Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Josh Darby MacLellan (00:00):
CTI is supposed to inform decision-making and enable decision-makers to calibrate defenses to protect an organization and make it more resilient.
Rachael Tyrell (00:09):
Hello and welcome to Episode 5, Season 1, of your Cyber Threat Intelligence Podcast. Whether you're a seasoned CTI expert, a cybersecurity professional or simply curious about the digital battlefield, our expert guests and hosts will break down complex topics into actionable insights. On this episode of Season 1, our host, Pedro Kertzman, will chat with Josh Darby MacLellan. Josh is a cyber threat intelligence professional with (00:31) experience in CTI and geopolitical risk in the North American and European financial and tech sectors. He has spoken at conferences, including SANS CTI Summit and FIRST CTI Conference, and holds the CISSP and CCSP certifications. Josh enjoys contributing to the community by publishing articles, mentoring, and has held leadership roles in industry associations, including (ISC)², Tier and ASIS. (00:55) Over to you, Pedro.
Pedro Kertzman (00:59):
Josh, thanks so much for coming to the show. It's great to have you here.
Josh Darby MacLellan (01:05):
My pleasure. Very happy to be here today.
Pedro Kertzman (01:07):
Awesome, and usually I start by asking the guests how their career started, maybe the early start on their career and all the way to the current CTI-related role they might have today. Would you mind walking us through that, please?
Josh Darby MacLellan (01:24):
Sure, right. So this takes me back a few years. My career started in quite an interesting fashion. I originally was studying in the UK and then one day stumbled kind of aimlessly into a departmental talk which was all (01:45) about doing a second master's degree over in Canada. And this ended up being one of those small dominoes that set off like a really big cascading effect, and I ended up doing my second master's over in Canada, and this master's was more vocationally focused than the average one and there was a component of it where you could go and do a co-op semester, and (02:08) this is essentially like an internship in industry for one semester. And that was my kind of way through the door. And I did that internship in the finance sector, but specifically working in a corporate security department, and I was focused on geopolitical risk, and that was (02:28) my first experience with private sector intelligence. Prior to that I thought that you can only really enter the Intel space if you went national or military, and I knew that companies had security departments but I didn't realize there was really space for Intel there. So this was like a huge eye-opening experience. (02:52) And then I realized through networking conversations that pretty much every household company has a corporate security department and infosec department and typically they'll have one or two or sometimes three Intel teams, depending on their configuration. And after that I was hooked and that led me to my first. So the co-op internship led to my first short-term contract, (03:16) which led to my first full-time job in threat intelligence. And then, after a couple of years working on the physical geopolitical risk side, I pivoted over into cyber threat intelligence. So I came up more from the non-traditional route and it was definitely a bit of a zigzag journey to get into CTI, and it's been a blast ever since.
Pedro Kertzman (03:37):
Awesome, awesome. Thanks for walking us through that. And you mentioned the non-traditional route. Anything that you used, let's say, to fill some gaps, reflecting on your career, the things you need to have to jump on a more CTI-related role, any strategy you used to maybe fill some gaps you (04:01) found along the way?
Josh Darby MacLellan (04:03):
I hadn't studied cyber in university, and the thing that really helped me once I started to explore a pivot into CTI is I invested a lot of time reading and studying up on cyber threat intelligence. There are a ton of textbooks out there. There are free resources online. A bunch of the CTI vendors publish reports and guides that (04:26) you can use, and then it was just doing as many webinars as possible, getting involved in industry associations, going to educational and informative events, attending conferences, both physical and virtual. I'm missing something. Oh, certifications as well. That also helped me to ramp up my CTI knowledge, because not (04:47) only are you studying a particular domain or multiple domains, but you're also tested on it. So part of that is you need to memorize certain aspects of cybersecurity. So once I decided, okay, I'll jump over into the CTI space, all those things helped me with that pivot over, but it was definitely a lot of evenings and weekends, because I was essentially retraining for a job (05:09) whilst also moving into that job.
