going to be something that affects your organization.

Pedro Kertzman

Do you think we could classify that as a piece of critical thinking? And then how do we translate that into a resume, right, during the interview process, if we don't have the right folks' understanding? First, if you agree with the critical thinking part, how can they interview for that? How can they make sure that the candidates can connect all these dots, see the bigger picture, your water treatment facility example? It's noise, right? If you're not in that industry, you have to filter through that noise and understand what really makes sense to your particular customer profile, as you mentioned. Right? Do you think that's maybe the missing piece in this whole hiring process?

Joshua Copeland

I think it's really asking the right kind of questions during an interview to get that critical thinking mindset out. Unfortunately, a lot of folks ask very, I'll call them black and white, binary type questions, where it's a yes or no type answer, or there's a definitive right answer. And that's good for a certification exam, where there has to be a right answer, but in CTI rarely is there a right answer; there are multiple right answers. So I like to ask questions like: we've gotten this piece of threat intelligence from this source. What do you do with that? Here's the tool stack that we have. Walk me through what your process is. And that allows them to really explore their critical thinking in real time, in a way that is actually linked back to what they would be doing in your organization. So if you have an Elasticsearch back end and you have all these other cool tools, you have some IDS stuff, you have some firewalls, let them walk through it. All right, I'm going to look at this and go, one, is this something that's applicable to my industry or not? Is this threat actually something that's even in my tech stack? It's a threat vector that is targeted at Palo Alto, and we're a pure Fortinet shop. Why would I even waste time on that? Because I have other things that I could be doing that are actually targeting my tech stack, that are actually targeting my organization. So asking those really open-ended questions, where it allows them to fully explore the topic, is where you're going to see a lot of return on investment in your interviewing.

State Fusion Centers, Public Sector CTI, And Why Schools Get Hit By Ransomware

Pedro Kertzman

You were talking about the state part, right, working on that side. You are in a very cool type of role now in the Louisiana State Guard Cyber Reserve, which is very interesting. Any intelligence or CTI part that you could mention, how states are using CTI for their benefit, of course only the public-related information?

Joshua Copeland

Yeah, there are a lot of states, Louisiana is one, that have an intelligence fusion center, where it actually combines intelligence, law enforcement, and the local military department to put all the right people together in the right place, so that when this stuff comes in, they can figure out how best to accurately use it. All right, this is something that's coming in and it's affecting our water treatment systems. Let's send a notice out to all the municipal water treatment centers and give them that information and give them support, saying, here's this thing, here's how you might actually implement this piece of information in your environment. If it's something that comes in and it's tied directly to education: schools are a big ransomware target right now, and not for the reason that a lot of people think. A lot of people think they target schools just because there are a lot of people in schools and it generates a lot of buzz, but it's not truly about the ransom, it's truly about exfiltrating data on minor students, because they're minors with clean credit histories with Social Security numbers, and they're not going to know that you're using their credit for anywhere from two to ten years down the road. And by the time they catch it, it's already too late. So that's the real value when they're hitting all these schools for ransomware. It's kind of like the two-for-one deal. We're going to get you and try to get you to pay a ransom, but we're also going to take this data and then sell those identities, because they're super clean identities that aren't going to get caught. I'm 46. I'm going to know when someone's using my identity; it's going to show up on my credit report pretty quickly. I'm going to realize that because I monitor my credit. Is an eight-year-old monitoring their credit? No, they're not going to think about their credit until they're probably 25.

That's a lot of years to exploit that. So that's thinking about why people are doing the things that they're doing. Yeah, ransomware is quick money if the people pay, but that's really where the gotcha is. Take the same thing with medical centers; medical centers have not been super great at doing things like backup and recovery. They're going to pay the ransom so they can get their medical records back. It's the same attack, but for very, very different reasons. And understanding what those reasons are can help you understand what threat intelligence is really applicable to you. I'm not going to worry about a medical ransomware group coming after a school. Yes, I'm worried about ransomware, but the reason behind it, what those threat actors are doing, are vastly different kinds of scenarios. So understanding that just because you have the same concern, you have the same concern for different reasons, and that means that there are different actors going after you for those reasons.

