Season 1 - Episode 11 (Pedro Kertzman & Ondra Rojčík) - Cyber Threat Intelligence Podcast

Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Ondra Rojčík (00:00):
They are running an organization that can
implement the recommendations.

Rachael Tyrell (00:08):
Hello and welcome to episode 11, season
one of your Cyber ThreatIntelligence podcast.
Whether you're a seasoned CTIexpert, a cybersecurity
professional, or simply curiousabout the digital battlefield,
our expert guests and hosts willbreak down complex topics into
actionable insights.
On this episode of season one,our host, Pedro Kurtzman, will
chat with Andra Roycik, who is aprincipal cyber threat

(00:30):
intelligence analyst, but healso teaches and do consulting
on intelligence analysistradecraft.
Previously, he co-founded andled the Strategic Cyber Threat
Intelligence Andra, thank you somuch for joining the show.

Pedro Kertzman (00:58):
I'm really happy to have you here.

Hello, Pedro.
Thank you very much for havingme today.

Usually, I start asking the guests their journey
into CTI, how they started,anywhere in between, and how
they land into their currentrole.
Would you mind walking usthrough that, please?

Yeah, absolutely.
I have a background ininternational relations and
political science that I studiedat Masaryk University in Brno,
Czechia.
And I truly fell in love therewith researching complex topics.
My first big topics wereproliferation of nuclear weapons

(01:42):
and non-proliferations.
These were also research areasof my PhD dissertation back
then.
I later found a job in thisarea surprisingly i got into
intelligence analysis and threatintelligence when i joined

(02:03):
first the ministry of interiorand later one of the czech
intelligence agencies theintelligence agency they had a
permanent position at nato wherei got into rotation for two
years at the what's calledintelligence production unit at

(02:24):
NATO headquarters in Brussels.
I was there in the time of thefollow-up to the Arab Spring,
basically, especially the Syriancivil war.
And I have to admit that I wasreally impressed by NATO.
The quality of people that Imet there was just incredible.
And I wanted to get a permanentjob there.

(02:49):
And My idea of how to do ameaningful step towards this
goal was to graduate from aprestigious university.
So I took basically asabbatical and went to study
security studies at UniversityCollege London.
After that, I was consideringeither finding a way back to

(03:14):
NATO or start to work in theprivate sector in London.
But Instead, a friend of mine,later my boss, Daniel Bage, a
big figure in the Czechgovernment cybersecurity,
convinced me to help him toestablish a strategic CTI
function of what later becamethe Czech National Cybersecurity

(03:38):
Agency.
It was quite a journey, to behonest.
Even the leadership of theagency, they had no idea what a
strategic CTI team could do.
be good for.
But luckily, I had a couple offantastic analysts in my team
and through their analyticalwork, we managed to convince the

(04:01):
leadership that there is agreat deal of value in having
strategy CTI.
The real breakthrough, I wouldsay, was an analysis by our lead
analyst Michal Timm regardingthe Chinese company Huawei that
was very active all around theCzech government sector and

(04:25):
critical informationinfrastructure including
telecommunication companies andso on and we managed to identify
clear risks to the future ofthe whole country basically and
to our technological sovereigntyif you will and Through the
analysis, we managed to convincethe leadership of the agency

(04:48):
that this is a crucial issue.
And then, luckily, they had theguts to go against our then, I
would almost say, pro-Russianand pro-China president back
then.
And it didn't stop there,because suddenly, thanks to the
agencies activities in inwashington and brussels the

(05:12):
czech republic was center of thedebate about chinese
technologies and we sparked andled the discussions in eu and
nato and we really changed thenarrative because until that
point the narrative at least inEurope, was that it's just a

(05:32):
technology.
And technology is a neutral, nomatter where it comes from.
And I believe that our littleanalytical team and the agency
contributed to realization,again, at least here in Europe,
that not really technology is...

(05:54):
This is really not the case.
It's not neutral.
The technology is actually apretty political issue, and
there are a lot of potentialrisks if a country that is
hostile to your values hasaccess to your critical
infrastructure.
The analytical team was alsobehind the first attribution of

(06:17):
one of the many intrusions intothe Czech Ministry of Foreign
Affairs.
We later kicked offestablishing of a policy and
analytical framework forattribution in Czechia.
Or we had quite important rolein post-incident activities to a

(06:37):
ransomware attack on the secondlargest hospital in the Czech
Republic during the COVIDpandemic times.
I mean, the strategic CTI werenot forced hands-on working on
remediation of the IT systems inthe hospital, but we were
responsible for thecommunication and analysis of

(07:00):
all the information between thefolks on the side of the
incident and the Czechgovernment and the prime
minister of the country.
Because as I said, it was thetime of pandemic.
So a non-functional secondlargest hospital in the country
was a big deal.
So overall, it was greatexperience, very rewarding job.

