Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Bianca Miclea (00:00):
We know this control has a gap.
You might not be aware of that.
Rachael Tyrell (00:06):
Hello and welcome to episode 13, season one of your Cyber Threat Intelligence podcast.
Whether you're a seasoned CTI expert, a cybersecurity professional or simply curious about the digital battlefield, our expert guests and hosts will break down complex topics into actionable insights.
On this episode of season one, our host, Pedro Kertzman, will
(00:38):
chat with Bianca Miclea, thanks for having me, and is passionate about empowering women in STEM and advocating for diversity and inclusion in the industry.
Over to you, Pedro.
Pedro Kertzman (00:55):
Bianca, thank you so much for joining the show.
It's really great to have you here.
Thank you.
Bianca Miclea (01:00):
Thank you so much for having me.
I'm excited to be here.
Pedro Kertzman (01:02):
I usually start asking the guests about their journey into CTI.
Would you mind walking us through that please?
Bianca Miclea (01:09):
Yeah.
So I guess it's a bit of a non-traditional journey compared to people who have studied computer science, cybersecurity, any way it performs.
So I've studied politics at university.
It's always been one of those industries that I thought this is really cool, but I could never do that.
But then between my undergrad and my master's degree, I
(01:31):
actually took a gap year and I was working at a consultancy, kind of doing anything and everything that was not related to cybersecurity in any way, shape or form, but they actually had a client-facing cybersecurity team.
I just got curious and on my last two weeks with the company I actually asked hey guys, can I just shadow you for a little bit?
Can I see what you guys do?
(01:51):
What's this cyber thing about?
Because it sounds very cool and I'm very interested.
So I spent two weeks with them and I loved it.
I absolutely fell in love with it.
They were doing threat intelligence for clients or kind of reporting what's out there, just had the platform where they would update on a daily basis, create historical, all the cool stuff, all the good, all the good things.
(02:12):
So I got really interested into it.
I still went on and did politics, though, because that was what my master's was about.
That's what I was planning to do.
Again, it was one of those: this is really cool, but I could never do this.
But whilst I was doing my master's, actually the last, the manager from that team emailed me and said hey, we've got an opening for an internship if you want to join our team.
(02:33):
I got really excited and obviously I said yes.
So for a period of time I was doing the internship as well as my master's, finishing that off, and that was a three months internship with the opportunity to get a full-time job at the end, which I ended up getting.
So I ended up being a researcher, from a researcher to an analyst, so kind of moving up the ladder from there.
(02:53):
I've spent about three years, I think, roughly, in CTI, and then I just got curious about what other areas of cyber are there, what do the other teams do, what's?
You know, what are the ins and outs of VM, of supply risk, all of these other interesting areas that make up the cyber family, and I went and did consulting.
(03:14):
I went to a couple of big fours, moved around a little bit, project based.
So it basically touched on everything under the sun because it was, you know, this client is this for six, nine months, two weeks, whatever it was.
And then you move on to another project, another project.
So it was a really, really good overview of how things work and
(03:34):
what else is there, and at the time GDPR was a hot topic, so it was all getting into that GDPR area and suppliers and all of that interesting, interesting data.
But after about two and a half years, I think, again roughly three years, I just really missed CTI.
I thought, right, okay, I've done all of the other bits that
(03:55):
I could think of doing.
I know I love CTI, so I'm going to go back into it.
So I did. I ended up again kind of touching on CTI throughout my consultancy life anyway.
So I was helping set up a team alongside other people initially, whilst I was also being a consultant doing other bits.
But then, when I decided to move back into CTI, I decided to
(04:17):
make a change and actually go from client facing to internal, and I've moved internally to a large financial sector organization in the UK but also globally, and that was basically setting up their CTI structure from scratch.
So CTI team from scratch.
They had a process for ingesting IOCs and kind of the basics of what would keep the lights on, but they had kind of
(04:42):
no official CTI team or structure.
So that was me coming into that and helping set that up and build that up, done that for about three years as well, build a strategy, build up the team processes, you know, all of the good stuff.
