
September 2, 2025 28 mins

How does a military intelligence background translate to cyber threat intelligence? Sam Flockhart, a former UK military intelligence operator who now heads threat management at a global bank, reveals the fascinating journey and powerful parallels between these worlds.

Sam opens up about his transition from conventional military intelligence to the cyber realm despite having "absolutely no cyber knowledge" initially. He shares a critical insight for job seekers: while certifications matter, demonstrating real knowledge and preparation during interviews often matters more. Sam explains how anticipating common interview questions about threat actors, their methodologies, and recent attacks can set candidates apart.

Drawing from his military expertise on Russia and Ukraine, Sam offers a riveting deep dive into why ransomware predominantly emerges from Russian-speaking regions. He explains the cultural concept of "Kresha" (roof/protection) that allows these groups to operate with impunity and traces how post-Soviet history created the perfect ecosystem for cybercrime to flourish. This cultural understanding adds a crucial dimension to technical threat analysis that many professionals overlook.

The conversation explores how military intelligence frameworks have shaped modern CTI practices. From tactics, techniques, and procedures (TTPs) to intelligence collection plans and priority intelligence requirements - these structured approaches have been adopted by the cyber community. Sam also discusses the nuances of intelligence sharing in private sector environments compared to military settings, where different constraints and opportunities exist.

For aspiring CTI professionals, Sam's advice is practical and actionable: prepare thoroughly by researching top threats, understand organizational stakeholders who consume intelligence, and familiarize yourself with various intelligence sources. This episode offers invaluable guidance for anyone looking to enter the field or enhance their threat intelligence capabilities through a deeper understanding of the human element behind cyber attacks.

Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Sam Flockhart (00:00):
which is really important for CTI teams to do
that.

Rachael Tyrell (00:05):
Hello and welcome to Episode 14, season 1,
of your Cyber Threat Intelligence Podcast.
Whether you're a seasoned CTI expert, a cybersecurity
professional or simply curious about the digital battlefield,
our expert guests and hosts will break down complex topics into
actionable insights.
On this episode of Season 1, our host, Pedro Kertzman, will

(00:26):
chat with Sam Flockhart, who is a former military intelligence
operator with expert knowledge in leading teams in intelligence
operations, risk management, geopolitical analysis and cyber
threat management.
Sam spent 10 years within the UK's military and Ministry of
Defense and now, as the head of threat management of a large
global bank, he brings his wealth of CTI knowledge not only

(00:46):
to keep the institution protected, but also to help
aspiring CTI professionals to join the industry.
Over to you, Pedro.

Pedro Kertzman (00:55):
Sam, thank you so much for joining the show.
I really appreciate you sharing your knowledge with us.
Thanks for coming.

Sam Flockhart (01:01):
No, thank you, Pedro.
Thank you for having me.
It's a privilege to be asked to join.
Thank you.

Pedro Kertzman (01:06):
Usually I start by asking the guests their
journey into CTI, the first time they heard of it, how they came
to the position they are right now.
So would you mind walking us through that, please?

Sam Flockhart (01:19):
Yeah, sure.
So my kind of background, my career, was with
the British Army in the military intelligence part of the army,
which is sort of the Intelligence Corps, so
effectively,
you know, I was sort of trained to quite a high standard in
military intelligence.
But this was much more kind of focused at the time.
It was kind of, you know, counterterrorism and sort of

(01:42):
contingency operations and things like that.
And then sort of over my military career, that kind of
transitioned more towards sort of conventional threats like
from Russia or China, for example, so kind of nothing to
do with cyber, really.
Whilst I was in the military, more sort of focused
on some of those operational deployments that we did in more

(02:03):
traditional military intelligence type stuff.
And I think in the last year or so of my career, when I kind of
knew I was probably going to leave and try and join the
private sector, one of the areas I was looking at was cyber,
because it was just like super interesting, super cool to
somebody who had no cyber knowledge whatsoever, but

(02:25):
primarily kind of linked in a lot with some of the experience
I'd already gained.
You know, in the last two or three years I spent a long time
looking at Ukraine, Russia and looking at some of those
intelligence groups operating from there.
So obviously, you know, cyber espionage was a big component of
that type of activity as well.
So that kind of then got me interested in some of those

(02:47):
groups and, yeah, when I was leaving the army, you know,
it's just a natural kind of transition to then try and take
that intelligence experience in the conventional sense into the,
into the cyber, with the private sector, right.
So that was kind of, um, how I got into, how I got into it.
And I'll just repeat, when I first started, you know, leaving
the military, looking for jobs, I had absolutely no cyber

(03:09):
knowledge whatsoever, um, and it was more kind of picking that
up as I've kind of went along this journey.
So, um, I guess that's one of the things for people that
might be in a similar position, when you're trying to get
into cyber, it's like, you know, don't worry, the, you know, the
path has been well trodden and, um, you don't always have to
have that sort of guru, expert-level knowledge of all things IT

(03:29):
or cyber to sort of get a job in cyber.