(07:24):
But I was realizing that myposition as a manager is not
that much analytically hands-on,and I have very abstract ideas
what information security isabout on the, let's say,
practical level of anorganization.

(07:45):
And I was just making up mymind and considering a job
outside the government at thattime.
There is quite a niche jobmarket for CTI-related positions
in the Czech Republic, not tomention in Brno, where the
second largest town in CzechRepublic where I'm located.

(08:08):
So I was certain at that pointof time that if I want a
CTI-related job in Europe, I'llhave to move to brussels paris
amsterdam berlin maybe but i wasvery lucky that redhead was
just launching their cti teamand they uh opened a position in

(08:31):
bernard where redhead has a bigbig presence but my luck didn't
stop there as i soon realizedthat redhead is Definitely a
great company to join.
And the group of people that Ican work with, they have so much
to offer.
I'm part of the internal CPIteam there.

(08:52):
It's a very hands-on work.
Most of the time, you can seethe impact of your work very
directly because our mainstakeholders are detection
engineers, incident responseteam, product security,
offensive security, GRC teams,for example.

That's a very interesting journey.
Thanks for sharing that.
You mentioned that you didn'tstart, let's say, on a
traditional cybersecurity typeof role and then just naturally
moved into CTI or something likethat.
So you came from anon-cybersecurity related

(09:33):
background and then pivoted intoCTI.
Any kind of lessons learned,you know, best practices or
something that you learnedthroughout this pivoting of your
career that maybe could bebeneficial for people listening
to kind of take that experienceand maybe shortcut a little bit

(09:54):
or kind of know the right pathto follow or something like
that?

My story probably...
would not be very typicaltoday.
I was hired to my first CTI jobat the agency for, I assume, my
research, breadth intelligence,and intelligence skills in
general, while I knew basicallynothing about information or
cybersecurity.
I'm sure that the bar at anyCTI position today is much

(10:23):
higher.
But I was lucky and my employergave me quite a lot of space to
catch up and learn.
But in general, it's actuallyquite difficult to give
universal advice in this areabecause it very much depends on
your starting point and yourbackground.
If you are a technical personwith understanding of the

(10:46):
technical aspects of informationsecurity, let's say you are an
incident responder, malwareanalyst, detection engineer,
then your major focus should beyour intelligence analysis
skills, critical thinking.
Learn how to critically consumeintelligence reports, learn how

(11:08):
to collect data, how to analyzethem, how to put together CTI
deliverables, such as reports,briefings, and so on.
If you have non-technicalbackground, intelligence
analysis and research skillsshould ideally be part of your
competence already, and then youshould focus on information

(11:30):
security concepts andtechnologies.
My way, and by no means I'mtelling you that this is the
best or the only way, but my waywas to do a couple of the basic
information securitycertifications, such as
Network+, Security+,Cybersecurity Analyst Plus or by

(11:51):
CompTIA.
The reason was that I didn'thave much space to have any
hands-on information securityexperience when I was working
for the government.
So to read, to consume videoson YouTube, Udemy and so on was

(12:12):
one of the few opportunities toexpose myself to the InfoSec
concepts, frameworks,technologies.
But as I said, it's prettydifficult to give some good
general advice to everyonebecause there are a lot of
variations of the types ofstarting points that you can

(12:32):
have if you are considering acareer in CTI.
It's really a very diversefield that is able to
accommodate all sorts ofbackgrounds.

No, that's awesome.
It's good advice.
I think, of course, peopletrying to pivot their career,
they will have their collectionof advices and make their own
unique type of path.
That's for sure.
But it always helps learningthose experiences that worked in
the past.
So, you know, looking at youroverall journey, looks like you

(13:08):
have a lot of experience on bothpublic but also private sector.
Any thoughts around thedifferences between working for
a public organization and aprivate organization

yeah so like in general if you are not talking
specifically about this tpi thatthat's that's interesting one
i'm i'm not sure if this is alocal like a culture check thing
but there's this notion of lazygovernment officials here

(13:42):
versus the hardworking people inthe large corporations.
My experience is that this isnot exactly like that.
And it's not also the oppositeas well.
There are a lot of passionate,hardworking folks on both sides.
And the CTI jobs can be quitestressful both in the public and

(14:08):
private sector.
I have a very limited, verypersonal perspective.
I've never worked for a CTIvendor, working for clients on
an incident, for example.
So I can speak only based onwhat I've seen and on my

(14:28):
personal experience with Red Hatand some secondhand stories
from other organizations.
But to be honest, Whatsurprised me at Red Hat,
considering it is a largeUS-based international
corporation, is that there is alot of emphasis on life-work
balance, for example.

