Cyber Threat Intelligence Podcast

Building Cyber Threat Intelligence In Government (Liam Ryan & Pedro Kertzman)

Pedro Kertzman Season 2 Episode 9


Your CTI program can publish reports all day and still fail one basic test: does it change what anyone does next? That question drives our conversation with Liam, a cyber threat intelligence analyst supporting the Government of Alberta and the Cyber Alberta community, where “relevance” is not theoretical, it is local, proximate, and tied to real incidents across the province.

We get specific about what it takes to build and mature a public sector cyber threat intelligence function from the early days: governance, executive support, a clear mandate, and intelligence requirements that stop CTI from becoming an overloaded side task. Liam shares the reality of serving both internal stakeholders and a community of more than a thousand organizations, including the hard part: creating two-way collaboration when most threat intelligence distribution methods are naturally one-way.

We also dig into the maturity roadmap that makes progress repeatable: start with a strong foundation, earn targeted investment in tooling and training, then automate and improve iteratively. Along the way we talk hackathons as a way to protect deep work, KPIs that actually reflect value, and why “actionability” is the real definition of intelligence. Finally, we hit the OSINT tipping point and why intrusion analysis using your own telemetry often becomes the highest-relevance intelligence you can produce.

Subscribe, share the episode with a CTI teammate, and leave a review so more analysts can find the show.


Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure!

Welcome And Guest Introduction

Liam Ryan

And so we can provide higher relevance information to each other and we kind of help each other that way.

Rachael Tyrell

Hello and welcome to episode 9, season two of your cyber threat intelligence podcast. Welcome to your season CTI expert, cybersecurity professional, curious about the digital battlefield, expert yes, and hostile complex effects and actionable insight on this episode of season two. To intelligence living analysis, weapon, and stakeholder collaboration. Over to you, Pedro.

Pedro Kertzman

Liam, thank you so much for coming to the show. I really appreciate your sharing your knowledge with us today.

Liam Ryan

I appreciate it, Pedro. I'm glad to be here. Like I had said to you, uh, you know, kind of previously in our chats, any chance to get on the CTI soapbox and talk anything CTI, I enjoy.

Cyber Alberta And Proximity-Based Threats

Liam Ryan

Awesome.

Pedro Kertzman

So I did some digging before coming here today. And apparently the Government of Alberta, through Cyber Alberta, is one of the most active publicly funded cybersecurity communities in North America. So I thought it would be interesting just to bring context to everybody that is not, like, super familiar with the Cyber Alberta community. So there are, like, a lot of online meetings and all that for the local community in Alberta. And what about your role in the Government of Alberta and the Cyber Alberta community? Would you mind bringing a little bit about that as well, please?

Liam Ryan

Yeah, sure thing. So um I didn't know that stat, but that sounds about right. Cyber Alberta is very active in, well, Alberta specifically. My role in that is I'm a cyber threat intelligence analyst for the Government of Alberta and Cyber Alberta. So I kind of ride the line between uh the internal cybersecurity division and the Cyber Alberta community of interest, which consists of members of the Alberta public, both private and public organizations. We use the telemetry we have from the GOA to provide ideally highly proximal information on threats to Cyber Alberta members, and then we'll also take information from Cyber Alberta and use that to look in our environment. So it's kind of mutually beneficial.

Pedro Kertzman

And you were with the team since the beginning, right? How was the experience of helping build that CTI practice from the beginning? Any, like, interesting points, especially when it comes to this, let's say, dual, very particular role within the government: having the internal, quote unquote, customers, but also the extended external customers that you were mentioning?

Building A CTI Practice From Scratch

Liam Ryan

Yeah, it's an interesting point you bring up regarding building the team. I was there relatively from the start. Uh, my understanding is that the CTI Cyber Alberta function was there about six months or so before I started, six months to a year. And so when I joined, they were still very new. Um, CTI had kind of been added as an ancillary function to another team, which makes, like, CTI as an ancillary function is kind of tricky. It's its own specialty. Uh, so there was kind of difficulty navigating that initially. The other problem with, you know, me trying to help mature and build the CTI program, which is really why I joined, is I like building things, and the idea of building a CTI program was really cool, is that I didn't come in with CTI experience. I didn't actually have a lot of CTI background, so it was a lot of fumbling around, trying to figure things out, um, and so on. And then eventually actually I took uh the GCTI course, or SANS FOR578. Yeah. And John Doyle was actually my instructor on that, who I know you've had on the podcast previously. He was really cool, he was really helpful. He sent me a bunch of uh extra material to kind of get myself up to speed quicker so I could be effective in building a CTI program. I read everything he sent me, just read everything I could get my hands on, really, and then just started kind of doing the work, you know, ensuring we're aligned with the goals of the organization. So it always starts with governance. Is there executive support for a CTI team? And then uh what does that look like? What's your actual mandate? What does the organization need from you? Do you have a collection-only mandate? Do you have a generation mandate or some combination? Turns out we had some combination, which means we needed to improve our intrusion analysis capabilities, and we had to do a bunch of stuff to get our foundation set up. The other piece to the question there you had was kind of that dynamic of, you know, we're in the cybersecurity division for the Government of Alberta, and we're also helping the public and kind of how that works there.

