
Tim Gallo - The 5 Laws of Librarianship in your Intel Operation

BSides SATX · 2019 · 58:47 · 23 views · Published 2019-09
About this talk
Title: The 5 Laws of Librarianship in your Intel Operation
Presenter: Tim Gallo
Track: In The Clouds 05
Time: 1500
BSides San Antonio 2019, June 08 at St. Mary's University, San Antonio, Texas
Abstract: Building an intelligence repository often
Speaker Bio: Tim Gallo is a Solutions Architect with FireEye, who has over 20 years' experience in information security. Tim's expertise is in Intelligence Guided Cyber Network Defense (IGCND). Today he spends his days helping clients understand the importance of Intelligence as a guiding principle for building out effective processes and leveraging technologies to build their cyber defense centers and security operations practices. As part of his current role, Tim provides thought leadership in the areas of security strategy, intelligence initiatives, and threat and vulnerability management as well. In Tim's previous roles, he helped develop intelligence solutions, led the security practice for a leading industrial manufacturer, and delivered Security Operations and Compliance consulting services. Tim is a member of the Board of @BSidesBDX and has spoken at numerous events around the world. He and his co-author's book "Ransomware: Defending Against Digital Extortion" has been used by many IT professionals to aid in their programmatic response to the rise of Ransomware in cybercriminal circles.
Transcript [en]

Hello everyone, welcome. The next speaker is Tim Gallo with The 5 Laws of Librarianship in your Intel Operations. But first we'd like to say thanks to our sponsors. Our gold-level sponsors are St. Mary's University, USA

So we're doing a really intimate one here, all three of you that are here, or four that are here, to listen to me. Um, okay, yeah, I know, I know, they put me up against something, and to be quite frank, when you hear the sound of the topic it sounds really boring, but what I find is it's gonna be pretty interesting if you have been in security and have moved into Intel, or if you've been in Intel and need apologies from people that are in security, because there is a big difference between what we try to do. And ultimately it comes down to what I learned from a friend of mine a few years ago about librarianship

ultimately. So a couple of things first off the bat. I swear; I apologize in advance. I don't see any minors in the room, so I'm just letting you know right now: I was raised by sailors, my mom's got a mouth like you wouldn't [ __ ] believe, I learned that from her, so just be forewarned, I'm gonna be that person. I also put this in every one of my talks. I've done quite a few talks around, and about two years ago I put this in. It's important, I think, for those of us in the InfoSec community to recognize that we actually have a higher rate of suicide in our community than other

professional communities. There's only a few that have a higher rate than we do; one of them is dentistry. I don't understand, except that it must be really, really dull sticking your hands in people's mouths all day. But we do have a high suicide rate, and particularly amongst veterans that have joined cyber security as well. So just keep that in mind, think about what you've got to deal with and what people may be dealing with. If you see the signs of somebody that's potentially suicidal, please talk to them, bring it up, use the resources that are available. It's important, because we don't want to lose great minds like we've lost over the last five years;

don't want to continue to lose those minds. So now let's go ahead and get started. Brief agenda: a little bit about me; how do we get this cyber threat intelligence as a discipline; why this is important, which I think is going to be one of the key components of this; what are the laws of library science that showed up in the title, what do they mean; how does the threat intelligence operation work; and where do the laws of library science and threat intelligence converge. To be quite frank, many of us don't think about intelligence as librarianship and vice versa. We tend to think of it as an offset of security operations, and I

think that is actually a mistake. Different tools that we can use to make this more effective, who should be engaged ultimately in building your operation, other sources of analysis, stuff like that. So before I get into who am I: there's five of you in the room, how many of you are actually threat Intel people? One, okay. Did you start off as an Intel person, or did you start off as a security person? Wow, okay. This happens more and more frequently, particularly when I'm in areas that have large Air Force bases that have a significant population of Intel operations, or naval bases that have that, or other forts, whatever. But to be quite honest, most people, kind

of like myself, started in security in some way and ended up in Intel operations, and I like to apologize in advance for the things that we have brought to your discipline that have kind of [ __ ] it up. I spent a lot of time learning at the feet of Intel operators after spending about 10 years in security trying to figure out what it is that I was doing wrong and why I was thinking incorrectly, and ultimately how it came out. So I like to say that the person that you see on all my LinkedIn and Twitter and all that is this suave, debonair, black-and-white, kind of hacker-y but not hacker-looking dude. This is the

person who I like to think of myself as: somebody who goes out to the desert, rides motorcycles, breaks [ __ ], burns [ __ ], causes all sorts of problems. This is the person that I really probably am: it's the idiot who on his 40th birthday decided that he wanted to have a toga party because he never got to have one when he was in college, and got really, really hammered shortly after that picture was taken. So that's probably more like who I am. But what this means, ultimately, let me give you a little bit of background. I started in InfoSec in the 90s. In 2002 I was pulled into a room and asked to perform

some sort of network magic for some folks and provide them with some attribution. I didn't know what I was doing at the time; they sucked me in. At that point I started to get engaged with them more frequently, moved out of network security and information security into sort of intelligence through telemetrics and network intelligence, and then eventually started to meet some of the intelligence operators and get an idea of what overall intelligence programs look like and how we from security interact with them very differently than the way they want to be interacted with. So I think from a security perspective, and this is where