Pedro Kertzman (05:11):
So, yeah, a lot of additional time had to go into it, I imagine. And do you think you still nowadays use some of the more specific knowledge that you used to have before your, let's say, CTI migration, kind of thing, like the more physical intel and stuff like that? (05:34) Do you think it's still helpful to you nowadays?
Josh Darby MacLellan (05:37):
Yeah, it's kind of come full circle a bit, because with the last few years we've seen so many geopolitical disruptions that have bled over into cyberspace. I really started to see this resurgence in geopolitical risk with the pandemic and then, straight after the pandemic, we had the invasion of Ukraine. Then we've had the Middle East kick off and people are getting (06:00) worried about China and Taiwan. Each of these crises and situations has had implications on cyber or IT infrastructure, and I've started to notice more of a demand for CTI teams to also be analyzing the geopolitical drivers of different cyber attacks, and more (06:22) of a ramp-up in strategic intelligence and then an overlap and blending of geopolitical teams with CTI teams. So yeah, a lot of the knowledge, a lot of the subject material that I studied back in university, has proven itself as very relevant and, beyond this, working in risk as well has also had a lot of benefits in CTI. (06:45) Understanding the risk equation, how we address risk, how we treat risk, what are our options and then also how to manage risk. All of this has ended up being very relevant for the CTI space.
Pedro Kertzman (06:59):
It just helps illuminate more domains that you can bring in to ensure that you're a more well-rounded CTI analyst. Cool. And, you know, now after a few years into specifically the CTI space, any type of advice or things, or a thing you would have liked to know way back in the (07:20) day when you first decided to do that pivot to the CTI industry?
Josh Darby MacLellan (07:25):
One thing that I wish I'd realized sooner is that you can gain hands-on experience in CTI without having a CTI job. Nowadays there are so many open source tools, open source data that you can use inside of open source tools, like TIPs, for example, that you can actually go through the kind of analyst (07:45) workflows that a CTI analyst does on a daily basis, and you can run through investigations. You can run through intel analysis and assessments, and you can practice answering PIRs, or priority intelligence requirements, and RFIs, or requests for information, and you can actually essentially play the job of a CTI analyst in a (08:07) much lower stakes environment before you start to apply to CTI jobs. I always thought that there was kind of a barrier to entry, like you can't start to do CTI until you have access to very expensive commercial tools or until you've done an official training course or certification. But nowadays, just with the abundance of open source information out there and open source resources, like, you can (08:30) do it today. One reason why I also wish I'd known that earlier is because it gives you so much evidence and proof of your passion and interest in CTI. (A hundred percent.) For example, like, (08:57) nowadays I do a lot of interviews with people (100%), and they say that, you know, this is what I've always wanted to do, I've dreamed about moving into CTI. If that's true, then there's normally some kind of evidence they can point to, like blog posts they've written, analysis that they've done or online courses that they've taken that are either cheap or free. (09:17) So doing the job before you move into CTI, I think it just gives you so much practice and so much evidence that you can point to when it comes to those interview-type situations.
Pedro Kertzman (09:29):
Awesome. That's my fault. I'm sorry I didn't release the podcast, or didn't think about the podcast, two years, five years ago maybe, because, funny enough, that's a common theme, honestly, so far with all the guests. Oh yeah, everybody's talking about hands-on experience with open source platforms. You name it, like spin up a MISP server or anything like that. (09:53) Right, getting hands-on experience. And we have so many OSINT, you name it, like a bunch of threat intel information out there now, podcasts, so on and so forth. Yeah, 100%, and like it's something which, it's kind of a shame.
