
Hey, welcome everybody. Hopefully you guys can see us all. Yes, we are live now. Okay, putting us in a second. There's an error on our side, on the B-Sides team: we originally had this in the schedule, and apparently when we put it in the platform we put it in for 1:30. Smart enough to grab me, and we ran in here. Okay, so we are gonna make it happen today. So welcome. This is a CTI career panel. I am Annie Piazza. If you haven't heard about me yet, you probably haven't been tuned in to B-Sides at all today. I do many, many things, right? I am the director of ops here for B-Sides NOVA. It means I get to troubleshoot all the problems; thankfully today I have an amazing team downstairs doing that stuff. I'm also the chief evangelist for FIA LLC; we do some pretty cool stuff here in the Northern Virginia area and Raleigh and Eagan, Minnesota, a couple other areas. But my actual day job is I'm a threat analyst. I'm on what I consider the consumer side, right? I support a SOC. I think there's a big difference in what we do on the consumer side versus the producer side, so I kind of want to call that out early. But first we're gonna go around the horn, do some introductions. My buddy John here is next to me, so we'll go with him first. Go ahead, sir.

Hey, I'm John Cerner. I'm not the John Cena from Splunk; that's a different person who also is in cybersecurity, just to be clear. So I am currently back at Booz Allen Hamilton for the third time, so they keep hiring me, so that's awesome. I'm a cyber strategist with them. I'm not in a CTI role at the minute; I'm working on some crazy cybersecurity for our virtual reality 5G application, so that's crazy. I still consider myself a CTI analyst; that's how I still identify. So we'll talk about all my time as a CTI or cyber counterintelligence analyst, maybe, as well. So I'm happy to be here. Miss Brandi?

All right. Hey guys, Brandi Harris. I am a CTI analyst; been a CTI analyst for almost four years, but I've been an intel analyst for almost 10. I work for Truist Financial, which is... down here in the South we had BB&T and SunTrust, and they kind of merged into this big giant baby, which, by the way, I don't ever advise working for someone in the middle of a merger; it's had its unique set of challenges. But yeah, happy to be here. I love CTI. I used to work with Annie prior to this at USPS, so yep, looking forward to this.

Yeah, so welcome. Another one, Katie's gonna join here in a minute when she gets a chance. She was still planning on 2 o'clock because she read the original email; that was on our bad, again, on the B-Sides team. So if you don't know Katie Nickels at this point, you're probably not on the internet. I'll let her do her own intro in the middle, but obviously she is a SANS instructor. She's also at Red Canary as their threat intel director; I think that's her first official title. She helped get MITRE ATT&CK off the ground. If you don't know about MITRE ATT&CK, you don't know about Katie. I am very excited. I'll say this before she joins: I'm the one hosting her panel, so basically pretty legit. Maybe that's why she didn't show up. Just kidding, I love Katie to death. She actually had me on her SANS STAR webcast a couple months ago, and it just went live to YouTube this week, so go check it out. She's absolutely awesome, a super humble person to talk to, super smart, and I can't wait for her to join when she gets a chance. Oh, I think she's coming in now. I said all those nice things about her.

I heard all the nice things via the airwaves.

Hey Katie, we are just doing intros. Go ahead and do your intro; tell us who you are, where you work.

Yeah, absolutely. I'm Katie Nickels and I'm the director of intelligence at Red Canary. I'm also a fellow at the Atlantic Council, and I teach FOR578, the SANS cyber threat intel course. And yeah, thanks for being patient; I had to finish up my peanut butter and jelly sandwich, otherwise I wouldn't be fueled up for this. So I'm really excited to be here.

I am jelly. Wait, can I say that? Is that too punny? So you know, one of the things I talked about in my intro was I am on the consumer side of threat intel, and I think that's important; you talk about producer versus consumer. I know when
I started early in my career, we're going to get vulnerable here, so get ready to cry, right? When I started early in my career in CTI, I would read these FireEye reports, these CrowdStrike reports, and be like, how do they do all of this? How? And then you only see the authors' names, like one or two people. Like, how do they know Russian and malware analysis and network analysis? Like, I have so much to learn. And I got so overwhelmed, because I kept reading these vendor reports, and government reports too, and thinking, oh [ __ ], I am not good enough for this job. And I spent a very unhealthy first couple years in my career going home every night and studying. So one of the things I wanted to highlight here on the panel was that kind of a shared experience with you guys. I know some of you have been on both sides, producing and consuming. We'll go to you first, Katie, because I think everyone thinks you're a rock star, right? But what about when you first started? How was that experience?

No one's a rock star. We're all mere mortals, we're all learning, we all don't know everything. I think that's the toughest thing about CTI, and maybe infosec, cybersecurity overall. Like, even in looking at infosec there's so many jobs, but even in the realm of CTI there are a bunch of different things. Like, I am not a malware reverse engineer, but I work with them and I know when to use their skill sets. And so I think that everyone has that challenge, whether it's in infosec overall or in CTI. And so I definitely dealt with that early in my career. And it's kind of funny, because you realize, like, when you first start out, yeah, you're like, oh my gosh, these people are all amazing, and then it's sort of like boiling the frog over the years: you just keep learning. And most of my career has consisted of listening to other smart people, thinking about what I think of what they said, and then deciding what I think for myself, and then saying those things. And it's weird, because after a while you're like, I've been doing this for over a decade. But you know, I think, right, everyone, even rock stars, which, let's just throw that right out of the window, no one's a rock star, everyone has something to bring, right? And there's so many different areas and skill sets. So yeah, it can be intimidating, but right, like, don't be afraid to ask questions, don't be afraid to jump in, and realize that no one knows everything.

Yeah, that's a good point. Brandi, did you have a similar experience when you started out?

Oh yeah, absolutely, for sure. And I find myself, four years in, I still kind of feel that some days, where it's just like information overload, and how does everyone keep up with all of this? Like, you know, it's definitely a struggle.

