Cyber threat intelligence: Learn to become a cybersecurity tactician


It's a celebration here in the studio because these cyber work with INFOSEC, podcast is a winner. Thanks to the cyber-security excellence awards for awarding US A best cybersecurity podcast gold medal in our category. We're celebrating, but we're giving all of you. The gift we're once again. Giving away a free month of our INFOSEC skills platform, which features targeted learning modules cloud hosted cyber changes hands on projects, certification, practice, exams and skills assessments. To take advantage of this special offer for cyber work, listeners head over to INFOSEC institute DOT. com slash skills or click the Lincoln the description below sign up for an individual subscription as you normally would then in the coupon box type, the word Cyber Work C. Y.. B. E. R. W. O.. R. K. NO SPACES, no capital letters, and just like magic. You can claim your free month's. Thank you once again for listening to and watching our podcast? We appreciate each and every one of you coming back each week so enough of that. Let's begin the episode. Welcome to this week's episode of the cyber work with INFOSEC podcast each week I sat down to the different industry, thought leader, and we discussed the latest cybersecurity trends how those trends are affecting the work of Infosec professionals offering tips for those trying to break in or move up the ladder in the cybersecurity industry. Today we're talking about a specific job within the cyber security ecosystem that of threat intelligence expert. This is the job involves both hands on know how, but also a great deal of analytical thinking skills as identified only threats, as they're currently presenting themselves, but a whole host of potential threats on the horizon so meetings you can think of threat intelligence as the tactician of security. You're not just preparing for the battle in front of you, but for the waves of attacks that you might see in the future. Your to talk with us about this today is Charles. De Boeck of IBM's x force, instant response and intelligence services He's had a connected hassle of job. Titles Ed Encompasses Risk Management Risk Analysis and vulnerability assessment, all of which have helped him to get to his current position now, so we're GonNa talk about similar tracks. You could start on right now. And what challenges you should look forward to in the future. Welcome to the program Charles next self ready so based on your job and education background. I'll admit. Admit I I ran sector-linked in a little bit further info, but it looks like security in tech earned the only interest in your life some of the guests you know we've had have been hacking some childhood or the you know. We're walked off their high school campus handcuffs for hacking government mainframes, but you know your background shows interest in mathematics, law, political science and more so how did you find your way to security and threat analysis? And what was the spark that I set you on the path? Church Salon I started off I grew up with computers right. Saint Generation a lot of folks that die grew up with computers and household. For a long time, and when I graduated college I was kind of looking around trying to figure out I want to go, and my interest is always really Bennett Lotto. how you know. How do we get from eight obt to see and so you're gonna see that a bite off my education mathematics much felt logical Russian. I different be same thing with law, but that's more from written sets Outta. We prefer argument A. Political Science I. Maintain is a lot of ways about our actions between two groups, so there's a lot of. Their of of interested logic lock problems games understanding how to how to get from A to B and When I was looking at where I wanna go for me, such security made sense because it's sort of the next step of taking logical problems on that to computers and having this background computing background, using jurors and start seeing relevance above Jitters Arbor Day lives to me. Educate working type security is potential around for require. Okay I like hearing that. Because as you know as I've I tried to sort of repeat in these episodes over and over like you can come to cyber security with a whole host of different types of skill sets are interest. It doesn't you don't just have to have been coding. For decades. You don't have you know, be able to. Do you know assembly language in your sleep, and all this kind of stuff like you can, you can do other you can have other interests and still contribute really strongly to the entire sort enterprise so. You was that he was a police officer. No cyber experiences policemen. Event said he wanted to go to threaten Neligence, and it was passionate about really excited about it, so we started working over the. Best Guys! We had I'm gene after a while. You can train anyone in technical skills or technical training is widely, so you certainly don't act attack, heavy background, and especially for younger generations who have grown up with Diana Mogi stand for long time run-up using computers using. Devices for a long time, just that life experience by itself and a Lotta way on gives you a leg up in steel. Yeah. You're you already know more than you think. You know exactly exactly yeah? So I want to start out today by clarifying the topic of our discussion, specifically threat intelligence so just for. Baseline let's just sort of define what it is. What is threat intelligence and what differentiates it from of related but different activity, maybe threat, monitoring, security, analysis, or incident response like