Josh Darby MacLellan (10:10):
You often don't realize it unless you know people in the industry or until you start to work in it, and it's like, once you have the job, it's almost like the information is coming in a bit too late, I think. Often receiving that information that you can go and get practice right now is super valuable before you start to (10:31) consider moving into a job in cybersecurity, especially because there's no greater way to find out if you are actually going to want to build a career in a certain job specialization than actually doing the job beforehand. Agreed, and I think with cyber there's almost this unique position that, because there are so many open source tools and open source data, you can go in and run through the (10:54) day-to-day workflows that you would do when you eventually get that job, but you can do it beforehand and then you can assess, like, okay, is this engaging enough? Is this going to keep me captivated for the next two, five, ten years?
Pedro Kertzman (11:06):
100%. Agree, and that's probably one of the reasons I have the podcast now, because, honestly, CTI, we can get going forever. It never stops. You mentioned, like, the geopolitical interference now on our day-to-day activities and all that, so it's just fascinating, never-ending learning, and that's really good. (11:28) Yeah, I'm sorry to interrupt, but it...
Josh Darby MacLellan (11:32):
It sounds like one of the motivations for the podcast is that you're making the podcast you wish you had earlier on. Is that right?
Pedro Kertzman (11:39):
Uh, yeah, I mean, I think the... As a subset of the industry, CTI is probably not the most mature one, so it feels we have to have more blogs, podcasts, people talking about it, conferences, just more buzz (11:59) around CTI. It's such an important part of the whole cybersecurity equation. I might be biased there, but to build a proper cybersecurity program without CTI as guidance on where to focus, how to (12:19) prioritize, it's just going to be like way more effort and you might not even get to the best possible result. That's, you know, my little two cents. Definitely.
Josh Darby MacLellan (12:33):
I attended a webinar by SANS and they were talking about the origins of CTI, and apparently the first Google searches for CTI started around 2013, 2014. So you're absolutely right, like it's a young specialization, and (12:53) I definitely think that CTI as a field has gone a long way already, but there are still things that we can do to further professionalize the field, and it's great to now see some certifications that are focused solely on CTI, like the GCTI. That's really cool, because there are so few rigorous certifications that are solely focused on CTI. And I really commend the folks who came up with that (13:14) one, because it was much needed in our industry and I think it just helps mature CTI even faster. I agree, I agree.
Pedro Kertzman (13:21):
And other areas of expertise, you name it, firewall, endpoints. I see those areas as like pillars, you have to have those, but they at some point might look like more mechanics or logistics. You got to just do and lift that stuff up, (13:43) when, on the other hand, CTI will be more in the planning, strategic, where to focus and how to use that brute force, firewalls, endpoints, to do something that you need to focus on, kind of thing.
Josh Darby MacLellan (14:04):
So, yeah, I could not agree more with you, Josh. Yeah, on that vein, I think that that's one of the big value adds of CTI. It's like when InfoSec departments want to move from being reactive to proactive. Perfect. You need those teams that can bring you information and intelligence on attacks before they hit your environment. Otherwise, you're always just going to be one step behind the attacks and constantly in that firefighter mode, which I know (14:26) is burning out a ton of teams right now.
Pedro Kertzman (14:28):
Yeah, that's a great point. So instead of waiting for people to hit you, analyze the logs and then react, you can do things before that happens.
Josh Darby MacLellan (14:38):
Yeah, exactly. Like analyze the fist that's coming towards your head so you can dodge it quickly.
Pedro Kertzman (14:43):
That's a good example. Yeah, you were talking about conferences as well, or certifications. Any top-of-mind conferences or certifications that you think would be important for the listeners to know about?
