Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Dr. Jean Nestor Dahj (00:00):
I've integrated the CTI mentality into the entire security operation team.
Rachael Tyrell (00:07):
Hello and welcome to Episode 17, Season 1 of your Cyber Threat Intelligence Podcast. Whether you're a seasoned CTI expert, a cybersecurity professional or simply curious about the digital battlefield, our expert guests and hosts will break down complex topics into actionable insights. On this episode of Season 1, our host, Pedro Kertzman, will
(00:28):
chat with who has over eight years of experience in information security and data science, engaging with various cyber units, including law enforcement, forensic teams and red team engineers. A threat intelligence engineer, researcher and author of the book Mastering Cyber Intelligence, he is currently the head of cybersecurity and intelligence in a fast-growing
(00:50):
South African telecommunications company. Over to you.
Pedro Kertzman (00:58):
Jean, thank you so much for coming to the show. It's really great to have you here.
Dr. Jean Nestor Dahj (01:05):
Thank you very much, Pedro, and I think the pleasure is shared. I'm happy to be here.
Pedro Kertzman (01:08):
Yeah, I'm sure it's going to be an awesome conversation, and usually I start asking the guests about their journey into CTI. Would you mind walking us through that?
Dr. Jean Nestor Dahj (01:17):
Please, yes, yes, definitely. Cybersecurity in general has always been more than a job to me. It's a purpose, I consider it as a passion, and over the past nine years I've engaged with a lot of units in different security disciplines. I've worked with forensics agents, I've worked with law
(01:39):
enforcement, I've worked with red teamers as well. All the knowledge collected through these years exposed me to CTI, to understand more about threat intelligence, because I was providing a lot of evidence to these people and it made me understand really how cybercriminals work, what they do,
(02:04):
how they do their things, what are their intentions and so on. So that really pushed me toward threat intelligence. And since I have a very strong data science background and I'm used to navigating data, curating data, finding patterns in data, it's made the transition a little bit smoother,
(02:29):
like trying to understand the vast data that we used to collect, because I was working for a probing company, a network probing company that used to collect a lot of network information transactions, like raw network traffic. So by using data analytics techniques, you find a lot of
(02:50):
information and patterns in data, making data useful. So that also escalated my passion, or made my passion for CTI much more aggressive, I would say, and on top of that, as a researcher, because I hold a PhD in electrical engineering as well. So as a researcher I dive a lot into how things are done.
(03:16):
So I've been researching a lot in the security space and engineering space communication, and I also wrote a book. I wrote one of the most comprehensive books on CTI, and currently I'm heading a whole cybersecurity department in a tier one company in South Africa, which is exposing me more in
(03:38):
the things that I like to do, exploring more and more. And CTI is a journey. So you don't reach the summit, you continue learning. We keep on learning. So more or less that is my journey. How I started as a network engineer and then transitioned to
(03:59):
probing, which exposed me to data analytics and data science, which, because I was interacting with different business units including cybersecurity forensics. Then I got a passion for the field and it has continued like that until today.
Pedro Kertzman (04:15):
That's awesome, and you mentioned the book. Right, it's Mastering Cyber Intelligence, and I'll make sure I include a link in the description of the episode as well for everybody wanting to check more. Can we maybe just talk a little bit more about the book? Some of the insights, I know roughly the book life cycle of
(04:37):
CTI requirements, things around that, then goes down to analytical and modeling and integrating CTI, like you're mentioning, into businesses, right, the business processes and all that. Can you maybe talk a little bit about the part one per se, like
(04:58):
the CTI tradecraft? What was the thing or any things that during your research to the book that, like, caught your attention, that you enjoyed the most? Writing about many, anything like that?
Dr. Jean Nestor Dahj (05:15):
It's, uh, yeah, it's, it's very interesting. Uh, writing the book was a very, uh, very good journey. It was a journey because most of the time, people are focused on the technical part of threat intelligence. They forget a lot of things that are prerequisite for a good
(05:38):
threat intelligence analyst. Threat intelligence is not just cybersecurity. It's a merging of many fields, including data science, data analytics, while cybersecurity, of course, but a little bit of soft skills like psychological skills and, yes, analytical
(06:02):
skills. That's why, before, threat intelligence used to be applied mostly in military, like in the military space, it has been used a lot. Like, it's not most recently, but only a few decades ago that it has been now being migrated slowly and surely into the
(06:23):
corporate world. And what actually sets threat intelligence analysis apart is not just the technical ability, but it's also the thinking ability. Like if you look at the tradecraft that I described in the book, when you have the outcome of a CTI report, you
(06:43):
don't just consume it like that, you analyze it, you question it. And how do you question it in such a way that you are not biased with the result? We've seen it many times. I'm not going to get into geopolitics, but we've seen many times where an intelligence report comes in, they tell you that a specific country has, like, nuclear weapons, and people.