Pedro Kertzman

Yep.

Liam Ryan

You know, as I had mentioned earlier, it's mutually beneficial, it's probably our strongest feat as well. You know, thinking about things that increase the level of threat to you, proximity is one of those indicators you look for. So organizations in Alberta are proximate to the Government of Alberta, and the Government of Alberta is proximate to them. And so the threats that we're kind of discovering tend to be higher relevance to each other, and so we can provide higher relevance information to each other and we kind of help each other that way. Now it gets tricky with something like Cyber Alberta as well, because one of the things in the intelligence life cycle is that feedback mechanism. You know, it can be difficult to get feedback from external parties who don't necessarily have to provide it, right? Like you do internally. Yep. So there's a lot of guessing and testing as to whether or not we're uh providing, you know, highly relevant material to them. So to get around that, you know, we'll do things like surveys, but again, they're proximate, and that's something we're always trying to improve: the relevance of the material we provide to uh both internal partners and then uh just partners in the province.

Sharing With 1,200 Members At Scale

Pedro Kertzman

Got it. So one of the, I would say, challenges within bigger government bodies is providing the information downstream to smaller, you know, IT organizations and companies, so on and so forth. A lot of the methodologies or systems we have to feed threat intelligence, they're like one-way streams. When I think about uh TAXII servers, feeds and things like that, or you name it, emails, reports and stuff like that. It's like one-way communication, right? Have you had any experience in, like, uh trying to tackle this challenge in any way to become more of a collaborative uh type of bi-directional approach with external, let's say, members of the community? Any lessons learned or trials around that?

Liam Ryan

It's tricky. So we want to offer as much help as possible to these organizations. Uh, but when you take a team of, when I started, it was me and one other analyst, and now we're up to four analysts. But even that, you take that and you expand that to over 1200 members. There's only so much you can do. Uh but we do try to do what we can. Uh, we did implement a report an incident functionality similar to what the Canadian Centre for Cyber Security had developed. And so in the past, we've had people from the uh community of interest report, like, a ransomware incident, for example. Um, and so we've gotten on calls with them and directly supported them or directed them to people who could help them better. Um, but that's the primary function we're using right now, is basically email and then this report an incident button. Um we are spinning up uh a MISP instance and other tools like that to kind of facilitate, you know, better, more CTI sharing. But uh back to the point about, you know, this kind of downstream sharing with the public. Not everyone in the public has the same capabilities, is going to have a MISP instance. So you kind of have to keep it uh dynamic. Uh you know, you want those more advanced capabilities as well, but you gotta be able to support, you know, your mom and pop shops, which we have some of in the COI. You'll have cybersecurity teams that are just one guy, for example. Oh, yeah. So yeah, uh there's a balance in it, depends on who your target audience is, I guess. In our case, it's a bit of everyone.

Three Phases Of CTI Maturity

Pedro Kertzman

Expanding a little bit more on the process of maturing the CTI program.

Liam Ryan

Yeah, sure thing. It started with, like, um again, like I mentioned, governance, making sure that there was a requirement for a CTI function and what that looked like. Uh, and then it was a matter of just deeper analysis and developing a strategy for doing that. So the strategy we employed consisted of three phases basically, taking us back to our building blocks. So it's more or less sequential in the way you want to execute it. The first phase is all about putting the cart back before the horse, or the horse back before the cart. Always get that mixed up, but, you know, making sure we have a solid foundation before we do anything else. So that's alignment to the organization again, the governance piece, intelligence requirements, seeing if you have the capabilities required, do you have the training required, as well as whether your team is capable of delivering on what you need to deliver on. Second phase uh was, once you have that, it's uh targeted investment. So we were doing pretty well for ourselves, uh kind of operating in a bit of an ad hoc state, where I think a lot of CTI analysts enjoy using open source tools and kind of using whatever they can get their hands on to get the job done.

Pedro Kertzman

Yeah.

Liam Ryan

That was doing all right, and we were getting by with that, but it's not sustainable long term. So once you have your foundation, you've demonstrated there's value there. Uh it was, you know, getting a business plan to get the appropriate tools in place and the appropriate training for staff as well. And then the third phase, once you kind of have that going, uh, it's automation. Uh it's just improving how you're doing things, improving your process over time iteratively. Uh, this resulted in the development of a kind of project plan slash strategy for maturing the team. Uh, there's four basic elements to that. So typical what and when. So what do you need and when do you need it by, but additionally included components on how to deliver those pieces and uh how you're going to measure the success of those pieces you want to deliver on as well. So, for example, um the how piece. These were typically larger, longer-term strategic items that would take a while to implement. And I'm sure a lot of people listening, especially if they're CTI analysts, can relate to the never-ending flood of things that come down the pipeline. And it makes it really hard to get into the flow state on a task and actually get it done, especially if it's larger. Long-term strategic items can take forever. So we decided hackathons were a good idea. We'd basically take an analyst and assign them to one of these tasks for a week straight, and they'd be effectively operationally removed from everything else. So it helped us make big dents in big items.