Pedro Kertzman (03:32):
That's amazing.
And, uh, talking about that transition from
military to CTI, any, like, I don't know, lessons learned or
something like that, the type of training that you decided to
have to kind of fill some of the gaps and all that, any thoughts
around that?

Sam Flockhart (03:50):
I guess, like, there's this.
One of the things that I've learned is that there's this
fixation in cyber on these, like, qualifications.
So you know there's obviously different disciplines inside
over then.
You know you can get these quite expensive sometimes, really,
the qualifications like CISSP and CISM, and there's that sort
of fixation on having to have the qualifications first before

(04:10):
getting the job.
And my experience was really different to that, where, you know,
I'd done some whilst I was leaving in my last year.
We're quite lucky in the British Army where you get, you
know, you get a year to kind of transition out and they do help
you with qualifications and I'd done some of the very basic, you
know, quals like CompTIA Sec, Network Plus, that type of stuff.
I've done some, um, kind of QRadar, SIEM-type courses but

(04:34):
effectively that was just a foundational type
qualification.
It wasn't really that impressive, and so one of the
things that really, when I was interviewing for some cyber
roles and things like that, it was more like it was the knowledge that
was important.
It wasn't.
Sometimes these little qualifications might be ticking
the box in terms of your CV.
But I think the knowledge is the most important bit.

(04:57):
So it's almost, when you come into the interview, kind of
trying to anticipate the questions that you might be
asked and having sort of examples and things prepared.
So even if it's like, okay, I've never done a cyber job, but
I actually have a lot of cyber threat intelligence knowledge
around these subjects and I can talk a little bit about them,
that really worked for me to sort of then kind of lay that

(05:19):
groundwork, say, look, I do know quite a lot about this subject.
So I think even now, while I've been in sort of different CTI
teams hiring and doing the recruiting, that's kind of what
I like.
The big tips I can give people is yes, the qualifications are
great to have and nice if you can get them, but often you have
people that have all these qualifications that then when,

(05:40):
when you ask the question in the interview, the knowledge just
isn't there.
So I think it's more about how you prepare for that interview.
I think that's one of the sort of key lessons learned, is sort
of doing that research and that knowledge which is actually just
available to everybody.
You know, a lot of the, if you're looking to get into cyber threat
intelligence,
you know, I'm guessing that most recruiting firms, most orgs

(06:00):
are asking the same types of questions.
You know.
They're asking about what top cyber threats, who the top cyber
threat actors are, whether that's, you know, ransomware
groups, DDoS, activist type activity, nation states, um, so
just having kind of like an example there of, you know, a
group that's taking your interest, how they
go about doing these types of attacks, or TTPs, and that

(06:22):
type of thing.
And then, you know, I remember when I was being asked, it was
always asked like, okay, tell me about the malware.
And so having like one in your back pocket, you know, I think I
remember I really was interested in the Russian GRU
groups, like Fancy Bear, you know, um, Sandworm and stuff
like that, because they're just kind of cool, right, um, and so
having like, okay, here's an example of the malware.
I think it was HAMMERTOSS.

(06:42):
They use steganography in terms of command and control and all
these, like, little things that, okay, I wasn't an expert on.
But you know, when you've been asked at the interview, it shows
knowledge, it shows passion.
So I think that's kind of
one of the lessons learned for me, is that people try to get
into cyber threat
intelligence is really going with that, that research in
terms of anticipating the questions, top threats, top

(07:04):
threat actors.
Having some examples in your pocket that you can just kind of
talk about, I think that will go even further than having just
like a CREST qual or a SANS qual on your CV.

Pedro Kertzman (07:14):
No, I love that and I would say especially, you
know, my little two cents is that when you go and do that
type of research, you're not only showing necessarily the
best answer possible, because the person on the other side
might have even, like, a larger or better answer, deeper
knowledge on that topic particularly, but it shows that

(07:37):
you're willing to do the effort, you're willing to go and do
research, you're curious to do that stuff and that's like our
day-to-day activities.
They're like all around doing that kind of digging, digging,
digging, right, and I think that's, uh, that's super
important.
For sure. You mentioned something about the prior near

(07:57):
or near military experience.
The, uh, focus on some of the other military groups or
attackers, or maybe now known as APT groups, any particular
knowledge about the Russian side or the way they usually target
other organizations or countries or something related to their

(08:20):
country, culture, history, many things related to them.