what does the job entail as a career track, and it can I ask you a little bit about the ways that IBM does threat intelligence gathering in monitoring. So the way I am black described. Intelligence is when you think about that. We think about computer security a lot of times. You're looking at the inside the perimeter so I'm an orange. County I'm looking at what do I see you know getting my walls? And what do I see within those walls and how to best protect against going their? Intelligence actually looks outside the walls. So imagine you're scouting cart outside. The walls casio looking around trying to see. Where are the bad guys now? The options are either looking into the woods. Almost make sure that. You can either bill. You can either build up all of your walls. Same time just hit the right spot or you can try and see where they're gonNA come from and build also just right there. That's much more efficient way to undo your security right because I know a bad guys are using a sequel injection all the time and I know I need invest resources in ensuring that my sequel is active, but if they're not doing that, then I can invest those resources somewhere else, so it's a good way to get sense of where we see the bad guys coming from on the outside, so it's a little bit different perspective. You're not looking from the inside out so much. You're looking at the outside and see what they're doing to see. How might try to get? that make sense it doesn't make sense yeah. Can You, can you tell me a little bit about how IBM does? Does you know where where you are right now? Ibm We actually kind of interesting model. We combined their incident response component so instant response intelligence services at IBM, and what's Kinda cool about that is it's a hand in hand process. When weeks onto instance, we can use our threat intelligence to more effective respondents, so if we see instance a Korean on a client's site, we can say okay. We're GONNA respond. What's happening there on site at the time were also GonNa take that information and look at our threat intelligence data and try and figure out as their other stuff. We should be looking for that otherwise might not. A lot of times. It's very easy to get sort about myopic view was happy. Source Say I? Just got sick your this. Fire Right Nice thing about incorporate tells us as we say. Oh, case appears the iron that we see right now, but where else might there be? Fires hidden behind the smoke of this big fire over here? and. So that's what's kind of cool about. IBS model is by combining those two elements were able more effectively responded incidents, and also incidents can help inform our intelligence, so we're able to research more active as well to good symbiotic relationship. Is this sort of hand in hand relationship between the Incident Response Team and the? Threat Intelligence team is that. Is that a common thing or is that a fairly? Unique sort of symbiotic relationship with with with your organization in my experience I think. I think it's going to be more common. I think a lot of intelligence organizations want to get into that sort of area. Because it's so, it's a great great relationship path out. There's a lot of challenges to to sort of combining these two elements but I. don't think it's not everywhere yet. I think it's becoming now. Something Lot. Organizations are look at energy, but thank IBM can the unique benefit the we happens, we start off. Say let's do it this way. By as our incident response, Kelvin Services Gal that gives a little bit of start. Okay I got I sent you the questions in advance, but I got a one one extra question that that someone on my team asked. Do you see small and medium businesses using threat intelligence I mean it seems like the moment like threatened. Hell is kind of the domain of huge enterprises due to the cost of the resources, but you know it seems like there could be a useful. To to say you know, get some sort of like threat weather report, showing maybe secondhand of some of the threats happening to other industries that are like there's. Is there anything like that out there is? Something about yeah, they make it very point down for small businesses. The most effective strategy I see is to the leverage outside provider so generally. The kind of model I've observed. This is just personal observations is that as a larger enterprise might have an internal intelligence team just focuses on intelligence orange, which is great if you can do that and your larger organization that has a large digital footprint and makes sense to do that review, small and medium-sized business. Business can't postlewait for that sort of you know that sort of payroll than it might make more sense to outsource stats or another organization that does all they do. Pellets Brandon. They just give you. The rewarding adds a great way for you to get that sense of what's going on so that you can help director ts one out one thing that I found really helps for she is. If you can't afford to have a threat, intelligence teed even having. Sort of threat. Intelligence person helps quite a bit because a lot. Because sometimes what might happen you get the reports? Everybody assumed that somebody else is taking care of their. Re Them you have one person whose job it as or at least half part of their job is to look at those reports at least one person's doing, and it could be a half time job quarter time job. It doesn't have to full time, but as long as you. That's where designated PSC that helps quite a bit for small medium. To Dan Intelligence, because it's a two way street, it's not just receiving. You also have to