Pedro Kertzman

That's cool.

Hackathons, KPIs, And Training Targets

Liam Ryan

And then measurement as well. So uh you're trying to mature your CTI team. You're investing a lot of time to do that in various tasks. Uh, you want to be able to measure that those are having the effect you think they're having. So developing effective KPIs and metrics for, you know, not only measuring that we're functioning as we're supposed to as a CTI team, but, like, when we make an automation, for example, it actually improves our delivery times. And so some examples there. Again, I got a lot of this from, again, shout out to John Doyle. Uh, took FOR578 from him. Yeah, he's great. But they talk about KPIs and metrics, and the ultimate measurement of a CTI team is their ability to meet their intelligence requirements. Uh, so we have metrics around that, how well we're satisfying those. Uh we have KPIs and metrics uh around, of course, delivery times, which is pretty standard. You know, how long does it take us to deliver on strategic, operational, tactical items? Other measurements uh that are important uh were related to the maturity of the team, because we wanted to mature the team, obviously. So it's kind of a dual-pronged approach based on impact and maturity and capability. Uh so one of the ones we implemented, which is pretty simple, is uh hours per analyst per year dedicated to training. You know, if you want to mature a team, you got to be training your analysts. So we make sure that every analyst gets at least 40 hours a year. Um, another one uh that we're using is the Cyber Threat Intelligence Capability Maturity Model, uh, which is just a good tool for auditing ourselves, ensuring that we're, you know, progressing, and using it for review across time, you know, have we stagnated anywhere? And then the other kind of KPI we want to focus on, again, we want to be impact and actionability focused. So we've started mapping the work we do to the impact it has in the organization. So uh as you know, uh intelligence is all about actionability. If you produce a report and it doesn't lead to an action or it's not actionable, it doesn't really meet the definition of intelligence. So trying to track that as well.

Pedro Kertzman

You mentioned something that really caught my attention. Um when was the moment you realized that OSINT was not uh just enough anymore for your CTI program, and then you had to invest in paid intel? Like, because I think a lot of people start their CTI program focused on OSINT feeds and platforms and tools, and, like, focus because there is a lot of uh information out there that is free, it's good, so you can start testing things. But when was the tipping point that you decided, oh, we need more sophisticated things and all that? People might be, like, starting to feel that, so if you can share when was your, like, tipping point, so people that might be going through similar situations can understand that moment. If you can share that with us, so maybe people can relate to similar situations, that would be awesome as well.

Beyond OSINT With Intrusion Analysis

Liam Ryan

Yeah, you know, I gotta shout out John Doyle again, because again, uh I came into CTI with no background, and um I took that course uh from him uh and he really highlighted the importance of intrusion analysis. Um it's well highlighted in that, uh you know, if you're reading open source intelligence, and let's say it's the reports describing a threat that's active in Canada, that's a proximate threat. But when you're looking at your own intrusion data, those are direct threats, those are threats targeting you right now. That is the most relevant information to yourself. So previously we weren't fully exploiting that, and now we're heavily leveraging that. That's how we're generating novel, relevant intelligence. Uh, there's really a shift to a focus on that information specifically. Um, and obviously, you know, if you have a generation mandate, you're always flipping back and forth between collection and generation. Um, but really we try to focus on that intrusion analysis piece a lot. And that would probably be my recommendation for others as well: you have data and telemetry right now that's really valuable. Start collecting on it uh and analyzing it.

Pedro Kertzman

Liam, thank you so much for coming to the show. I really appreciate you sharing insights with the audience. I know, especially in the public sector, it's complicated to share sensitive information, but I think it's so important to share the experiences with a broad audience. So I really appreciate you coming here and sharing uh your experiences with the community. So thanks so much. Any final thoughts for the listeners?

Cyber Alberta Resources And Closing

Liam Ryan

Uh shout out to Cyber Alberta. So cyberalberta.ca is the website there. I know Rachael would uh be dismayed if I probably didn't give one of those. Um, we have monthly community of interest meetings, we do a yearly in-person thing, kind of similar to BSides, uh, where we have lots of presenters. So if you're an organization in Alberta, uh check out cyberalberta.ca. Um if you're experiencing an incident in Alberta, we have a report an incident button. We're happy to help in any way we can.

Pedro Kertzman

That's amazing, Liam. Thank you so much for so many insights. I really appreciate you coming to the show. And I hope I'll see you around. Thank you. Thanks, Pedro.

Rachael Tyrell

And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you. Until next time, stay sharp and stay secure.