(14:49):
And they really mean it.
It feels like it's a bigpriority for the company to make
sure that you have time to takecare of your family, yourself.
And that was not always...
the case while working for thegovernment.
If there is an unexpectedrequest for information because

(15:10):
the director general of youragency is meeting an ambassador,
minister or prime minister in aweek or even better in two or
three days, you suddenly have towork on that full steam.
And in my position at theagency, which was the head of
relatively small unit, thestrategic CTI, it was not

(15:34):
unusual to have two or threebusiness trips a week.
And of course, it's not justgoing on business trip, enjoying
some nice travel, but you needto perform, you need to...
do briefings, take part innegotiations, go there with
prepared and coordinatedpositions and so on.

(15:55):
And that could keep you busyand your work-life balance quite
off balance, to be honest.
So my, and I need to point out,very limited and personal
experience is that there's a bitmore predictability in the
private sector.
And you also might be lucky tohave an employer that takes it

(16:19):
as a long-term priority to havehappy and satisfied employees
with the right work-lifebalance.
Although there might be timesand, of course, situations when
this is simply not possible,even with this type of company.

Do you think this difference could translate
into the CTI work being done?

It's very much my personal experience.
But what I was doing for theagency, there was a lot of
reactive work.
We had long-term plans for theCTI.
production, but they were veryoften interrupted by the demands

(17:03):
and requests for information.
While in my current role, themix of the requests for
information and working on somelonger term strategic projects
have a slightly differentbalance.

(17:26):
I certainly, or the team needsto be flexible, needs to be open
minded, needs to react towhat's going on out there in the
threat landscape and needs toreact to various incidents and
so on.
But at the same time, we aretrying to follow We have the

(17:48):
private intelligencerequirements, for example.
So we are trying to follow thatfor our longer term production.

That's very interesting.
Thank you for that.
It's interesting to see how theemployer, quote unquote,
behavior works.
can have an impact on theproduction of intelligence or
even on the team, right?
The things they're producingand all that.
And from talking about CTIproduction and intelligence,

(18:22):
analytical skills, how do yousee the differences between
those sectors?
What are the things that youcan produce or have access to in
different private and publicsectors?

Well, there are some noticeable differences.
It may also have to do with inbetween private sector and
government.
It may have to do also withwhat we could call a maturity of
intelligence culture inorganizations.

(18:56):
In government, there is a lotof threat intel and CPI
customers that are motivated toto learn how to read
intelligence products let's saya minister or deputy ministers
they usually understand the theposition of intelligence in the

(19:19):
in the whole policy cycle theyunderstand that you provide
assessment occasionallyrecommendations and that they
are running an organization thatcan implement the
recommendations.
When they are reading thereports, they understand the

(19:39):
intelligence jargon, things likewords of estimated probability,
likely, highly likely,unlikely, and so on, or
confidence levels of theassessments.
And if not, it's wortheducating them because they will
be reading intelligence reportson a daily or weekly basis.

(20:00):
In the private sector, thespectrum of the intelligence
cultures of organizations can bemuch wider.
You can have leaders andexecutives with government or
military background who consumeintelligence reports, including

(20:20):
CTI reports, on a regular basis,and they clearly understand
what to do with them.
At the same time, many of ourcustomers in the private sector
That is something that I'mseeing quite often.
Getting to touch with this typeof reporting very, very rarely.
And the whole organizationoutside of your stakeholders,

(20:46):
your infosec buddies, let's say,IR detection, red teamers, and
so on, all those that areoutside the circle, they don't
necessarily have to be ready toTranslate mainly the strategic
CTI assessments intomitigations, new policies, new
controls.