I'm putting this out, there's typically two paths to get there. People either come from sort of a compliance and patch management role, where they've been doing things like vulnerability intelligence analysis, working with infrastructure management, and then ultimately delivering sort of Intel into the "what is in my stuff and what do I need to worry about", right? It's verbose, it usually has some metrics, but to be quite frank it's keeping things up to date, right? I know a vuln is out there, I need to patch the vulnerability. It feels kind of rote, but it's actually very important, because if we don't do this then we are screwed, right? You're just leaving wide open

holes for every attacker to just sort of walk their way through. The other way people often get to cyber threat intelligence, and this is kind of how I ended up there, is from security operations, maybe from Incident Response, but typically from somewhere in the cyber defense center, right? Usually it's supporting the IR process: you're looking in your SIEM, you're doing IOC hunting, you're usually focused on that lower end of the pyramid of pain. The four of you in the room, does everyone in the room know what the pyramid of pain is? Excellent, they're nodding heads, just for the recording. The key components to this typically are that it's minimalist, right? We're focused

on automation, we want speed, we want IOCs, we want to get this in front of the person who makes a decision kind of quickly, right? Oftentimes the initial focus from a security perspective on this portion of Intel is actually about speed to detection and then, you know, quickly remediating. Unless you're part of the IR process, it's not really in the investigatory realm. Whereas, I'd say, compliance is about knowing, then enhancing or enforcing, and then understanding, right? So it's about knowing where your vulnerabilities are, knowing which patches to apply, ultimately enforcing specific rules and leveraging that rules enforcement to make sure the patches are applied, so something can't get on the network if it

doesn't have the appropriate patch, making sure that if it does then it's got access to the appropriate credentials, and making certain that everything actually runs. It's specifically about protecting against exploits. So the understand component is really where the vulnerability portion of this actually expands, right? It's no longer just knowing, it's not just running Tenable or Nessus and bones, you know, vuln scanning and finding out what's there; it's looking at everything, right? Enforcement leads to understanding. Ultimately you want to look at everything from when you've deployed an application all the way through when those applications retire, because applications almost never retire. At least in my 20 years it's really hard to find somebody who's actually finally

killed an application. I think I can remember killing Lotus Notes, but a lot of times applications still find some way to live on in some arcane process. And so we want to make certain that we understand what the service criticalities are and what our enforceability is amongst users in that, right? So if we're looking at threat and CTI sort of from that vulnerability perspective, ultimately we've learned to look at it, if we're a mature organization, we've developed, you know, sort of a gold, silver, platinum, bronze, whatever you want to call it, matrix of, I guess the best way is service criticality, right? What is it, how does it affect the business? Once you've done that, you

know the exploitability of specific vulnerabilities and the risks associated with that service being exploited, right? You've got to engage with the line of business (I apologize, I tend to walk). You understand the way that engages with that service, engages with the line of business, and ultimately what the risks are then to the business, because you've got to live in that space, right? Typically you prioritize based upon execution of proof of concept, right? If you're just doing it based upon CVSS score you're doing it wrong, period, the end. You've got to know what exploits are out there, which ones

are actively being exploited and weaponized, and which particular pieces of malware are targeting you as an institution: understanding who you are institutionally, organizationally, and then determining which of the applications are the most important, right? And there's gonna be a theme to this eventually; you'll pick up on it. If you came from a cyber defense center, you've been in SecOps, typically it's more of the see, respond, hunt as you mature in that space, right? The first focus for anybody who's developing a security operations program with threat intelligence, and you talk to the SOC manager, the first thing they want to do is they want to see those IOCs. They want to know when

I've communicated out with that C2 channel, right? That's a big deal. Well, yeah, they want to know when files that shouldn't exist do, when certain things have been dropped, when something bad has gone on; they want to know when something is executing that shouldn't be executing. Again, this is all about just like reactionary work. It's ultimately level one SOC operations, just more than just correlation, right? It's actually starting to get a little bit more interesting, and actually interested in what's actually going on, not just looking for alerts off your technology. The next step as you mature organizationally is in this response phase, right? It's like, oh, I need to find

everybody who talked to this bad computer. Well, I need some tools that help me do that, or I need some capabilities there, and the threat intelligence helps them understand: okay, I know that if this was the C2 channel that was communicated to by this laptop, that C2 channel is associated with this adversary group, and this adversary group tends to then map out internally using PowerShell. Well, if I go back to the rest of my logs, identify PowerShell commands that have run on that laptop, and see who else this device communicated with internally, it's part of that response process, right? Also, obviously, using it to lock down people,