So yeah, John, I know you struggle with that. We kind of talked in our workshop yesterday.

Yeah, and I talked about this earlier as well. Like, when you're starting out, right, I reference the NICE framework: there's an all-source cyber analyst, there's a threat warning analyst, and they lay out all the KSAs, but an entry-level person in the field shouldn't know all of those KSAs. Like, that's not the goal, to know all 5,000 things that NICE lists. And this is a career where you're going to continually learn, hopefully, whether it's a CTI specialization or you change specializations or, like myself, you go from a CTI role to a non-CTI role. So everyone has that impostor syndrome. So if you're new and you're trying to get into this field, you kind of got to narrow down what you're trying to study, because if you try to study everything simultaneously you'll feel overwhelmed. So try to get a mentor who can help you narrow down your focus so that it doesn't feel so overwhelming all the time.
Yeah, no, absolutely. That's a big point: it is overwhelming, and there is a lot, right, you can learn. And it's not just for CTI; anywhere in infosec, if you're a SOC analyst, risk analyst, like, it's very easy. Even, you know, on red team, right, there's a lot of technology to go beat up and hack. But the reality is, you know, it is a team effort to do CTI. One of the challenges of cyber threat intel is we have to have this whole intelligence discipline of analytics, right, and structured analytic techniques, and we talk about our fallacies and our biases and mental models and all these really cool, you know, normal intelligence stuff. But we also have to understand, like, what the SOC does, what their processes are, because that's really our collection. We talk about the intel life cycle; if you haven't seen it, there's a great webcast out there from SANS, I think Katie was the host maybe, talking about the intel lifecycle. But like, collection drives everything, right? And so if you don't understand how your SOC gets the data that they get, either what they've analyzed or what their events are, you know, going into the SIEM, whether it's Splunk or ELK or whatever, you're gonna have trouble with the technical part of analysis, or the difference between dynamic malware analysis and static malware analysis, or pcap, or forensics, or risk models, or what the business units do. Like, all of that stuff we have to know a lot about, or at least a little bit about. So just be selective. And understand, I think, you know, my advice there is figure out what's, like, the most important stuff that you need to learn up front, but realize who the smart people are in your organization. Like Katie talked about, go talk to the malware analysts and, you know, be vulnerable. Like, I remember we were writing a product one time when I was at US-CERT. I sent in one of our analysts to do a product on a malware family, and he emailed the malware lab; he's like, can you give me all the IOCs you have for this malware family? It was like PlugX or something that's been around forever. And the dude from the malware lab comes down like 15 minutes later and he goes, hey, I burned all of the hashes and all of the IOCs we've ever had for PlugX and they're on this CD-R, like, that's our DVD-R, that's how many IOCs we have. And it's DHS's malware lab; they got a lot of samples. Or I can email you a YARA rule that detects almost all of these samples; do you just want to share that instead of all of these indicators? And we're like... And this wasn't even the samples; like, it was literally just the observables, like the hashes and stuff. And so we were like, learning moment. Yes, I think I'd rather, you know, share the detections than these, you know, 10-year-old hashes, right? And so, you know, we humbly learned that day, and I continue to humbly learn.

So part of that about learning, though: what is one part of our career field that you just continue to see as, like, that's not for me, or, you know, whatever that is? Who wants to go first?

Go ahead, Brandi.

I will have a hard time understanding Kubernetes. I have read so many freaking things about
it, and I try to, like... I just, it's still, sometimes I just look at it and I'm like, is this Pig Latin? Because I don't know what this is. So that's one thing that I'm still trying to learn, some of those technical things, still. You know, some things I get really, really quick and easy and I can remember, and then some things, like I said, every time I'm like Google, Google, Google, because I can't ever seem to really catch on.

John, what are you still struggling with?

So thank God for Google. When I was getting my associate's degree, which college is not... I don't agree, so I have a lot of certs, like... Scripting and programming, like, it's just not my thing. Like, I'm just not good at it. I try to lean into other strengths as a cyber analyst, right. And we could talk about this more in a minute, but like, even within a CTI role, even on different teams, people will have things that they are stronger or weaker at. So like, you know, this might be the guy who knows all about the GRU, and, you know, that's the North Korea guy, this is the person who knows Linux. So like, I'm not the programmer or scripter; you don't want me doing that, definitely.

Katie, any dragon you still haven't slayed?

Oh, I mean, I'm never going to slay all the dragons. I'll add on to John's: like, I am not a coder. So, to be vulnerable here for a second, I came to Red Canary a year and a half ago, and I hadn't used Git or GitHub day to day like my team does now. It's a very engineering kind of company, and like, for several months I was like, oh God, what have I gotten into? I was terr... I was scared to ask questions. You know, people have mentioned that, like, being fearful of showing that you don't know something. I was super lucky because I have amazing teammates who are like, no, you're good, like, here's how to set up your VS Code. And like, now I know how to do like 10 things in Git and that's enough, and then if I mess something up I just get an adult. So coding is just not something... I can read code, sorta, and be like, okay, if-then, cool, but like, that's just not me. The other one is reverse engineering. Like, years ago I was like, ooh, reverse engineering sounds awesome, like, I can pick apart the malware and see what it does, and so I took SANS 610, got my GREM, and realized, like, oh my God, I don't want to do this. Like, I just really don't like it. I haven't really done it since I took that. And it's one of those skills that if you don't keep up... that's the other thing, like, you would know something at one point in your career, but if you don't do it every day, it's very fleeting. So coding, I've just decided, like, I'm just gonna call on experts and know enough to talk to those experts. So John, sorry, I cut you off.

No, no, you're good. I wanted to piggyback on this point too. Like, when I was just getting into cybersecurity I thought I should be a red teamer, because that's, like, what my friends and acquaintances were like: oh yeah, you should go be a pen tester, red teamer. And that's a path I went down, and I realized this is not the right career path. No, eject handle, like, out. Like, cool, the mohawk's awesome; actual pen testing, like, just probably not my area of expertise. So like, I went back into the CTI realm and I was like, oh cool, I can bring some things I know and then learn this thing that, like, it just feels natural, right? It's a fit. I just wanted to throw that out there too.

