
The Politics of Intelligence

BSides NYC 2018 · 48:33 · 6 views · Published 2023-04 · Watch on YouTube
Style: Talk

Transcript [en]

They're doing a really good job here. It's very well run; it's nice not having to deal with any audio/video problems, so that's awesome. So the background on this talk is that for the last three years I've been doing a lot of consulting with a lot of different companies and really seeing a lot of people struggling with threat intelligence. In my free time I like to trade off reading a technical book and then reading a book for fun, so I'm reading history books, spy books, and then I'll mix in a forensics book to break it up so I'm not just reading about editing a disk and hacks all the time.

So a little bit of background on me. Like I said, I was previously at CrowdStrike and I've just switched over to a new role working with the internal IR team over at Splunk. I've been in the industry for about 15 years, working mostly in incident response and forensics, and I'm super, super into IR. I'm kind of like an IR junkie, which has led to some work-life imbalances, hence me getting out of consulting and wanting to work at a slower pace, so I recently left CrowdStrike. I've spent a lot of time in targeted industries over the years, so I've had a lot of experience dealing with nation-state threats, and that's led to some interest in helping people better defend their organizations.

So the book that inspired me to come up with this talk, combined with my work, where I was seeing people spending a lot of money and not getting ROI from threat intelligence, was a book from Christopher Andrew, which I would highly recommend everybody check out. It's not even that new of a book, but it's fascinating, and he's written a lot of books; his other most famous book is about the KGB, so I would recommend that one as well. But what I wanted to cover was the current state of affairs: what's going on with threat intel.

So how many people here at least consume threat intel? Is there anybody here that does full-time threat intel as their job? Okay, we got a couple, great. So I'm going to cover that first and then go over some older stuff, some stuff way before SIGINT and way before computers even existed, because I think there are some lessons there to be learned and highlighted, which may not make sense now, but I want to make five key points about how organizations can be better about how they run their threat intel team. I thought it was pretty cool that the professor that kicked off the conference this morning mentioned that the problem was, a lot of it was human and sociology. So a lot of this is how to manage C-level psychology and get them on board with threat intelligence, because a lot of the problem is they're just not interested in it; they're not sure that it even matters to their business.

So, first thing with threat intelligence: there are, I guess, two major breakdowns of threat intelligence. The first is tactical threat intelligence, which is much easier to ramp up, and I think that's where most organizations are having success. How many people are taking in indicator feeds and building detections and finding evil from data like this, like IOCs, indicators of compromise? I think that's well understood, and I compare that to being able to sink a three-foot putt. It's very consistent, there are frameworks, it's mostly all within your security organization, so the person that's producing it also reports to the same person that's consuming it, so there's less friction. You don't have to depend on a lot of people to be really good at tactical threat intelligence, and it's more what I would call binary: either this MD5 is this hash or it's not, this cert was signed or it's not, this compile time was this or it's not. So it's much less gray than maybe strategic intelligence, which I would compare to trying to hit a 300-yard drive to a certain spot on the fairway every single time. When you write a threat intel report you're guessing a lot; you're saying, with medium confidence, I think this is going to happen, and the reality is you can't be right every time and you're never going to have complete information. So for that reason strategic threat intel is really, really tough to do, and that's where I see people building things but not really doing fresh analysis; they're just repackaging intel from other companies.

So I think that's something to point out. Then there are some other themes that are happening right now. There's kind of an obsession with how many data feeds you have. I had a very large vendor try to sell me, when I was working for a client and representing them, and they said, well, we have over 80 feeds, and how could you possibly do threat intelligence without our data lake? I'm like, okay. I don't think he even knew what he was saying, and I just kind of laughed at him and said, okay, we're not going with these guys. So a feed is a part of it, but that's really just something that you would feed straight into your detection, and there's not a lot of context around it. But for some reason there's an obsession with having 50 feeds, 100 feeds, "we have the latest threat intelligence," and I think a lot of that is just creating a lot of busy work.