right, using Intel to lock down somebody who's shown up in an alert: oh crap, this device has got three pieces of malware on it that just tripped, but we don't know how long it's been there because those files have existed for at least seven days. Want to lock it down, knock it off, slide it to the side, and then eventually looking at sort of spread, right, using these IOCs, the pattern matching. It's kind of that like second generation investigating, right? I'm not doing a true evidence collection or, you know, evaluation of the compromise in the network as of yet; it's more about getting things together. When you get to

the sort of third tier from a maturity perspective in a cyber defence centre, typically you're looking for IOCs without evidence of compromise. You develop tools, you've got things in place that allow you to take, you know, expansive TTP and look within the environment for those things: Enterprise searches for combinations of specific mutexes, DLLs and file hashes, or communication patterns, you know, if TCP headers look like they're oversized from certain devices, combine that with a change in a registry key on a Windows laptop, that's going to identify that maybe somebody's doing some TCP packets nothing, they've changed the DLL associated with the network and they're actually exfiltrating data in TCP headers, right?

These are all things that you should be looking for. So it's all that like hunting around for dead bodies, ultimately, right? It's no longer just waiting for somebody to come to you. It's: you know who you are and you know what you have, so you start hunting for the hunters, right? We're now at this point sort of like thinking about the adversary that's targeting us: what should we be looking for that they like to use? I believe it was Dave that opened up in track one this morning, talked about and showed, you know, the experience of various TTP for various APT groups, or Monkey Panda, blah blah blah, pick your favorite nomenclature.

There's a great Rosetta Stone that maher forces put out; it's on Google Docs, it's actually really fantastic to use. But, you know, you know who they're targeting, you know what their TTP looks like, search for that, because in all likelihood you might not have any alerts on it, because, you know, if they're the really good ones that are at you, you're partly screwed, I mean, you know. So you've got to go start finding that TTP yourself, because your technology is probably not going to alert on it, and if it is then you have done a fantastic job of tuning your technology and I'm proud of you. So this is one of the things that I like

to apologize for: security versus threat intelligence, or threat intelligence in general. Typically from security, you know, we think of it this way, right? There's two job functions. CTI: I want to know, I need to understand, right? So I'm gonna spend time researching, reviewing, watching through the logs, and not tipping off the adversary that I have found them, right, because I need to know where they're going and what they're doing so I can better protect myself later. Not only can I contain them now, maybe building out virtual systems to slide them into and find ways to ultimately contain them, but then identify what it is that they're doing long-term, performing a long-term investigation,

ostensibly, right? I'm doing an Intel op against an adversary that's live inside my network, and in CTI we want to do that because we need to know more about what's happening. Whereas security, it's like, I've got to stop it, alright? It's the difference between a traffic cop and a detective, ultimately. Typically in security you want to stop the bad man from hurting you, you want to stop the bleeding, contain the threat, kind of call it a day. You're not necessarily working on learning, and this is finally starting to go away. It used to be, like I say, two years ago this was still like a huge, huge differentiator between the two. Over the past two years those four

letters, DFIR, really have kind of started to bring everybody together, right? And this is like: Intel needs to know where they should start looking for things, security needs to start actioning on what Intel has provided them with, security has to instrument so Intel can identify, and it actually kind of comes together under this model that I think ultimately has changed and is continuing to change. Now, if you look at organizational maturity over the next five years, I'll say we'll probably reach about 30% of the organizations globally that will get to the point where this becomes a regular methodology. I would say in the last two years it has gone from half a

percent to about seven percent of the organizations, based on the ones that I've worked with. So I spend a lot of time traveling the globe, and yeah, seven out of a hundred now at least have some sort of connection here. Many of them are starting to actually jump on the CTI train, but they're still focused primarily on indicators, they're still focused on that SOC operations mission, and that's good, it's a step, but we want to think about this in a bigger way. Yeah, so I'm gonna sidetrack for a second, but I'm gonna get there. So the whole point of this was about the five laws of librarianship, where they kind of came

from. So this is an interesting thing. I was in Virginia two years ago talking about threat intelligence operations at a small conference there, and I was speaking with somebody who mentioned this sort of five laws of library science. Her name is InfoSecSherpa; follow her on Twitter. But I started doing research on this, and this kind of became an actual mantra for me as I realized that these are kind of the ideas that we need to build our threat intelligence operation around. So historically speaking, S. R. Ranganathan in 1931 came up with these ideas: books are for use, every person has his or her book, every book has its reader, the same,