I'm going to say all of those for me. Yeah, I did take GREM. Thank God Lenny Zeltser is an amazing instructor; it's the only reason I passed. I had a lot of fun with the dynamic stuff, but, you know, he started talking
through, you know, jump-if-zero, and I was like, I don't know, right? But it's fun if you talk to folks that actually do that; they'll get so excited, like, look, and this is when they changed, you know, last year they changed the way they wrote this, and they get so lit up. Like, you know, anybody that's really into their career, I love watching them get lit up about something. But yeah, I definitely thought malware analysis was going to be the next part of my, like, CTI niche skills. I'm glad that I know it more in depth now, but I'm glad that there are people better than me. But the one thing I always was told: oh, you want to get in infosec, you got to learn how to code. And I suck at all languages; like, I barely do English well. I grew up in San Diego, so I could do a little Spanglish, order some tacos, possibly get in a fight, but that's about it. I tried learning code; I suck at that. I actually found, if you want to learn code, get the kids' books, because the kids' books will explain concepts that the adult books don't explain. And the kids' books, actually, like, No Starch I think has a couple of them, they'll explain terms that, like, adult books just jump right over, right?

Is it like "See Spot DLL," right?

Yeah, no, it's great, man. Hello, over and over again, all day. But yeah, so no, I'm glad that we're able to talk about that, because the career field really is... you know, I'm still learning every day. There's obviously new techniques and stuff coming out, but new techniques, like, of how to do the work too, not just actor techniques. Like, Joe Slowik just a couple months ago released that amazing infrastructure analysis pivoting thing under DomainTools; there's a whole, you know, big, big PDF on how he does infrastructure analysis. So if you want to get nerded out into that, I always thought that was really cool stuff. And for him to kind of peel back the layer and show his methodology... when you think infrastructure for APT stuff, that's probably the guy I think of the most. So like, I love the fact that I get to kind of learn new things now, but it took me 10 years to get comfortable with the fact that I had to admit that I... One thing: I came from combat arms in the Army, and I came from the world where if you didn't know something you got screamed at. So I was always terrified to say, like, I don't know that stuff. And that was kind of my background, my biases, that really screwed up the first couple years of my infosec career, because it was not okay to say "I don't know" and be vulnerable, right? You'd get punched in the head.

So we have a really good question from Carlos that came in: how do you deal with overcoming the feeling of impostor syndrome? I thought that was a really good question, and I'm curious if you all have thoughts.

One thing that I've done, that I've recommended to, like, everyone I've ever mentored, is to keep a list of your accomplishments. Because anyone who, like, struggles with this, like, oh my gosh, I know nothing, I'm terrible, like, as your brain's spinning, it's much tougher to argue with, like, a nice list of, like, here are the talks I've given, here are the accomplishments I made on my team. If you don't give talks, that's not the only sign of, you know, progress, right? Here are the things I've accomplished, here's how I made my team or the community better. It's much harder to argue with that list of accomplishments. It's also really helpful for, like, if you do a, you know, pay cycle, performance reviews kind of thing, being able to hand that to your boss. So I think, you know, listing your accomplishments, like, it's really helpful for those times when you're not sure of yourself. So I'm curious if anyone else has thoughts on overcoming those feelings of self-doubt
that we all feel.

Celebrate your wins, definitely. It's okay to have... we in the Army called it an "I love me" book; you kept all of your certifications and all of your documents. It's okay to have them on an "I love me" wall. If it's two or three walls, we can start talking about having a problem; my wife will probably yell at me. But definitely celebrate your wins. Something similar: Brandi and I, you know, we were a team a couple years ago, and it was right at the beginning of COVID, and everyone was just kind of worn out working from home, their kitchen table, kids, you know, my kids were saying hi to Brandi's kids, kind of a thing. And it felt like a point where, like, work wasn't getting done. And so, I think it was around the New Year too, and I was like, hey Brandi, let's do this in the chat with our team. I was like, let's just, you know, for like 10 minutes, brainstorm all of the things that we accomplished in the last couple of months. And so we had the whole team just, like, putting out projects that they finished. Me and her pulled some metrics from a system that we were using, we were, like, Planner in Teams, to actually pull some of the actual numbers of products we published and stuff like that. And then, like, in 15 minutes we put together a list. It was like, we actually did more work when we started working from quarantine; like, we were way more productive working from home. But you remember, Brandi, like, you know, the team was kind of dragging, right?

Yeah, and it was like you guys said: it was really good to see it on paper in front of you and remind yourself that, like, you do good work, you do kind of know what you're talking about and what you're doing. And what I found that's helpful for me is just talking to other people, like Annie, my peers, about, like, how they feel. Like, do they still struggle with impostor syndrome? And hearing people that have been in the industry for 20 and 30 years say that they still struggle with that, it's like, okay, I'm not alone, it's just a thing, and it's all good, it just keeps pushing through.

So I'd like to hear those shared experiences, because if you meet someone who says that... maybe not everyone feels that way, but, you know, I've never met anyone who says that they don't have moments of doubt. So yeah, that's good, and we have some good questions in here.