actually act on right, so yeah, not only. Do you need someone who's looking at this for some portion of their day? But I imagine there's. Also the importance of having. Some degree of of reporting within the weekly briefings, or whatever like some actual sort of you know because I'm sure it's be easy to say well. We got. You Know Bob Looking at the you know the threats and I'm sure he'll let us know if something's wrong, but you know if you're not like. Reporting on each week. And your stand ups, or whatever I'm sure you know that's also watch out for well concerns well with them with. And this is something that Haddock man where people are looking. At Trenton Benders to consider is you WANNA make sure it's actionable intelligence, because sometimes the M. The profession gets a little bit of a bad rap because people say well three intelligence. Random or stories in interesting, but who cares no. What's what's the point? Good Valuable Intelligence, not just tell you something that's happening out in the wild. Just leave it at because that's not really helpful. I could say well, they're. They're using sequel injection. Okay so. And good intelligence, not only tell you you know what's happening out there, but also what it means for you what you can do, action or follow on after that otherwise it is just sort of campfire stories, which I don't been story, but that's not helpful for me as a business organization. I mean it's kind of like the you know. The way like a boring teacher teaches history versus one that can make a narrative around it where you know like you know there's this thing that happened, but you know if you don't tell the story so that people can understand what could happen to you. It's be happening right now. Whatever then? What's the point exactly exactly so that that's interesting because again. If you're thinking about intelligence, you know, make sure you. You know how to tell a good story and. As? Interesting as critical, really critical buyback context information, because and also to alive. Right as you might be drinking, too I don't see so who wants a really high level thing, or you might be talking to you know network defenders who WanNa know all the technical details. What's going on to be able? Speak both languages pretty effectively you know. So yeah, let's let's talk about that, so let's start with where you are right now. Can you talk sort of walked through your current job? Title Your Strategic Cyberthreat expert. So what is what is this job in at? Are Some of your primary responsibilities? Is Management of threat intelligence team, and how much the actual threat intelligence information gathering in the average day. Suddenly rolls sort of about fifty fifty split between more tactical level, threat, intelligence, research, percent, leading projects, leading initiatives and. Space, so he's the hands on stuff exactly like that person yelling cabinet In the tactical level stuff because to me that makes it so that you keep a good sense of what's happening in the world. You have a good understanding of what time what you're saying, but. I can break the tunnel down so strategic art that just means that I tend to work it up into a higher level of underway by threads, might threat intelligence products Ben Distinction is in my mind. There's sort tactical level where you're working. You're at what are the indicators compromise that are associated with actor activity or you're going out. You're really diving deep to a few actors. That's music much more tactical Elliott. What's happening right? Right now right here right now from Threat Dallas perspective. Right a strategic ex like myself when I tend to do is more broad-based. What trends are we see? You know what we've seen over the last six months a year. How is you know twenty twenty different from twenty nineteen so good example here is if you look at the the IBM, Brent Tells Index. We released those once a year and just really star twenty nine hundred. Twenty nine hundred not too long ago. We said that ransomware was way up. which was interesting? Because the previous year ransomware had been a bit down and so it's kind of we see these. You the immediate strategic statement of ransomware it's higher or lower, but then there's the again the important part is you know? Why does this matter and why? We think this is happy, and so that's what I do. Sort strategic level is I look at cross a wider time street and say what are we seeing? Doctors trending? And how can we use that information to most effectively census? Thanks? It does and it sort of brings up a follow up question so like what what sort of resources research materials like? What is your sort of analytical thought process? I mean let's let's take that specifically re ransomware and we'd seen some reports do. The ransomware is going down and twenty nineteen, but his back up again and twenty twenty so like you see something. Something that doesn't quite make sense like that to your mind. Like what are some of the first steps that you take to sort of breakdown? What what the what the numbers actually mean tricks of the first thing you always gotta do is make sure you got good numbers. Right? See something that doesn't make sense. It's always good to double. Check your day. Look at open source to make sure that matches up a look at our internal data here, at IBM and say okay. What is our data showing us? And then once the date is clarified. Looks like there's a trend there. Yeah, process I started down I started i. just thinking about logic know what are the possible rationales as to? Why could be the case and so we could say? More effective because. We're