Josh Darby MacLellan (15:01):
If you're early on in your cybersecurity career journey and maybe you're considering moving into cyber, or you're looking to kind of like move around inside the industry, SANS does a really good one, New to Cyber, and this is one that's, I believe, virtual only still, and they publish a lot of the (15:24) talks on YouTube. So I came across this when I was quite early on into my like pivoting journey and I just went back through and watched pretty much every single talk that they published under the New to Cyber conference, and that, I think, is a fantastic resource for those slightly newer in their journey. Now, if you're already in CTI and you're looking to find (15:48) conferences that are more focused on CTI specifically, then SANS CTI Summit is a great one. It was just held in the US, in Alexandria, Virginia, and that was at the end of January to the start of Feb time. And then there's also FIRST CTI Conference. (16:10) Last year it was in Berlin in April. Those are two conferences that I found that are CTI focused, and I'm on the lookout for others. So if any listener, if you have heard of any other like pure CTI conferences, please let me know. I'd definitely be interested in attending. But those would be my top three recommendations if you're (16:33) either new to cyber or if you are moving more, or if you're more specialized in cyber threat intelligence specifically.
Pedro Kertzman (16:39):
That's very interesting. Yeah, I didn't know that. Thanks for sharing. So we mentioned quickly about skills from a CTI standpoint, other than or including malware analysis. Any other top-of-mind skills that you think are important for a basic CTI analyst or CTI advisor, anyone in a CTI-related role?
Josh Darby MacLellan (17:06):
So the clue is in the job title. If you're going into a CTI analyst role, learning analysis based on best practices is super important, and I think there are different ways to approach analysis, but the ones that I find are most rigorous in teaching really good analysis (17:28) are structured analytic techniques, and this is a best practice in the CTI field that is gaining more and more exposure. More and more people are talking about it, and these are techniques that can really teach you how to approach thinking about information, analyzing it and turning that information (17:51) into relevant, actionable intelligence. How much and how often you will use SATs does also depend on your job focus. For example, if you're a tactically focused CTI analyst and you're there to support incident response, the time you have to produce intelligence is going to be very limited, so (18:11) you're less likely to go through some of the like deeper SAT exercises whereby you're thinking of different competing hypotheses. But for those who have a bit more time to do more finished, polished CTI products and services, that's where I think SATs can play a really strong role. So for people who are more focused on CTI, on operational (18:35) intelligence and on strategic intelligence, I think taking time to learn about SATs is going to be super, super valuable, and also just operationalizing them in your day-to-day role will really help your analysis skillset.
Pedro Kertzman (18:49):
Got it. Just to make sure everybody knows, SATs: structured analytic techniques. Got it, thank you. And do you think any CTI hands-on type of role, for, I don't know, analysts, CTI analysts on a more hands-on approach, would ever need to double check or criticize or (19:16) have a second guess when it comes to attribution, the information they're receiving from, you know, a feed, OSINT, a vendor, anything like that? Do you think CTI teams in general would go that deep to double check attribution, make sure if that threat actor, for example, is really the one (19:37) trying to poke into their environment or do anything?
Josh Darby MacLellan (19:41):
I've picked up quite a controversial topic, attribution in CTI. This is a big debate over whether or not it's actually worthwhile and whether or not attribution is just a distraction. I know that we kind of have this obsession with knowing who did what. In particular, there are recipients of cyber threat (20:03) intelligence who will ask, okay, well, who committed this? Do we know about them? And you'll get those like threat actor attribution type questions. I think everyone in their own respective, like, team and role needs to ask themselves, like, the "so what?" question. If we are to attribute a certain intrusion data set to a known threat actor, what's the so what? (20:24) If it can provide value, if that can actually help you do additional pivoting and analysis and understand broader campaigns and operations, then, yeah, it makes sense to dive into attribution. For many of us, it can be a bit of a distraction and we get a bit obsessed trying to name or pin an intrusion to a certain (20:46) threat actor, and often that process can be riddled with cognitive biases whereby there's pressure to say or to label a certain threat actor, and then we go for one that we think it is or that we have a suspicion it is, as opposed to one that we can prove, with all of the (21:09) available evidence, that it is that particular threat actor. And it brings up a good point.