So I'll answer this: something I learned from my sister, and it's sort of true, but it was interesting to think about her career. She was like, you know, I've been told "fake it till you make it," and that was, like, for when she was taking some executive roles for the first time: you know, go in and do the best you can and learn and get a mentor. For me it was when I first gave my first talk at B-Sides NOVA 2017, and I was like, oh, like, I can be one of the people that give talks, and that for me was sort of like the ice breaker. There are always going to be people who know something you don't know, right? They have a specialization, they've been in the field longer, right? So understand that none of the people you follow on Twitter know everything. Like, there are some... no, we're not going to say rock stars, unicorns. Like, I have all my, like, speed dial lists, right? Like, if I have a problem I know, like, oh, this person sort of knows everything, but they really don't know everything, but that's the person I would call, like, for VMware questions, right? And I call this person for a forensics question, and I know this person knows about Russia, right, and the GRU and the FSB, and like, tell me one more time why they're different, right? Like, it's all KGB. But like, I remember when I was getting my first role in cyber as an instructor, how long it took me to figure out subnetting. Like, it was explained to me so many times, and then I had to teach it, so like, I had to learn it because I was teaching it, plus it's like I had to understand it. So like, yeah, maybe some of the people look up to some of us, but we all start out where we're learning stuff every day, and we're never going to know everything.

But there's a great question from Frank I think we might want to hit in particular. All I can see is my ring light at this point. Wants to read that? So I think Frank asks us: do we mind defining what CTI actually
looks like at the day-to-day level? So yeah, do you want to... so you're on the producer side, Katie; do you want to talk about, you know, peel back the layer a little bit, what it looks like on the production side?

Yeah, absolutely. So starting with intelligence overall: intelligence is all about informing decisions, and this can be kind of confusing because people are like, well, what kind of decisions? It depends. It can be any kind of decision, whether that's, you know, in terms of the SOC, how they respond to alerts, or leaders, how they, you know, organize their business. So I pasted into the Q&A, and I'll paste it into the chat as well, I really like a definition from Sergio Caltagirone: threat intelligence is actionable knowledge about adversaries and their activities to enable defenders and their orgs to reduce harm through better security decision making. So a couple key things about cyber threat intel: first off, that it's not just raw data, because otherwise what do CTI analysts get paid for, right? It has to be analyzed. Ideally it should help inform some decision, right, whatever an organization is struggling with, trying to improve security, reduce harm, that kind of thing. So I'll drop that into chat as well.

Brandi, do you want to take that same question from your perspective?

I mean, I agree, you know, it's informing actionable decisions. I get a lot of questions, you know, in my day to day, you know, from the top down, like, you know, what can we do about this threat or this threat? How can we improve our posture? You know, what can we do from a countermeasure standpoint? You know, what's the threat landscape now? Like, those kinds of questions that go to inform those big business decisions.

So I always talk about cyber threat intel, that there's different specializations within cyber threat intel, right? Like, most of my career has been on, like, the government, DoD intelligence side, right? So that has a different flavor than if I'm a CTI vendor or CTI producer, maybe, versus a CTI analyst at, like, a big Fortune 50 company. A lot of that day-to-day work may be similar, but Katie, you said, like, you know, the decisions I'm providing intelligence for may be different, right? Like, hopefully none of the Fortune 50 people are trying to conduct cyber counterintelligence operations; hopefully that's in the DoD, right? So I mean, you know, whatever it might be, everyone likes offense, you know, right? So like, there still could be different specializations within industry specifics as well. So that's another thing I like to kind of call out on this point, of how that affects your day-to-day work, as to, like, the purpose of why I am producing the intelligence.

Yeah. So some of the processes are, some of the types of RFIs we get, right, requests for information, on the defender side. My old team and my current team are actually immediately supporting a SOC, security operations center. So we've got the SOC analysts; they're playing firefighting with all the alerts. We've got the incident responders when we believe there's an actual infection or an impact. And so some of the things, you know, we've worked in the past, like Brandi and I, you know, we had an infection of a certain type of malware on a couple of hosts that IR was working, and they reached out to our team and was like, hey, threat intel, can you guys tell us more about this malware family? And so these are the operators, so these are guys doing forensics, so we're not going to be like, oh, well, they started in 2016. Like, they don't give a [ __ ] about when they started or who it is. They want to know where, you know, where they put mechanisms, how are they moving laterally, right? And so Brandi immediately went to threat reporting and started pulling out that kind of stuff and was able to pass it to the IR folks: when they're looking at these infected systems, they're looking at the registry keys with that malware family, impacted scheduled tasks, that kind of a thing. And so she was working with the IR person to answer his immediate questions
over the next couple of weeks as they dealt with this case, while I started actually going and hunting. So while he was looking at those scheduled tasks and those registry keys on that box, I was able to actually go into our EDR and hunt our entire environment and say, do any of these boxes have this registry key, right? Did they already move laterally? And find, hopefully, you know, we did not find any additional boxes popped. And so one of the other outputs too is we were able to find additional signatures in the reporting that Brandi had pulled down, so we got those deployed into our tool for better detection. And then afterwards we actually did a briefing of the whole incident and wrote up a little bit more, actually, about the threat actors behind that malware family, the little history of the malware family, so we could make the whole SOC educated, educate the CISO of actually what happened. And one of the really important parts, right, it's important, when you're briefing your CISO, is not just what happened in the case and what went wrong, because we're really good at bitching; we're like, oh, we didn't have that visibility, that tool didn't work. But we also had to talk about what did work, and the processes that we had already built that worked really well, what visibility was key to us. So at the end of the year when he or she, the CISO, is deciding whether or not to renew that license, they can remember there was a good case or good cases from that tool. If we're not providing that feedback up and we're only complaining about tools, they may yank out a tool because they didn't realize it was key to our success, right? We made sure that was in the briefing. All right. And so the work was doing quick, very, very fast threat research, right? Basically Googling, going in through a threat intelligence platform, going in through paid vendor platforms that we had access to, and finding all the reports possible really quickly, in a chat just throwing out ideas of where they could possibly find persistence, right? And so the folks that were doing forensics were able to check those impacted boxes. We did a threat hunt, we got additional signatures deployed to the environment, and then we actually did an out-brief. So a lot of stuff from a simple RFI of, hey, what do you know about this malware family? So that's kind of what it looks like. I'm really good at firefighting. I would be a really crappy producer on the other end, where, like, folks spend three months researching something; I just would get bored of that, right? So I'm really good, like, immediately after this I'm gonna run downstairs and fight other fires of what's going on with B-Sides NOVA in the background, right? I love that side. But other people are threat researchers, and they may spend months researching the GRU. I can't remember Nate's last name, but Nate from the Booz Allen team, they released an amazing GRU report; was it last year, or the full Russia report last year?