And where I'm currently sitting is security engineering.
So moved a little bit away from CTI.
However, because I loved it so much and, as my career has shown,
(05:04):
I can't stay away from it for too long.
So I actually ended up now looking after both the security engineering team and the CTI team.
So I'm still doing a little bit of CTI at the moment.
Pedro Kertzman (05:13):
Yeah, that's awesome.
Would you say that your background on politics, your master's and all that are helping you, or helped you in the past, throughout this CTI journey?
Bianca Miclea (05:26):
It did.
Yeah, so I guess this is a broader question and this comes down to what is CTI?
So I feel like CTI means different things to different people, depending on where you stand.
In terms of politics and economics and all of the stuff I did at Masters and University, yes, absolutely, it was helpful from the strategic point of
(05:47):
view of CTI, understanding the who, the why, the relationships, the tensions, knowing when to spot that actually, I think this will escalate.
So Russia-Ukraine was a good example.
The war started in February.
However, in around December time, I believe end of November, December time, I raised it to the team at the time and I said I
(06:10):
think this will become a problem.
I think we need to look into what suppliers we have in these areas, a plan for if this was to escalate, and, to be honest, it wasn't taken too seriously at first, it was a bit of a I think this will be a waste of resources.
I don't think this will escalate, and everyone at the time in terms of actual political analysts, well, not everyone, but most people were on the idea that actually this
(06:33):
won't escalate to a full-blown war.
Fast forward to February, full-blown war started, but we were ready.
We, by that time, had a full-on assessment on all our critical supplies in Ukraine and around the region.
How are we connected?
Where are we connected?
What data transfers are happening?
What are we going to do?
What buttons are we going to press in case there is
(06:56):
escalating to a war?
So, yes, to answer your question, it did help in terms of the strategic point of view, but it comes down to what you understand from CTI.
So I had a lot of learning to do in terms of the tactical and operational side of things, in terms of understanding threat actors, IOCs, the difference between a TIP and how different people understand the TIP, because if you say TIP to
(07:17):
someone, you might not necessarily be talking about the right thing.
Some people might think threat feeds and the capability to do some custom alerting, whilst other people might be thinking an actual TIP where IOCs are ingested and you can do malware analysis, investigations and the more tactical side of things.
So it really, I think, I feel like CTI is, it is getting better
(07:38):
, but it still needs a definition or that discussion of what do you understand by CTI, when you mean CTI, when you mean strategic, when you mean a TIP, what are you actually talking about here?
Pedro Kertzman (07:51):
Perfect.
And talking about the experience you mentioned about the financial institution, building the team from scratch, I think it's not a super common experience around the market.
Like I see more the organic growth and then building a CTI program, slowly building a CTI program, instead of having, like
(08:12):
I would imagine, a fairly big budget and then decided what to do with that.
Any thoughts around what was the focus?
Was that, like, people, tools, how, like, you build from scratch, with a reasonable budget, a CTI team from zero?
Bianca Miclea (08:33):
I think in terms of, in terms of the approach, I guess the initial discussions we had and the decisions we had to make was whether this would be, what kind of CTI function they wanted to have and what they wanted that CTI function to deliver, and that was one of the key areas that I had to focus on.
(08:53):
The questions were around where there is a CTI team in terms of hey, we report every week on what's going on externally.
This might be talking about healthcare and retail, and, you know, there might be a financial sector attack there or something relevant, but it's not really linked directly into the
(09:14):
SOC, to IOCs, to the processes, into suppliers.
So there was an initial conversation around there that, yes, I can do that.
That bit is not hard to do.
There's plenty of information out there at the moment on all of these kinds of attacks.
You just spend a bit of time and you'll get all the data.
The conversation I was having, and where I was trying to get the team to, is actually building that inbuilt SOC team
(09:36):
that actually provides actionable intelligence, relevant intelligence, things that you can do something with and that you can really get the so what behind this.