Pedro Kertzman (21:13):
What do you see about, like, collaboration? I think one of the things that would solve this type of problem would be more collaboration with people receiving that raw telemetry or breach information, if you will, (21:35) and instead of just doing attribution and releasing part of the information, if more stuff could be properly, safely shared with other vendors, researchers and so on, it could prevent this type of mismatching when it comes to attributions and so many other problems. How do you see collaboration happening right now between, (21:57) again, researchers, vendors, end users or companies with CTI teams? How do you see collaboration nowadays?
Josh Darby MacLellan (22:05):
I think collaboration is a very important part of cyber threat intelligence, and I actually think in the security industry at large we're quite uniquely positioned to collaborate with other organizations or companies that would otherwise be our competitors. So this is a link that I experienced in particular in the finance sector. I worked for one of the major Canadian banks and there are (22:28) five banks which are typically competing over everything. They compete over different markets, over market share, over different types of products, and they'll be trying to win over each other's clients continuously with, like, new deals, new promotions, new credit cards. But with the security departments we had full (22:50) permission to go and actually collaborate with these other banks and go and speak to their intel teams, and we would set up these information sharing groups kind of more informally. Some are more formalized, thinking about the FS-ISACs of the world, and it's created this space of collaboration whereby we're sharing information and intelligence on the attacks and (23:12) intrusions we're seeing on our side, because we know that typically organizations in the same country, same industry, are going to be facing very similar threats. So if one organization gets hit, it is uniquely positioned to warn the other organizations about a threat. That is more pertinent versus more generalized intelligence (23:34) being published out there.
Pedro Kertzman (23:35):
Cool, awesome. And do you see any collaboration on the vendor side, or research side, or more on the customer and user side, like you mentioned?
Josh Darby MacLellan (23:43):
I do see some for sure. I think it varies though, as some CTI vendors are essentially in commercial competition with each other, so they'll be less inclined to collaborate. But saying that, I have come across numerous reports that are collaborative, either because they analyzed an extended data (24:05) set together or because one organization published based on their intrusion data and then others took that and then, kind of like, built upon it. So there is an element of collaboration. But I see a lot more with the kind of in-house nuclear CTI teams, whereby it's a company that has its own infosec department, its own CTI team, and they are collaborating with (24:28) other companies that have a similar profile to theirs, or function in the same region or industry. Cool.
Pedro Kertzman (24:34):
I think it might be part of the maturing in the industry as well. Yes, where I see vendors collaborating like you mentioned. It's like a dark web scraping vendor plus an endpoint security vendor, because they're not super overlapping each other. Then they feel more comfortable about collaborating on a (24:58) certain research or anything like that, which is not perfect, but maybe it's the beginning, right? Yeah, definitely, and it does raise a good point.
Josh Darby MacLellan (25:07):
We are seeing a lot of integrations between different, let's say, like Intel feeds and different threat intelligence platforms, or integration between threat intelligence platforms and SIEMs or SOARs, and a lot of these tool-based collaborations and these integrations, they are recognizing that integration between two tools (25:29) can be mutually beneficial as long as they aren't like a direct competitor. So, yeah, good point there. When it comes to the tools ecosystem, there is also that opportunity for integration outside of a direct competitor. Awesome.
Pedro Kertzman (25:45):
And, from a skill or learning standpoint, any important soft skills, hard skills you think are a must-have or should-have for anybody in the industry or trying to get into the CTI industry?
Josh Darby MacLellan (26:04):
Yeah, let's start with some of the hard skills or the technical skill sets. I think there are certain foundations that are super important to learn in CTI, in particular, learning how to analyze intrusions, how to take information and move it through the Intel cycle. Those things are super important, and then (26:25) understanding cyber attacks. So I think there are a couple of models out there that are super useful and still foundational in CTI, such as the diamond model and the kill chain. Getting to grips with these two, I think, will position you very strongly for CTI. And in terms of the other hard skill sets, being a good (26:47) investigator is super important, and this kind of strays between soft and hard skills, but having a curious mindset, combined with knowing how to pivot from indicators of compromise into other IOCs, building up more of an understanding of an attack and then pivoting into understanding tools, malware, (27:08) and then moving more into attacks and campaigns and then understanding different threat actors. I think that that whole process of taking a small piece of data from an intrusion, knowing what tools and processes you need to run against it in order to add additional context, and then running through the whole process of continuously pivoting (27:30) and analyzing is super important.