we want to save the time of the reader, and the library is a growing organism. From a CTI perspective all of these apply; we're gonna dig in a little deeper. So this gentleman, you know, he started as a mathematician, worked in Madras, Chennai. If you've never been, it's actually beautiful, there's beautiful temples, it's a great place to go. In 1923 he was put in charge of the library, and you put a mathematician in charge of a library and things get a little weird. So this is where the idea started to come out of: he didn't actually want the job, but he was kind of not given much of a

choice, and as he started to get into it this became sort of the mantra. So law number one: books are for use. So this is really the basis for all of library science, if you think about it. Books were often chained, you know, in the olden days books were chained in the library to prevent their removal, right? Which meant people couldn't use them; they didn't get access to them. Librarians were primarily focused on preservation, and that's not what good librarianship is about. If we think about it, we want people to use these books, take them out, we're gonna put them back. Same thing goes with an Intel

operation, right? Books in this case are intelligence reports. Intelligence reports are meant to be used by people within the security operations team, right, by people within the D4 organization, by people within vulnerability management. We have to create intelligence reports that are usable. If we don't, then we're not doing our job as Intel operators, as Intel analysts, and ultimately as stewards of our organization. So number two: every person has his or her book. So thinking about this, right, your idea is to serve a wide collection of patrons, right? So from a librarian's perspective they've got a whole list of people that they want to serve in their community. Well, ultimately, when we think about

as information, sorry, as threat intelligence operators within an organization, our community is our organization, so we have to figure out what it is that they need from us. So every person has a specific need, and there's a report that is designed, or a combination of reports that ultimately are designed, for those readers to make sure that they can make effective business decisions keeping the company secure. Third one: every book its reader. This is literally just the reverse, right? So they have a place in the library even if there's a smaller demographic, even if this is only meant for the M&A team, right? Even if I'm only building, you know, this specific subset of my components

for the mergers and acquisitions portion of my organization, there is still a niche and a need there, and I ultimately have to meet those requirements, because if I'm not meeting their requirements they're gonna go elsewhere. So again it's about knowing who we are organizationally and making certain that we're meeting the needs independently. So thinking about it from this perspective, again, no matter how narrow it is, we have to make sure that we're creating reports that are usable. Save the time of the reader: this is important, because one of the things that I learned early on in my transition was writing giant 20 page reports. Everybody hated you; they got

ignored, and then ultimately I went way too far the other way and started putting everything in machine readable JSON or XML, and again nobody paid attention to it. So ultimately it's coming down to building a model that allows for you to save the reader's time. Bottom line up front, the BLUF model, it works. It's very straightforward: it's, you know, a very short summary that's gonna be able to get immediately to the action, then work your way down to the technical details for the folks that are going to read the report that need the technical details or need the automation scripts. I'm building the report in such a way that matches the organization's needs. If you

don't have a technical operation, say you've outsourced your entire cyber defense center operations to an MSP, then you probably don't need those technical details unless you've got one or two hunters in the environment; you just need sort of the strategic stuff. Lastly, the library is a growing organism. So this is one that I think is often overlooked as well. Reports aren't static; they have revision numbers, right? Like, just my slide deck here said draft 4, right? I've gone through four different versions of this; actually I've probably gone through about 16 different versions of this before putting it up today. On average every report has a lifecycle; that life cycle has a terminus point, but

that terminus point can be extended as you change and as you apply new intelligence to that report, or you create an association, right? So understanding that, I mean, they're growing wider or growing deeper, but making certain that everybody knows if I'm growing a report deeper, right? So there's a continuous level of communication between the Intel operators and the consumers of the intelligence, because this ultimately is not a write it and forget it, write it and forget it, write it and forget it mentality. It changes the way we have to interact. So taking those five laws, building out a threat intelligence operation like this is sort of the basics, all right? So I think about it, yep,

sure. So ultimately organizations need to get into, or are getting into, the threat intelligence business because they're looking at it from the perspective of: how am I investing my security dollars? In many cases they're spending lots and lots of money on tools and they're still getting owned up, right? Like how many breaches happened in the last three months? Yeah, it's just the way it is, and, you know, there's companies whose entire business model revolves around incident response and responding to breaches; many of them are big consultancies, and that's what they do. So ultimately threat intelligence is to help guide you down the path of not just buying a

bunch of tools and hoping that this next tool is going to be the one that's going to prevent them from happening. It's about understanding yourself organizationally, yourself technically, and being able to get predictive and preventive in your security controls. So the reason you want to get into this threat Intel operations game is because I'm no longer just gonna hope that I can, you know, build a better fence and keep the bad guys out; it's that I can at least understand who's gonna come at me, and if I know who's gonna come at me then I know what tools I should look for. So they're gonna try to get in, they're probably gonna get in, but I know what I