Yeah, it was sometime last year. He spent like a year on that thing.

Yeah, which is amazing. And he got to talk to a bunch of teams and got to do a bunch of research. Like, that's not for me; I got ADHD, I need to drink a lot of Monsters and move on, right? But one of the threat researchers... so there's a lot under the CTI umbrella, I think is what I'm trying to say. I hope that answered the question. What was the question? What does this actually look like, you know, kind of day-to-day, which is the point of this whole talk, right?

This research looks like research, meetings, and email.

Oh yeah, learn Excel.

Yeah, I think we have another question from Michael that we should try to get. You can ignore Zero Day; anything he says is probably... Remember... Can you turn on... what the biggest common mistakes are that new CTI analysts make, or traps that they fall into? Yeah, that's actually one of our questions: what is a
rookie mistake that you made when you first came in, or, you know, last year or this year? Can anybody think of a rookie mistake that they made? I know I have one, but I'm gonna try to share the mic. Katie, you got a rookie mistake?

Yeah, I got one. This is my favorite one. So early in my career I tracked Middle Eastern threat actors, very APT focused, and I only knew that area. Like, I didn't know anything, like, I know, about crimeware or, like, all the other parts. And so for a while I was reading reports about Mimikatz and how Mimikatz is a credential theft tool, and I was like, man, Mimikatz, all right, that seems like that is unique to Iranian actors, because that's something that I was reading about a lot, and Mimikatz was used by Iranian actors. And so, you know, I think, to abstract that out a little bit, Mimikatz is not just used by Iranian actors; it's a credential theft tool that a lot of different adversaries use, people use to test, it's open source, all of that. And so I think that one thing to realize as you're getting started is just how vast the threat landscape is, how vast the knowledge is, and remember that, you know, you're only seeing a slice of it. So trying to keep that in mind, and, you know, we can talk about attribution later, or, you know, over a year later sometime, but, you know, being cautious of attribution and "this is always used by these adversaries," that's one that I see quite a bit for early CTI analysts.

Yeah, I was going to say attribution: in the beginning, getting stuck on attribution, attribution being so important, and it's the most... everybody, you know, that's what they want to hear is attribution, but that's not what's important most of the time. And another thing that I have seen, and I don't have as much experience as you guys, but I've seen some analysts get caught up, especially when you're producing and writing reports, in being too verbose, where you're getting those essential elements lost in too many words. And you really need to... you know, I had to help people realize, you know, getting that important information out in a way that people can consume it quickly, in a valuable manner, instead of just, you know... it's cool that you're putting in all these details and all this work, and that's awesome, but sometimes it doesn't need to be, you know, a 10-page report. A nice one or two pages, to the point, what's important, is what people really want.

Brandi, I will plus-one that all the way. Like, one of the toughest things to do as a CTI analyst is to focus on your consumer's needs, not what you want, because you might be like, oh my gosh, this is the coolest thing ever, and they're like, no, just tell me what I need to do or what I need to know. So I love that one, Brandi.

Yeah, I could pivot on that, but go ahead.

Speaking of pivoting, I mean, I'll just pick this one as an example. Like, you have to be careful about pivoting, right? So it's real easy to go into these tools, like, all of a sudden everything ties back to Russia, right? Yeah, well, you were 27 IP addresses later, across different infrastructure, right? It's all connected, man. I'm having sickened PTSD flashbacks for all my DoD, you know, colleagues that are in the audience. Like, you have to really be aware of the seven degrees of Kevin Bacon. Like, you also need to have... if you're in the trench really deep on, like, specific actors, whether it's criminal groups or state-sponsored or whatever term won't get me kicked off Twitter today, you should try to develop the expertise and stay up to date with that specific threat actor. But that's going to depend on, like, your organization, what your client needs, what are your PIRs, priority intelligence requirements, or requirements from the customer. So I think a lot of early people in the field don't understand, like Katie sort of alluded to as well, what does your customer care about? Just because you find TrickBot fascinating, if it's not applicable to the business, then what is applicable to the business? And we all have three priorities, because if you have more than three priorities... this is not CTI specific: three priorities, it doesn't matter what it is, career, kids, you get three priorities, not ten, not one. No, stop. Government. Yeah, attribution absolutely matters, but it doesn't matter in, like, active defense. If you're dealing with an incident, there's other priorities, right? You can't put APT28 as a YARA rule; it won't work very well.

