
Na-na-na-na na-na I'm Gonna Start a (CTI) Fight

BSides NoVA · 2021 · 31:28 · 108 views · Published 2021-06
About this talk
John Stoner explores the overlapping career paths and specializations within cyber threat intelligence, examining roles across federal government, private industry, and vendor organizations. He discusses the lack of traditional career progression in CTI, the breadth of skills required, and strategies for managing a non-linear career trajectory through mentorship, proactive planning, and building both deep and generalist expertise.
Original YouTube description
Presented at BSidesNoVA 2021 on 5 June 2021. This presentation will explore the world of careers in the Cyber Threat Intel (CTI) world. It will specifically cover the messy, overlapping Venn diagram of related and cross-specialization jobs and skills in CTI: all-source analysts, OSINT analysts, DFIR specialists, threat hunting specialists, forensics, malware reversers and the IR world. This talk is important because of the lack of clearly defined career paths, certifications, and jobs that don't align to a clear specialization within this general cybersecurity specialized area. I will discuss the lack of linear career paths and how this can be leveraged by individuals for a positive purpose, although there are certainly some aspects which make things difficult. #GetAMentor
Transcript [en]

All right, all right. So welcome, all, to one of the breakout sessions for 11:30 a.m. It's titled "Nah, I'm Gonna Start a CTI Fight," and our presenter this morning is John Stoner. He has over 21 years of experience in the intelligence and national security community, and he has been a contributor to BSides NoVA from the very first conference, I guess back in 2017. He has been working as a cyber threat intelligence analyst and has experience with SIGINT, instructional design and cyber counterintelligence, among many other skill areas. So without further ado, I'm going to pass the control to John Stoner. Enjoy the conference.

All right, hi everybody. So this is "No no no no no no, I'm gonna start a fight for CTI." So, just like everything else in cyber security, nobody agrees on everything, so I'm assuming people from the CTI world will be watching this and disagree with some things. We've already gone over my "who is"; I will only mention that I am not John Stoner from Splunk, that is someone else. I coach soccer. Go Liverpool. All right, so CTI. If you are watching this talk and you're not in CTI, I at least wanted to provide a little bit of background on what cyber threat intelligence is, and I'm sure some of you are familiar with CTI and work in the field,

so you will probably also have thoughts about how I talk about CTI. So we're really talking about threats, cyber threat actors, mitigating cyber attacks, mitigating incidents in cyberspace. CTI generally is going to inform the defenders of networks about threats, possibly inform them about vulnerabilities, and cyber threat intelligence sources of information can include OSINT, open source, social media; it could include human intelligence; various forms of technical intelligence: indicators of compromise, hashes, observables, threat actor TTPs (tactics, techniques and procedures). But to some extent it's all relative, because it depends where you do cyber threat intelligence. I normally have at least three major buckets of where you will find people doing cyber threat intelligence. One bucket is sort of federal government, specifically in the Department of Defense, so like Cyber Command or one of the other intelligence agencies or one of the other federal cyber centers, and there's going to be some differences between what those CTI analysts might do and focus on versus if you're doing cyber threat intelligence at, let's say, a very large company, right, like some Fortune 50 company like CVS or Cisco or BP, versus what you do for cyber threat intelligence analysis if you are a cyber threat intelligence vendor. So all of those people will perform a lot of the same skills, generally speaking, but the day-to-day minutiae of those roles may change. For instance, a lot of people in cyber threat intelligence in the communities I'm most familiar with inside DoD are performing cyber threat intelligence for intelligence purposes, in furtherance of some further intelligence goal or priority intelligence requirement, or in furtherance of an operation. It could be a cyber operation, it could be a law enforcement operation, it could be a counterintelligence operation, right? Nobody at CVS, hopefully, is performing advanced cyber counterintelligence operations on threat actors; it's generally not something that private companies do in the United States, right? So the point of cyber threat intelligence at those companies is to inform the defenders and mitigate risk, generally speaking. So that's my first; you can go get the pitchforks ready. So you're a rock star, right? We got all