seeing a higher pay APPS. There were seeing people paying a ton of money for ransomware. ransomware has gotten better. You know the just the technology itself is increasing overall quality or become easier to use. That's another very strong possibility as to why would see ransomware increasing? And then once I, kind of have a couple ideas, I think it might be just sort logically out, and a lot of that comes from its strategic knowledge that most doctors are financially motivated and. And are lazy. But daisy way possible. Yeah, exactly yeah, you WanNa make money easy as possible right, and so there knowing that sort of background and understanding of gaming possibilities then will do go to open source I go to my dark web sources starts trying to find out. Are there indications of any of these options being the case? Do we see people posting on Auras or marketplace's? Hey? My Iran's service is on sale now. My seeing a lot more offerings on marketplaces or I see. A lot of people saying man, this is so easy. Anyone should do it or you tutorials by out of use these sorts of products. You know that's very often the case as well or do I. See when I look at the data. Is there a is there? Are there like collections of activities? So you know stuff happens in March. Bunch of stuff happens in. May might indicate to me that it's a matter of copycat attacks and so. The way, I would approach. It is look at what did stopped. Trying can guess what the possible options might be and then go out and see what the data supports from. Bailable usually Ozora Star web in Charlotte Cheese three. One I look at right. I mean that's straight up scientific method right there, you've you make your your hypothesis and then you tested against the facts and see what happens. At the end of the day threat intelligence is sort of science and art. I think there's only so much to tell you because we don't have perfect data. Collection! You're not to find the fortune cookie that says this is how we did it you. Say This is what I'm doing. To Now I? Right, a dominant number happens and so lacking that Key Element Intelligence Arab. It's sort of subtle is using analytic confidence language? So you know there's there's different, and you can look on Google. There's lots of different ways that you can help statements to make it as accurate as possible you can say. Medium competence that this probably occur. Right s suggest that you now that tells you how competent I am in a statement and tells you that probably means it's more likely than not not almost certain to be the case, and that sort of that sort of detail language kind of technical skill, but once you get really good at it is a great way to be able to make statements based on data while without sacrificing your handling integrity you. Okay so. This is great because you know like I say sort of opens up into my next question here, but you know we were talking about your background a little bit that you have the math background, political science, Law, background, and you know, and all these things obviously contribute strongly in you know it's hard not to see but like what are some specific sort of skills or educational tracks are learning. Learning experiences or projects you did in these other fields that you think sort of directly translate to. You know doing good work as a threat intelligence person like you know if if you have some, you know these kinds of backgrounds and the sound interesting to you. What are you sort of highlighting for someone saying? I want to get into threat intelligence and here's how I I. I can do it. S Very easy question for me whenever anybody ever asks education, my number one I answer. Should, be on the number, one takeaway from anyone listening to this is to check out the National Science Foundation, Scholarship for service program more the NSF SS, which is say it's a it's this. So what I did is I was a graduate student. I was stated through this program. At the time what they did is they pay for the tuition room and board a stipend for you to get a degree in sex security was a two year master's degree in exchange. You have to work for the federal government for two years now. I remember when I was a you know this was. A decade ago now for me adapt ten years ago, two years sound like a really long time towards the federal government, but what ended up happening was a master's degree out the deal and I got great experience the government for five years in exchange for them. Pay Me to do all this. If you have any interest in cybersecurity whether threat intelligence specifically or a variety of other fields. This is a great way to give the educational background. You need plus essentially a foot in the door at the government to get the actual hands on. Experience that you need to really be able to jump into a cybersecurity career. It's really fast I really can't recommend it enough, so that'd be my number one recommendation for on. If you're looking to the right education perception charity just mechanisms for sweet deal. So what we through your average day is as a cyber threat expert. Like what time do you start work you know? Where where does your work take you? In the course of the day you structure a day or you just constantly putting out fires. Are you able to turn off in the evening always on call. Yes. Intelligence I find that it's it's not really an on fire source situation, of course many situations where it is again since we're we work with incident response. Sometimes you might have incident. Come up in Becky's. Yeah, it's all hands on deck. Have to take your kids white way on occasionally are major fires likes