(07:06):
People don't really vet it enough, but they don't push it. They question it, like push it to, to make them convince you that the intelligence is true and we can act on it. And that's the part that it. That's one of the parts that I enjoy a lot, because practically I think I've been doing, uh, at my work, but maybe not knowing
(07:32):
what it was, but writing the book, getting deep down into what is needed, the different ways of analyzing threat intelligence reports, like how do you question it, how do you present it to the, to the executive team, and all that. It was really a very important step for me, and my book is very
(07:55):
comprehensive in such a way that it does not only tell you the practical part but it also gives you the theoretical knowledge, like how do you get the requirement and how do you analyze the output, how can you make the analysis more effective. You know, the different types of analytical method and, as I was
(08:18):
researching, you find out that these methods are being used by actual, like, intelligence services in assessing reports, which is really, really great. Yeah, but for the rest of the details, I think the book can be acquired on Amazon, and yeah, yeah, no, absolutely, absolutely.
Pedro Kertzman (08:38):
You're mentioning a few times about how you brought that knowledge into your current role. How would you say companies in general, not necessarily from sector A, B or C, but companies in general, could leverage CTI to improve the overall company security posture?
Dr. Jean Nestor Dahj (08:58):
Yes, that's a very, very important question, because most of the companies are trying to leverage CTI, and we have to at the end of the day. But we need to understand why is it important? What are the benefits that we get from it? So I will talk about how, the practical ways that a company can do that, but first we need to understand what does CTI do?
(09:20):
How does it improve your organization's security posture in general? Let's take an example today. First of all, you're not going to be able to defend the company alone. No company can defend itself alone. You need collaboration.
(09:41):
Let's look at the different ways that CTI can improve a company's security posture. So if you have a threat intelligence feed, right, and then you find out that there is a specific threat that has been discovered in another part of the world in a company of a
(10:02):
similar industry as yours, you get an IOC. You can get, it can be a C2, a C2, uh, IP. It can be a file, a malware or whatever it is. You have that in advance, even though the breach has not happened to you. But by having that you can actually start searching your
(10:25):
logs or start tuning your security devices to detect and block those IOCs, those indicators of compromise, before the breach happens to you. So it brings you that type of proactive defense, you know, and second in terms of risks.
(11:10):
And most of the companies who have security tools, they know not to get trapped into a lot of low-level IOCs, looking for IPs and things like that. So CTI can actually help you prioritize your risk. Let's take an example I was discussing with one of my guys in my team. Let's say you have a rule that detects data exfiltration, right, we know that data exfiltration is one of the ways hackers use
(11:33):
to take data out of your network to some way. But you can also have data exfiltration between internal assets, from one asset to another asset. And you can also have data exfiltration from your organization to another trusted organization. But now it's the same alerts.
(11:53):
You get potent, uh, potential data exfiltration alerts. But now CTI can make a big difference here. If the destination where the data is going is malicious or has been detected or found in a threat intelligence feed, then automatically you prioritize that data exfiltration compared
(12:17):
to any other exfiltration you see. So with CTI you can actually prioritize your risks, which is very, very key to responding to cyber attacks. And CTI for sure also helps you harden your security devices like firewalls, IDSs and IPSs.
(12:39):
You have all these low-level IOCs that you can always feed to those tools to be blocked, detected, etc. And, most importantly especially, you know cybersecurity is an area where it's very difficult to justify the return on investment to the board.
(12:59):
You know, because we are not in a revenue generation type of department compared to other departments, so we take more money than we give. However, we do protect assets, we do protect the company from cyber breaches, but executive teams, board members, they don't
(13:25):
understand IOCs, they don't understand this. They want you to tell them why they should invest on something specific, and using threat intel with good context, you can actually sell a story to the board so that you can invest on the right tool or the right security solutions.
(13:47):
So those are some of the benefits that you can get from leveraging CTI in your organization. So it really helps you improve your security posture. That's one thing. So now, how can a company practically use CTI?