these skills, we got all my rock moves, and in cyber threat intelligence I have to know a whole lot of different things in order to be a cyber threat intelligence analyst. I need to know the basics about how networks work, about how security works, about how operating systems work. I need to be able to do analysis, I need critical thinking, I need to understand policies, laws, procedures, regulations, SOPs. I might need to know about risk management, I may do some level of traffic analysis. There might be, again, specific industry things that I need to know: like, if I work in finance it might be different than if I work in aerospace, which might be different if I'm worried about SCADA or ICS systems, right? Which threat actors do I concentrate on? Because there's probably too many to have super deep, in-depth technical knowledge of all of the state-sponsored or state-supported threat actors, depending on which terminology will get me thrown off Twitter today. How do we evaluate information sources? Which information sources do I trust? Do I understand the basics about malware? I might not be a malware analyst, but I should have a pretty reasonable understanding of how malware operates. Can I do pivoting? That's pretty critical. Do I understand geopolitical implications of how something that happens in the real world, or in a specific geographic area, might increase or decrease certain threat actors or threat activity? Can I actually communicate and write reports or give briefings? And on the right, you're not meant to necessarily read all of these knowledge, skills and abilities, or KSAs, but we're about to dive in to some KSAs. So there's a lot of things that some cyber threat intelligence analysts are going to have in common, and we're also going to talk about some areas of specialization within CTI as well. So to level set a little bit: we get this question all the time, like, what do I need to do to be a cyber threat intelligence analyst? So I really like the NICE cyber framework; it's available, there's a link at the bottom of the slides, you could Google it:

NICE cyber framework. So on the left is an All-Source Cyber Analyst, and I, in my own words, say this is sort of the less technical version of what a CTI analyst can look like. There's also a Threat/Warning Analyst job with all of their KSAs, and I generally say that's a little bit more technical. And then there are clearly some cyber threat intelligence specialists or SMEs that are even more technical in some areas that they operate in on a daily basis as well. I always describe myself as a little bit less technical, but the knowledge, skills and abilities to get started in this role require a baseline of knowledge about how IT systems operate, how networks operate. You probably need about a Security+ level of understanding of cyber security; maybe you don't need the cert, that's a whole other topic. I think there's actually a panel on certs today; we can talk about that at the happy hour if you're there. I have very strong feelings about most things, including certifications. So you're also a cyber analyst, so less technical doesn't mean that there's fewer things that you need to bring to the table to perform this role. Do you understand communication? Can you actually write executive summaries that are going to inform the executives of what they need to know? Do you understand your customer? Can you give a briefing? If you were in the CTI workshop yesterday, Andy Piazza covered a lot of really important topics about all-source cyber analysts and threat/warning analysts and some of the foundational skills, and that was a great class too, so if you missed it and he gives it again at some point, I highly recommend you jump into his class. It was basically like mini SANS 578 on steroids with three Monster energy drinks. So there's a lot of KSAs necessary for this, but it's this next slide that I really am going to dig into, because this is a CTI career talk, right? Because I get a lot of questions about careers and flexibility, or lack of set career paths, and that is true. Cyber is a new