should be looking for once they do, and admitting that we're not perfect. I've been a blue teamer most of my life; I did a small stint on the other side, and yeah, I can tell. So okay, how often does red team win? Every [ __ ] time, right? I mean, come on, red team always wins; that's why everybody wants to be on the red team and that's why it's so [ __ ] cool. Again, I apologize about my language, I'm sorry, but ultimately red team always wins. We have to be right all the time on the blue team side of things, and so we've got to get really invested in learning about what it is that

they're trying to do, how they're going to attack us, and ways that we can make ourselves better, because we do have to be right every time; they only gotta be right once. It sucks, but it's the truth. So when we get into this, right, thinking about it from a maturity perspective, right, starting off with just your basic organizational threat profile: do you know who you are as a company? What do you do, right? What does the business make? You know, I worked for an elevator company at one point in my career. We made elevators and escalators, but, you know, ultimately what we really were, we were a construction company that had a

huge software development house. We wrote a ton of software, because all of that stuff runs on software now; 50 years ago it all ran on relays and switches and it was super cool. And actually one of the first things I did when I got to work there was I got to build one from scratch, because that's part of the onboarding: it was like you build a little mini elevator, and it was super neat, it was all sort of old-school resistors and stuff, and it's super fun. But ultimately knowing what you are, what you build, and what the organizational environment is like: are we a risk-averse company, are we bleeding edge, do we spend all of

our money trying to be first to market? And then understanding the vulnerabilities and the exposure you have to these vulnerabilities is also important. The next step, stakeholder analysis: usually when we first start building our cyber threat Intel program the stakeholder is probably only vulnerability/patch management, infrastructure and SecOps, but if you're doing it right you start to identify other portions of the organization. This is where, as a threat Intel person, you've got to not be the nerd sitting in the basement. I [ __ ] hated being that person, but you got to not be that person, you got to be outgoing, you got to go to those lines of business, you got to talk to everybody

and get an understanding of what their appetite for risk is. Go to the engineering team: this is how I found out that, you know, we were primarily a software development house. I started hanging out with the engineers at lunch and I was like, what do you mean you're not just building this stuff? And then I come to find out that we had 300 software engineers in 1996 for a company that made elevators. It was kind of crazy. Um, but then I started to identify, well, that's the biggest threat, that's ultimately where the risk is, right, because that was all trade secret; none of it was patented. Everything

was patented with all the hardware stuff, because somebody can just buy one, you know, to just go look at it; software was all trade secret. So suddenly now I understand, you know, some of my stakeholders. Building out consumption use cases, this is the other piece. Again, the SOC typically just wants it shoved in through their TIP, their threat intelligence platform, or right into Splunk or ELK stack or, you know, whatever it is that you're using as sort of the SOC's tool to do the day-to-day look at the things. But there are other consumption use cases, all right? As you elevate yourself maturity-wise, ostensibly, if you're doing it right, you're going to be providing quarterly reports to the board as you

mature yourself from a threat Intel perspective, and the reason you're gonna be doing that is because you're providing them with an idea of what the risks to the organization are that they need to look at for the next three months, the next 92 days, and things that you suspect they should be taking into account as they're making business decisions associated with the company. But you've got to understand what their appetite is, right? At first, again, SOC guys want as much as quick as possible, but ultimately you're gonna probably start off with these every six months to, you know, somebody in network security that you're going to be reporting to. Once you've made the identification

of who the consumers are, what the roles are, and what their appetite is, that's when you get into PIR development. So you're building out your intelligence requirements. This is actually important, because I need to know: what are my intelligence criteria, what is the categorization that I'm using, what is the intent and expected actions on said intelligence, what kind of products does each of the various groups want, and ultimately what are the collection sources and methods that I'm going to use to be able to generate my Intel from, you know, and put it into the library, ultimately, right? Because again, thinking about it from that perspective, we are no longer just working as

technical operators; our goal is to build this library for our organization. We start to build practices, and this is where that librarianship really comes into play: lifecycle management for threat Intel. How long is an Intel report valid for? If I'm updating it, what am I doing to change it? What are the standards? What's my peer review process, right? If it's just me as an Intel analyst and I'm the only one for the organization, then I don't have a lot of peer review process, right? I'm just trying to get to the point where this is important, but I've got to find some way to

at least get it through grammar oftentimes some of your favorite folks to work with in this are legal and marketing because those people love to screw with your handwriting they like they like to look at it and be like that makes no sense or that you can't legally say that well that's good because it's a starting point from a peer review perspective it's at least getting you to the point where you're going to be able to produce reporting that meets their you know sort of their understanding so again getting to know people outside of the the CISOs sort of domain the glueten the global security office whatever you want to call it is important in these

cases what are the supporting technologies so as you're building this out you're moving into building out threat intelligence platforms and using those threat Intel integrated into day-to-day operations your into tier 1 tier 2 2 or 3 Sauk operations what's your content management system building analytic tool sets right so I need to build out a an analyst workbench that's going to allow me the afford me the ability to start doing node and edge analysis right these are those next steps as I get more and more mature ultimately full of fulfilling into a capabilities matrix that allows me to basically build you know repeatable communications create a you know an internal communications platform that allows me to reach out to