So my rookie mistake, I talked
about it earlier in a vendor hacking talk I did with James Nixon from Analyst1. I was very excited: we spent about a year or a couple of years without a TIP at a government agency I was at, and we finally got one in, and it was the one that I wanted, and I was very excited, and I was trying to show its worth. Like, the government managers had spent a lot of time and money and they really wanted to know that this thing worked. And so we shared out a product at, I'll say, US-CERT. We shared out a product that was APT-named, and this was the time where US-CERT was first
coming out and actually naming actors at the unclassified level; for a long time they didn't do that. And so they had shared a report, and they were like, Andy, we need to get that into the TIP immediately, we need to see if it's related to anything. It was something joint that they had done with FBI, and I had uploaded it into the TIP, and I got really excited, because one of the cool things that that platform does is it tells you if there's an actor overlap from those indicators to any reporting. I was like, holy crap, and sent off the email to my managers. I was like, there's an
overlap between this Iranian activity and this Russian... I think, I don't know, I'll use those examples, but two completely different countries. I was like, this thing is awesome. And then I pivoted into the indicators after I sent the email, and it was linking CyWatch at FBI, like, contact info, because when we uploaded the report we hadn't sanitized out the content both at the top and the bottom of the reports. So the TIP was doing its job: it was linking these two things it thought was an indicator; it was just pieces of contact information. So, two mistakes: I didn't verify my data. It's not the TIP's fault; it's absolutely 100% my fault,
and I didn't verify the data before I let management know. And so they were like, this is amazing, we've got to tell the NSA that there's an overlap in these two countries' infrastructure and stuff, and it was just me being an idiot, not verifying my data, because I wanted to dunk on, you know, how good this platform was that we finally had, because we were using spreadsheets forever and Access databases, and I just needed to slow down. Like most of my mistakes in life, I need to slow down. Outlook recall, right? Right, yeah, it was far too late for that; people were already celebrating that it had worked. But no, I mean, we all
make mistakes. I mean, I still make mistakes. Made mistakes, yes: at the time of what today's event was, what we originally scheduled, the platform was different, so I was messaging Katie like five minutes before we started. That is on us. Did we get the GS question answered? I can't see the replies. Was that a government... oh no, that's, yeah, you know what that is. Yeah, part of my nickname. Mike and I worked together before. Oh, it was Grizzly Steppe; I thought it was General Schedule. I was like, no, that's the hour-long conversation. Yeah, Katie, I'll have to tell you that story off camera someday. Actually, if Rob Lee ever watches
this, I owe him several beers about Grizzly Steppe; I'll say that much, and a good conversation. If you could give yourself one piece of advice, going back, right, talking about fixing some of those rookie mistakes... I think we kind of covered this question a bit, but if there's anything we missed, like, what would you give a young CTI analyst, or a young Katie or a young Grey? Like, what kind of advice would you help steer yourself with in your own career if you could do that now? I guess my advice would be to trust myself. For many years I didn't realize how much I knew. It sounds kind of weird, but, like, I was
sitting in government SOCs and saying things, and I was like, I don't know if this is right, like, ugh, I think we should maybe do this, or, like, yeah, but I don't really know. And sometimes on some teams it's tough to get listened to; it's tough to be recognized if you have good ideas. And what I would say is to try to find leaders who will lift you up. And in my career, you know, I was really lucky, and then I found leaders, I found a team in MITRE ATT&CK, and it was a very weird experience for me the first few times when I went out and started speaking publicly and people
were like, yeah, you have things to say, and I'm like, damn right I do. And that's what I would say to anyone who's starting out in this career: just because you're newer in the career doesn't mean your ideas and your thoughts don't matter. And so if you're at that point where you're in a meeting and you're like, man, I really think I have a really good idea, but I'm gonna hold back, I'm not gonna say anything: just go for it, just bring up your idea, ask your question, because the self-doubt, like, I doubted myself for way too many years, and now that I've gotten better on that,
good things have happened. So don't doubt yourself; just speak up, right? Speak up, ask your question, do the thing. That's what I was going to say: don't be afraid of questions, because it's intimidating at first when you're in these meetings, in rooms with people that you think are, like, they're so smart and they're going to think I'm so dumb if I ask this question about what is this or what are you talking about. Just get comfortable asking questions, because you'd be surprised how willing people are to answer those questions, and they want those questions, and they want to teach you, and they want you to know, and they want everyone to be on the same page. So just
make sure to ask those questions. My advice is to proactively manage your career. So I talk about this a lot, especially for mentoring people. I am one of the few people that is still sort of in the DoD world, but I'm out here and I speak at events. If you're still in that world, please, Twitter, even if it's a picture of a giraffe; like, you need to be involved in the industry. But hard work, good hard work, won't be enough to necessarily get you where you want your career to go either, because there's a lot of good hard workers in all of these specializations. But, like, get a mentor that will help you figure
out where do you want your career to go. You don't have to speak at events; you could write papers; you could get multiple PhDs. Like, that's not for me; college and I, we don't agree with each other. I hope it agrees with most of you. I got my certs, I got all my, you know, certs, and we can have a fight about that. But, like, proactively manage your career in whatever capacity that means to you, for what you want your career to be, and that way you can get training, education, advice, mentorship to help shape your career where you want it to go. Yeah, no, definitely, all of that is great,
absolutely amazing advice. Kind of pivoting on that, there was a question about getting into CTI in the first place, and I think some of that advice definitely applies as well. Katie's actually got a whole self-study guide on Medium; go check out her blog. She's been sharing resources this whole time; I'm like, fantastic, she's a pro. A year and a half of us streaming SANS talks, I think she's gotten pretty good at multitasking. But I'll tell you, yeah, go check that out. So, actually getting into the role: I will say 99% of organizations that have a threat intel team, they're probably not going to take entry
levels. So if you don't have existing experience in infosec, it's going to be very hard to get into those. So I would look at the SOC, I would look at the risk team or information assurance, depending on the type of work, and try to pivot into threat intel. DoD obviously is a great source, because a lot of us come in through DoD, but I get it, you know, putting on the uniform and shaving the beard off isn't for everybody. But yeah, it's gonna be hard to get into threat intel completely from the outside if you're not already in IT or infosec, simply because there is a lot to know already, right?