field. We have been doing cyber security for maybe 20 years; some people might say 25 years. So it's not like law: law has been practiced for what, 2,500 years at this point? Or philosophy, because philosophy has been practiced for a real long time, right? Cyber security is a new discipline for the human species, so everybody is still figuring this thing out. So I want to talk about different careers and different related specializations as it pertains to threat intel in some capacity. So you have your all-source analysts, right? Do I understand geopolitical things, and deeply? Like, if my company has assets in, you know, the Middle East, do I understand Middle East politics and how that might affect the threat picture that we are worried about as a company? Do I have briefing skills? Do I understand the applicable policies, laws and regulations that affect my industry, that affect the industry where I am? Like, do we worry about, you know, GDPR (is that what it's called in Europe?), you know, am I concerned about that? Do I do root cause analysis, critical thinking? And then there's OSINT analysts, which is a whole specialization; there's a whole field of OSINT now. Some CTI analysts are good at this. Do I understand, you know, research, sock puppets, social media analysis, deep or dark web analysis, like actual deep web analysis, not what the vendors oftentimes say (just kidding)? Do I understand metadata analysis, harvesting data? Do I understand all the OSINT techniques? This is a specialization. Some all-source analysts have these skills, but technically they're different specializations. And then you have your sort of, like, what traditionally is considered the core competencies of a cyber threat intelligence analyst, that threat/cyber analyst. Do I do some light pcap analysis? Still policies, laws and procedures that are applicable to me in my industry and where I'm geographically working. Do I do some light malware analysis? I at least need to understand that. Definitely, pivoting across IOCs and observables is a critical skill. Do I specialize in certain threat actor TTPs or certain geographic areas, right? Am I involved in tipping and cueing? Well, a lot of all of these things is also threat hunting. Some CTI analysts might do some light threat hunting, but I think threat hunting is its own pure specialized skill, right? So a lot of threat hunters will come from a world where they have done some of this other stuff. So do I know threat actor TTPs, right? We are in the network proactively looking for what we think might be a threat actor in the network that has so far been unidentified, so there's a lot more technical knowledge needed to be a threat hunter. And then we have DFIR analysts. Well, how is this related? Well,

a lot of the same skills that we've been talking about will be applicable if you move into a DFIR analyst role: forensics analysis, registry analysis, event log analysis, probably more traffic and pcap analysis, at a more technical and deeper level. You need to understand the IR processes and evidentiary things, right, even if you're not purely an IR person. Right, we have this bucket: are you doing artifact analysis? Well, that has a lot of skills that are related to being a malware analyst. So now these are really specialized roles, right? So do you have a deep knowledge of multiple types of OSes? Do you do some scripting and programming and understand it, so that when you're reversing the malware you understand what the malware is doing, because you have to include that in your report? Do you understand assembly languages? Do you understand disassemblers like IDA Pro, packers, extractors, compilers? Can you do binary analysis? And do you have a deep technical understanding of what certain threat actors are doing with the malware? And then, you know, some of this is related to the forensics analysts, who again can be very specialized. Do they understand the evidentiary rules and procedures and policies for the organization that you work at? You're probably going to do some application footprinting, data preservation, live imaging, probably some at least light malware discovery, maybe malware analysis, maybe traffic analysis, pcap analysis, right? It could really depend, and basically everything that's listed in GCFA you would have to know to be a good forensics analyst. And then somebody has to manage teams, so I'm going to spend a minute on this manager role here. So sub-managers are managing very specific teams: like, this manager manages cyber threat intelligence people, this manager manages DFIR analysts, this manager manages the malware analysts in the malware shop. Some managers in our world manage multiple specializations, especially the further up the management tree you go, right? Your teams generally get larger, so you're now managing multiple types of specializations. So what does this person need to bring to the table? Well, industry-specific skills and knowledge, right? So it's not always directly

transferable, right? Somebody who spent a really long time in DoD and goes to industry, they're going to have to learn some things about how that particular industry works, right? Some things will be transferable, but some things will not be transferable. So there's going to be different policies and laws and regulations, including like HR, legal, right? There's all the manager stuff we need to be concerned with: how do salaries work, how do I get people promoted, what if somebody's underperforming? This big concept of servant leadership I think is pretty critical, so if you haven't heard of that, you might want to look that up at some point. Probably some project and program management types of skills at this manager role. Are you good at mentoring folks? And then technical prowess. So in our industry, what we typically see, and I've experienced this on sort of both sides, as the manager and as a technician, if you will, is that if that manager doesn't have some level of technical understanding or technical prowess in the things that we are talking to them about, the team really loses credibility in that manager. That doesn't mean that if that person in a manager role is not a deep malware analyst, right, that's not their core focus, I don't necessarily need them to be able to do every aspect of the job that the malware analyst is doing. What we would expect is that they have an understanding of what is required for that role, so that when the malware analyst is talking to them about technical topics, they have an understanding, right? They appreciate what's being said at a technical level, as to maybe why something is taking longer or why there's a technical glitch, right? Like, maybe it comes down to, you know, you're decrypting something, right? If the manager doesn't have any technical understanding or prowess in these aspects, it makes it very difficult for the team to trust the manager, and you're going to have a lot of communication and a lot of other issues. So I know management is a specific topic, but I wanted to spend some time discussing that aspect as well. If you are in this world of threat analysis, you can move specializations. It is very possible, and often done, that someone starts in one area and pivots, through education, managing their career, networking in the industry, and moves into another specialization, and we're going to talk about that. Because you want it all, but that's not fair, right? So hopefully you guys appreciate my song lyrics. So I'm going to talk about traditional or non-linear career paths, but realistically there are no traditional career paths, because cyber security has only existed maybe for 20 or 25 years, right? If you want to be a constitutional