Now on the soft skills side. You know, ironically, they often say that soft skills are harder to teach, and I think that's definitely true in CTI. Your entire CTI process will fall completely flat if you are not able to communicate that intelligence in a way that lands with your stakeholders. (27:57) I think investing in communication, whether that's written, verbal, presentations, etc., is so important, because our function is a support function. Generally speaking, CTI is supposed to inform decision-making and enable decision-makers to calibrate defenses to protect an organization and make it more resilient. You won't be able to provide good support if you can't communicate in a way that works for your stakeholders, or (28:20) communicate in a way that the intelligence is received positively, or received and used effectively. So learning communication skills is super important. Beyond that, relationship building, this is a big topic. I don't like to say networking, because networking is kind of transactional and super corporate, but building relationships is something that has helped my career in every (28:42) single stage. It's super useful in CTI because, as mentioned, it's a support function. We're supposed to be supporting other teams. Without building relationships, it's a lot harder to provide that support and it's much harder to build a reciprocal relationship whereby you're receiving relevant information, that timely information, and then also able to give good quality intelligence when it's needed. (29:04) The ability to build good relationships, underpinned by communication, I think, are two incredibly important aspects of CTI. Awesome.
Pedro Kertzman (29:12):
Now I feel you. I was in a meeting the other day and somebody brought up that a big university actually has a meetup on how to make relationships and friends for, you know, young students, and I'm like, oh my God, it sounded like a... it's...
Josh Darby MacLellan (29:32):
It's an interesting one, because I think it's shouted about a lot. You know, you go to LinkedIn, you look at different posts and articles published about careers and career advice. Everyone's saying, oh, you know, like, make sure that you network, build a brand, expand your network and impact, but so few people take the time to really walk you through, like, how (29:52) to, quote unquote, network and how to build relationships. To me it's like training any muscle. So few of us are born naturally gifted at communication in all of its different facets, or are instantly good at building relationships. And, like a muscle, it takes work and it takes continuous practice. It takes feeding your body with the right information to fuel (30:17) those muscles, and then it also takes going out there into the industry, or the gym, to work it out. And then it's just constant repetitions, and things only improve if you're constantly gaining that exposure therapy and working through every single relationship building opportunity, awkward or not awkward, to a point whereby you've gained good practice to be better at that particular (30:40) skill set. 100%. Awesome.
Pedro Kertzman (30:46):
And one big topic, especially within the overall cybersecurity industry nowadays, it's AI. Any impact, insights, you name it, specifically about the CTI space, that AI is having?
Josh Darby MacLellan (31:05):
Yeah, AI. Everyone's favorite buzzword of the year. Yeah, it's an interesting topic. I think the most concise way to think about it is it's a double-edged sword, and I think it's got benefits for defenders and those in CTI, and it also has benefits for attackers. I don't think AI, machine learning, has proven today to (31:28) make cyber threat actors exponentially more dangerous. That could happen in the future, but right now we aren't seeing as many. I don't think cyber criminals and threat actors are fully utilizing the full benefit of AI, so I don't think we're doomed by it. But I do think it's incredibly important for CTI analysts to (31:49) learn how to leverage AI and machine learning tools. I was listening to a podcast with Scott Galloway and he was talking about that. Your job won't be replaced by AI, but it will be replaced by someone who can use AI. So when we think about a CTI analyst, it is an incredibly tough job and there is so much information to process and (32:11) exploit that if you're doing this all manually, with minimal automation and with minimal assistance by machine learning tools, it's going to be incredibly challenging, and then you'll be out-competed by someone who's faster because they are taking full advantage of the full suite of tools out there. So I would say it's a double-edged sword. (32:32) It presents a risk to CTI analysts who are more resistant to using AI tools, and I think it's got huge potential upside for organizations and teams who are looking to incorporate it to speed up their pace of work and make them more effective.