Selling CTI Value With Risk And ROI

Pedro Kertzman

So the fusion center, I think it's very interesting, kind of serves every public entity related to the state. And if I can take a wild guess, you probably have to work to sell the value of an initiative like this to the school boards or the infrastructure-related units, and so on and so forth, beforehand. So you're not in the middle of an attack or anything like that and then having to convince folks why this matters. You do this to speed up the center itself, right? So that's very good. I think one of the struggles is people understanding the value of doing proper security, having threat intelligence in place to detect things hopefully before they happen, and not when something is ongoing. About the value part, what have you seen that can maybe help folks listening to the podcast? Like, what's the best way or best route to sell the value of, for example, threat intelligence or a fusion center upstream? How do they convince people of the importance of that type of initiative?

Joshua Copeland

Well, one of the things is you don't want to be the next headline, and really coming down to that perspective is how do we limit risk? It always comes back to speaking in dollars and cents and risk, because those are languages that the business people, or the administrative folks if you're on the government side, understand. They understand risk, they understand money. So, yes, I'm going to potentially pay money for this, whether it's through hiring somebody to do CTI or pulling in a feed and hiring the person to understand that piece. But it's also coming back and saying, if we're doing this, this is where we're protecting ourselves. We're reducing the cost of our cyber insurance because we have an actual CTI program in place. We're now supporting our total industry because we're giving information back to our ISAC, and we're also getting information from our peers in the ISAC. So it's possible that we can avert a breach before it happens because we have that. And quantifying: how much is a breach going to cost us? How much is a ransomware attack that takes us down for two days, or in the case of Jaguar, like two months? How does that affect the organization? Is the hundred thousand dollars that we pay between people and CTI feeds to do that worth the return on investment of not being shut down for two months? How does that affect our company's bottom line and how we do business? And when you start framing things like that, you start seeing better return on investment. Same thing in state and local government, where you have folks who are historically understaffed, under-resourced, and not highly skilled across all these areas because they're doing three different jobs. A small municipality might have three people running their entire IT department for the city, the parish, the county, whatever the case may be. There's only so much they can do.

And by leveraging things like fusion centers, you're able to get great data coming in that they can actually plug directly into their tools, rather than them having to spend time doing all the things that it takes to do threat intelligence, which is a full-time-plus job as it is, if you don't have a huge team to do it. And to be fair, most organizations don't have a full team doing it. Typically, if they have anybody, it's one person, and you're lucky if they're doing that full time and not doing it in addition to one or two other roles. So anything you can do that can make their job easier, faster, is going to be an advantage to your organization.

Translating Security Work Into Business Language

Pedro Kertzman

You touched on a very good point, the dollar figure, or translating things into a more business type of information for decision makers, the way decision makers can understand that information, and it's usually risk, dollar figures. Going back to the hiring difficulty and hiring process we were talking about before: have you seen people, or CTI teams or CTI analysts, being able to connect all these dots, all the way from threats, threat actors, indicators, IOCs, you name it, risk of ransomware, to a real business type of conversation? Are we getting there? Should we get there? Anything on that side?

Joshua Copeland

Should we get there? Yes. Are we there? I would argue that for the vast majority of folks, we're not quite there yet. They're very, very good at understanding the threat kill chain of how the attacks happen, where the CTI falls in. But, and this is not specific to CTI either, it's specific to cybersecurity as a whole, we've not been really great at explaining what we do for the business and how we generate results for the business, and that's something that we have to spend a lot of time upskilling ourselves on, because it's unreasonable to expect the MBA from Wharton to learn cybersecurity. That's not going to happen. We need to talk in the language that they understand, which means we need to be able to tie it back: these are the things I'm doing, and this is how it affects the business in ways that affect revenue, increase revenue, decrease revenue, or put us in a position where we could be sued, which in turn goes back to revenue. On the government side, it's all about your organization's mission and protecting your constituents. It's the same thing, just switching it from pure dollars and cents into protecting citizens. So with that, the onus is really on us to learn how to speak better to the business. I can have a really fantastic CTI analyst who's doing great things, but if I can't tell the business, here's what they're doing, here are the things that we found, here's how having this position with this money spent has helped protect the business, I'm not doing my job as a leader, and I'm doing a disservice to my CTI folks, because they're not getting the credit they deserve. Ultimately, a lot of times in cybersecurity as a whole, we do a lot of really great stuff, and we do a poor job of explaining all the things that we're doing and how that either aids the business or causes the business to accelerate faster.