everybody inside the or inside the company key off here in strategic and operational decision support so this is another win you'll know that you've made it when they start asking you hey we're looking at buying this company or expanding our operations into Costa Rica or into Chile can you help us understand what the threats are how's that gonna change us organizationally which new adversary is going to be targeting us and what are the tool kits that we could expect them to use against us because of this change it's an interesting question and it's it's not properly formed but that's the way that question is gonna come at you and then spout the idea of taking that improperly formed question

understanding the intent of the question and being able to provide them with the appropriate response that allows them to make a solid business decision because they're gonna ask a lot of questions and they're gonna not make sense as you start to build out what it is intelligence means and the types of questions the types of RFI's you're gonna intake so I went through them sort of elsewhere but realistically this is the convergence points right intelligence reports are written for a purpose not just because they're cool man every person has his or her book the requirement should be built around each members use case right so build the socks get the socks use cases get the

executive teams use cases get infrastructures use cases build those requirements every book it's reader each report should have at the very least one of the PIR is in mind at the very least and if you can cover as many PIR S&S ir inside a report great you're doing it you should cover as many as possible that still marry ultimately to the goal of of the report itself right in a way that meets the needs of the reader make sure that the report that they're able to look at it in 30 seconds and determine if this is something that they need or not it should be as simple as glancing at the first three lines no I

need it or I don't need it and move on because if they have to read two pages to determine that that was that they don't need it you've wasted their time and then the next time they're not gonna look because we're always wrong until we're right and then again actors ttp adversary everybody changes we need to understand that our library of reports is going to constantly change as well and because the bad guys are changing we have to change so we have to make sure we're serializing our reports that we're doing the right things to identify within the library itself what is the most recent version of this report and how does it apply to us today so I go

back so I'm flipping back to what is the actual cycle for generation of intelligence all right so if we look at it from a capabilities perspective that was kind of what we think about the operation but this is actually building out an Intel report right documentation of all your requirements leads to gathering your data and information from all of your sources right so once you know what your requirements are you're performing the research if you've developed a large extensive organization where you've got analysts and collectors the collection team is taking the requirements and using those from those analysts to go off and find the stuff that you want them to look for now those collections teams can be human

intelligence they can be signals intelligence experts data scientists whatever these are folks that are going to be able to take the majority of this information and goes based upon the requirements that have developed that you've developed as a as an analyst go get you the stuff that you need ultimately it goes into a normalization structure this is where you bring everything together it starts to make some logical sense you process this found information and by processing this inbound information you're going to be able to use this to produce your intelligence right this is where analytic tradecraft comes into play because you're taking the hypothesis that you originally generated with your planning and your requirements development ultimately turning it into a

piece of production and at that point this is where things cycle in in the government space something like between research and production this can take months in commercial intelligence organization this takes hours days right ultimately this production process is where we've gone back validated our hypothesis to determine whether or not this is actually correct and if it is correct producing the report getting it peer-reviewed typically by individuals that are both within our area of expertise if we've gotten to the point organizationally where we're able to specialize right into cyber criminal organisations activist organizations I'm a Russian language specialist I'm a Chinese language specialist whatever because oftentimes if I'm a Russian language specialist when I look at it

when I look at what's happening inside an environment I'm gonna call it Russia because that's who my boogeyman is so I need to get it looked at by other people to make sure that I'm not myopic that I'm not biased right that I'm not applying my own cognitive biases to my report generation so this production cycle should take a few couple hours a couple days a couple people right different areas that are going to review the review your final production and then ultimately disseminate it right so that dissemination process is everything that you've built right shoving the IOC s into the tip which ultimately go to the CDC generating the new report that goes to the executives in the line of

business that are pardon me that are associated with this and then getting feedback every report should have a feedback button on it because it doesn't then again you're wasting their time if they can't tell you that this didn't help them then they're never gonna fight you're never gonna find out that it didn't help them and they're not gonna look at it the next time we are trying to put things in front of them to make their lives easier and it's it and we need to get their feedback to make sure that we're making their lives easier pardon me while they take a drink of beer [Music] yeah but one of the biggest things here is quantitative data is important but

you also end up having to put human judgment on it right data scientists be damned I still need my gut to make sure that I look at something and it's right I don't get me wrong I love data scientists because they make such cool things that allow me to identify outliers but I still need to be able to judge the intent of something and we haven't gotten to the point where I where I feel that that has sentiment and judgment analysis has gotten great in in sort of the machine learning and AI models yet it's getting there but it's not there yet five years from now I'll probably be like screw it all we're done hey I can