Pedro Kertzman (32:50):
No, that's a great point, I think. On the other topic as well, we were talking about communication. Right, sometimes, especially now, the LLMs we have can help with writing better emails, more engaging emails, better communication. If you're not, if you're just attacking a co-guy super nerd, but you're not there yet from a communication standpoint, maybe (33:13) they can leverage that to write down good, you know, emails, or engaging emails, and so on.
Josh Darby MacLellan (33:22):
Yeah, yeah, I do think that it can help do some of the heavy lifting when it comes to writing. It's also a great way to edit and check work, but what I've noticed is that nowadays, currently, people can spot when (33:42) something is AI written or generated, generally speaking. So I do always recommend: use AI tools for the heavy lifting, but make sure that you're still adding your own kind of humanized flair to it and give it your own style, your own tone and your own voice. The other thing that I should add is AI tools are incredibly (34:04) helpful for people whose first language is different to the language they work in, or vice versa, and they've got to come up with reports that either translate material from other sources or they are trying to come up with reports in a language which they've got less practice in. AI tools are a great way to translate things and to also act (34:26) as your own editor. They can do it incredibly quickly. So that, to me, is one huge benefit, is it does kind of open up different opportunities to work in languages that might not be someone's strong suit.
Pedro Kertzman (34:39):
Got it, thank you. Any pitfalls you've seen along the way, either creating a CTI team or trying to advance the team to, like, a higher level? Any pitfalls or things to mention that people maybe shouldn't repeat?
Josh Darby MacLellan (34:54):
One of the biggest things I think CTI teams are being tested on right now is proving their value and shifting the perception that they are a cost center that's expendable. This was one thing that I really liked that came up at the SANS CTI conference this year: rethinking CTI as supporting decision-making and taking it a step further by viewing it as an (35:17) essential tool in organizational resilience. Right now I've noticed some CTI teams are going through layoffs and cutbacks and they're having their tooling reduced because, number one, they're expensive, but, number two, they haven't been able to translate their value into a language that decision makers and business leaders understand. (35:37) So for me, it's an ongoing struggle, but incredibly important, for CTI teams to be able to demonstrate their value, do good work and then tell everyone about it. I think it's again why communication is so important. It's because if you're doing the best high-quality analysis and assessments and that's helping to prevent different (35:59) attacks and future intrusions, if you aren't giving that message to the right people, they'll still hold that perception that the CTI team is not as essential as our other cyber teams. They're all a nice staff that we can get rid of if we need to. So that's one of the biggest pitfalls that I see with CTI teams, is they're struggling to communicate. Well, we'll first quantify and then communicate their value, (36:21) and I'm glad that this is starting to get recognized more and more, because I've started to see more conversations around KPIs, metrics and KRIs, and CTI teams are starting to adopt them, which I think is definitely needed if we want to avoid and develop through these pitfalls that CTI teams are facing.
Pedro Kertzman (36:39):
Awesome.
It feels a little bit that, trying to think on an org chart for CTI teams, if we have, across the board, management, even the highest rank for a CTI, uh, leader in the organization, if we're just looking for people from technical backgrounds,
(37:01):
super technical, skilled people, but they don't know how to properly, quote unquote, sell the value or the worth of their team, it might not be like a long-lasting, uh, initiative.
What do you think?
Josh Darby MacLellan (37:18):
Yeah, that's a really good point.
How many folks in CTI know how to sell? And obviously vendors, different story.
But thinking about the, like, in-house nuclear CTI team, how many of them have got practice at selling the value of their program to people outside of cyber?