So, you know, bringing in supplier, bringing in the tools that we're using, understanding vulnerabilities, working with the detect and respond team to understand what are we seeing,
(09:57):
what are the trends.
So that was one of the initial points in discussions that we were having.
So once that was defined and understood and the direction was set, it was then easier to say, right, okay, this is what we want to do.
So we need to build XYZ, we need to understand IOC processes, we need to start from the bottom, which, at the time and
(10:18):
where we were at it, meant tactical, and then slowly build your way into operational, the who, the how, the why, and then the strategic.
So the strategic piece around, you know, what's happening geopolitically, what are we looking at, wars and politics and economics.
And best tool was one of the frameworks I used and I found
(10:40):
very helpful in that scenario.
But that came last.
That came after everything else was set up, after we understood our crown jewels, our suppliers, our tools, after internal processes were set up that allowed me to reach out to people I needed and get information quickly.
So, yeah, that was kind of the journey as I went through it.
Pedro Kertzman (11:03):
Perfect.
I'm not sure if it's a controversial topic.
Would you say the CTI team should be part of the SOC, not part of the SOC?
Any thoughts around that?
Bianca Miclea (11:15):
Controversial topic indeed.
So I think, again, it depends on what you want to achieve.
So, obviously, if you're a CTI team that's client-facing and provides reports and stuff like that to a client, that's a different story.
But if you are an internal team and you're looking to build up a CTI function, my personal experience is that it works best
(11:39):
when it's aligned to the SOC, when it's integrated in the SOC, when that team has the capability to talk to detect and response, engineering, VM, supplier risk, when that person, it's almost, the way I see CTI is it's like a bridge between the SOC and the organization, and that bridge would mean, hey,
(12:03):
detect and respond team might not have the time to speak to supplier risk or ISOs or, you know, have a look at whatever decision was made on the board level or business level on a regular basis, but the CTI team do and should.
So that should be, that integration piece of this is what the business needs.
This is what we're seeing on a tactical level, on the ground.
(12:29):
This is what I think we should do, and that, from my experience, worked best.
That's what actually drives value from a CTI team, because you're not just providing noise and, again, this might be controversial, but you're not just providing news feeds or alerts that actually nobody does anything with, and that
(12:51):
comes back into another, I suppose, quite difficult thing is around, how do you actually measure, then, the effectiveness of a CTI team?
And reporting and KPIs, and having it as part of a SOC helps with that, because you can then start having a look at false positive rates, you can have a look at mean time to detect, you
(13:14):
can have a look at what or how many changes were done based on a CTI report or recommendation in the last six years, or six months, sorry, or one year, so you can kind of start to quantify CTI in a way.
That is a little bit harder to do if that integration with the SOC was not there.
Pedro Kertzman (13:34):
That's a great point, and with that experience as well, from building the CTI team from zero, any top three, five KPIs almost every CTI team should have on their KPIs list?
Bianca Miclea (13:52):
So I think, yeah, I think I mentioned some of the critical ones there.
It really depends on how mature the team and the function is.
If you are just starting off and if you are, you know, 100 days into building up the CTI function, those KPIs are not going to be existent.
You will need to build up historical data, you will need
(14:13):
to work on actually getting those processes in place to be able to monitor and measure, for example, false positive rates.
But yes, if we are talking in a generalized average CTI maturity, let's say like three, five years down the line, then I think some of the critical ones that you should have is, as I
(14:35):
said, false positive rates in terms of IOCs.
What is actually the team, and not just IOCs?
But are you doing threat hunts?
Are those threat hunts reaching the right points?
Are you looking at the right tools?
What are the false positive rates on that?
Other bits is mean time to detect.
How quickly is the team actually detecting what's going
(14:55):
on externally or internally?
Are most of the news feeds coming to you from exec?
Is the board asking you hey, I've seen this in the news, what's it about?
And then you're reactive.
Or are you actually proactive to things?
And that can be difficult to do because everybody reads the news, and a CTI team is more than just reading the news,
(15:16):
especially if it's integrated with the SOC.