lawyer, we have very good guidance that we could give you. If you want to be a neurosurgeon, there's lots of other neurosurgeons that have come before you. If you want to be a philosopher, we know how that career field works, right? If you want to be a malware, ICS, SCADA specialist, it's not like I can go to my local college and be like, oh yeah, I want to sign up for your master's program in SCADA ICS malware exploitation, right? Like, you're going to have to do a lot of different things in order to get that level of knowledge. So this traditional path is achievable in CTI or other aspects of cyber security, right? You start off as an analyst, you're a junior-level analyst, and you get promoted, so now you're, you know, not quite the newbie anymore, and then you become a mid-level analyst and you know a lot more things and you help out and mentor some of the more junior people, and then you become a senior analyst and you get paid a bunch of money, hopefully, depending on where you work, and, like, you're really senior and you're in charge of more projects and it's probably very stressful, and then maybe you step into that technical manager role. So now you're managing a team of analysts, right, and maybe it involves some hands-on, but probably less hands-on than you were as a senior analyst, right? It's more people management, but still being involved in the technical aspects. And then you sort of step out of a technical manager role to, like, a true manager role, right? So this means the team is probably bigger, and that can vary wildly. So maybe you have people on your team where you didn't used to do that kind of job, so you might have to learn, you know, what does it take to do their job so that I can manage them? What sorts of training and education should I recommend for these people? How do I get the good people promoted so that we can keep the cycle going? And then eventually maybe you become, like, an ISO or a CISO,

right? This is possible. This is a career path that people have taken, but it doesn't have to be. Your career could be like this: you could start off as an entry-level analyst, and then a junior analyst, and then a mid-level analyst, and then a senior analyst, and then the old SME in the corner who knows everything, but we don't talk to them before 10 a.m. because they haven't had three Monster energy drinks yet, right? And you stay an SME your whole career, hands-on the whole career, never entering management. Now, like, maybe you briefly enter management, you decide it wasn't for you, you pivot back into one of these, like, senior roles. There are people like this in the industry, right? There's plenty of them across different cyber security specializations. So I've seen people in CTI roles who, you know, are 60 years old and are still writing CTI reports, right? There are forensic specialists who want to stay hands-on-keyboard the whole time, offsec people, red teamers, right? There are people who don't want to be managers, and they proactively ensure that through certain career choices; they have been able to both progress in seniority and salary but stay a technical specialist, and there are absolutely lots of people in the industry who do this. Or you could do this: different specializations across careers. So you start out as an OSINT analyst and you get some experience, and then you get some more training and education and you network and you manage your career, and you become an all-source analyst, or a less technical CTI person just starting out. And then after a couple years in that role you become a true CTI or threat/warning analyst, and you're a little more technical and you've picked up some more tools in your toolkit, and then you become a mid-level CTI analyst, and now you really know a lot about CTI analysis for whichever industry or career area you specialize in, whether it's, you know, as a vendor or in the government or out in private sector and industry. And then you decide, actually, the CTI thing's pretty cool, but I've done this for a while and I've done some light threat hunting and the threat hunting team has an opening, so I'm gonna become a threat hunter. So then you maybe get some additional education, training, manage your career, work your network, you become a threat hunter, and then after a while you become a DFIR specialist, and then you become a senior DFIR specialist, and then at the end of the day you're like, actually, really, I like doing forensics and I want to, you know, help the forensics team out, and then you do that. And you never were a manager, and you never did the same thing for a long time either. People have careers like this, and it