(21:06):
Because they don't know how todo it.
Where to start?
Because they are not that oftenexposed to this type of
intelligence production.
They have other words.
They have the business to run.
So you need to help them.
And I believe, or actually weat Red Hat, the Red Hat CTI

(21:29):
team, because this is how weoperate.
We are trying to be as muchhelpful to our stakeholders, to
our customers.
And so the best way is toprovide as much
operationalization, that's aterrible word, as much as

(21:49):
possible.
So ideally provide...
not just assessment, not justwhat are the implication, not
just list of possiblemitigations in your CTI
reporting, but you shouldunderstand your organization
well enough to understand howyou can help to translate the

(22:12):
mitigations into reality of thenew controls or policies in case
of more strategic products orinto practical let's say red
teaming scenarios or newdetections in case of more
practical CTI outputs.

Excellent.
Excellent.
Thank you.
And if I understood correctly,especially related to
intelligence analysis, you alsodo lectures, right?
Would you mind mentioning alittle bit about how those
lectures are and anythingrelated to it?

Absolutely, yeah.
After I joined the intelligenceproduction unit at NATO, I was
confronted with how littleprepared I am for the
intelligence analysis job,actually.
As I said previously, I alwaysenjoyed research, I enjoyed

(23:16):
analysis, but I also realizedhow little I know about the
analytical tradecraft when Ijoined NATO, and the principles
and standards.
I had to work hard to catch upand be on pair with the
colleagues from all theseamazing intelligence services
from all around NATO.

(23:38):
And later I decided that Iwould like to make it easier for
the future generations of theCzech analysts.
I didn't have the...
opportunity to work on thesituation at my then employer.
But as I joined the cybersecurity agency that had great

(23:59):
cooperation with the localuniversity here in Brno, I
decided to open a kind ofboutique course for intelligence
analysts or introduction tointelligence analysis,
tradecraft and intro to OSINT aswell, for a very limited number

(24:20):
of students.
And this is something that wehave been doing with a colleague
of mine, Michal Miklin, forsome eight years now.
I believe that we are on alittle mission here to encourage
new talent into threatintelligence and potentially

(24:41):
also into CTI and to give themsome preconceptions about the
tradecraft of intelligenceanalysis.
And I keep doing the FREDintelligence analysis tradecraft
workshops for a couple of Czechgovernment and military
organizations or colleagues fromRed Hat and other private

(25:06):
companies.
The goal there is to promotethe FRED intelligence analysis
tradecraft and principles mainlyto folks with technical
background who oftentimes arevery passionate about going deep
down in their research and theyare having this tendency to

(25:29):
admire problems instead ofdelivering actionable
intelligence occasionally.
So what I'm trying to point outat these workshops is that we
need to understand who we workfor what our stakeholders really
what they really need to givethem what we call implications

(25:55):
in in other words answering thequestion so what once we
understand the problem of coursewe need to explain what the
problem means for thestakeholders and a part of of
that we discuss at theseworkshops how to define problems

(26:16):
through questions and how toidentify information gaps so
that we can better plan our datacollection.
We learn to accept thatinformation is often imperfect
and that we need some strategiesto mitigate these imperfections

(26:38):
like using words of estimativeprobability, for example, or
levels of confidence and so on.
Or we discuss, and that soundsmaybe super academic, but it's
actually not.
It's simply a reality of how weprocess information.
We discuss cognitive biases andhow to overcome it to form some

(27:01):
objective assessments.

That's very nice.
Is there a People want to learnmore about those workshops.
Any websites or website theycan go to?

There isn't a dedicated website at the moment
as this is more of a part-timepassion project for me.
But if you are interested inlearning more about the
workshops, feel free to connectwith me on LinkedIn.
I'm always happy to chat andshare more details.
I also occasionally post on myMedium blog where I cover some
of the ideas explored in theintelligence analysis tradecraft

(27:39):
workshop as well as other ctitopics

okay i got it um so you mentioned one a very
important aspect about learningmore of the tradecraft that is
not something for example youwould learn sometimes people
think about learning cti Theyneed to read reports and analyze
threat feeds, but that's notall of it.

(28:02):
So you mentioned about thetradecraft, analyzing
intelligence or communicatingupstream decisions that need to
be done based on thisinformation, so on and so forth.
Where do you go to learn otheraspects of the CTI process?
broad spectrum like again notnecessarily feeds and reports

(28:26):
but i don't know trends in theindustry or new interesting ways
to to analyze uh or to convertinformation into intelligence,
you name it, anything that's notrelated to the feed or report,
where you learn the other thingskind of thing.

Yeah, yeah.
I mean, my general approach tolearning, I love the concept of
learning by doing.
So if I have to learn how touse, let's say, a new CTI
platform, platform or how tostart using a new concept.