So it can be difficult to achieve, but it should be one of those.
How long does it take us to pick up things?
How long does it take us to escalate it?
And the other thing is around making it actionable, again a difficult KPI to have, but I think every CTI team should have it, otherwise you lose focus, you lose the so what and the why
(15:38):
, and that, making it actionable, can take different forms.
So you can look at, um, as I said, how many controls have been improved in the last six months based on recommendations that we have made, or, um, I don't know, how many sessions have we delivered, training sessions or awareness sessions, to the business, to the board, to whoever your audience is.
(15:59):
How many engagements have we had with suppliers team, or with VM team or other external teams, and what impact has that had?
So I think, again, it really depends on where you are, but I think that that actionable intelligence, where is what you're doing, where is it going and what are people doing with it,
(16:20):
it's something that every CTI team should keep in mind and have a look at and review on a regular basis. Awesome.
Pedro Kertzman (16:26):
No, I love that.
And one probably common topic I hear from many other guests is that CTI teams, they need to do a better job on selling their value upstream, which is difficult. It is.
It is, so that's why I wanted to hear your take on the best KPIs or how to sell value to the organization and things like
(16:48):
just to share with the community.
Because, again, it's a, I would say, rare experience to have, you know, building from the ground up a CTI team on a larger organization, already mature cybersecurity organization, I'm sure, and then building that within that organization.
So that's great, thank you, and you built it.
(17:11):
It's up and running.
What's next?
Any lessons learned on the maturing part of the process, maturing that CTI program?
Bianca Miclea (17:22):
Yeah, definitely, so again, reviewing those KPIs are a key lesson learned there is right now.
The team is functional and we're doing reports and we're doing this.
Let's review KPIs and make sure the team understands the value, understands where we are.
I guess a CTI team is never really mature because the threat
(17:46):
landscape changes all the time and you need to, as a CTI team, you need to stay in, as an organization in general, but CTI even more so.
I guess the expectation is there because you are CTI that you are on top of everything, you're never really going to be mature because things will always change.
New tools are being implemented, AI is coming down.
What does that mean?
(18:07):
How can you use it or can you use it?
Are you allowed to use it?
Should we use it?
It's all of these questions around, not just what's changing in the threat landscape, but what's changing in the way CTI works in terms of processes, in terms of people, in terms of skills.
You know, as more people understand CTI and as the CTI, I
(18:27):
guess, journey went from a little bit of a buzzword when it first started and a regulatory requirement and, you know, one of those hey, this is the cool new kid in town, to now people actually having this more and understanding what it is and more people doing it and more skills being built that way.
Then you have to consider how are skills requirements changing
(18:48):
based on this as well?
More people require malware analysis, a malware analysis, for example, threat hunting.
Not everyone has the capability to have a CTI team and a threat hunting team, now whether that should be separate, it's a whole different discussion.
But, you know, those skills that are required in a majority of cases, or at least are expected to some extent that the CTI
(19:12):
analyst would be able to.
So, yeah, I think overall in terms of what, what is, what does it come after maturing, keep maturing, keep reviewing those KPIs and making sure you're hitting the right spots and you're measuring the right things and that the company can still see the value from you on a constant basis.
And also just integration with the rest of the company.
(19:35):
So if you are integrated with a SOC, that's the first step.
That's not the end of the journey.
Once you're integrated with a SOC, once the team is in place and the processes are in place and you've got some kind of TIP, now you need to start talking to the business.
Now you need to start talking to all of the, you know,
(19:55):
identifying stakeholders outside of the, your initial SOC team or your initial sphere of influence.
Let's put it that way, who else can talk to what else?
What do they need from us?
Because then intelligence requirements might change or adapt, or you might find things that actually, we, this isn't a crown jewel as we thought we are.
I think this was a priority for someone but not for someone
(20:18):
else.
So it's, it is a constant.
It's almost like a constant review of the maturity.