Sam Flockhart (08:23):
I think so.
So this is where I tried to use that military background and
intelligence experience really to help me get these, the cyber
threat intelligence roles when I left, and I might not have known
quite a lot about cyber, but I did know a lot about Russia and
Ukraine, having served in sort of on Orbital, which was the
British military's training mission for Ukraine.

(08:46):
I think I was on that in and out for three years, probably
longer than almost anyone in the British Army at that time. I had
quite a lot of exposure to sort of Russian culture as well,
with family from there.
So yeah, I didn't know a lot about cyber, but I did know a
lot about sort of Russia.
That was my area of expertise whilst I was in these roles

(09:08):
within the military.
So, you know, how do you use that to your success, and it's kind
of like, well, you know, well, you've got all this,
you know, technical cyber frameworks and technology and,
you know, very complex ways of doing all these attacks, right.
But at the end of the day, it's a human at the end of the
keyboard, whether that's a military unit or whether that's
a ransomware operator.
So the cultural aspects in terms of understanding, you know,

(09:31):
their behaviour and understanding,
you know, sometimes their slang and the language which they're
speaking to each other on these underground forums can be really
important.
You know, understanding if you're having to negotiate with
a ransomware operator, working for, you know, some of these CTI
companies, you definitely need to have that cultural
understanding of, you know, um, of that.

(09:52):
So you know, I tried to use a lot of that experience that I
did have and bring that into cyber and there's loads of good
examples of this.
So probably I would say for most orgs, um, if you ask them,
you know, the private sector, you know,
if you ask them who the top threats are, they're probably
going to say something like ransomware, right, because it's
such a prevalent threat.

(10:12):
And you know it's kind of like the key components of ransomware.
Ransomware primarily kind of comes from Russian-speaking
regions in Eastern Europe, mostly sort of Russia, but also
Ukraine, Moldova, you know, sometimes Central Asia as well,
you know.
So you know, why is that?
It's kind of like an interesting question, right?
Why is it that, effectively, this ecosystem that is built on

(10:33):
the dark web, you kind of have to really have that ability to
speak Russian to kind of get by.
There is some Chinese and some, you know, Iranian groups and
things like that as well.
But most of the Russian developers, most of the Russian
sort of ransomware strains, are coming from these
Russian-speaking regions.

(10:53):
So you know again, like you're able to sort of bring that.
Why is that?
Well, it's because Russia really offers this kind of unique
environment where government law enforcement are able to sort of
profit and benefit from the ransomware groups themselves,
whether that's through sort of protection and kind of
racketeering and that kind of thing, where you sometimes see
some of the leaks that have come out, right, where I think it's

(11:15):
the Conti leaks, for example, where you can see some of the
sort of inner goings of what these guys are chatting about
and how these guys operate.
And there's quite a lot of references in some of these
groups, whether it's Lockdown, the leaks, you know, the Conti
leaks, about a word called Kresha, and Kresha is basically
the Russian word for roof.
So it's kind of like they're using it as, like, it means top

(11:35):
cover, and what that means is Russian ransomware groups will
use these intelligence services, they'll probably pay them off
and then that offers them an element of protection and as
long as they've got the right Kresha in place, then they can
kind of operate as they want, and as long as they don't target
within Russia or CIS countries, and they kind of
continue to sort of plague and, um, victimize, you know, Western

(11:58):
countries, um, so you kind of get these little concepts that
kind of transfer, that have translated from mine, you know,
my understanding of Ukraine and Russia, into that ransomware
space, which is kind of cool, and you can kind of use
and you can talk about some of the sort of human element on the
other side as well.

Pedro Kertzman (12:12):
Very interesting.
Would you mind expanding on that, please?