like wannacry right, which has such broad impacts such a major event that has all hands on deck, and you pretty much working until things take your yet through the weekend back met as I recall germ Soham yet that occasionally, but that's pretty rare. Usually, it's a pretty pretty good nightside job. I'm wearing prison myself, so I started Some thirty rate done rounds four four thirty, but it's it's not. It's not crazy. Long schedules kind of standard forty hour workweek and a lot of ways, so there's a lot to like I. Think from a work life perspective. And in terms of the work life balance I find that it's nice because you know when it's done is not keeping me up over begins. Usually working on a research project, especially at or abroad, sujit products like I've been doing. Role. It's not really something. We're too worried about it because this is a six month one year trend, you know we're talking about free long timeframe so I don't get weekends. GonNa really change that much right, but hopefully not I am Cova outright. Yeah Yeah Yeah. Usually only. Do so That's kind of how it goes for me. What are some of the sort of common tasks? You're doing every day like you know. Are you talking about clients? Are you sort of reporting to your? You know your board, your C. Suite. Whatever like what? What? What? What do you? What do you do a lot? What what do you have to be ready to do a lot? If you want to go into this trap at right writing is that is the number one things and and personally? I wasn't somebody who grew up saint man. Write papers. Some. Some people love that I I didn't love writing papers. On more people, person but but I do like is right logical. I like writing out arguments, and so if doing a lot of logical righty and dime precise writing, that's something you would come into the something. That could be a good. Fit because that's a little by days when I'm writing up, intelligence reports a lot of its connected dots a also as we talked about little before. Storytelling is a lot of my day where I where I may be grinding out stories to people's explaining. Here's the background. Here's where we are now, and here's what it means that your future might hold that sort of progression in storytelling in written form is loud what I do. A. I also like Sob on occasion and I. Do enjoy doing that quite a bit because it's nice to be able to watch or read. Someone's get questions back in real time. Generally less common, but that's something I. I do do as well. But most of my my work is written nature on otherwise researching researching dot reading the news seeing what's going on, keep track. Okay? So where does where does threat intelligence generally stand on the average company hierarchy chart? You? Who Do you report to you know? Where does where does it slot into an org chart? Especially people who have like a full set of different security staffs. Like where do where do you stand? So usually intelligence reports up to up to the sea so APP for mushrooming stations that I've seen. anyways could be another level between your their initial tall telecasts analyst positions those entry level positions that can be. Can pretty low level. But that said I'd say. Generally getting into three intelligence private industry in my experience requires a little more experience read whereas government can be an entry level position because with. Straighter requested had a lot. Of dumbest before and Grenfell isn't necessarily feel a lot of people jump into as their first field. How Nice government is agencies that all they do is intelligence, so it can be. Because that out. What's to sort of your legal analysts position? WHO's kind of two tracks? You can take you can, either you go. in-depth engaged really deep dive research analysts, who just you know out on the dark web outsource all day every day researching specific threats that you specialize in, or you can kind of leadership route. You're saying okay I want to look at how how? How are we doing our threat intelligence? How effectively I think those are two branch banks generally alter intelligence, my experience server Office for private industry or and government. It gets Kinda is Kinda wack little different, so is threat intelligence a position that's mostly done as part of a company, or they're freelance freelance opportunities in this area. Are there you know, can you? Offer your service especially. If you've done it for a while, can you sort of offer your services to an organization or do people mostly just have an in house threat intelligence unit. A. Both I'd say my experience. There's there's there's a lot of freelance opportunities available. The capture it is rattling sort of it's freelance versus but company. As there's Tony's of all shapes and sizes in intelligence, you've got large organizations that salting intelligence talents to other organizations. You've got smaller companies that provide for intelligence to small medium sized businesses or my APP at unique. Niche, in the intelligence field like it might might be a threat intelligence company, the just dark wet right? That's something that gets out there as well. There's also tell organizations within within companies. So that's the way I think of it as sort of either legal background so to me. It's like the difference between House counsel verse that way for Firm Okay for firm. You work for other companies, but you don't work for yourself. Specifically in house counsel works just specifically for the one. Just about right working in house. The Nice thing is you know if you're doing in house, trying to tell. You can really focus on this one organization. Make sure that