(29:08):
I prefer start really use it,try to use it.
And if there is a good, I don'tknow, for example, webinar that
goes with it, I like to go backand forth between showing me
how to use it and me trying itactually.
And at the same time, I wouldalso say I'm quite old passion

(29:30):
and how I consume information,especially some long-term
knowledge or concepts that I canuse over and over again.
So I love books.
Recently, I spent more timelistening to them than reading,

(29:51):
but whenever I finish anaudiobook that I like, I go and
buy it.
So I'm probably a greatcustomer of all these publishing
houses.
Should I go ahead and recommendsome Books that might be useful
for...

Honestly, I love books as well.
When I'm not here in front ofmy lab and all that, I don't
want screens.
I want good old-fashionedpaper, and that's it.
I prefer to unplug a littlebit.
Even though I'm reading abouttechnology, but I prefer to
consume it in an unplugged

Yeah, I have to say, man.
So, yeah, speaking about books,the first...
One is a phenomenal book thatis basically an international
bestseller and I don'tunderstand how I managed to keep
avoiding it for such a longtime.
It's Thinking Fast and Slow byDaniel Kahneman.

(30:53):
It's highly recommended to anyCTI analyst.
It will give you a perspectiveon how we consume and process
information and how embeddedthese what we call cognitive
biases are in our thinking.

(31:14):
And therefore, how important itis to find some strategies to
fight the bias.
Another is Critical Thinkingfor Strategic Intelligence by
Katherine and Randolph Persson.
This book It will help to anyCTI analyst to find a way how to

(31:38):
approach complex issues and howto communicate more
effectively.
And the last one is that Iwould mention here is
Storytelling with Data by PaulNussbauer-Knaflik.
It's a great resource foreffective data visualization,

(31:59):
which I believe is an importantbut often overlooked skill among
CTI analysts.
And for those who arecompletely new to CTI or are
considering to go into thatcareer path, if somebody like
this is listening to us today, Iwould mention Visual Threat

(32:22):
Intelligence by Tomas Rozia.
It's a good first intro book.
But if you would prefer moredepth, and you are taking your
journey to CTI more seriouslythan intelligence-driven
incident response by RebeccaBrown and Scott Roberts is a

(32:43):
must-have resource.

Excellent, excellent.
Yeah, I know a few of thosebooks and they're really good,
really good.
Thanks for sharing that.
No, that's excellent.
And any closing thoughts forthe listeners?
Any extra thing to mention?

Yeah, especially...
If you are someone who'stransitioning to CTI, and that's
very typical from deeplytechnical background, be mindful
that we are talking about C, T,and I.
So there is the cyber aspect,the information security

(33:19):
concepts and technologies andthe whole technical side in
general.
There is the threat aspect.
So you should understand howthe adversaries are operating
and what is going on in what wecall the threat landscape.
And then there is theintelligence part, for which you

(33:39):
should be familiar with theprinciples and concepts of
intelligence analysis.
And in your continuous trainingand education, always try to
keep some kind of balance amongall of these major concepts in
CTI.
Because, for example, the lastpart, the intelligence

(34:01):
tradecraft part, it will preventyou from losing dozens of hours
of research in ineffectivereports and briefings.
It will allow you tocommunicate clearly and deliver
the message to your stakeholdersif you work on that bit as

(34:24):
well, because that's quite oftenover.
by folks in the CTI industry.

That's very nice.
I love the way you broke downthe C, T and I pieces and so
people can understand theimportance of every single one
of them.
That's very nice.
Super insightful.
Andra, thank you so very muchfor coming to the show.
I really appreciate all theinsights and I hope you'll see

(34:51):
you around.
Thank you.
Pedro,

thank you.
Thank you so much for having mehere today.

Rachael Tyrell (35:00):
Thanks for tuning in.
If you found this episodevaluable, don't forget to
subscribe, share and leave areview.
Got thoughts or questions?
Connect with us on our LinkedIngroup, Cyber Threat
Intelligence Podcast.
We'd love to hear from you.
If you know anyone with CTIexpertise that would like to be
interviewed in the show, justlet us know.
Until next time, stay sharp andstay secure.

(35:23):
b

All Episodes

Season 1 - Episode 11 (Pedro Kertzman & Ondra Rojčík)

Episode Transcript

Popular Podcasts

NFL Daily with Gregg Rosenthal

On Purpose with Jay Shetty

Dateline NBC

.css-15opob5{left:0;position:absolute;top:0.8rem;} All Episodes

.css-14f5ked{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:2;overflow:hidden;}Season 1 - Episode 11 (Pedro Kertzman & Ondra Rojčík)