Like I talked about, having to understand how a SOC works, basically Security+ level knowledge of stuff, plus all those other intelligence things like ACH and all these different types of models, right: Diamond Model, Kill Chain, all those fun things, right? Put a dollar in the jar for Kill Chain. You don't have to do it. Jump in here. Yeah, so I think for CTI, like we've talked about, it's such a vast field. I think that, yeah, one path can be in through other infosec jobs or any IT jobs. Tony Lambert on my team, he was previously a sysadmin at a college, and he's freaking amazing at CTI and
analysis. And so I think there is sort of an IT technical way in, but then the other way in... well, there are many ways, and of course another way in, I'd say especially for more strategic-focused threat intel analysts, anyone who has sort of a policy background, national security background, journalists: there are a lot of other skill sets. My friend Selena Larson's a great example: she was a journalist covering cyber security and she pivoted to her work at Dragos; she's now at Proofpoint. I will say, though, that there is sort of a foundational skill set that you're gonna have to learn somehow,
and so not to underestimate the challenge of that; it's a big challenge. But I think that people with a lot of different backgrounds, whether it's IT, cyber security, SOC analysts, right, entry-level SOC analysts, can be a great funnel into CTI analysts. You do not have to be named a CTI analyst to do cyber threat intel. If you're maybe in a SOC and you're just not loving it and you're in shift work: cool, go find some alert that you're excited about, go research the heck out of that and show you can figure out what malware it is, and explain to your team what it does. Like,
you can absolutely do threat intel without being a named threat intel analyst. So that'd be my recommendation for anyone who's trying to get into it. Brandi, any advice for making that transition? Yeah, you know, I agree with what everyone else has said, and there's a lot of different ways in. I've seen a lot of success, like Katie just said, with coming in from policy, something like that. You know, I came from the DoD military side and then started contracting, so I think I had a little bit of an easier transition, because being an intel analyst in the military held a lot of weight and really helped me get in.
But I would also say networking, and the power of networking, especially if you're looking to change careers from something that's non-technical into CTI. I've seen, you know, making those connections, finding a company you really like that has a job that you want, and maybe it has a CTI job, but maybe you can't get in that one; maybe you can take another job at that company and, like you said, kind of make that transition later, laterally, over to what you want in CTI. So just stuff like that, I think, is my advice. And introduce yourself: if you're already in a company, introduce yourself to the CTI
team, go sit, have some coffee with them in a post-COVID world, or have a Zoom call, and just network with them, right, and learn what the work looks like by the monsters. The other one of the core functionalities, if I had to give you like three things you have to do as a CTI analyst, one of them is research, right, research and write. So I see Tracy's here again, so library sciences, knowledge management, right: you can come from an academic background as well. This leads me to a whole other conversation about diversity of thought in cyber threat intel, because many, many, many former Army... Brandi hit on that, right: a lot of us came from the military,
so, like, Iranian actors: I have biases I'm aware of and I have biases I'm not aware of because of that background, right? So if somebody else has studied Iran and speaks the languages of various areas we're interested in, they can bring a different perspective to the geopolitical focus, and maybe they're aware of things that the rest of us aren't, because we're more technical, right? And they have this other huge important asset they can bring to the team and the situation, depending on your organization and why you're producing the intelligence. So there is certainly more than one path, but again, you're going to have to have a certain level of IT and cyber security
and other skills, and then you network. All right, one more question that I think will bring us to time; this thing may or may not automatically cut off, it may automatically cut off for some but not others. But here's a curveball, it wasn't in our pre-list: what is one thing about CTI you'd like to see changed? I've got ten things, but I'll pick one later. I can go first, but has anybody got one thing that's just about the CTI community, the way we do things? Okay, so infosec overall? I'll cut you off; I mean, it's CTI, but if it impacts CTI and you can draw it back, go ahead. How
about that? I'll give you the gatekeeping; that's my big one. People thinking, oh, like, the bar must be this high to do CTI, you have to be an expert at writing YARA rules, you have to be an expert at analyzing malware. Like, no, that is not true. And I think a lot of gatekeeping happens, honestly, because people are insecure. If you're insecure with yourself and what you know, then you might feel like you need to tear down others, or, like, oh, they're coming for me if I'm not good enough. If you're secure in yourself, you should be welcoming others in. So I think that, you know, you all, and there
are many people here in this community, many people we know, that are trying to tear down the walls and stop the gatekeeping, but I'd like to see that get better in cyber security, infosec and CTI. Yeah, so that's a real one, that's a really good one. Talking about how you guys are talking about you're not really coders, you're good at scripting and stuff like that: I kind of hate seeing those CTI job postings that say you must have all of these technical requirements, and you must be able to write things in Python and Bash and C#, and you need to have an engineering background to be able to come into CTI. That, like you said, along with it, it's the
gatekeeping thing, and, gosh, yeah, it's really disheartening for those of us that have been doing it for a while, because it's like, I wouldn't want to apply for that job, because even someone... I feel like I have a decent amount of experience, but I don't have that, and I'm probably never going to, because I don't want to be an engineer, you know. So scratch that one. Yeah, also just apply for those jobs, because no one's applying for those jobs, and it's another gatekeeping mechanism, because nobody has those things. So there's that. So if there's a CTI job and it's entry level or says junior
and you want a junior or entry-level CTI job, please apply for those jobs, right? And the one thing that I'll see, I'll take this a little differently: it's better, but it's not good, the siloing of those in the DoD and the government, but mostly the DoD, who work very similar problem sets to CTI analysts in industry, but there is still this, like, operational concern, security concerns, and there is a gap that has not been bridged effectively between the people that are still working in SCIFs and the people that aren't working in SCIFs. And too many of the people in SCIFs who have been in SCIFs their whole life don't know how much information is
outside of their SCIF, and they are terrified, I think, to some extent, in some parts, because, right, you can do this job somewhere else, but maybe they can't do that job somewhere else, right? There's some, like, real vulnerabilities there, I think, so they stay in those communities because they can get a job with their clearance. This is a whole other talk we can have. Their gatekeeping is keeping them in, right? Their gatekeeping is, I'm here, right? So it's a weird, different kind of gatekeeping. And we also don't have enough cross-agency movement in the DoD to proliferate knowledge, because that agency doesn't take this clearance and that agency doesn't take that polygraph, and