(14:12):
So the adoption of CTI is always a very big question. How do you start? How do you get? Well, most of the people always start with a threat intelligence feed. Yes, which is a good thing. They will get a feed, get IOCs and all of the things, but integrating CTI in
(14:35):
the company is more than just that. I will give an, I will give an example. You, you start with trying to understand exactly what you want to protect. Right, let's say, those are the prerequisites, those are the basics. To start, you know, even you cannot, you cannot adopt CTI out of the blue.
(14:56):
CTI comes after you have already done some of the prerequisites. For example, you have a centralized logging system. You have that internal data that you are feeding to your SIEM. You have logs, endpoint logs. You have server logs, you have application logs, you have
(15:19):
access logs. All the logs are coming together. Even if you have NDR, you can also have packet logs that are going to your SIEM solution. That's a prerequisite, because that way you're going to be looking for information. So once you have that, the next thing that you have to do is now understand what. Ask yourself, what do I want to protect from that?
(15:41):
What do I have to protect? What do we do that hackers may be after? Who may want this information? You know, and in a very simple way. I'll try to be more practical, to such that to help also companies to, you know, to adopt that. Once you, once you have, then you can start with things like open source, open
(16:06):
source feed or open source TI feed. So you have, there are a lot of open source TI feeds that you can, you can start with. You can start with AlienVault. You have VirusTotal APIs and all that, you take all those ones. If you have money, well, you can go for commercial feed as well, that's okay. But if you don't have money, you can still leverage, uh, CTI
(16:29):
with, with less effort. So if you get those feeds, the most important thing is to curate your data. Make sure that your data is, is curated. It's correct, because if you take garbage or data that not, that does not help you, you're not gonna get value out of your CTI program. So once you get those data, okay, it's curated data.
(16:52):
You have a bunch of IOCs, context, threat actors, etc. You try to put that together, like integrate that with your security tools, which is very important, very, very essential, because, anyway, today most of the security tools anyway, like SIEMs, NDRs and IDSs, IPSs, they have integrations with threat
(17:17):
intelligence feeds, maybe through APIs or through STIX or TAXII. You know, to get all the contextual data, you integrate your tools, or integrate those CTI feeds with your tool. That will bring context to your data, or your SIEM data or your
(17:40):
NDR data. Very simple, for example, you can see, if you see an indicator of compromise, like an IP address that has been flagged. If you have a threat intelligence feed, it can tell you that this IP has been seen some way, and then you can contextualize it and see which threat actor has been behind
(18:01):
that IP, and then dig deeper to find out. Oh okay, what are the tactics, techniques and procedures used by such threat actors, which brings context into your data, and you can also include it into your incident response team. Like what I usually do is, if I get an alert and I have specific
(18:24):
IOCs in there, first thing that I do if a TI feed is not integrated, I just take that IP or that hash file or whatever it is, put it on VirusTotal. Right, you put it on VirusTotal and see if it's malicious. Put it on abuse.ch, check. Some put it on AlienVault and see if there is any pulse that
(18:47):
has been reported on such IOC. So these are simple techniques that you use to integrate TI in an easy way, but I know it takes more than that. But this helps you as a starting point.
Pedro Kertzman (19:03):
Yeah, that's really good. Thank you, I think you touched on very important points. Maybe to stitch a few of them together, you also mentioned, for example, selling the value to decision makers, to the board, so on and so forth, but also making sure you are properly analyzing risk and giving them which ones should be the
(19:27):
priority. So I think, you know, from an overall CTI standpoint, it would be fair to think on the whole CTI value chain or structure in a pyramid way, where in the bottom, like you're
(19:50):
mentioning, you're going to have a lot of information, feeds, logs, but then you have to start pulling the most valuable information out of it and start decreasing the size of the pyramid, going to the top with more, less detailed or technical information and more valuable risk-related information, up until the top of the pyramid, to the board or
(20:12):
something like that. Correct. Otherwise they will just, you know, scare you away because you're talking about TTPs and IOCs and hash values and they don't want to do that. They want risk likelihood and things that they will understand and make a decision based on that. 100%, 100%.
Dr. Jean Nestor Dahj (20:34):
That. That's why, okay, it's, uh, not to anticipate, but, uh, that's why you see how you present your CTI, uh, is very important. You have to understand the audience, right. Things like IOCs and domains and hash and whatever we've talked about. You're not going to present that to an executive team, right,
(20:58):
to the strategic team. You're not going to present that. So what you're going to present to the SOC team, for example, is different from what you're going to present to, let's say, your, your operational team, your red, uh, your tactical team. So, for example, your red, blue team, purple team, what you're gonna give them is completely different from what you're gonna
(21:19):
give to the SOC team. And what you're gonna give to both, to the, to the two, is different from what you're gonna give to the strategic, uh, strategic team as well. Yeah, that's perfect. So you're right, it's very important to understand the audience and how you phrase it, how you put it together, so that it can carry more value.