you're doing best postle pret- intelligence just for that company, but the downside arguably is that it's not quite as diverse suburb adding kind of a slow week. You might have slow week when you're doing intelligence for a from organization that works with many other organizations. You're kind of constantly bouncing around between different industries, which means you have to understand a lot more industries. It's a little more challenging in some ways, but the bright side is. There's always something which I realized I really enjoyed. A busy said signed. That's why awake enjoy enjoy working. IBM, because we always have things going on. The to be aware of being a global company. There's lot of. A lot of global nonsense well now. If you have a full threat, intelligence staff and you're saying that they're sort of like three or four sort of primary places, you know the dark web, or what have you like to have sort of a specialty in terms of like you know? Jill here is the the dark web person and Bob Talks you know looks at you. Know ransomware situations you. Can you sort of sub specialize within it where you are mostly sort of looking at one thing is everyone kind of looking at everything and synthesizing data, and so forth really depends on the organization. Is Different theories best approach. I'm not sure dinosaur throwing the best wine. The ones most commonly tend to be you can have people who are focused on threat types on the threat, specific actors I usually those sort of geographically aligned. Alternatively you might have seen places that might ask somebody who's like it just do. Darkwa they're just really really good at dark wet, and that would wealthy is. Really Key go-to person. It ruins. Kinda depends on the organization Halley. Want structured if you're kind of getting into this deal. How you WANNA, bestmark yourself, I think those are the two main either say like I, I speak a language, especially speak a language Avin from one of the big one. The countries rights I speak that language I I'm going to learn everything. There is about actors from that area. I'm going to say I'm a market myself as somebody who is a specialist in this region as a great way to market yourself in this area, or alternatively you can say I am just really really good at open source. I'm the only source. Guy Evans. Open source sources, and that gives you want to build out open source skills, actually both. They're both definitely needed skills in different organizations, so they both Oregon clutches okay. So. Tell me what Jimmy Certifications I. You feel like there's any particular certifications that are important for people looking to get into threat intelligence. which valuable certification just from kind writing that executive understand it and sort of learning more about what executive? Sorry I'm thinking I think if you're just starting out in this field, I'm not sure it's as critical as sort of further into the field. The Nice thing about cip as it does provide. Insights into what your audience might be worried about, and that sort insight really helps you make your product more effective for them. But otherwise reputations. I don't have a lot of reputations. I know that security plus a good one. I've heard good things about that. Personally happened I. That isn't studying for it and same dancing. Also if you feel like, you need more technical acumen, network pluses also go. There are many issues out there. I can't. I can't speak to all. Of course. Yeah, no, it makes sense. Yes, I mean. You're basically studying how perimeters work, so it's perfect. Is that by understanding sort of what the executive level Swedish thinking about when they're looking at things, helps you tailor your threat intelligence product to speak their language because. You know if you're not speaking their language, they're not read, or they want it of which are back, yeah? So we you know you gave us some really good good tips for sort of like getting your foot in the door with especially the you know the the organization that you. Worked with but so what are some of the steps along the way to go from a low level threat intelligence? technician to cyberthreat expert like which you know, wh. You know what I remember when. To a security analyst and he was saying you WANNA. Go to security manager. Automate yourself out of your job. You know he was saying like you know. If you create enough sort of automated processes than you sort of like the you know the stuff that you're doing rotely you know is already handled, and then you can sort of handle the next thing, so what is. How do you sort of automate yourself? Quote Unquote out of out of a low level threat intelligence job into into what you do. It's Kinda tough question, but demo my best to answer. Think I think the primary. Will you do it a? Not Answer as best liking Roy gives. Is You have to learn a lot about what's going on? It's wral. You have to I think the the main way you can take that next level is when you re report, it says. Sequel injection ransomware when you start off your side Oh. That's interesting. They're using sequel injection, drop ransomware. But when you start after you've done this, you know a number of times you see were being number of ways. Then you can start asking questions like why they're using you know sequel, injection ransomware Kinda Weird, or why are they dropping ransomware out this month? They're usually incorrect. And so as you develop those as you develop experience and start learning the different ways these happening done historically then you can start seeing the broader picture and picking out the trends that are