And I think that's also why there is a role for translators
(37:39):
in CTI teams, the people who pivoted from other sides of a business into a cyber threat intel team, because they will know a language outside of CTI and outside of cyber, and typically a lot of decision makers and executives, their language is around risk and dollars.
Their language is less around threats.
So having some people on your CTI team who can speak that
(38:05):
language is incredibly important.
And then again having people who can sell, that's massive.
Awesome.
Pedro Kertzman (38:12):
Um, and what about the future of CTI?
What would be your vision for it?
If you're going to throw some predictions, you name it, how you see the industry moving, some trends around CTI.
Josh Darby MacLellan (38:27):
I think CTI is going to go through a bit of a struggle in the short term.
I think the next four years are going to be incredibly volatile and I think that there could be some economic pain, and in those situations, some CTI teams will come up to battle with the
(38:48):
problem of proving their value.
But once we have worked out and refined ways for CTI teams to communicate their value effectively, I think CTI has some very green pastures ahead of it.
Thinking about the threat trends we're seeing, cyber attacks aren't going away.
(39:09):
They aren't decreasing in their volume or severity.
We're seeing the opposite, and at the same time, we're seeing a more fractured geopolitical landscape, and with more fracturing comes more potential tension points and flash points.
So, with that in mind, I do think that CTI does have a very strong future and through these crises, it's gonna be in demand,
(39:32):
as organizations will always want to have foresight and understand situations that could impact their organization.
Pedro Kertzman (39:42):
Awesome.
Any technology in particular, or type of technology, I should say, that you think is something to look at for CTI teams?
Josh Darby MacLellan (39:50):
I would take full advantage of the machine learning and AI tools that are being made commercially available at a very inexpensive price.
Test them to see which of your workflows they can help speed up and what the limitations are.
I don't think any of the tools like ChatGPT, Perplexity, Claude,
(40:15):
et cetera.
I don't think any of them can do useful, actionable intelligence analysis that will help your organization, primarily because they don't have all of the data and the understanding of your internal organization, but there are certain aspects of the intel cycle they can really help with, and it's worth exploring how you can quicken your collection, structuring,
(40:40):
processing and exploitation of data.
That gets everything ready for the human analyst to do the analysis stage.
I think that's where there's a lot of potential value add.
So I would encourage teams to take full advantage of these tools that are being published continuously, because threat
(41:02):
actors certainly are, and we need to be moving at least in lockstep with them, ideally one step ahead.
Pedro Kertzman (41:08):
Awesome, Josh.
Thank you very much.
Super insightful conversation.
I really appreciate it.
Any closing thoughts?
Josh Darby MacLellan (41:16):
My closing thoughts are cyber threat intelligence is an incredibly interesting field.
The threat landscape is shifting so much and you spend your time analyzing new types of attacks and new types of attackers, and this, I think, keeps it incredibly stimulating intellectually and challenges you to be continuously
(41:36):
increasing your skills and your tradecraft, because you aren't just in competition to meet certain quotas or to hit certain revenue each quarter.
You're in competition with the threat landscape and with threat actors, so it keeps things incredibly interesting.
So for anyone who's curious about CTI, I strongly recommend
(42:00):
diving into it, learning more, spending time on some of those online conferences, online courses, taking advantage of open source threat intelligence platforms and open source data feeds, and really getting to grips with what the day-to-day looks like for a CTI analyst.
Pedro Kertzman (42:18):
Awesome.
Thank you again, really appreciate it.
Super insightful conversation and I hope I'll see you around.
Thank you.
Josh Darby MacLellan (42:26):
Definitely. Well, thank you so much.
Bye for now.
Bye.
Rachael Tyrell (42:31):
And that's a wrap.
Thanks for tuning in.
If you found this episode valuable, don't forget to subscribe, share and leave a review.
Got thoughts or questions?
Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast.
We'd love to hear from you. If you know anyone with CTI expertise that would like to be interviewed on the show, just let us know.
Until next time, stay sharp and stay secure.
(42:53):
We'll see you next time.