Pedro Kertzman (20:23):
You're never really mature, I think, yeah, environments change, right, so the company, business, even business model, might change as well.
Exactly, that review is super important, for sure.
You know, between all those changes, I think it's fair to say we have one constant within CTI, which is the MITRE ATT&CK frameworks.
Yes, and any, within that journey, any like MITRE map
(20:46):
exercise or things related to the MITRE knowledge that you thought was important to use at that time?
Bianca Miclea (20:55):
Yeah, absolutely, and actually it's a really nice transition from CTI to security engineering, and I think one of the lessons learned, I guess, from after maturing is work closely with your security engineering teams, because those MITRE maps and this work that CTI is doing in identifying control gaps and
(21:16):
providing recommendations, it is very useful if you then actually have a team to apply it to.
So one of the lessons learned I had from doing loads of MITRE maps in my career, from my career and gap analysis and heat maps and, you know, going from hey, let's do it in a
(21:36):
spreadsheet in Excel to actually how can we automate it, and all of that journey, one of the biggest learning points, I guess, for me was actually how do we take this forward in a regular way, in a way that engages and reaches the right people and that gives the CTI team the right information?
Because one of the things I found in my assessments in my
(22:00):
CTI life is that, right, OK, I've done a CTI, a MITRE map.
I understand what threat actors are using.
I now know what controls we have against it.
However, there is no, or CTI team often do not have the assurance, let's put it that way, of how effective those controls are.
And this is where doing work with other teams works really
(22:23):
well.
So what we've started doing recently is implementing a monthly MITRE map exercise that involves various teams within the SOC, including security engineering, detect and respond, threat hunting, just various teams.
The CTI person will go off and do the MITRE mapping and find out what the key attack types are and techniques and where the
(22:45):
gaps are, as per where we think we are, and then we all get in a meeting together, in a workshop, face-to-face or virtual, whatever it is, and we sit down and talk through those controls one by one, through each of those identified gaps or identified coverage even.
Because even if they say, oh, we've got a phishing button, so
(23:08):
we're protected against phishing, this might not be the case.
So it's just bringing all those, um, people together to say, actually, that has a gap.
We know this control has a gap.
You might not be aware of that because you haven't seen what we do, but we are aware of it.
So it's just, yeah, it's just bringing all these people
(23:28):
together, and doing that exercise has been extremely helpful and has found, you know, mini gaps and things that we could then go on and make, making it actionable.
It comes back to that making it actionable piece, because then you actually know what is coming out of these meetings is going to be.
You are responsible for patching that gap, or we are
(23:49):
responsible for accepting this risk, or whatever the action is.
There is an action coming down from those meetings.
Pedro Kertzman (23:55):
Awesome, and maybe stitching a few of those points together.
So you mentioned the phishing for the users and also changing, sometimes, the stakeholders and having those MITRE map recurrent meetings.
Have you seen, like, times, for example, you, through attribution, you see
(24:16):
like a specific threat actor poking on your perimeter, on your environment, but then they're not.
One of the techniques they use is not phishing, but they are really good on leveraging stolen credentials.
Have you gone all the way to change your stakeholders?
To go back to whoever, or maybe HR is responsible for user
(24:37):
training, like regular phishing simulation and all that?
I know companies vary, sometimes it's HR doing that, sometimes it's IT doing that.
It changes a little bit.
But have you gone down this path to actually chase, because of that gap, a new stakeholder?
Bianca Miclea (24:55):
Yeah, yeah, absolutely.
We have, um, and we have opened risks, um, against gaps that we identified as well.
We saw an attack, we identified a gap in control, we opened the risk.
So it was almost like putting the accountability and responsibility into those stakeholders' hands and making them understand that you can do nothing, but if you do nothing,
(25:18):
you'll have to accept this risk.
So, yeah, we have gone down that path multiple times in multiple forms and ways, and I guess the recent news around service desk social engineering is a good example, for example, and we've done a couple of exercises internally around that and found improvements and went and made that improvement.
(25:42):
So, yeah, absolutely, and this is where my lessons learned.
There have been times in my career where that wasn't the case and I found something and proposed an action and nothing was taken.
And this is where that experience and lessons learned come from, around making sure that what you do is actually actionable and someone does something with it, and if not,
(26:03):
then that is recorded somewhere as a risk.
Or the next month you do a MITRE map.
If the previous month's gap hasn't been patched, then you bring it up again, and you bring it up again, and you bring it up again, and that continues to be a constant story in your threat assessments that this is what needs to change. Awesome, and
(26:25):
any, like, network or resource groups that you participate, that you would recommend, uh, to the listeners as well? Yeah, absolutely, so.
I am, and I have always been, a strong advocate for women in cyber, um, not least because obviously we all know there's not enough of us in the industry, um, but actually there's some
(26:46):
really good learning opportunities and groups out there that can offer training, that can offer mentoring opportunities.
So, for example, I am the partnerships lead for the Women in Cybersecurity UK and Ireland, and it's, in the UK that's a free membership.
In the US it's a small amount per year that you have to pay.
However, the benefits you get are absolutely amazing in terms
(27:06):
of training and free training opportunities, in terms of mentoring, in terms of actual just getting it out.
You know, getting out there and networking with people and seeing what other people are doing and learning from, um, yeah, absolutely, I think generally, and I guess I'm coming from this as from the perspective of being a woman, so this will apply to women listeners, um, but, um, yeah, generally, any
(27:30):
women in cyber network absolutely valuable, because you just get so much, um, information and guidance and even a, almost like a, if you can see it, you can be it, um, kind of a view, and that has guided me throughout my career as well, you know, being a woman in cyber is hard sometimes and
(27:51):
you do get ignored sometimes, but having those support groups and learning opportunities are amazing. I love that.
Pedro Kertzman (27:57):
I had the chance to interact a few times with women in cyber security groups local here to my city, and it was always amazing, like the support network they were able to build here is just, you know, amazing, to say the least. Yeah, absolutely, and I mean they are called women in cyber groups.
Bianca Miclea (28:13):
But most of the time, male allies are very much welcomed and encouraged, and I think, um, from my experience, because I used to, I created one, um, and I, you know, I had events for male allies as well and encouraged them to join, and the feedback was also amazing from the male allies as well.
Pedro Kertzman (28:28):
So it is a good networking opportunity and an additional resource to everything else you have as well, for everybody. Yeah, it's a very list we could do for sure, and I'll make sure I'll paste the link on the description of the episode, and from an industry standpoint.
Of course, we learn a lot, uh, on the daily.
You know, CTI reports and feeds and from the industry.
(28:52):
But how do you learn about how the CTI role or CTI frameworks are reshaping, or the news around that?
Bianca Miclea (29:03):
That's a really difficult question actually, because, um, funnily enough, I've never actually taken a CTI course per se or certification or anything like that.
It was one of those, I want to do this, but I never got around to it because other courses were more interesting or because I was already kind of learning what I was doing.
So I thought, well, I need to know that more than this.
(29:23):
But I think there are plenty of resources out there.
One of the, one of the useful ones that I actually used, um, in terms of when I was building up the CTI function, in terms of actually defining what some of the skills for the team might be and then aligning that to our intelligence requirements.
Um, it's the NIST framework, and NIST and ICSS, so they have a
(29:50):
like task, skills, responsibilities section that lists different capabilities that a CTI function should have, in terms of both tooling capability as well as people skills, and I found that quite useful, and even if you don't meet all of those requirements, it's a good indication as to
(30:11):
where you would want to be, or what you accept as we don't need that, because this isn't within our capability and that's not what we're trying to achieve with our CTI function, so it almost gives a bit of a checklist, like, yes, this is what we need.
We don't need that because we're not aiming to do that.
This is what we need.
(30:31):
Other resources, I guess it's just having an intelligence background in general really helps, and I found a lot of, at least from my career, a lot of the CTI people I've met have often come from a public sector work, so doing some kind of intelligence in the police or some kind of intelligence, the military.
(30:52):
So that is, you know, having, having that intelligence background per se and having that mindset of criticizing, I guess, in your head whenever you read something, the why, the what, the how, and constantly questioning whatever you read, is something that you develop through that intelligence, and it is hard being a CTI person without that
(31:14):
thinking.
I have met people like that before.
It is, you know, you can learn those skills but you would have to train yourself or force yourself a little bit more to question everything you read. Yeah, no, that's a great point.
Pedro Kertzman (31:27):
I think sometimes it feels that CTI folks might be the most susceptible ones, you know, burnout, because the amount of information, if you really decide to tackle every single thing you're reading as like a real thing or not noise, it's, it's just comes from everywhere and it's.
Bianca Miclea (31:47):
It's then managing that stakeholder expectation as well.
Right, because you, and in so many cases I've heard people in CTI say this, that, you know, board asked about something that they read in the news that, realistically, will never really happen or it isn't really what you know.
The BBC reported on something and that wasn't the full story
(32:07):
or that wasn't going to happen, or whatever the backstory of that event actually was, and it's having, exactly as you said, having that historical knowledge almost of I know this won't happen or I know this will happen, because I know the usual TTPs of this threat actor or this usual behavior or this tends to happen.
(32:28):
It does take time and it does take a lot of reading and a lot of critical thinking and, yeah, burnout at times, because there's just so much out there, and even when someone brings something up that you haven't yet had the chance to read because it was five minutes ago and you took a tea break and someone's questioning you about it, that causes in itself a lot of pressure and a lot of stress, especially if you're just
(32:50):
starting off.
So, yeah, absolutely, on the burnout and on the skills piece, it's just, yeah, you learn it as you do it really.
Pedro Kertzman (32:59):
Exactly, exactly. And it's funny you mentioned the board, because of course there is a lot of interaction with the CTI reports and risks and all that to the board. You know, talking to people the other day, it's like if it's well written it's gonna almost sound like a James Bond related
(33:19):
type of statement, because it's got to be not technical but just threats and all that. And I think that piece kind of also gets the board super excited. They then start coming back to the CTI team: "Oh, I saw this. What about that?" Kind of things.
Bianca Miclea (33:35):
Exactly. Yeah, I love working with the board, to be honest, and you get interesting questions from them sometimes, but that relationship is so important because they are the people who make the decisions and they will know stuff that you don't know as a low-down person, as a CTI person, and it's so important to keep that conversation going and to keep honest and open
(33:57):
communication. And yes, the way you phrase things has to be very careful and, you know, technical jargon needs to go out the window. And if you're in a small team, like I happen to have been numerous times, and I was doing both tactical and strategic and operational, and you have to switch mindset between "I need to provide this malware analysis to the detect and respond team or
(34:18):
threat hunting team to look if there's something internal" to "now I need to present something to the board", having that mental switch between leaving the technical jargon behind and actually explaining risk and so what, and really focusing on what matters, it can be quite difficult, but it is really important in maintaining that, I guess, whole CTI picture. Yeah, no, I love
(34:39):
that.
Pedro Kertzman (34:39):
You have to understand your audience, right. So, exactly, this shift is super important and, um, no, that's awesome. Any closing thoughts for the audience? Any nice things about, or tips about, not tips, tips, yeah, I should rephrase that maybe, but yeah, any suggestions for the
(35:03):
audience related to CTI?
Bianca Miclea (35:07):
Yeah. So I guess it depends who's listening. But if you're listening from a management board perspective, then I think use your CTI teams, speak to them and really drive down and make those intelligence requirements clear, because the value that you can get from a well-integrated and kind of communicated-with CTI team can be absolutely invaluable in
(35:30):
keeping it up to threats and up to recommendations and, you know, just generally threat-informed decision making. If you're listening from a CTI perspective, there's a couple of tips per se that I guess I would have. One of the biggest ones that I found useful in my career is have a reporting threshold.