interested and why they're interesting a lot faster. I think that's what leads to a moron, more effective intelligence expert. Okay. So. What advice would you have? People who are looking to make a curse which into cybersecurity from other careers you've you had other areas of interest and stuff so like from a you know whether you're just picking it up from this episode or even thing about anyway from an interview perspective. What are some things that you can sort of put on your resume or in your cover? Letter? Talk about interview. That would make you your perspective employer. Know that you'd be great for this job. Even if you don't have you know the correct signposts in yours might indicate that. Question. I mean obviously collect the NSF SF. Best thing again say you're looking at security. Check out this program. It's Great Commandments Cybersecurity, but but. Beyond that. If I think to me, e, there's two things that row standout at someone easiest one uses one for someone to start doing. Is that read the news? You have to be really well versed in what's going on oral especially in the NBA threat intelligence world in the security world. Beyond just your basic CNN dot com right Start reading things like leaving computer where you're gonNA. Get really good security. In an interview on talking to someone if they're referencing the latest greatest activity, see any stop there. The re rating of open source articles that indicates to me that somebody has interest in Cybersecurity, and as willing to take the extra step of actually raised about it, and can understand it digested executive fashion, so that's one good way signposts. Hey, I'm interested in Cybersecurity and get. Up The other thing that I've always looked for in reviews is just passion, just somebody who's really passionate and excited about sub security. Ed SORTA tough quality to explain how to make that. Come across, and everybody's GonNa. Show their passion differently, but doing your best to show. This is something that you're passionate about to me. I will ten times out of ten. Take a passionate candidate. That's somebody I can treat anyone. United teach anyone basic technical skills, but you can't train passion. That's something that CEO Harrington you. It's something that excited about that. That's something that I want you to. Now You know. Without going into super granular detail what you know, we keep saying well know we can train you the tech and stuff. If you have the passion, or you have the the background, but like what is the sort of baseline tech that beginning threat intelligence? Person needs to know that you're probably going to train them. And say the. Two main things are going to be basic network, basic number protocols or basic network Understanding about this, it's now you should be able to understand if I go on my computer roughly. What's happening from a network perspective? Just, because then network understanding of you now for DNS resolution basic no connection galls. that sort of technical understanding, even if it's you know, medium depth will help you when you're reading. Thanks to understand what's happening. The other key thing from that I I have found health one I know. There's people on both sides of this issue is the the might attack chain not I. Think it's very helpful to understand from a threat intelligence active out because there's. When thinking about how attacks happened. Understanding dip a process here of starting off, com sense that you're moving forward attack, and then what happens after that and allow looming understanding that sort of front to back. Process will help when you're learning. What's going on IBM SLOP? That in so said I'll give a sequel. Injection is the Michele faction. is be exploited within the actual payload is being dropped ransomware. Okay, so I see now how these fit? Fit In to the overall time line so when I'm telling the story I can help understanding kind of categorize workings Galley so I I think that's a good idea. Also has their own journal framework that we use around for threat chain sort of understanding between of events. It's out a little bit die, unique and I like a lot well. It's different from Mitre, but I reference monitors because a lot of people know. Interested. While we have pretty okay for you know. We have lots of minor attack articles on our on our on our blog so if you want to get a foot in the door. Come got resources I didn't. Dot Com and also. IBM's. What was it called threatening? Preparation, framework. Framework. Okay! So, how is the threat? Intelligence landscape changed in practice since you began You know you've been doing it for a while. And where do you see it going in the years to come like has has sort of methodology changed. Has What what are? What are we doing differently these days? Great Question. So I'd say the waitress intelligence is done has changed a little bit and that there's a lot more people doing it, and that sort of time about before in terms of freelance. We'll see if you on twitter. There's a lot of folks on twitter. Postie, intelligence bearing wally. There's some great the order doing some really good style also people on there who are taking their best guesses putting up. So one of the big risks daddy run into is. Is People out there? Say Oh, I saw on. Twitter is a true. Another thing that I've noticed changed when a bit is We're seeing a lot more. When I started out, crowd strike was new right known hurt along their brand new organization. It's just getting started now. Across strike is one of that is a big big player in the market welcome. I'm seeing a lot more big players just do read intelligence