do everything but right now it's not the end of the day I like to say good Intel program is like good books or like good journalism because ultimately it tells a story every good report should tell a story it should tell you what is happening where it's happening when did it or will it happen how did it happen and why the [ __ ] are they doing it right it's actually those same sort of like journalistic questions that we all learned in like fourth grade when we learn how to write an essay right answer the who what where when why and how ultimately that's really what we're still doing right we're generating a narrative that is easily consumed and it

tells the story about why is a pt3 coming at us next week using China chopper and in order to get at our our intellectual property because we make super giant tractors it's a completely random example I just made up but ultimately these are just like good books so this is a problem that I have right it's a library it's a lot of books it's a lot of reports I've been trying to find the right tool and a lot of the threat intelligent platforms are really good at sort of storing things in XML format or in JSON and and I think of this as books right so I've been trying to mess with different tools that allow

me to create content that matches my needs all right so how many of you have a giant library of mp3s and/or movies videos yeah I'm not gonna you're not gonna but right you have a plex server you have in my case a media monkey library for all my for my music calibra a for all my from my books but what are these do these are all about like taking different media different content and putting it into a way that I can find it all right so it's about taking the content that we've generated putting it into a way that makes sense to me it makes it so that all my books are available to me as a

reader it makes it so you know every reader has access to the appropriate books so somebody can just crack open the media monkey that's associated with my with my appropriately tagged mp3s and be able to identify I'm looking for all of the 1997 hardcore Bay Area Punk boom it pops up there it is right this turns into what I like to think of as an autobiographical definition of our library guess he was right when he categorized all his records autobiographically ingress boy blank ultimately I think that's what we have to do from an intelligence perspective so we think about ourselves as an organization we think about what our what we're being targeted with and how we're being

targeted we need to build this library in a way that makes sense and the only way it's gonna make sense to the lines of business to the organization itself is if we build it around ourselves autobiographically we know who we are and what we're being targeted with and why we're being targeted we build the appropriate tagging mechanisms that match the language that we use internally that means that there is no specific set way that you're gonna to use different language than what you're gonna use when you build your library because to you infrastructure maybe they may use CPE for every piece of infra it and for you they may use like the common canonical name very different right so

understanding from an autobiographical perspective what is the linguistics that we use what is the lingua franca if you will love us organizationally and who are we ultimately building the reports in a way that makes sense to us so that always when somebody goes to our internal site to see what the newest threat Intel is the things that are most important to them and pop up first which means we need a custodian and I know that sounds really bad because you want to make sure that everybody has access to this information but ultimately in order to make sure that it makes sense we need somebody who's building the requirements of the data sources themselves whose role is to update these

repositories it really is the job of a librarian library science has been around for a long ass time a lot longer than we've been in InfoSec a lot longer than we've been in in you know technology you know pretty much generally all right I well we can get into very specific debate about what technology is associated librarianship blah blah but technologies as we think about it post IBM you know giant computers when we when the term bug still meant moths right librarianship has been around for a much longer period of time and because it's all around custodian being a custodian and curating information for our users and so we need to find somebody who can do this for us

cataloging and tagging on the assets making certain that we've developed a strong methodology around this that's where librarians actually come into play so thinking about it this from this perspective folks that have come out of journalism school typically don't have jobs I mean I hate to say it but every citizen with a webcam and a iPhone is a journalist now so journalists need jobs they're really good at writing they're really good at answering those questions and it'd be quite frank there's a lot of institutions that have really good Jai schools they could easily transition to Intel schools there's a lot of small Intel schools on the East Coast and I would be willing to bet if you came out

of a J school journalism school you could probably write Intel Intel reports as good as those folks that come out with specific degrees in intelligence analysis librarians as custodians that's also important I think we should start sealing them as well and then weather forecasters just not just because they're really good at you know grabbing the the sort of weather data but ultimately because they're really good at processing large quantities of complex information and making predictive analysis with area with with confidence scoring right if we don't have good weather mapping then planes go down ships sink Marines don't get on beaches whatever you want to call it right so a lot of investment in weather forecasting and data science is really

data science and weather forecasting actually are hand-in-hand and the ability to be able to pull those things together I think is something we can steal into the Intel organization as well so as we look at it holistically we build out these are the types of people we should probably be looking for as we move from just me as an Intel analyst for a company to building out a threat intelligence operation for my organization if you build the ops with the team building in mind if you can get three headcount you're way ahead of the game get an analyst a librarian and a technologist that technologist is solely responsible for building out the technology that underlies your platform

ultimately then that analyst of the librarian whoever is more personable gets to be the person that goes and talks to the executives line of business the IT physical security all that [ __ ] because that is the person who's actually going to be able to extract the requirements from those individuals put the technical person on vendor analysis because ultimately that's really a great spot for them being able to identify the various technologies determine which repositories are good what content is good and then play that back to the to the lob x' as well so you turn that into a really good cycle and again continuous engagement build your budget build your business case and make certain that