Sam Flockhart (12:15):
I think one of the things that's just
interesting is that, like I said, you know, most of it,
a lot of the cybercrime, a huge portion of cybercrime activity
comes from those regions.
So you kind of want to be able to understand, you know, that
type of environment.
You know, like if you were a military intelligence operator,
um, working in a conflict zone, you kind of have again like a

(12:37):
structured process, right, going through these things.
So you kind of look at your battlefield first.
You look at the geology.
You, you know, as an operator, military intelligence might be
expected to know how fast that river stream runs, because
ultimately the commander needs to know, can I get, you know, tanks
across it?
Or, you know, is it a natural barrier to the enemy, etc.,
etc.
So you kind of have to understand your environment,

(13:00):
first, and to be able to sort of really do a complex threat
evaluation down the line: where are your weak points, where's
vital ground?
On the cyber side, your network is exactly the same.
You want to understand what devices make up that perimeter:
VPN connections, firewalls, which ones have you got?

(13:21):
So when there's vulnerabilities coming out, the concepts are
again quite of in terms of things like that.
But you know, with the Russia stuff, you kind
of need to know, like, who are these operators?
Why are they able to operate in this environment without really
fear of arrest?
What does that mean?
You know, how do you kind of, um, try and disrupt or have an
impact?
You know, um.

(13:41):
So I guess it comes down to like knowing a little bit about
culture but also knowing a lot about history, right?
So when you're looking back at Russia in the 1990s, when the
Soviet Union collapsed, you kind of have like two of these major
forces that kind of emanate.
One is criminal, the criminal organizations.

(14:04):
You know, the sort of some of these Russian groups.
They kind of have a huge amount of power and sway.
And the second political faction is kind of like the
political sphere under Boris Yeltsin, but he's kind of
dominated and surrounded by these oligarchs.
So people like Boris Berezovsky, you know, Roman Abramovich and

(14:28):
Yukunin and all these different, um,
you know, Mikhail Khodorkovsky, all these kind of figures that
emerged because they were basically buying up all these
businesses and they basically had a lot of financial
clout and they would have this, what they call like a symbiotic
relationship with these criminal groups, where it kind of, they
both mutually benefit from each other, right, because you've got
the muscle and then you've got, you know, the political and the

(14:50):
financial and everyone kind of benefits from this ecosystem and
the political organs kind of just oversee that and let that
happen.
But that, when Putin comes to power in 2000, it completely
sort of changes, where he kind of turns on a lot of these
oligarchs.
He makes sure that they understand that he is the power
vertical now and, you know, anyone who wasn't willing to
comply with that regime, whether it was criminal, whether it was

(15:12):
the oligarchs, you know, they would effectively be taken down.
So they all have to pay homage to the state.
Some of these oligarchs obviously decide that they're
going to do that, um, and some of those don't, like Berezovsky or
Khodorkovsky, who then effectively kind of lose their
power and influence over a period of time.
But that's kind of like, that ecosystem had already been built

(15:34):
and established with this symbiotic relationship between
organised crime, between the political units and between
private businesses, banks, you know, energy companies, and then
ransomware kind of comes, emerges,
you know, many decades later really, and
sort of, I guess ransomware as a service kind of emerges as a big,
big thing, big global threat, in
about 2015-ish, right, with GameOver Zeus and sort of the

(15:59):
elements that move that.
And they're all coming from Russia because you've got this
nice environment for it to, you know, really flourish, ransomware
as a service, and, you know, they don't really have that
fear of prosecution for some of those reasons we talked about.
So this is kind of like why we have this problem and it,
you know, you're looking ahead.
Sometimes threat intelligence is also about trying to predict

(16:21):
what's going to happen next, and really you can't solve a
ransomware problem without solving the Russia problem.
So this is kind of like, we're all kind of interlinked in
knowing that political history, knowing the geopolitics of the
situation and how that is changing then in the cyber
environment, right.
So all these kind of elements mix together.

(16:41):
So this is where you kind of have to be, you know,
knowledgeable on all these subjects and then be able to
explain to some of the cyber threat intelligence that you
might deal with as a CTI team.

Pedro Kertzman (16:55):
That's amazing.
That's amazing.
I didn't know about the whole ecosystem and how they would
relate to each other within the country and then get the way we
are right now with this massive amount of ransomware all over
the place.
That's cool.
Thanks for sharing that, and any other insights from things you

(17:17):
brought from the military into the CTI, maybe frameworks, other
kind of knowledge, anything about that as well.

Sam Flockhart (17:26):
Yeah.
So that was kind of the other part of when you try to sell
yourself.
Coming out of the military, it's like a lot of the time I
was working in what you would say is big intelligence
organizations, whether that's NATO headquarters, sometimes SF
headquarters, etc.
So you're kind of working with these world-class intelligence
agencies that have had these frameworks and structure and

(17:46):
operationalized processes established for decades, right,
yeah, so you kind of get a really good understanding of how
intelligence operations work, not in the cyberspace, but in
the kinetic space, and what is going to happen really.
Over the last 10, 15 years, however, CTI has emerged as this
big thing, is
a lot of people have left the military and have taken those

(18:07):
frameworks from their military experience into CTI.
So a couple of examples of that: even anyone who is interested
in CTI needs to understand TTPs, tactics, techniques and
procedures, which effectively is just an acronym for how cyber
attacks happen.
That word itself has been taken from military intelligence.

(18:30):
In terms of a TTP might be how you conceal IEDs.
Or sometimes, you know, in Afghanistan they started making
IEDs out of plastic and they kind of changed the TTPs so that
they avoided, you know, violent detections and things like that.
So you know your adversaries are changing their TTPs.
That's what that's going to, and cyber's obviously adopted
that angle.

(18:55):
Second example: intelligence collection plans, or ICPs.
So this was just a,
it's just a very structured way of kind of looking at what,
what is it you want to collect it on, right?
Um, you know you can't have a cyber team that's just been
given complete freedom.
There needs to be some sort of structure, some sort of
direction as to what they're supposed to be
collecting intelligence on, things that add value to your
own organization, top threats, again, how these attacks are

(19:19):
happening.
So you have an ICP, is basically a structured way of collecting
and planning out that intelligence and then looking at,
okay, where is that intelligence going to come from?
So, have you got your dark
web monitoring, is it your malware analysis or open source?
You know, could you do a lot on,
you know, IP and sort of NetFlow-type investigations and

(19:39):
things like that.
So it's basically, that concept comes from the military
intelligence.
I remember, you know, in my military career, having to
create ICPs as part of battle groups, whether it's in real
life operating environments or just on exercises, and coming up
with that template and that plan and sort of working with

(20:00):
the commanders and things like that on that.
So again, it's kind of one of those things where, even though
I had no cyber experience coming into a cyber team, it's kind of
like you know how to operationalize that intelligence
and structure it and try and deliver the value and the so
what's to your sort of stakeholders and your consumers
within an organization, which is really important, um,
for CTI teams to do that, um.
So these are kind of come some of the examples.

(20:21):
You know, priority intelligence requirements is another one.
Right, these are all things that have stemmed from military
intelligence, that a lot of the real forerunners coming into CTI,
particularly, I would say, in the UK, but obviously massively
in the States as well, you know, they're coming from these big,
big intelligence organizations and they're kind of, they're just
taking what is a tried and tested intelligence framework

(20:43):
and structure and bringing that into the cyberspace.

Pedro Kertzman (20:47):
No, that's awesome, and I imagine for sure,
you know, the reality,
for example, related to intel sharing in the military will be
super particular.
Right, you have to know the other, maybe military forces
like NATO, whatever other groups you can actually share intel
with or get intel from.

(21:09):
How about when you transition to the private sector, how that
changes?
ISACs or CERTs,
you know, other in-between type of organization, uh, have you
had the chance to interact with those?
Any thoughts around that?

Sam Flockhart (21:28):
It's kind of like a wee one because there's
obviously a little bit more freedom in the private sector.
So obviously if you work for the government, you know, um, you
might have, you get security cleared, you might have access
to sort of confidential, secret, even top secret information,
right.
So there's obviously huge legal constraints about sharing, um,
you know, and, you know, national security implications and things

(21:50):
like that.
So there's, it's much more control, there's much more
structure to that and there's massive strangulation
and limits on what you can do, what you can share.
And so that's kind of the art of intelligence, is knowing that,
knowing what would be what and being able to do that.
Moving into the private sector, there is a little bit more
openness in terms of, you know, an emphasis on proactive

(22:13):
intelligence sharing to protect the wider, you know, whether it's
the financial sector, for example, or the wider, um, you
know, critical national infrastructure.
You know, there's the types of sort of external organizations
and partners you may be working with.
There's more of a willingness and openness to do that, I would
say.
But then there's also quite interesting constraints too.
So you know, a lot of the time you might have an intelligence

(22:36):
feed that kind of resembles like HUMINT.
It's kind of like that dark web, underground ecosystem type
thing where you've got potentially, you know,
confidential sources sitting on some of these forums gathering
intelligence on some of these cyber criminal actors.
Those sources still need to be protected, right.

(22:56):
So there's that.
You know you can't just go willy-nilly share whatever it is
if it's come from sources like that.
So you have natural caveats and restrictions on some of that
intelligence sharing.
It could be, you know, legally privileged information in terms
of, you
know, maybe there's a third party that might have an

(23:17):
incident you don't want the whole world to know.
It's non-public information, and so again you can have a
custodian of intelligence that isn't available to the
wider public, or you might be aware of it before the wider
public, and so again there's that, that's one of the, the real
sort of, you're a trusted intelligence operator for a
reason because you know when and what to share, um, and then you

(23:40):
kind of, a lot of orgs will have ISACs, as you mentioned.
So whether it's a financial sector ISAC, or sometimes, you
know, manufacturing or telcos might have their own, you know,
sector-based intelligence sharing, um, and there's kind of
that, you know, emphasis that you should be sharing more about,
you know, whether it's just incidents, near misses or again
compromised third parties or something like this, where

(24:01):
you're kind of sharing within trusted circles.
So you've kind of got these established structure forums
where you can access some of that type of thing.
Um, you know, where, uh, a lot of, you know, the organizations I've
worked for,
some of the best intelligence is coming from those types of
ISACs and partnerships, so, um, but there's that, there's still,

(24:21):
you know, um, as an intelligence operator you're
still trusted with,
you know, when and how, and you're still kind of responsible
for the sort of knowledge that you might have now in your
head.
That actually, um, you kind of want to trust and protect some
of the relationships that you're building or some of the
confidentiality and where that intelligence has come from.
So it kind of, there's a crossover still, um, but in the

(24:43):
private sector, you know, it's, I think there is more of a
unwillingness to share.

Pedro Kertzman (24:50):
Oh, I love that, super insightful thing.
Thanks for sharing that.
Any final thoughts?

Sam Flockhart (24:53):
No, I guess,
like, I mean, one of my passions is obviously helping people
trying to get into CTI, right,
so it's about, you know, that experience that I had no
knowledge of cyber.
But what sort of questions and things,
as now, as a recruiter or someone who tries to hire, you
know, CTI analysts, what would you be asking?
And it's, getting CTI is not really that hard if you've got

(25:14):
good answers prepared for these questions.
If you were applying for a bank, who would those top threats,
what is the top cyber threats?
Can you give an example, a recent example, of a big cyber
threat?
Obviously, in the UK at the moment we've got some retail
type sort of targeting for ransomware. Globally,
you've got North Korean IT workers and insiders and then

(25:36):
you've always got China APT groups and the target and the
telecommunications, things like that.
So all these things are like, okay, here's a nice example,
provide that recent example, have a group of the different
types of cyber threats and threat actors that you've got.
So whether it's ransomware operators, initial access
brokers, APT groups, and have an example of how they're operating.

(25:56):
But then also kind of think about, like, okay, you're going
to come in as a CTI analyst, who do you think your stakeholders
within an organization are going to be?
Is it going to be vulnerability management?
Is it going to be your detect and threat hunting teams, your
purple teams or red teams, you know?
Is it going to be sort of security architecture, CISOs and
risk teams and governance and compliance?
And have a little think about who do you think is going to

(26:19):
benefit from the types of intelligence you're going to
produce and at what different levels do you have to tweak or
keep the product?
And then, I guess, the different types of intelligence feeds.
So I think we've kind of touched upon it: dark web,
malware analysis, you've got open source intelligence and
just the different types of intelligence feeds that you
might be dealing with as a CTI analyst.
Having a little bit of knowledge about that, I think,

(26:41):
really makes a difference, even if you've never used those
products before, to just kind of be able to talk about.
These are the types of questions that, as a recruiter,
you can ask and I think if you prepare some of those answers as
a CTI candidate, then I think you're going to be in a good
place.
So I think that's kind of probably my top tips or advice

(27:03):
for sort of getting into CTI, in the same way I did, for those
who are passionate about getting into it.

Pedro Kertzman (27:10):
I love that.
I love that.
Perfect. Sam, thank you so much for coming to the show.
I really appreciate all the insights and I hope I'll see you
around.

Sam Flockhart (27:20):
Yeah, no, cheers for having me, Pedro, and I'm
sure we'll catch up at some point.

Rachael Tyrell (27:26):
And that's a wrap.
Thanks for tuning in.
If you found this episode valuable, don't forget to
subscribe, share and leave a review.
Got thoughts or questions?
Connect with us on our LinkedIn group, Cyber Threat Intelligence
Podcast.
We'd love to hear from you. If you know anyone with CTI
expertise that would like to be interviewed in the show,
just let us know.

(27:47):
Until next time, stay sharp and stay secure.