or do threat. One their primary missions and I think that's great. I think it's great. There's a lot of folks out there doing intelligence, because it makes all of our all of our organizations better right. Down by having more competition out. There were all forced into doing hard work. Great, but down one thing that's kind of come out of that as well as we found new ways to gather new ways to understand what's happening. Sort of expanded perspective because we, we've been doing this for a few more years weekend. Now we as broader intelligence community, can start drying conclusions that from us, but my brother set I mean when I started off in this two thousand eleven. The idea of a lot of these tax were still relatively new. Stocks now was still fresh in your mind, right? That was really the only distracting attack you see. Now when you're looking at twenty twenty, we've seen a whole handful of destructive our tax writing and now now will put paper all about destructive now because we see so many of these attacks whereas twenty seven when I started, we didn't have that much data wasn't that much? It's not necessarily things were happening way. Just have that much access to it and really the only major threat Intel groups tentatively government now seeing private industry really into it more, which I think is great, and there's a lot of opportunities there for people looking to get into the field, but also audrey opportunities I sort of. Collective framework intelligence it. Was Pretty Cool. I'm guessing I know the answer this because it sounds like it's such A. Sort of personal research based thing, but apart from the ways that all our work lives change right now has the. Practice of threat intelligence change it all with the the current pandemic. The practice of it hasn't for me at least so realistically. dren television, a lot of ways to pretty decentralized. Feel! The. Need for people to be in office for me. That hasn't made a major change I think. It's probably the case for a number of organizations. I think there's been some some changes in terms of. Intelligence but in terms of the wave, actually practice thankfully, Democrat relatively minimal nights experience advice. So. What are some of the cyber threats? You're currently that are currently looming largest on the horizon in your experience that you and IBM are engaging with the most frequently. That's always a risk questions. Because the minute you say, MISS ANYTHING CHANGES AND I. Were they see that you see them. Right, let's say I. Think is kind of looming large my mind. Is that. I think that organizations are moving to cloud environments more more, and and realistically and actors get they see the organizations are movies, huge amounts of data into cloud environments and that there's potential gaps are a risks. When you're kind of looking you, that could be present tense. And so they're trying to take advantage of those road can and find out on those gaps at there, and it's a good opportunity for your, because it means that hike in contentiously cause more harm than I could buy point and don't have to worry about much latter movement. There's a lot of benefit there. To me where I see things, going is look at. How can we best security cloud environments? And what are the security considerations when we're looking at? How we make sure that we're. Done I'm sure you know in IBM's estimated. By vesey CLOUDS CURIE! Something that were uniquely interested in from. Ryan perspectives and including run CELTS, understanding how threat actors trying to break into that. Okay this has been a great talk. I just wanted to thank you for your time and insight here now if people want to know more about Charles toback or your doings at IBM where can they go online? And if I'm a profile on leap day, otherwise security intelligence dot com, which is IBM's ask site for for nation as my a profile on there, and they can never work done, I'd say. Okay. You've any vinyl tips for potential threat intelligence. People It's a great field. I enjoyed as a great combination of of the strategic understanding of how things work in strategic understanding out, vowed geopolitics and computing and governments and networking, and taking all of that information, and then somehow crashing into a story that somebody can understand that dumb handle knowledge so I think of great opportunity for folks to get into as sort of feel which is fine, but I had I think it's great. Yeah, thank you very much. Charles back. Thanks for your insights. This has been so much fun and I think a lot of people who are listening are probably doing some quick research right now to look into their new career, so thank you. Exotic. Appreciate the time and thank you for listening and watching today. If you enjoyed today's video, you can find many more on our youtube page. Just go to YouTube dot, com and type in cyber work with Infosec to check out our collection. Auriol's interviews and past webinars. You'd rather have us in your ears. During your workday. All videos are also available as audio podcasts just search cyber work with INFOSEC and your podcast catcher of choice, and if you wouldn't mind five star, rating and And Review and whatever you listen, it always does help us to get to new listeners so for a free month of the INFOSEC skills platform just go to INFOSEC INSTITUTE DOT COM slash skills. Sign up for an account, and there is a coupon code there type in cyber work all one word, all small letters, no spaces and get your free month. Thank you once again to Charles DEBEC and thank you all for watching and listening. We will speak to you next week.

Coming up next