I'm also seeing, and I touched on this earlier, specifically around strategic threat intel, companies creating these fusion centers which have really awesome displays. They look great; they look like something from an episode of 24. I'll go in and take a tour and look at it, and they're either empty, or I'll talk to the people and say, hey, what are you guys doing, and it's somebody from legal just checking their email, or it's somebody from the server team just doing his daily job, nothing to do whatsoever with combining intelligence. I keep seeing this over and over again. I'm like, well, I don't know what's going on, but these guys just spent over a million dollars building this fusion center and it's not really producing any results. And then also the whole concept of just repackaging: they'll take feeds from FireEye and Flashpoint and CrowdStrike and just repackage them into a summary, but no real new analysis is being done. So that's something that I think people can improve on.

Hiring. Another trend that I've observed is companies kind of tend to get fooled by hiring people from the government. Not every job in the DoD is created equal. One company that I worked with hired a person from the DoD to lead their computer incident response, but he was doing fire incident response or environmental incident response, and of course he flamed out and didn't last more than a year. They were totally in love with "we're hiring the next DoD guy," but they didn't really vet and understand that there are different MOSes, there are different roles, and you need to make sure you find an actual analyst who is looking at data and creating fresh reports. And generally I don't think the work product is very good, and this probably goes out to all the threat intel vendors too. I don't know how people perceive this, but I don't think a lot of the reports that people get, either from vendors or that they do internally, are all that. Does anybody have any different experiences, or has anybody found a vendor that they think is all... yes? I think most people are kind of like, yeah. So Flashpoint has some good stuff, and I've heard, what was the company that FireEye bought? I heard iSIGHT had a really good portal, somebody told me that, but I don't know what it's like now. Darktrace? What's it called, Mas 360? Okay, I'll have to check that out. But yeah, so that's kind of a survey of some of the issues that I've been seeing.

And now on to geeking out a little bit about history. Before we get into some more modern stuff I wanted to dive into somebody that was so far ahead of their time it's just ridiculous. So that quote up there

was from George Washington, and I'm like, how did he back then even understand this? He understood that you were going to combine all these diverse sets of intelligence that separately don't mean anything, but when you put them together he was able to determine what the British were doing and where to move his forces. When he had already been beaten back and had fewer troops, he was floating misinformation to the British to inflate his troop total so that they didn't attack him, and he did this on multiple occasions, like when the French were coming in to land and join the Revolutionary War. What he did is he sent a courier that was captured to make them think that his forces were going to attack New York, and that allowed the French army to land safely and not get attacked. So it was a huge turn in the war, and that played out over and over again. If you've ever heard of this show on AMC, I think it's maybe in season three, I've only watched season one, but it was pretty awesome; it talks all about this. He came up with this spy ring that was called the Culper spy ring, and he named that after the county that he lived in, Culpeper County in Virginia, so he just named the spy ring Culper.

So all throughout this time he was using his intelligence, mostly military intelligence, to beat out a superior military, and when he finally came into office as president he set up the first formalized secret service to do intelligence operations. After three years his little secret service thing was already 12% of the federal budget, which, if you compare that to today, is pretty massive. But it turns out that was really short-lived, because after he got out, none of the people that came after him were all that interested in threat intelligence, and by the time the next war broke out in 1812 it was all the way down from 1 million to fifty thousand a year, and that led to some issues for them being ready.

Can you guys see that text, or is it just too small for you back there? Too small, okay, sorry about that. So from this era, which I'll call the isolationist era, there was a lot of nothing. There were a lot of presidents that really just didn't get intelligence, but there are some interesting stories that came out of this time. Most of the focus was on generals having their own spies, so each little army had their own little intel force, nothing centralized, nothing coordinated. But there's a funny story, which I guess isn't so funny when you look at it all together: during Abraham Lincoln's inauguration there was a death threat on his life, and he traveled with a guy named Pinkerton, which if you've ever heard of the Pinkerton agency that's still around today, helped protect him and smuggled him into the city so he wouldn't get assassinated. But when he came into the city he was dressed up like a woman, and the press got hold of that and just started making fun of him. Well, it turns out, ever since they made fun of him in the press he was like, well, I don't want all that security, leave me alone, just let me do my thing, and of course then he got assassinated in the theater because he didn't pay attention to his own personal security.

Something else interesting from that time: the major form of communication, and of SIGINT, during that time was the telegraph, so Lincoln used to hang out there, and they actually had three code breakers that cracked the Confederate codes and allowed them to bust up some counterfeiting that was going on. They called them the Sacred Three, and they were only 17, 20 and 23 years old; that's how old they were, and they were breaking codes, so it's pretty interesting.

And of course intelligence played a role in the Battle of Gettysburg as well, where they were able to predict when the Confederates were going to attack. Now, during this time, if you take a step back, the U.S. had nothing: no foreign intelligence, no real capability. But France, Russia, Germany, all their peers had code-breaking capabilities and they were reading everything, all of our State Department traffic from our embassies; they were able to read this. The British had something called Room 40, which eventually became Bletchley Park, which is the modern-day GCHQ, and that started all the way back then. Another cool thing about this time, about World War One: I know when I was in school I was taught that the reason the U.S. got into the war was because they sank the Lusitania and that drew us into the war, but that was actually two years before the U.S. got into the war. The reason that we got into the war was actually the Zimmermann cable, which was a SIGINT intercept where Germany was plotting to have Mexico start a second front and attack the U.S., and that was two months before we got into the war, or actually less than two months, and we were in the war because of that. So that's one thing that I think the history books probably need to be updated for.

A lot of the presidents just had no clue. So along that theme of this time where it's just isolationist: Woodrow Wilson, and this is during World War One, everybody's fighting, he didn't even believe or understand that everybody was spying on each other. He had no clue, and he admitted this publicly. But following that they finally stood up what was the precursor to the NSA, which was a team called the Black Chamber, but that only lasted 10 years, and because there was no existing war they ended up shutting it down. And of all the people, probably the one that people would say was the most inept about foreign affairs and military intelligence, Truman, he actually didn't even know what he was doing at the time. I think he was duped, but he signed all the major directives that established what would become the CIA, the NSA, all those capabilities, and the National Security Council. They weren't called exactly that at the time, but he was the one that established it. In his memoirs he didn't even want to admit that he did it, because he thought it was ungentlemanly; he didn't understand that countries were doing this and spying on each other.

So this is a long time from Washington to World War II, where all these countries were way more advanced in code breaking; they were stealing our secrets, they were light years ahead of the U.S., and so we got a pretty late start to the game. I think a lot of that was just because of the isolationists; most people just thought we were on our own here and didn't need to be involved in any of the European or Asian conflicts. So the first thing that I wanted to touch on is a concept about when we're trying to present intelligence to leadership: failure of imagination. They're never going to want to admit

that something can happen. Let's think of CryptoLocker or WannaCry, right? If you would have told them that before it occurred, you would have people swearing up and down that our manufacturing network is air-gapped, there's no way that we can get CryptoLockered, until after the fact. Then they see it, and all of a sudden they're like, oh, okay, I get it now, this is a real threat. They just really can't imagine it, and I think that's what we have to do as people that have to sell threat intelligence and build a successful program: we have to help leadership understand that these are real threats, and you can't just think of what you know; you have to worry about things that you can't even comprehend exist.

There's this whole timeline, so I apologize for the wall of text, but leading up to Pearl Harbor, which I think is considered the biggest intelligence disaster for the U.S.: in September 1940 we had already broken Japan's code. In May 1941 they knew we broke it, but they thought that their special Purple machine was okay, it was just some of their codes, so they kept using it even though they knew we were getting some of their information. And then there's this bizarre thing. Everybody knows December was when Pearl Harbor occurred, and they had this arrangement where the Army would provide updates one month and the Navy would provide updates the other month, because the two agencies fought each other, but it turned out that in November, the month before Pearl Harbor, the Army decided they weren't going to deliver updates. So pretty bad timing there. The Navy, I think, tried to keep giving them information, but it wasn't their job to do it. November 5th, Japan actually decided that they wanted to make the invasion. November 25th, FDR tells his entire cabinet, hey, we're going to get attacked. On the 26th they observed that troops have left Shanghai from Japan, and on the 27th they decrypt instructions to the embassies on how to destroy their code machines, their papers, their books, so that when they get the order they're ready and can do this. So on one hand FDR says, hey, we're getting attacked, and they know that the embassies have been warned so they can destroy their stuff, and then the next day he goes on vacation. It's like, what? So on the 28th he goes on vacation, and the day following that they send out a major alert to just the Asia Fleet, so think of the Western Pacific; just they got the warning. So they had no clue; they couldn't even comprehend that they would be attacked at Pearl. They had all this information coming in, but their imagination made them think that it was only this certain area of the globe that could be attacked. And even further leading up to that, they intercepted messages from Tokyo to Berlin saying, hey, we're going to war, so they knew that the attack was coming. They even warned part of their fleet, but they never said anything to the base at Hawaii, so they were caught completely unaware, and that was strictly a failure to even imagine that could have occurred.

It turns out, and obviously this is, I guess you would call it, hindsight bias, because we all know what happened, so it's somewhat biased in the fact that we know how it played out, but the naval codes that they were using, they only assigned two to five analysts in the entire military to break that certain naval code, so they didn't break it in time. After the war they went ahead and broke it and found out, hey, they were coming for Hawaii, and they found all these plans; if they would have just assigned more than two to five people they would have broken it, no problem. The same thing, failure to imagine:

you'd think that they would learn from this, right? They failed to imagine the Tet Offensive in the '60s. They saw all this traffic about all these attacks on all these major cities and they just said, no, there's no way, this is a diversion, and of course I think U.S. forces lost thousands of men in the attack, and the whole time they were like, no, this didn't happen. It just baffles me that they have all this intelligence and refuse to even believe that this could occur.

The next concept, to me, is the most important one of all of these. This would be the one that would allow you guys to be the most successful in getting more resources or getting trust with your executives, and it's the fact that, when we're talking about psychology, people always want to know what their peers are doing: how do I compare to what company X is doing, how do I compare to what the best practices are, or to their buddy, the CSO at this other place? The more you can shape your analysis to align with what your peers are doing, the more they will want to do what you want them to do. And over time this came out over and over again. In the 1880s there was the War of the Pacific, and the U.S. was completely blindsided. The U.S. thought that they had the most powerful navy, and it turned out that the Chilean Navy in the 1800s apparently was four times more powerful and more modern than the U.S. Navy, so immediately they freaked out and established the Office of Naval Intelligence and the Military Intelligence Division, and Congress authorized a bunch of spending just because they were afraid, oh, we're behind. So you can just see how powerful it is if your CSO or CIO or C-level figures out, hey, we're Bank of America and we're so far behind JP Morgan. Okay, here's another 100 million dollars, buy every tool, air-gap power.

The same thing happened again leading up to World War II: the U.S. estimated that the Germans had 6,500 planes; they actually only had 1,700, and it turns out the Allied forces had way more planes than the Germans, and because of this FDR asked for 10,000 planes. They only had 1,700. The same thing happened again with the bomber gap in 1955: the Air Force said that the Russians had six to eight hundred bombers; they actually had less than 200, and so of course the U.S. started building more bombers. The missile gap: the Air Force, and then a group called the National Intelligence Estimates, said that the Russians had like a hundred ICBMs ready, with plans to grow to 1,500. The U.S. only had 130, but the real number: the Russians only had four. So it's just scary how wrong they were and how constantly they overestimated, and because of that obviously we spent a lot more money on defense.

Here's another thing to be worried about with your intelligence program, and it's overestimating your capabilities. Especially when new leadership comes in and you've got to go report to them and say, here's our capabilities, here's what we can do, because they're like, I don't know you, what do you do, what can you do for me? So of course you want to put your best foot forward and make it look like you're walking on water with your program, but you've got to be careful there. You want to look good, but you don't want them to think, one, that you're 100% right all the time, or that you have capabilities that you don't. It's actually more important to present a more accurate picture than to look like you have more than you do, because then they're going to rely on you and then you're going to find out, oh yeah, those servers actually aren't patched.

Something that came up, I think it was in 1952: the head of the CIA reported back to the president that he had 1,500 agents in North Korea, but when they actually went to prove that out, he had only 200 in the office in Seoul and none of them spoke Korean. But he reported back to the president that he had 1,500 agents, and it was found out that over time all the agents that they had sent over the border had all been killed; none of them transmitted back anything of value. So that was pretty embarrassing, and in his memoirs Bedell Smith said, yeah, I was just too embarrassed, I didn't want the other branches to know that I was overstating my capabilities. So that's pretty silly.

This also happened again when Kennedy came into office, the whole Bay of Pigs thing. That would have been planned for, I think, four or five years under Eisenhower, and Kennedy came in and literally within a week or so, it was like 10 days, he didn't have much time. When you're coming in as a new president they're doing the nuclear codes, they're doing all these other things, you're having to nominate people, so within that short time frame he had to decide whether or not he was going to go forward with this, and he basically said, these guys seem like they know what they're doing, they come off really smart. So he went ahead with it, and it turns out that the advising Marine that was devising the plan for the landing had only done one amphibious landing in his whole life, versus some of the other people from World War II who had done 30 throughout the course of the war. So he had no experience, and they actually landed at a swamp, so that didn't end well for them. And if you just look at the numbers, they landed with 1,400 troops; Castro sent 20,000 at them. So yeah, it was kind of overstating capabilities.

The same thing happened again when Jimmy Carter came on board. They had just deployed this awesome new satellite technology, the Keyhole satellites, and they came in and wowed him and showed him that they could see down the chimney and see the stripes in the parking lot and where somebody was parked, and that was crazy for back then, in the late '70s, having that technology. So that gave him a distorted opinion of what they could actually do, which was a lot less when it came to other areas like human intelligence, and that led to the hostage crisis later, because he just didn't have what he thought he had in terms of intelligence.

Being Milton. What I mean by this is you don't want your intelligence reports to sound like Milton just mumbling background noise. If you send them just too much

information, or you're just not giving really solid presentations, I mean, they already don't want to hear from you anyway; we're the geeks from IT security, they couldn't care less, but bombarding them with a ton of information probably isn't the best technique. It's funny to watch the progress of this, of where the different presidents got so much information and finally complained. FDR, when they first started decrypting codes, was getting 50 separate decrypts a day on his desk. No real summary; sometimes the decrypts conflicted with each other; nobody answered his questions, they just dumped 50 decrypts on his desk every day. Finally in '46 Truman just flipped his lid and got pissed off and said, give me a summarized brief, so from then on they got an actual summary, because that old way wasn't going to work, right? Even if you look at FDR, he never even acted on any of it, because he's like, I don't even know what to make of this; you're just dumping stuff on me. So, especially if you have to work for somebody from the military, they have this concept of BLUF, bottom line up front: if you don't tell them in the first few lines what you want, they just stop reading.

So in '61, finally, I think it was JFK asked for a checklist. They changed the way they did it, and it's like, give me a one-line summary of what it is because I don't have a lot of time here, and he would get it every morning with an analyst to actually answer his questions. JFK actually, I think, worked for a time in ONI, so he had a little bit of a background with intelligence, and he was a good consumer; he would tell them what I like and what I don't like, versus FDR, who never said anything. That was, I think, a good time, at least from the CIA's perspective, because they had somebody that was listening to them. Then you have LBJ. He came in and he actually secretly thought the CIA sabotaged him, so basically from day one he hated these guys. The president used to get daily updates; after 10 days he just said, nope, I don't even want updates from you guys. And then finally he's like, I just want one page and I want it before I go to bed. So it's not like you're starting the day off and you're going to take actions; what do you do with something you get before you go to bed? Forget it, right?

So the only feedback they ever got from him was one time the report was two pages and he complained. And then a funny story about Carter: he was getting all this intelligence, but he was getting so much he literally had to take speed reading classes because it was taking him too long to read. So I think this is another important concept: we just need to be brief and have high quality in what we communicate from intelligence. If some things can be summarized in four bullet points, then do it. A 20-page report, you're going to lose executives; they don't want to read that. They're one paragraph tops in there and then they're out.

Another thing, not a cool thing but another thing we need to be cognizant of with our threat intelligence program, is what you can call politicized intel, or basically forcing the intel to match your view. I would say that anybody that's ever been a consultant and has had to deal with lawyers understands this concept really, really well, where they will sit there and say, nope, you didn't find that, don't put that in the report, that ain't happening. They want to shape what you're going to report or what you believe to fit their narrative, and there's a long, long history of this happening. Obviously the movie The Post right now, has anybody seen that? It was pretty good. It tells the story about the Pentagon Papers and stuff that really happened during LBJ but blew up during Nixon. But starting off back with Teddy Roosevelt a long time ago, he would tell his Office of Naval Intelligence straight up, you have to lie about our numbers; you just need to give me intelligence that shows that we need to rebuild our Navy. He was obsessed with battleships and he said we need to build more battleships. Well, by the time the war broke out, which was, I think, the Spanish-American War, the U.S. was actually short on destroyers because he forced them to build so many battleships, so it really messed up the naval capabilities.

MacArthur, he actually didn't want to even listen to any of this. He had all this signals intelligence that China was going to attack. If you know the story of North Korea, MacArthur basically drove all the way up to the border of China and North Korea, and he thought everything was good, and he kept getting all these reports saying China's getting ready to attack you. It's not like an army of 200,000 Chinese is hard to see, right? That's a lot of people coming at you, and you have aerial surveillance. So he was getting all these reports and he refused to believe it, and of course they attacked and drove them back. Same thing with Eisenhower: he put together his own commission to create a study that said we need more covert action. That was their goal; it wasn't an actual study. He was just saying, this is what you will determine, give me a report, and of course he went on and probably directed more coups and more government sabotaging of elections than any president at the time. And then the last one here, something that I thought was interesting was that during the war LBJ didn't want to hear anything that was against the war. He only wanted to hear intelligence that supported his viewpoint, so he didn't listen to anybody on the National Security Council; he just went and had lunch with his guys on Tuesday and that's how they set Vietnam policy. So it's pretty scandalous, some of the things that have happened.

Okay, so for time, let's recap. Failure of imagination: we need to really focus, when we're trying to communicate threats to leadership, on embracing what-ifs. So even though they may say, or even IT may say, that's impossible,

we have two Factor well maybe maybe not like was two-factor there three months ago or what about this new business you just acquired so we really need to post we really need to talk about what ifs well let's just assume that it does happen and walk through that scenario what would we do tackle all the unknowns um you know what do we not know about our business you know what can hurt us just talking to people and learning more about the business and then uh Community communicating where your risks are can can go a long way because the last thing you want is a leadership team that thinks that they're you know invulnerable or they have Best in Class

security and nothing will ever happen to them um the second point I can't emphasize this a month it's just been very successful for me so I would assume that it will work for you guys but just the fact of you know competitive intelligence that's already a thing today so um all major companies probably have like a big um competitive intelligence team that's giving them business intelligence and sap and all that stuff they're already making big Investments so the more you can um slant your threat intelligence to be like well this is how our peers are doing it or competitors the more I think gains and more trust you can build I think because they they tend to take

that they overweight that for some reason um obviously never overstate your capabilities that's a pretty easy one in order to be in order so that you don't just sound like noise and get ignored you know you're not going to want to send reports every single day you're not going to want to do that choose quality so one single quarterly briefing that's really well done can be way more powerful than you know every day sending them little briefs of stuff that they don't read it just becomes background noise um politicized intelligence I mean obviously you want to maintain your your your uh your integrity here it's hard to do like people can put a lot of pressure

on you you might have options on the line there may be all these things where you might just say hey the easiest thing is just to go along go along with it um and you know everybody just has to make their own choice about what they do there but I think the best thing would be to just say like here's the facts and you could do with it whatever you want and there was a really good example about how to do this so the Central Intelligence DCI homes remember when I told you that um LBJ and I think Nixon too they both hated the CIA so his approach was I'm not going to comment at all on policy

I'm just going to give you the facts and his goal was to build trust so he built he focused on building trust with that person and then he also his point was once I built up the trust I'd ever you know he didn't want to comment on like should I do this they just said you know here's the data and that built up that trust and then he also recommended like when he was talking to I think it was LBJ like if he didn't get his point across in 60 seconds he lost so like the longer he took to get his point across the less likely it was that he was going to even convince anybody of

anything so I thought that that was really good because he turned that relationship around and actually became effective after he built up Trust um lastly you got to be like robly the guy's awesome so read everything you can from that guy about threat intelligence and we're a little bit over so questions

[audience question, partly inaudible] ...a lot of what we think of foreign...

So I think the biggest thing there is going to be context. I would say you have data, and then you have information, and then you have intelligence, and so you want to have context and also some kind of recommendation. You want to state the facts and then state "here's what we would advise," because the biggest thing is that people say "well, it's not actionable, so why am I spending time reading it?" So actionable and context is the key. Understanding, one, where did you get this information, how reliable is it, versus just having an IP address: what makes it intelligence is the context, level of confidence, and then some action. But yeah, it's a great question.

[audience question, partly inaudible] ...just that talk about how much companies are spending on cyber security operations, do a lot of fun data about what is the responsibility...

Yeah, so her question was, is there any benchmarks on preparation? There's nothing that I've seen. I think your best bet really is just to establish discussions with your peers, because I don't think that's something that's super, super controlled. But also, maybe if you're in one of the industries that has an ISAC, that's one option. MITRE has a lot of stuff; there's different reports out there, but I've never, ever seen one that's specifically around preparation. I've seen overall budgets and tools, but not that. So, I'm sorry.

[audience question, partly inaudible] ...that's one of the best ways for us to... depending on which industry there's...

Yeah, so his question was, how do you obtain actionable threat intelligence? I've always recommended a three-prong approach. The first thing is, analyze all your own incidents: do root cause, run that stuff to the ground, because that's really giving you the first leg of it, understanding what's hitting you. Then add a couple commercial feeds, see what happens, you can integrate that in. And then the last thing is with your peers. There's a lot of companies outside of the formal ISAC stuff. Outside of financial services, which I'm sure a lot of people here are involved in, the ISACs haven't been that great from what I've seen, from the ones outside of that. But a lot of closed circles, I can't mention any of them by name, but the closed groups of people seem to share the most information, and you're just talking about sharing campaigns, and I think that gives you a lot of visibility into what's happening. I don't know, does anybody else have any advice there about that one?

[audience, inaudible]

Yeah, so that's a big... I would call that a major pain in the ass: aging out your indicators, because so much of that is shared infrastructure. So you get an alert three months later and it's a hosting provider and it's not even malicious. So, yeah.

[audience question] With tactical CTI it's pretty easy to make it actionable, right? It's like taking immediate action and doing something about it. I'm curious to hear your suggestions on how to make strategic CTI incorporate more actionable steps.

Yeah, so I think first, if you have a CSO, look for what he's looking for, then venture out into the other parts of the business. So in a business that I worked at previously, I spent a lot of time on M&A and looking at that, because around a lot of the M&A we had a lot of phishing and attacks and people trying to breach your network. That's a good one, but a lot of it depends on your business, what vertical you're in, to figure out what the best route is. But I think definitely M&A, peer intelligence, that kind of stuff. But also, number one should be your CISO first, and hopefully that person is engaged and wanting to do that. But whatever your business is, so if it's online transactions, then you're going to want to figure out a way to make your threat intelligence align with that, whatever threats are facing that. Did you have one?

[audience comment] Yeah, even if some of those indicators are going to go and expire, the pattern of what you're seeing in the past can also form a strategic thing, to see how your adversary or threat actor or what have you is evolving over time, and what they intended to rely on in the past may be something they switch up in the future. So even if some of that information looks like it's going to expire, it's still useful strategically.

Yeah, yeah, I agree. So not the actual atomic indicator, but the TTPs. Yep, for sure. So yeah, that's the whole kill chain thing, right?

[audience question, inaudible]

I would say the easiest way... so here, I have a really good example for it. It has nothing to do with CrowdStrike, so you don't have to worry. When I worked for an energy company, I got on board there and we were still ramping up, and I was leading their information security program, and a peer of mine at another energy company had VirusTotal Intelligence and I didn't. He had already deployed YARA rules to watch what was getting submitted. He pinged me on, what did he ping me on, I think it wasn't Slack, it might have been Twitter that he pinged me, and he's like "hey, I don't know if you saw this yet, but somebody's making a run at you," and I was like "what?" He had already seen it because the threat actor was testing his tool that had the strings of our company's name; that rule fired, he told me, and I saw it a day and a half later. So we were prepared, we had blocked it already. I thought that was probably the best example right there of, like, a no-brainer: you've got to do something there to stay ahead of the threats. We're out of time, but, all right, thank you.

[Applause]