everybody looks that it looks like that money that they're giving you to spend is actually being spent wisely the technologists then is typically engaged in the integration and processing strategy ultimately this is where your analyst is performing the enrichment or decoration whatever you want to call it they're taking your own intelligence fusing it with the external vendor data source and then generating this these first sets of Intel right and that's typically if you've been brought in as the Intel analyst to run this that's your role right you build in your context associated with the third-party data that you've gathered now whether you're using any outside vendor or OSINT or whatever doesn't matter it's application of your own context and a

contextual awareness that have come out of these requirements building into the enrichment which generate the reports which then you disseminate and again come back to the feedback loop because this is got to be cyclical where do we keep [ __ ] this up we all want this operational search and focus and indicator driven every time we we get engaged in this we're typically these are the first two things I got I got a million false positives on my spunk because of this or I didn't see any hits I'm looking at it just in that space typically those types of requirements ultimately are gonna mean that you're from a budget perspective you've got like two years before they're like we'll

just go do something else the budgetary entanglements also happened because oftentimes this organization doesn't fit quite under the cyber defense center but doesn't fit quite under vulnerability and doesn't really fit under audit you got to kind of navigate your way budgetarily so if you're part of a threat Intel operation organizationally you've got to find a way to get your own budget and if you don't have your own budget to make certain that you've got a nice piece carved out of whoever's budget you're sharing because the first couple bits can get costly and it doesn't look like you're gonna be immediately returning ROI another thing that typically happens is yeah focus on the actionability not the information quality people just want

that thing to like light up right away and it's not always gonna do that so I'm gonna complain about something actionable intelligence I [ __ ] hate that term because actionable intelligence what does that really mean actionable intelligence doesn't necessarily means that it's something that I can immediately you know take take action on well if I'm immediately taking action on it wouldn't have been great if I'd had an informational intelligence report about it two weeks ago which meant that I wouldn't need to be immediately taking action on it right now I just think about the idea that actionable intelligence tends to be indicator focused machine formatted it's really again of the moment or as informational intelligence is

requirement driven it's research it's researched out its the books in your library typically written right now to analytical standards it's designed for humans oftentimes is complicated to parse but if you've done the requirements build you've delivered you know what your research purposes are you've created both structured and unstructured content within your within your intelligence reporting informational intelligence is incredibly useful and you're able to gain actionable capabilities outside of the informational intelligence [Music] so we're almost done I think one more thing a typical approach for building out a program starts with establishing and updating your foundations building the assessment the capability and training your resources ultimately this is a cycle because again we've got to be

able to do this continuously I know I'm almost done where does all this stuff come from you know obviously you've got to be able to do your in-house collection your security products your information systems all the business plans that you've got have you ever read your organization's 10k you should because ultimately that's gonna identify what is actually important to the [ __ ] business and if you know what's important to the business you know what you're protecting when you look at the vendor side of it you've got to find vendors that have good talent and have a good access and ultimately that give their analysts time so if you're at third-party vendor evaluations these are

the questions you should be asking the vendors but your in-house collection processes you know I sacks are a good place to get to get raw content osoon sources again all of that fits into building your into building your library your Intel library ultimately that's that's about it so I five minutes before I go there's my Twitter there's me yeah we'll leave that at that questions yes

so I haven't found any writing on it as of yet that doesn't mean that it's not out there i what i find is anecdotes actually work pretty well in these cases and I hate to put it to put it on the on sort of that anecdotal terms but to be quite honest ah that's usually being able to say hey you wouldn't want me over here studying the Chinese threat when to be when everything that we're producing is actually being you know mass-produced in Estonia as well I could be spending all of wasting all of my time and money looking at that when I should be looking over here it's finding those different things I like to take use cases that

come out of like some of the vendor reports right so recorded future fire I eyesight even Symantec has some decent Intel reports being able to pull those out and use those to be able to build out that this is why we looked over here instead of over here and that's how we were able to prevent this from happening I think those are actually good anecdotes but I haven't found a book yet maybe I should write one I don't know but but that needs to be done ultimately there needs to be something that's done about that yeah it makes a lot more sense and getting that out of the yellow bees actually works really well at that

point right if you talk to them about they're talking to them about their business now I was deflecting it back to the security side but yeah from the business requirements yeah talking to them about their business that's why I like the story of how I first started you know found out how many softies we had right it's like I just started hanging out in the cafeteria with all these people that I never saw before and I found out that they were all writing stuff on cue niché's and there were a bunch of software engineers and then I they let me have access to the systems and I realized that they were putting elevators on on computer networks and I

was like y'all are stupid and they stopped doing it but needless to say those understanding the business requirements and why they're making the choices they make is actually it is very important I'm sorry any other questions all right thank you so much [Applause]