(35:51):
I call it a reporting threshold. You can call it whatever you want. What it actually is is have some kind of threshold that when someone comes to you and says, hey, have you seen this, and why haven't you written a report on it, and why is there nothing done on it? You say, because it doesn't meet our criteria. Yes, I've seen it, it doesn't meet our criteria. That criteria is defined
(36:12):
as for business need. What, you know, are you financial sector? Then you might not care about retailer attacks, or you might. It depends what you care about. You know it. Defining that criteria takes understanding the business and what the business risk appetite is and where the business wants to go. But actually having that criteria saves so much of the burnout that we talked about, because you can easily say, yes,
(36:35):
I have seen this five hours ago or last week or a minute ago. I haven't done anything on it because it doesn't match our criteria, it doesn't cross our thresholds, there is nothing for us to worry about at the moment. And on top of this as well, have various points and links to
(36:56):
the criteria as well. It's have various points of escalation depending on what that threshold is. So, has it met your threshold? Okay, what are you doing with it now? Are you going to write a full-on 10 page report that's going to go to, you know, board and stakeholders and whoever? Are you going to do an email? Are you going to, I don't know, raise a threat to the detect and
(37:17):
respond team, or to the threat hunting team, or just have that level of: right, this reached this level, so now we need to do XYZ? Because having that clarity again, it saves a lot of stakeholder management time and pressure and, you know, stress, but it also saves a lot of time as
(37:38):
a CTI team in terms of prioritizing what needs to be looked at and how fast you can respond to things. It brings back into again KPIs and reporting and, you know, how do you actually measure the value and what you do. So a couple of points there, I guess. But yeah, having, generally I call it a reporting threshold, but having some kind of threshold that you will then
(38:00):
take or don't take action on, I found extremely helpful throughout my career. Oh, I love this reporting threshold idea.
Pedro Kertzman (38:07):
It's uh just prioritizing the most important thing, exactly. Unfortunately, no team will ever be able to cover everything. Uh, we wish, right, but it's just not the nature of the industry we are in and, uh, that's a really important idea to make sure we're focused on the most important things. That's and
(38:28):
that's the other point as well it touched on briefly there.
Bianca Miclea (38:31):
But actually speak to your industry. There are plenty of industry groups around there, and that's the best thing about CTI: it is one of those teams that are not isolated. A CTI team is supposed to talk to people. You're supposed to go to conferences, you're supposed to be part of information sharing groups, have those regular meetings, build those connections, and this isn't one
(38:52):
of those, you know, cliches, "you have to be connected to get X, Y, Z". This is almost one of the requirements of being a CTI team: to be out there to talk to people, to share information, whether it's open sharing, closed sharing, closed forums, whatever it is. You need to be part of various groups that provide this
(39:13):
information, because oftentimes you'll get faster information and firsthand information that you will not get in the news ever, or for a very long time. So having that will provide so much value in terms of being able to be reactive.
Pedro Kertzman (39:30):
That's a great point, yeah, being in touch with your peers, similar companies, you can get firsthand information of the things happening to them before it reaches the news.
Bianca Miclea (39:42):
And there are groups out there that, you know, you can say, hey, this is TLP Red, don't share it, don't attribute it to us. But this is what's happening, and that information is just absolutely valuable. I know some companies are a bit protective over what they share and how much they share and where they go and talk to and speak to and what they actually put out there, and that's fair enough. There are legal restrictions, there are intellectual property,
(40:05):
there is sensitive data. However, a CTI team with the right kind of measures and, you know, structure in place can get so much value from this.
Pedro Kertzman (40:16):
Absolutely, Bianca. Thank you so much for so many insights, loved our conversation. I really appreciate sharing all that and I hope I'll see you around. Thank you.
Bianca Miclea (40:28):
Thank you very much for having me. Best of luck.
Pedro Kertzman (40:30):
You as well.
Bye.
Rachael Tyrell (40:34):
And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group Cyber Threat Intelligence Podcast. We'd love to hear from you.