Pedro Kertzman (21:39):
That's perfect, and any best practices you're working currently, maybe on your current employer, how to implement such CTI best practices? Best practices.
Dr. Jean Nestor Dahj (21:55):
There are a lot of guidelines out there that give best practices, but I always like going in a practical way. So best practice is always to make sure that you're getting the correct information. Okay, because there you're going to get a lot of threat
(22:17):
intelligence feeds. Some of them are open source, others are commercial. The right feed will show more value on the, on, uh, on your CTI program or your CTI project, for example. Understand your industry, don't, don't get feeds from industry
(22:39):
that are not related to you. And, and also in terms of, in terms of analytics, right. So I always make sure that you are able to analyze the data. You have the right knowledge to do that. So one of the best practices, also investing in people.
(23:01):
I know that's what people will expect the less, but best practice of CTI is investing on people as well, because, at the end of the day, you can automate many things, but you need human expertise to analyze the data and get some value out of it and
(23:27):
report it back to different business operations. So that's the same method that I use in the company. So the truth is, I don't have a dedicated CTI team in my organization. Like a dedicated CTI team, no, but the strategy
(23:47):
that I've used is I've integrated the CTI mentality into the entire security operation team. Love it. Everyone. Everyone thinks, everyone thinks like a threat intelligence analyst, even if you are a SOC, even my, my red, uh, red, blue team, purple team. So if you want to do a pen test, you, you have to let me know,
(24:11):
for example, how is your pen test going to help the company? I don't just want you to run a Metasploit and then you try to compromise. No, look at the MITRE ATT&CK framework, for example. Look at one or two threat actors that are targeting our
(24:33):
industry. Look at the methods that they are using to compromise. Look at the different malware they've used. Now ask yourself, can you emulate that? Can you use such approach to test our defense? And then, the same way, get the blue team to also invest in that. Look at the framework, look at some tactics, techniques that
(24:58):
are there, right, and then evaluate our defense. Are we able to defend against that? That's very important, and those are the best practices that you're gonna use to get most value out of, uh, out of your CTI program. And, most importantly, you need to measure the effectiveness of your CTI if you want to continue that way.
(25:20):
For example, you can define some basic metrics that you, you can, you, you can use to evaluate or assess your program. Just look at, and some, if, if you go out there, you'll see books with a lot of nice metrics, yes, but some, some of those metrics are not straightforward to understand and very difficult
(25:41):
to implement. You can start with basic, basic metrics. Just look at, out of all the, the, the incidents or all the threats detected, how many were? How many did you detect because of your CTI feed? How many IPs did you block because of your CTI feed? It's very simple, because now things like firewall, firewall,
(26:07):
EDRs, they will tell you why they are blocking a specific activity. They will tell you this domain has been flagged as malicious, why. They will tell you, and those are some of the best practices that you use to get more value out of your CTI program.
Pedro Kertzman (26:29):
That's very cool. I really like how you put it, that you don't have necessarily a dedicated CTI team, but the CTI mindset or frameworks are going across the teams that you have,
(26:51):
and everybody kind of needs to have that in mind to bring extra value from their, from their day-to-day cybersecurity related activities. That's, that's really interesting, and you mentioned in the beginning as well to evaluate the quality of the data you're receiving and all that. Maybe, you know, from your experience, either researching on the book, or practical experience, uh, on your work.
(27:14):
Any, the one I see the most to evaluate, uh, the data sources and reliability of data sources is the Admiralty Code that also is used by NATO. Any other frameworks to analyze that
(27:34):
you've bumped into, or any other experiences evaluating data sources? Well, that's a, that's a very good question.
Dr. Jean Nestor Dahj (27:43):
So the, I would, first of all, I'd say there's no standard. Maybe I'm not aware of, but there's no standard way that gives you the playbook on how to evaluate a CTI data source. Most of the threat feeds will always tell you that the data
(28:04):
has been assessed, they are correct, they get updated, updated. But it's up to your internal team as well to do the due diligence, like, first of all, when you look at the feed, what the, the description, do, do they give you what, what you're looking for? That's why you have to know what you're looking for.
