Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Scott Scher (00:00):
Being an intelligence professional first and a cybersecurity professional second.
Rachael Tyrell (00:06):
Hello and welcome to Episode 9, Season 1 of your Cyber Threat Intelligence Podcast. Whether you're a seasoned CTI expert, a cybersecurity professional, or simply curious about the digital battlefield, our expert guests and host will break down complex topics into actionable insights. On this episode of Season 1, our host Pedro Kertzman will chat with Scott Scher, who is a CTI Associate Director but is
(00:28):
also a trained CTI analyst with expertise in nation-state threat actors and cyber criminal groups. Scott spent many years combining his education in international
Pedro Kertzman (00:36):
Scott, thanks so much for coming to the show. It's great to have you
Scott Scher (01:01):
Yeah, Pedro, thank you so much for inviting me out. I look forward to our conversation today.
Pedro Kertzman (01:05):
Awesome. Usually I start asking the guests their journey into CTI. Would you mind walking us through that, please?
Scott Scher (01:14):
Yeah, of course. So actually, I might be one of the few people who could say I knew I wanted to go into CTI, or at least the cyber kind of policy world, before actually kind of starting that journey. My journey really started, I spent a handful of time living kind of in a non-technology based kind of environment.
(01:36):
I'd spent a few years kind of living off the grid for a little bit. And after doing that, kind of realized that most people weren't really prepared to survive outside of modern convenience, right? The technology we use every day. And then I started asking myself, okay, well, what do I want to do with the rest of my life? And, you know, what am I good at?
(01:56):
You know, it's, hey, politics and policy is kind of my background. And then... realized, hey, you know, like, into technology and cyber, and knew that cyber kind of existed and knew this was a thing, right? This was late 2012, 2013 time, and it was, okay, well, I think this is what I want to do. So I went to university for, you know, to study
(02:18):
political science, international security policy, and public policy, all with a focus on cyber security. Uh, so that was really kind of my journey. It was kind of roundabout, but directed towards cyber, and everything that I did kind of moved me towards moving, getting into a CTI analyst position.
Pedro Kertzman (02:34):
Oh, that's awesome. That's awesome. And, you know, if we were thinking about like pivoting from like a political or studies background and general intel type of role into more specific, into like a CTI specific type of space, like intel first and the cyber aspect
(02:59):
of it second. Any insights on how to do that move, or that you learned doing that move?
Scott Scher (03:06):
Yeah, absolutely. So, uh, yeah, I like, you know, you used the term that I, that I kind of like to talk about and say a lot. The way I was taught and trained to do, uh, intelligence and do CTI work, uh, and my team, my, one of my old teams, we really kind of all kind of focused in on this, was: we are intelligence professionals who do cybersecurity. We're not cyber
(03:27):
security people who do intelligence. And kind of what we mean there, right, is, uh, intelligence has been around for decades, right? The, the intel community, the way you do intelligence processing, analysis, the life cycle, all of that is really well developed and not new. Uh, and that is the foundation of really of all the, the intel side, right? Even on the
(03:49):
CTI perspective, it's really understanding how to do that intelligence, how to process the information that you're getting, turning it into something that's actionable, relevant, timely for your stakeholders. That's really the key. And then you learn the cybersecurity aspect of it as you go, right? You learn the technologies, which are super important, and you need to understand how computers work and that
(04:11):
foundation there, but you do it from a lens of here's the process of intelligence and analysis work.
Pedro Kertzman (04:17):
Got it. And then you add up the cyber aspect into that, solidify.
Scott Scher (04:20):
Exactly. You add the cyber, the specific threat actors, right? It's really the idea that you can, as an intelligence professional, right? Intelligence can happen in lots of different industries, different subject matters. It could be a geopolitical intelligence analyst. You could be, you know, a cyber analyst. You could be a, you know, in any of these kind of spaces and
(04:41):
kind of move around. And it's really the process that is, that that's driven by it. And then you can, you know, you have to add in that, that topic there, who the threat actors are, who the, you know, how they do what they do, their behaviors, their tactics, techniques, procedures, all that
Pedro Kertzman (04:55):
kind of stuff. Yeah. Military weapons,
Scott Scher (04:58):
military technology assessment. That was, you know, some of the education background, you know, that I spoke about was specifically around, you know, how do you compare systems to each other, right? Like take a, you know, is it important to buy a new F-35 or buy 15 F-15s, right? Like where's the, like, technical capability there. So the analysis is really the same.
Pedro Kertzman (05:18):
Awesome. And then you're mentioning about your teams and building that around the intelligence framework and expertise. From a CTI specifically, any like... do's and don'ts or best practices, how to start like a good CTI program, solidify it, and how to make sure CTI is
(05:42):
properly understood across the board?
Scott Scher (05:46):
Yeah, that's a really good question and something that luckily a lot of my work experience has kind of been around. A lot of the teams I've been on and joined have been either brand new or fairly new, and a lot of it is around building that program. Awesome. So the first thing I would say, probably the most important
(06:09):
thing, is really getting a handle of your process. And that can be something as intricate as, you know, going through the entire intel lifecycle and building specific processes for each step, you know, and going through. But it's really getting your idea of, you know, how you're going to do intelligence as a team.