et cetera, et cetera, and that's its own huge problem in the government as well. So, like, that could be addressed sometime while I'm alive. Yeah, I mean, I think we saw that with, I hate calling it SolarWinds, because it wasn't SolarWinds, don't blame the vendor, right, but that whole campaign, and, like, a lot of people, even in the community, and not just the talking heads outside the community, but it's really amazing that Microsoft and FireEye had so much information before the government, and it's like, Microsoft and FireEye have billions more sensors than the federal government do, right? They have the visibility. One isn't looking at hosts here in the
United States in the first place, hopefully not, right? That would be illegal. But, like, if you're still surprised that those CTI vendors and those actual OS vendors have better visibility than the US government, I don't think you get how collection is done, right? And collection drives analysis and production and dissemination. I still get people all the time; it breaks on Twitter, like, hey, there's new proof-of-concept code for the CVE; I'll write it up and notify an agency that I'm working with, and they're like, oh, is there any high-side reporting? And I'm like, probably three weeks from now. Like, the guy on Twitter didn't have a review cycle before he had to publish
that. Like, my one thing I would like to change, because I am an IOC nerd, is context down at the IOC level. I see a lot of organizations, they publish amazing blogs, and they dump the indicators at the bottom with no correlation to what is above it. I'm telling you right now, you're screwing over your SOCs, because we put those indicators into the TIP, and those TIPs match traffic in the SIEM, and all we get is a match that this vendor said that this domain is bad, and none of that context is with it, and now it's taking us 15-20 minutes to go back, look at the report and read that
context. We have this sharing structure in STIX and in open CSV and a bunch of other formats; they're open anyway. A bunch of formats have a description field: if you're producing intel, please use that, and please publish in multiple formats. There is a government agency that's not DHS that is still publishing threat intel with indicators published in a PDF, and that's it. Does it sound like FBI? No. Okay, it sounds like FBI. Right, and it's 2021 and I'm copying and pasting indicators out of a PDF like it's cyber 2009, right? Be better at producing and sharing for your end users, right? I was guilty of that when I was
at US-CERT, I was publishing products; then I went into a SOC and was like, oh my god, alert fatigue was my fault. Like, if you're a producer and you've never seen what your consumers do, go see how the sausage is actually made on the other end, and you might actually have better processes on your end. Wait, we care about the customers? Yes, especially if they're paying for it, right? Parting thoughts: we're gonna run out of time here in the next couple of minutes. If there's any more questions, any parting thoughts, start thinking about that. I'm gonna say thank you now, and then we're gonna continue the conversation, because I don't know when the platform's
just gonna hang up on us, my friends. Very excited; I could talk about CTI all day long. Was very excited to get Brandi here on the call with us, even though she's not a Northern Virginia person; I've tried to hire her up here a thousand times, but she won't come up here. Katie is always a pleasure. I love the way you're always, you know, blowing up other people's stuff and sharing out their stuff; you're always, obviously, giving back to the community, which is really important for us at BSides NoVA, to give back to the community, so I wanted to highlight and thank all the work you're doing. John did a workshop yesterday and helped me kind of
moderate. He was sharing links while I was talking, and he would correct me when I said stupid stuff. It's about correcting your stupid friends? No, it's giving back and digging in and participating. So hopefully you guys that are watching here, and guys that are watching, have a little better understanding of what the CTI life is like. It is a lot of Excel, it is a lot of PowerPoint, it is a lot of reading. Importantly, a big piece of advice: a new report came out, I think it was like Friday at like four in the afternoon, and she says, this report looks awesome, can't wait to read it on Monday. It's okay to do that. I needed that, Katie.
I was about to click the link, and I needed that. So don't do it, man, don't do it. You need your time; you need your time off. Brandi, any final thoughts about CTI? No, that's a good point, disconnecting, right, because of the overload and the burnout, right? Just make sure that you give yourself... go outside some days. I realize, like, I have been at this desk for way too long and it's finally summer and I need to go outside and get the sunshine. Even though I'm a ginger and I make my own vitamin D, I still need to go outside and get that vitamin D and get the sunshine. So just make sure that you
take a mental break as often as you can to help with that burnout, because it'll happen so fast. Even in your first month of your first CTI job ever, it's very easy to get burned out really quickly. So, and put shoes on, it is summertime, Brandi. I have shoes, don't worry. Shoes are optional. As we wrap up, I would add: I love CTI, I think we all do. It's an awesome career. I think there are a lot of paths in, so if you want to do it, just keep working. There's so much to learn; there's always more to learn, so don't get overwhelmed, right? Little by little. And I would also add that CTI matters
right now. We're hearing about ransomware every five seconds in the news. Like, the work that CTI analysts do really makes a huge difference. I mean, that's part of the reason that I love it so much. So if you want to work in this field, we want to have you. Yeah, absolutely. John, parting thoughts? Nobody ever asked how I got into SIGINT, right? Everybody's like, how did you get into cyber security? Did you know, like, back in the days of cordless phones, if I had a walkie-talkie that I bought from Walmart, I could listen in on the near-side conversation of my mom's cordless phone when she called her aunt to tell her what she'd gotten us for our Christmas
presents. Does your mom know this story? Oh yeah. I'm on this point, so, like, you discover, like, anything technical you're doing in this field, there's some tie-in, right? Like, whether it's Lockpick Village, whether you think you might want to be a red teamer, whether you're interested in malware, there's so much to learn across cyber security. So whether you end up being, like, a super deep CTI expert, or, like I talked about in my talk, you're sort of a generalist and maybe you change focus a couple of different times and have a really broad understanding of lots of different things, there's a place for you in this world. We need you. So, like, apply for the job, network with
us, contact me on LinkedIn directly, I will get back to you. Like, we need you in this world. If you're here and you don't work in this world, we need you in cyber security. He's John Stoner at Splunk. That's what, Joe? No, not the other guy, that's the other John Stoner. Seriously, thank you, guys. I'm gonna wrap up unless there's any other questions. I know I have plenty more to do today with BSides. I hope everybody enjoyed today. I thank everybody who's participated in this event. We are 100% all run by volunteers; the only thing we're paying our speakers is wonderful t-shirts that should be sent in a couple of weeks, some
additional swag. If you're here with us, you're way overheated, because the AC is not keeping up, so we're drinking lots of water and whiskey. Seriously, thank you so much. I'm going to click stop broadcast; I hope that kicks you out of the room. But thank you, guys. Thanks, bye, take care, everyone.