doesn't have to be those specializations either. Or your career could look like this. There are no rules in cyber security; the cake is a lie. You have to proactively manage your career in order to get what you want out of your career, because there are really no traditional paths, right? You started off in sales, and then you were an EMT, and then I got my first entry-level IT help desk role, and then I became a junior security analyst, and then I did some more training and education and worked my network and volunteered at BSides NoVA to meet some people who needed a junior pen tester, and then I got hired there, and then I decided I really like malware, and somebody was like, oh, I have this opening at the startup, but we need a malware analyst, so then you went there. And then they're like, oh my god, you're really good, you can, like, talk to people and mentor them, do you want to be a technical manager? And you said no, and they said, well, we'll give you, like, 30,000 more dollars, and then you said yes, and then you became a technical manager. And then you're like, I really hate this, this is terrible, I had to fire someone, you cried for like a week, and you become a senior malware reverser, which also still means that you cry a lot, but in a different way. And then you're like, actually, what I want to do is be in charge of everybody and work with, like, seven people, and my buddies, we start this company, so you become the CEO of a startup. And there are no rules in cyber security, but you have to proactively manage your career. I do also want to point out that there's this book called Range: Why Generalists Triumph in a Specialized World by David Epstein. I'm about halfway through it, but I actually describe my career much more in generalist terms than in specialization terms, because at some point we have to have personnel in cyber security that really do have a lot of knowledge, a lot about a lot of different specializations and areas, but they might not be deep technical experts in all of those areas. And I would say that currently I describe myself that way, but I'm proactively trying to manage my career to get to where I think I want to go, because I have to have a plan, but the plan can change. So get a mentor in the area of specialization you are working in or that you want to work in. You should have mentors, formal mentors, informal mentors; you should have maybe at least one mentor at the organization you work at, and you should probably have at least one mentor outside of the organization

or company you work with. All my advice comes with the "your mileage may vary" warning or sticker, right? So not only do I try to give advice based on my own personal career, but I also try to tailor the advice I'm giving to people based on other people's careers that I am, you know, engaged with: my colleagues and associates and friends. Be proactive about your career planning, because your career planning can make your career unique to you. So when you see talks about, like, this is how I got to where I am, that's all important information, but your career is different and unique and you should manage it. There are no rules. So I will now take questions, if there are some questions in the chat, and my moderator will help me because I do not see chat currently.

Yes, are there any questions? There are no questions right now. Let me check the chat again. Sure. All right, so, oh, there's a question in the chat right there. Audrey wants to know the name of the book you mentioned again. Sure, it's called Range: Why Generalists Triumph in a Specialized World; that's on the second bullet on this slide, I went back. All right, thank you. Sure. John, any other questions? Any other questions? So if you are interested in CTI and you're in the audience today, there will be a panel later with several people on it; I will also be on that panel. It will be about cyber threat intel as well. I will probably talk on some of the

topics I talked about earlier in the presentation, about, you know, what does a day in the life of a threat analyst look like, and some of it will probably be industry specific. So there's another question or comment: so, will the term "jack of all trades, master of none" be a successful strategy? Yeah, it's actually, that quote is longer. If someone Googles the quote for me, give me the whole quote, because we've reduced the quote. So if you look up the whole quote, there's like a second phrase that gets cut off. So you have to look at it this way: like, I don't like that theory about, you know, a jack of all trades means you're a master of none, because if you look at the sorts of complexity that's involved in cyber security, like, are you going to tell me that all the CISOs are absolutely specialists in, like, their cloud platform and all their SOC operations and their engineering team and their IR response team? Like, you can't; that person can't be an expert in everything, so they essentially have to be jacks of all trades, right? So the more you learn, and this is an industry where you continue to learn, like, if I have a passing understanding of SCADA and ICS systems and I'm not an expert there, well, that is helpful. If I went to a job where I needed to know a lot about SCADA and ICS, well then I would study and learn to become more of an expert, but I have some passing knowledge, which lets me get by for most of the roles I have had so far in my career. All right, so they were asking, right, the next, the panel that you mentioned is CTI Careers and that's coming up at 2:30 p.m. Yeah. So there is an interesting question here, let me see, wait wait wait: what is the one thing you wish you knew before embarking on a career in CTI? So my background is in the intelligence community as a signals intelligence, or SIGINT, analyst,