And when we start doing that, you start getting better buy-in from folks.

AI In Cybersecurity With Humans Accountable

Pedro Kertzman

I'm debating whether we should go down this path, but I think it's important, there's so much buzz nowadays. What about AI and cybersecurity? And even, if you want, go down to CTI. How do you see the whole thing, the insane speed at which we see AI moving these days? How do you see this within the industry now, and how could AI help shape the cybersecurity industry down the line as well?

Joshua Copeland

AI is one of those things, it's like any other tool. If you use it well, you're going to see great results. If you are very slapdash and just start putting things in just because you want to say that you're using this tool, you're going to get slapdash results. And I can use the CTI analogy, where if I just start pulling in feeds and alerting on everything, yes, I can say I'm doing CTI, but I'm not getting anything that's valuable out of it. I'm getting hundreds and hundreds of false alerts that have nothing to do with my business or what's going on in my network. AI is the same way. You can use AI in a way that gives you lots and lots of churn and lots of information, but is it usable and actionable? I'm a big proponent that AI should be very tailored and very specific to what you're doing. And the smaller you can make it, the better results you're going to get. AI is all about the ability to do prompt engineering in a way that makes sense. So, using your AI: this is who you are, this is what your experience is, here are your left and right guardrails, here are the things that you're allowed to do. Cite your sources, go back and check your sources after you've cited them. And using that for CTI is going to be one of those things that helps you do that at speed, but you still need the human in the loop to verify: does this make sense? Because ultimately, AI doesn't go to jail for you, it doesn't testify in court for you; a human's always going to be held accountable. So you want to make sure the human's in the loop at multiple places in that loop to make sure that the AI is doing the thing that you need it to do. If I want AI to go pull feeds, I want to make sure it's pulling the right feeds for my organization, and that it's not hallucinating feeds and giving me a thing that it made up because I told it I need a CTI feed on this particular thing.

And it goes, well, I couldn't find anything, so here's some gibberish. And now I have alerts firing all over my environment, and it's not provided any value; it's in fact been a detriment to my organization. So it's all about how you're going to use AI and how quickly you can refine that in a way that allows you to free humans to do really important things and let AI do the things that are boring and that we don't want to do anyway.

Learning Sources, Book Pick, And Closing

Pedro Kertzman

You mentioned probably one of my favorite takes when it comes to AI. For me, at least at the point we're at, it's all about speed, right? So basically it's something you know how to do, but then you're just going to do it faster. Joshua, learning sources for our industry. Even though I still love books, it's not necessarily the fastest way you can get information. Any other non-traditional information sources you like using, podcasts or blogs or any other type of information you recommend for folks?

Joshua Copeland

I'm a big proponent of reading as much as you can from any source that you can get. There are tons and tons of reliable news websites out there that are targeted around this. Dark Reading is great. I'm a proponent of going in and looking at the tailored CTI-related threads on Reddit, because you have a lot of folks who are putting great stuff out there. Twitter, or X, whatever name you want to call it, used to be a really, really good spot for that. It's less so now. There are some other things. Mastodon has tried to replace that; there are some good feeds from that perspective. Just connecting with your peers: find a peer group and have those conversations. If they find something, they're going to share it with you. And having that human connection allows you to get some stuff that you wouldn't be able to find on your own.

Pedro Kertzman

That's a great point. Yeah. And back to books. Let's say you had to pick one book, or two books, with your book on the list, but if you had to pick another book, take your time.

Joshua Copeland

For someone who's trying to get into cybersecurity and CTI, I would do the book by Nadean Tanner, the Cybersecurity Blue Team Toolkit. It's fantastic; it's a great introduction, using some widely available open source tools, on how to do cybersecurity from ground zero up to that entry-level position.

Pedro Kertzman

That's great advice. Thank you. I'll make sure I put that in the description of the episode as well. And any final thoughts for the listeners?

Joshua Copeland

Yeah, um, CTI is one of those things that it's great if you have it, but it's better if you know how to use it.

Pedro Kertzman

That's a very good one. I'll take that one. Joshua, thank you so much for coming to the show. I really appreciate all the insights, and I hope I'll see you around. Thank you.

Joshua Copeland

Thank you so much.

Rachael Tyrell

And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure.