Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Mary D'Angelo (00:00):
Sets you up to be more of a proactive organization, as opposed to being reactive when it comes to cyber threats.
Rachael (00:06):
Hello and welcome to the very first episode of Your Cyber Threat Intelligence Podcast. Whether you're a seasoned CTI expert, a cybersecurity professional, or simply curious about the digital battlefield, our expert guests and hosts will break down complex topics into actionable insights. On this episode of season one, our host Pedro Kertzman will chat with Mary D'Angelo, who is a cyber threat intelligence solutions lead at Filigran, dedicated to helping organizations integrate actionable threat intelligence across silos. She emphasizes the need for a top-down cultural shift to demonstrate threat intelligence's ROI to executives, focused on dark web threats and ransomware attacks. Mary is a strong advocate for democratizing intelligence sharing. Over to you, Pedro.
Pedro Kertzman (00:54):
Mary, thank you so much for coming to the show. It's amazing to have you here. Yes, thank you so much. I'm so excited to be here with you today. One of the main reasons I'm super excited to have you on the very first episode is because of your role. If I heard it correctly, part of it is to democratize CTI, right? Yeah, definitely. That's awesome. And how did you end up in this role in the first place?
Mary D'Angelo (01:16):
It's interesting how I got to this point, because if I looked back 10 years from now, I would have no idea what even democratizing threat intelligence means, let alone that I would be here championing it. But when I, so my background actually isn't cyber at all. So I came from a business communications marketing background, but I was first recruited to work for a cybersecurity company. So that was when I first got into the cyber space and working with, you know, practitioners, analysts, as well as C-levels of organizations of all different sizes. And after work, I was working for a company, for Darktrace, for a couple years, and after working there, I got recruited to work for a company that specialized in purely dark web threat intelligence. And so that brought me into this CTI world with an emphasis on dark web threat intel, and that was so eye-opening for me.

It was an extremely exciting time for me as well, because that was, it was a way of, you know, so often when it comes to cybersecurity, people are so reactive, right? It's like when an attack happens, then the incident response team responds, and like, but what I loved about this company that I was working for was they were all about, you know, shifting left on the cyber kill chain. So if you're familiar with the cyber kill chain, it's the stages that a threat actor takes in order to achieve their objective, and where most security teams were focusing on was like stage two or three or four, whereas CTI was like, no, we need to shift as far left as possible. And as they would say, far left, left of boom, because they use a lot of military terminology in the CTI world, and so that was so amazing. I expressed a lot of interest with the company I was working for, and so they led me down more of a technical path.

So they did a ton of training for me to work, not only to do investigations within the dark web, you know, understand how the dark and deep web work, how it's like a criminal underground for threat actors, and the importance of monitoring it. And it was only until I was with them for a couple years, but it was only until I was at an event, and at this time, it's, I think a year or so ago, LockBit, the ransomware group, was going crazy. They were targeting a majority of hospitals in America, and that's it, to me, it's one thing when you're targeting hospitals, and it's nothing like targeting like an insurance firm and financial firms, right? Because there's real lives at stake when you're focusing on hospitals. And some of these ransomware groups were very, like, very malicious, like they were going after children's hospitals, yeah. And so the stakes, the stakes were much higher.

And I remember, because we were monitoring the dark web and we were receiving notifications of the movements of these threat actors, I remember seeing so many, like, initial access brokers selling credentials for hospitals, like every single day. And so how, sort of part of their process of how they worked, or the TTPs, is like someone gains access to a hospital, maybe through an insider threat. They take that information, they sell it on the dark web. But they're very, very vague about the information they have. So they have some type of credentials. They won't name the hospital. They'll say, like, the area of the hospital, the revenue size of the hospital. And so if you are that hospital, oftentimes they don't have threat intelligence teams. And if they do have a threat intelligence team, it's so hard for them to, like, sift through all this intel, right? Because we get alerts constantly. And so it got to a point where, I think, in this particular example, darksoul was the name of the initial access broker who was just selling all of these credentials, which then were purchased by LockBit or other ransomware groups, who then used it to exploit and attack these organizations.

And I just remember seeing all of this intel out there, and there was absolutely nothing we could do about it, right? It was just like, this is like, what's the example? It was like, you see a train about to crash, you know? And like you're on the sidelines, and there's nothing you can do but just watch it crash. And so that kind of brought me more into, okay, there, there needs to be a shift here in terms of how we share threat intelligence, you know. And I think, and I will say it has over the years. I don't want to say that, you know, sharing threat intelligence has been, hasn't been great, because it has been, it's changed so much, especially within the past five to seven years, especially, you know, with the involvement of ISACs, you know, various government agencies that help with it, and also private firms that set up their own, their own communities for threat intel sharing.

So that's kind of, after going through that, it kind of led me to Filigran, where I work now as the solutions lead, and it was awesome. It was like, it seemed like all the stars aligned, because Filigran was exactly what I was looking at. They were all about the CEOs, all about democratizing cyber threat intelligence, like, you know, we as the good guys need to work together, you know, with also all of our resources, to be able to, you know, essentially protect ourselves from the threat actors out there. Because cyber threat intelligence is like a puzzle, right? It's a puzzle. You need different, you need all pieces of the puzzle in order for it to be productive or effective. And if you, if organizations are just holding on to one piece of the puzzle, you're not sharing it with each other, then it's, it renders it useless. And so that's where, how I landed here. And I've been here with, with Filigran for about eight months now, working very closely with, with our clients. So I did a lot of on-site, trying to understand their threat intelligence, their requirements. You know where, you know where their industry stands and what their landscape looks like, and then making sure that they're getting the right intel they need and building the workflows they need in order to protect and mitigate any sort of risk.
Pedro Kertzman (09:03):
Through your, your journey here. That's amazing. And you're talking about your day-to-day work with your, with your customers, trying to leverage the best on threat intelligence. Any thoughts on why that is so important to companies, to be on the top of cyber threat intelligence?
Mary D'Angelo (09:20):
Yeah. So I think, like, so, I guess I could start it by saying the value of cyber threat intelligence, right? So really, the primary function of CTI is to reduce uncertainty for stakeholders, and that could be stakeholders from a full range across an organization with completely different objectives. And so the CTI role is to make sure that they are providing intel for those, those various stakeholders. So we, from like a strategic level, an operational level and a tactical level. And I know I talked about this a few times before in the past, like when it comes to threat intelligence, the main three buckets are your strategic, tactical and operational threat intelligence. So strategic being more of your executive level, trying to understand, making informed decisions of long-term security risk management, regulatory compliance, understanding your overall threat landscape. Who are the threat actors targeting my organization or my industry? Operational has to do more with supporting SOCs, improving detection, response, mitigation of cyber threats, using threat intel for those purposes. And then tactical is more, I think, if it is like right here and now, you know, having considered response, understanding the adversary's TTPs, tactics, techniques and procedures, in order to be more, more proactive. And so if you have CTI permeated, if it's done correctly, it'd be permeated in every single aspect of an organization, really, in order to reduce uncertainty. And that just makes it better for strategic planning, better risk assessment, and it sets you up to be more of a proactive organization, as opposed to being reactive when it comes to cyber threats. Excellent. And any insights about companies that perhaps could be seen as competitors because they are from the same industry, they serve the same population. Should they share threat intelligence? Yeah, any insights about that?

Yeah, that's a kind of a, it's an interesting question, right? Because there's also, like, sort of, like, a moral dilemma behind it as well, because if you are gatekeeping this intel, like, like, the hospital is a great example of this. If a commercial company, like a commercial feed, has this intel that could potentially help hospitals, right, like from stopping an attack, and when a hospital gets attacked, you usually, more often than not, lives are at stake, right? And so it, it's, it's kind of, it's hard to navigate, because we understand these companies are trying to make money, too, and there's also, sharing intel isn't always effective, right? If it's not done properly, it could get in the hands of the wrong people. And it also, you know, as much as we are tracking our adversaries, they are tracking us as well, and they're tracking us very closely. So if we are sharing this intel, we have to make sure we're doing it in a very secure means.

And so I think, to start, I will say, you know, it's changed so much. Within the, people are always talking about how we need to, organizations need to start sharing and democratizing threat intelligence, making it more available. And it's gotten so much better. I mean, especially with, you know, the role the ISACs have taken, how the FBI has played a big role in this as well. And there's a ton of different groups, like, I know, at least for OpenCTI, we have a Slack channel with over 4000 users, all practitioners. And in that is to, you know, may, a big part of it is to share intel amongst various, you know, like different oil, oil gas firms, to share with other oil and gas firms. So in that sense, if they have, let's say, like a commercial feed, and I've seen this before, where, like, a large oil and gas firm will have, receive like a commercial feed saying this, you know, this oil gas firm is being targeted. What they will do is share that piece of intel with the rest of their, those in their sector. And so that's important. So I don't think it necessarily, the onus needs to be on the commercial threat intelligence firms, but they need someone to be sharing this out. I think if it's done correctly, it'll eventually get to the right folks. But also, Ben talks about the timeliness of intel, right? Intel, a big, important aspect of intel is the timeliness of it, right? If it's, if it's even a day too late, it's, it's rendered useless. And so that's also, you know, another factor that plays into it.
Pedro Kertzman (14:55):
Got it. Do you think it would be fair to say that when building a CTI program, for example, companies should at the very beginning think about how they could potentially share information with their peers, in case they receive any relevant CTI information that actually shows them one of their peers is being targeted, so they know the channels, how to share that information, instead of running screaming and trying to find the right person to share that information?
Mary D'Angelo (15:27):
Yeah, I was on that side too. I think I was, when I was working for the dark web threat intelligence company, there would be times when I saw there's like a major airline, someone had, I forgot the type of access this initial access broker was selling for this airline, but it was just out there, but they didn't, and of course, they're very, threat actors are incredibly sneaky about how they put this information out there. So if you are in airlines and you're only monitoring the name of your company, you would totally miss this piece of intel, because the threat actors are sneaky, and so they'll just put, like, the revenue size of the company, where the company is based. And so since, you know, I came across that, that piece of intel, and I was like, okay, this is huge. This is something we need to share. I just reached out to the cybersecurity, the CTI team at the airline, letting them know about it, and they, they were so taken by surprise with it. That's just one example. There are, you know, again, with the ISACs, really, really plays a huge role in this. There's a ton of different communities out there that you can join. Another plug is, we have Women in CTI that started by me and another colleague at Filigran, and so it's another great place for people to share intel, that's awesome, in a safer space.
Pedro Kertzman (17:08):
Yeah, okay, thanks for sharing that. So I imagine you see so many examples throughout your previous roles and in the current role as well. What would be like do's and don'ts when it comes to implementing a CTI on a company and advancing that practice within those companies?
Mary D'Angelo (17:28):
I have some do's and don'ts that I like to give, but they're not, they're kind of all over the place, but they're very important. So just bear with me as I go through some of them. But basically, the main purpose of CTI is to block emerging attacks, right? So you want to make sure the intelligence that you're using is to help stop the, in within the cyber kill chain, you want to stop it as early on, so that the attacker will have to start from the very beginning. And so in order to do that, you want to make sure that the intelligence that you're receiving is accurate before you actually apply it to threat intelligence. So sometimes, off, you know, you'll always hear threat intelligence practitioners complaining a lot about false positives, and oftentimes what this, when, when you get a lot of open source intel, some of it will be, some of the IOCs maybe a little bit identifying, it'll say something like Cloudflare, AWS or Google infrastructure. So that's not what you want to action upon, because then you're shutting down your Google infrastructure, which is like the lifeblood of an organization. So that's something, you know, to be, is very high priority.

And it was also expiring your outdated data. Threat intelligence is, as you know, it loses relevance over time, and so you want to ensure, you know, your firewall security systems don't rely on stale IOCs, so making sure you're cleaning through it. I know I have some clients that do it on, like, a couple months, I think kind of like, if I like, a couple months, they go and they clean through it, some even sooner than that. So it just depends on how your organization is structured. Very importantly, too, so you're not wasting anyone's time, is you want to meet with the stakeholders, you know, you want to meet with all the various stakeholders across the organization. Really define their CTI requirements, because your intelligence must serve a very clear business security perspective. And then lastly, this is big as well. It's very, differentiate between data and intelligence. So threat feeds is not intelligence. IOCs alone are just raw data, right? Intelligence is processed, it's analyzed, and it makes assessments about future risks. So having that understanding, because they know a lot of people who say CTI, they think it's just data, it's IOCs, no, it's not. It's, it's already been processed. It's been analyzed. It's, you, it has a fundamental purpose behind it.

Um, okay, so some don'ts, okay. So the first one is, I would say, don't blindly trust vendor-provided attribution. Always, always verify intelligence before action. Oftentimes, two teams will have, you want to make sure everyone on your team is on the same page in terms of how you define your confidence metrics or your likelihood, your confidence levels, right? And so having very precise numerical values for consistency across your organization, that must be established so that you're all speaking the same language, and it just helps communication across the team. And then also, like, don't push out CTI that doesn't benefit stakeholders. Kind of goes back into what I was talking about, about making sure you have an understanding of what the stakeholders' needs are, building a CTI program around their use cases. And at the same time, if you have intelligence that is not related to stakeholders, don't push it out. If it's not relevant, if it's not actionable, it's just noise. And as everyone in this CTI world, security world knows, like it's, everyone is, what is it? Noise? Fatigue. Alert. Yeah. So, yeah.
Pedro Kertzman (21:56):
That was super insightful. Thank you. Any other best practices worth sharing?
Mary D'Angelo (22:01):
Yeah, so I think, and this is something that I've been looking into more recently. So when it comes to, so when you're building out a cyber threat intelligence team, right, you'll have your cyber threat, your intelligence analysts, and then you have your very, your technical analysts, so these people that will probably work on SOC, SOC teams. Now, when they're working together for your CTI program, communication can be extremely difficult, because the CTI folks have a strong understanding of how intelligence, or how to gather the intelligence, how to analyze intelligence, and how to properly communicate that intelligence, whereas when you're dealing with technical information security professionals who are also trying to get into intel, there's a big gap, right? Because the communication, because they, they're not, they don't know how to communicate with each other, and so that's something to be aware about, because you'd want to make sure that you're working on making sure you can work through the differences in communication so that both parties are more effective. Otherwise it could become, you know, bogged down with so much noise and miscommunication and ultimately ineffective. Got a little chaotic, yeah.
Pedro Kertzman (23:43):
Do you think the MITRE ATT&CK Framework, or any industry-recognized common body of knowledge, could help on this type of communication issue, or any other best practice on how to make sure that's not happening with your organization?
Mary D'Angelo (24:01):
Yeah, I think, well, I think it's, I think it's very important for organizations to have a strong understanding of their vertical landscape. So not only, so you know, if you are, like, again, back to the hospital example, if you're a hospital, having a strong understanding of what that landscape looks like from a cyber perspective, and then aligning that intelligence with the MITRE ATT&CK framework in order to map out gaps in coverage against those targeted actors. So I think that is, it's not, and it's also, it's not that hard to do, but it just requires more upfront work of trying to understand what my threat landscape looks like here, and then align that with the MITRE ATT&CK framework so that you can find the gaps more easily. And then, now, then you can probably prioritize. You know where you need to spend your time. Perfect.
Pedro Kertzman (25:05):
And what about sharpening your CTI knowledge? What do you like to use? Blogs or social media or books?
Mary D'Angelo (25:12):
Yeah. So there is this saying in the CTI world that if it's already printed, if it's already booked, then it's out of date. Which makes sense, although I will say there are a few, like, trusted source sites that I will, that I'll receive notifications on, just to keep me updated on, on the political climate, cyber climate. And there's also a few different articles I think that I found recently that were extremely helpful, especially as it talks to some of what we were talking about today, about the gaps between the technical analysts and the intel analysts and their, their communication barriers, and so I think that was from a Carnegie Mellon article, which is a great, so tradecraft report, State of Cyber Threat Intelligence. I am going to plug OpenCTI, the company that I work for. They send out very, they send out emails on a weekly basis of, you know, like what we might be seeing in the threat intel world, some of the challenges that various sectors might see. Is it for customers only or general public as well? No, general public. Is it just going to the Filigran website and subscribing to the newsletter or something? Okay? Yeah, awesome, yeah, subscribing to that. And we, so we're an open source company at, at, at heart, right? And so most of the information that we try to provide is by our community of people, of people, so real analysts, real practitioners, what they find to be valuable. And
Pedro Kertzman (27:14):
If any of the listeners wanted to follow you or see more of your work, get, you know, more information about CTI from you, what would be the best way to do that? A blog, social media?
Mary D'Angelo (27:26):
Um, so LinkedIn is my best, my go-to right now. So I've posted a couple of articles on there, mostly around democratizing cyber threat intelligence, you know, making it, as I mentioned, the whole LockBit story, the importance and the value of making, how we need to stand together as organizations against these threat actors. Yeah, so feel free to add me on LinkedIn. Send me a message, and I have some articles and other interviews on there as well.
Pedro Kertzman (28:00):
That's great, Mary. Thank you so very much for coming to the show. Really happy to have you here for the first episode, and I hope I'll see you around.
Mary D'Angelo (28:09):
Perfect. Thank you so much, Pedro. Great speaking with you.
Rachael (28:14):
And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise that would like to be interviewed on the show, just let us know. Until next time, stay sharp and stay secure.