(28:25):
Do they give you what you're looking for? Are they reporting IOCs only? Are they giving context on what they're reporting? Are they linking it to threat actor profiles and reports? Are they mapping the data to the MITRE ATT&CK framework, for example? So you know you have to evaluate how often do they
(28:51):
update their IOCs? Because, remember, while we are on the topic of IOCs, IOCs are the lowest level of a CTI program. They are very important, but they are not everything in terms of CTI, because IOCs are short-lived, you know.
Rachael Tyrell (29:09):
They're short-lived.
Dr. Jean Nestor Dahj (29:11):
They can change every time, so you have to. When you evaluate your data source, you also try to ask how often do they update the IOC databases, the threat actor databases and all that, you know, and how much effort do they put on research
(29:34):
and analysis of new malware and things like that? That's very, very important. So I'm not going to go through all the details, but those are the basics that you have to look at, because that's going to be important. If you invest in threat sources that are not updated constantly, then your intelligence will be lagging and you'll be getting
(29:57):
hit by something that has already been reported by very good sources, and because your source did not update on time, then you get breached like that. So those are, those are the methods that I use. Uh, specifically, I don't use, I don't use a specific framework
(30:18):
to analyze the, the threat feeds, but I use some data science techniques. You know, the same way we, we, we do to, to clean data and then see, uh, like, engineer the data properly. That's almost the same concept that I use with, with threat intelligence feeds. I ask questions, I look, I vet it, how true it is, where they
(30:40):
come from, how much time do they give on reports, how often they update the, the databases, and, uh, how much context do I get from the feed? Do I just get a bunch of IOCs or do I get context beyond those IOCs? So yeah, those are the practices that I use.
Pedro Kertzman (31:00):
That's very interesting. Combining data science with the IOCs and CTI as well, that's very interesting, thank you.
Dr. Jean Nestor Dahj (31:08):
Oh, that's true. I strongly, just not to cut you, Pedro, I strongly believe that, honestly, the best threat intelligence analyst would be the data scientist or the data analyst. That's nice.
Pedro Kertzman (31:23):
I mean, if you're handling a large amount of, or a large volume of, information, it does make sense, right? Somebody that can go through that data first with analytical eyes to make judgment of it and start funneling, you know, what's the best information, how to handle it, go to the next
(31:45):
step, next step and so on. It does make sense. That's a very interesting take, thank you. You know, obviously we're exposed to data feeds day in, day out, threat reports, so on and so forth. But when it comes to learning more things about the industry,
(32:10):
the CTI industry itself, like new trends, how people are doing CTI now, or what's the new role for the analysts going to look like in the next, I don't know, five years, or anything like that, what are your favorite, quote unquote, data sources for this extra information about the CTI industry? Oh, favorite data sources for?
Dr. Jean Nestor Dahj (32:30):
This extra information, uh, about the CTI industry. Favorite, that's, that, that's a strong word. Favorite, I don't think I have a favorite, but, uh, I'll just say I like digging almost everywhere, you know, from, from books to, uh, to online courses, and, you know, forums, and, as a
(32:55):
researcher, like, I read a lot of papers, like security papers, papers, sorry, journals and things like that. But I would say, especially for people who are trying to, you know, to jump into the, the industry in the, in the CTI
(33:15):
world, it's, it's important to give a little bit of, uh, of a structured way. You know, not, not just for me, because I know that for me I've, uh, I still, I still continue learning about it. Like, sometimes, you know, I do a lot of research, I, I read, uh, books that are, that are out there. Like you, you can, you can just go to Google and, and check the
(33:39):
number of CTI books that are there, that there are a lot. And you go to Udemy, now you got a lot of platforms like Udemy, you get a lot of videos and you have certifications, but for some, for people who are trying to, uh, jump into the CTI world, so, so, especially for beginners, what I always advise is you
(34:02):
start with the MITRE ATT&CK, for example. If you open the MITRE ATT&CK framework, that's my friend of every day, literally. Every single day, I open the MITRE ATT&CK. If you can start there, learn about, learn about, uh, the
(34:23):
different tactics, techniques, procedures that are there, because I, I, I assume that if you want to jump into CTI, it means you, you, you have some basics of cybersecurity, right, so, which means, if you look at the MITRE ATT&CK, you understand a lot in terms of tactics that are there, techniques that are
(34:45):
there, procedures that are there, and the most important thing is that that framework also tells you which threat actors are linked to such TTPs, and it also tells you some of the techniques that are there. Actually, you can see how to implement rules on SIEM and IDSs,
(35:10):
IPS or security tools to detect such attack. So start there and then, uh, if, if you want to use open, open source, uh, open source CTI tools, like, it's better to, to learn while you are practicing as well, you have a lot of, like, uh, open source threat intelligence, uh, tools like
(35:33):
MISP, you have OpenCTI, a lot of them. And now I see TryHackMe also. TryHackMe has a branch, a CTI branch, of practical exercises on CTI. It's open. Try to do that if you are a beginner, try to learn that.
(35:54):
And if you are an intermediate person, maybe you want to invest into, uh, like certifications. Yeah, true, you can go for certifications. You have EC-Council, EC-Council International has a CTI course, and then you have, uh, you also have, I think, think, the SANS,
(36:16):
the SANS, yeah, the CTI certification, FOR578. 578, if I'm not mistaken, if I'm right, yes, I'm still right. So you have that, and I think the SANS SEC as well. Also there's one version of SEC that also gives you some type of continuous monitoring courses.
(36:36):
You can use that, and then also, as an intermediate person, practically use the MISP, build that, like CTI pipelines to get IOCs from STIX/TAXII servers in MISP, send it through rules,
(36:57):
YARA rules or whatever it is, to security devices and see how it, how it, how it works, practically exercise on, on them. So that's, that's kind of how you, you get, you get your hands on dirty on, on, on CTI, and for expert, I'm sure there are a lot
(37:18):
of experts there. I don't know, I don't have much, much, much to say there, because if you are, if you're an expert level, maybe you want to explore other uncommon CTI practices and channels and invest more on research and things like that. And I think I'm not really somebody who talks a lot about
(37:39):
these things, because I like doing, doing it, because I always had the impression that people who talk about things the most are the people who actually don't know it the most. People who actually know the things, they talk less about it, they do it, they're doing it. Yeah, so I, I spend more time on doing, and because I'm also
(38:01):
preparing two other books that will come out, very practical, still in the, in the cybersecurity, uh, arena. Very, very practical, because that's what I like. When you research things, you have to put it out there and see what the best, the best of the best, are thinking about your work, and I'm always in for constructive criticism.
(38:22):
So for experts, it's, it's better to, to explore other, other ways, invest in more research, and I think, I think that's, that's what I think.
Pedro Kertzman (38:33):
That's awesome. No, I appreciate the insights, and any, like, closing thoughts for, for the listeners? Well, closing thoughts.
Dr. Jean Nestor Dahj (38:42):
First of all, I'll say thank you, Pedro, for, for this opportunity, and thank you, it has been a good discussion. I, I like. I like unorthodox ways, yes, so I like more orthodox ways like this, where we discuss openly, not just structured, like oh,
(39:03):
let's talk about this, let's talk about that, prepare about this. But, you know, we talk about it. I give you the experience as, as I know it, and that's how I, I benchmark the knowledge that I have received, which is very good. But on a closing note, I'll say that CTI is becoming very critical in cyber defense, not just because of its capability
(39:28):
to give us a lot of information, even because of the fact that we are now sharing information with each other, with the community, which is very, very important. So I think most companies and most organizations are investing into CTI, which is a good thing. It's not a product.
(39:49):
There's no product, there's no product called CTI. If somebody comes, they say they're taking a CTI product. That's wrong. You know, CTI is. It's a process, it's a journey, it's something that starts and continues, because you have to continuously invest into that. As you get the result of your CTI, or you get the outcome, you
(40:12):
feed it back to your requirement and come back. You know, we haven't touched into, like, I didn't want to go into much theory about the life cycle and stuff like that. Maybe we'll have a chance to talk about those, or the pyramid of pain, because you touched a very important point in terms of narrowing down the pyramid. Maybe in the future, talk about that, but it's a journey.
(40:35):
That's how we have to consider it. So, to the audience, and it's a very important field, whoever wants to jump in today, in the future there will be a need, a big need for threat intelligence people. So yeah, that's awesome.
Pedro Kertzman (40:53):
I'm biased. I also think that we're only at the beginning of this bigger industry journey to recognize more and more the value that CTI can bring to the overall cyber defenses. I could not agree more with you, Jean. Thank you so very much for all the insights on the show.
(41:13):
I really appreciate you having me here and I hope I'll see you around. Thank you.
Dr. Jean Nestor Dahj (41:18):
Thank you, thank you very much, Pedro.
Rachael Tyrell (41:22):
And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know.
(41:42):
Until next time, stay sharp and stay secure. We'll be right back.