so for me, I knew I wanted to leverage the information and the background and stay, at least at that time, within the DoD world, and performing intelligence analysis is important. So the other aspect of that question is, I am a really mission-driven individual, so while I was in the Army, and as a CTI analyst, right, you're contributing to something much greater than just making money, which, you know, sounds weird to a lot of people in industry, but, like, you know, I'm having a greater impact in terms of national defense and security of the nation. So for me that's really important and has been throughout most of my career, to have that broader impact. All right, thank you, John. Any other questions? Any other questions, comments? Let me see. So there's a link that was shared by Ken Kono: Little Bobby, Sunday morning web comic on technology and security. Thank you, thank you. Little Bobby Drop Tables, maybe, yes. I'm gonna stop sharing my screen. One last question will be: is the CTI fight at 2:30? The rest is going to be at 2:30; it's going to be a panel, right? So it's a panel. So this, I mean, I don't... if this were in person I'd probably have to be dodging rotten tomatoes right now, because a lot of CTI people will, you know... I'll play devil's advocate with myself: "No, every CTI person should be a threat hunter, that's a core skill." It's not, because threat hunting isn't a core skill of CTI; like, there's a NICE framework I can point to. Like, should you understand threat hunting and maybe do some light threat hunting? Yes. Threat hunting is its own specialization. So, like, if you are a business or an organization that has threat hunters, that is its own job, and there will be people who disagree with me. All right, one question here: what advice would you provide intel/cyber graduates? Intel, first of all, feel free to connect with me on Twitter, LinkedIn, and I can talk to that person; I'm happy to do

that. It is that you have to understand cyber, right? So we can take sort of, like, the intelligence aspects, and, like, you know, all the different analytic techniques and analysis of competing hypotheses and root cause analysis and structured analytic techniques and estimative language and probability, with cyber security and understanding threats. The number one advice most new people don't get is: don't be overwhelmed. Like, you have to focus your training and education. Most new people in any specialization are overwhelmed by information. So the other thing is that Katie Nickels, who's going to be on the panel, by the way, and she just got Twitter verified, by the way, she has some great blogs about how to get started in cyber threat intel, so if you contact me I can give you the link, or you can just Google "Katie Nickels blog about cyber threat intel," I'm sure it pops up. All right, so I guess one last question: what if you have knowledge in a sector that does not traditionally have a cyber focus, but you want to get CTI focus in that area? So if you don't have traditional focus, or you want to get CTI focused... so, you can; there's so much stuff to read that comes out from the vendors, like the Verizon DBIR, and on and on and on, right? There's so much information, and, like, anything Dragos posts about threat actors, or, you know, any of the other vendors. I'm not trying to be vendor specific here, but, like, there's so many CTI vendors, or, like, the stuff that comes out from, like, DHS or FBI that's publicly available, or TLP:WHITE, you can read all of that. There's also a couple of, like, really good podcasts to follow so you know what's going on. You have to be on Twitter, even if it's a sock puppet account, even if you, like, put up a picture of a giraffe and your name is, like, you know, Bob Bubbles. Like, you have to be on Twitter, you have to be part of the community. And then to build up those skills, like, could you summarize, like, Andy's workshop? Can you summarize the DBIR in one page, give me the highlights? Can you do that effectively? Like, there's things you can do to get those skills. Your first job will probably come through networking. So, yeah, there's a couple panels that are competing; I think the panels are going to be recorded just like the talks. I know the workshops weren't recorded; I think the panels are going to be recorded. So is CTI Careers at 2:30? I don't know when; I just go where they yell at me. CTI Careers at 2:30, and then Certs Versus No Certs is at 1:30. So there you go, that's why we have moderators. Wow. All right, so thank you so much for all your questions.

Thank you so much, John. All right, very interesting presentation, and so thank you all for attending, and I hope you enjoy the rest of the day, the rest of the sessions. Thank you. All right, have fun, bye.