(06:29):
And, you know, that's sometimes bespoke. You know, every shop kind of has a different way that they sort of do intelligence, but it's all based on that, you know, what we talked about earlier, you know, that foundational, you know, analysis process. But it's really defining all of that, getting, you know, and now into the CTI spaces, defining your data models, right? Like how are you defining terms? You know, how are you doing the analysis work to, you know,
(06:53):
link threat actors together? Like what does attribution kind of look like for you? How much of a, you know, kind of like thinking quantitatively, is like how much of an overlap do you need in order to understand that this might be related to this other threat actor? It's really that first piece is that is building that process. Some other really good pieces there are just your pipeline
(07:19):
from your collections all the way to your finished and your output. Really being able to understand that whole process start to finish, what it looks like, where you're pulling all your data sources from, and then what you're doing with them, because that's the most important. A lot of places we tend to collect a lot of stuff and then it's, oh yeah, there's these 150 reports that I have on my
(07:41):
desktop that I've never opened and read them over, you know, I'm reading them here and there. It's, you know, making sure you have that, you know, start to finish. And then it's really understanding your stakeholders, right? And I think this will lead into that last piece of, you know, that question of how do you, you know, kind of make it understood across the board, you know, from your stakeholders, is getting to build those relationships and understanding
(08:04):
your stakeholders, right? We talked about in CTI intelligence requirements, right? You're, hey, how are you understanding what it is that your company, agency, whatever it might be, does what it does, and how do the individual teams that you are there to support, how do they do what they do? What are their main metrics of success?
(08:24):
What are their obstacles in order to achieve their mission? Really getting an understanding of what intel can provide to make their job easier, better, more effective, because that's really, in the end, we as intel professionals, we're a support function, right? I know, and I more so maybe than others.
(08:45):
Like I like to be a, intel's in the lead and we were in the front and we do, and we do everything. And that is kind of the model now, right? That like threat informed defense and intelligence led penetration testing and all these new things that are coming down from regulators and frameworks and all that. But, uh, even with that being said, yes, we may drive that action, but it's really to drive the capabilities of those teams
(09:07):
that we're there to support.
Pedro Kertzman (09:08):
That's, that's great to hear. And, uh, if I can maybe break down in two separate topics that I heard you mentioning that are super, I think are super important. First one is like, doesn't matter the amount of information you're receiving, if you're just piling that up, it's not actual intelligence per se, you're just receiving feeds and
(09:33):
reports and all that. If you don't actually transform that data into actionable something, it's not actually intelligence, right? So you cannot produce an action coming from that pile of, of data. Any
(09:56):
pitfalls around that, you name it, open-ended feeds, piling up feeds or piling up reports, any pitfalls on those aspects or any other consumable source of information that maybe avoid this or focus on that type of approach?
Unknown (10:19):
Yeah.
Scott Scher (10:20):
That's another good. Actually, I really do like the way that you broke it down there, drilling that question down a little bit more. With pitfalls there, I think the first and foremost is the over-collection piece of it. I think that is a big pitfall that we all fall into, is we need to collect everything or we need 100 data sources and we
(10:44):
need every threat intel vendor and we need all these things. If you're not doing much with it, your point, right, it's not actually intelligence, right? You're collecting data, you're collecting information, but you haven't transformed or you haven't analyzed it and turned it into that. Uh, so really that first piece, and the best way to kind of, you know, approach that is, you know, kind of narrowing your sources down, go through your sources and, you know, do an efficacy of them, evaluate
(11:08):
the, what you actually are collecting from them and how often you're using it, what it's being used for, right. To what we talked about a little bit earlier of having that start to finish, uh, you know, end to end understanding of your process. If you are tagging your reports with their sources, you can go in and see, hey, how often do I use this source?
(11:28):
Maybe I don't need it anymore. Maybe it's, or maybe it's a, it only gives me a little bit of data that's actionable every once in a while, but the actions are really, you know, high value. You know, those are all kinds of things to think about. What I would also say is when looking at that is, you know, I always kind of move towards a little bit more on the quantity over quality piece of it is, you know, even if you only have a
(11:50):
handful of sources you can, if you're, if they're all providing actionable, you know, data that you can then turn into intelligence, or at least turn into something that is usable for your stakeholder, then they're of value. And you may not need more. Obviously, the more mature you become, the more data you can be able to consume. But until you get to that point, it's always better, I
(12:12):
think, to start slower than it is to start and move too fast. Yeah. Yeah, was there any other questions around that, kind of like the collections and the pitfalls or anything that I didn't
Pedro Kertzman (12:28):
answer? Now that you mentioned this particular piece, if there is any recommended frameworks on how to analyze the efficacy of a given data source? NIST? Yeah. Any other publications around that that you would recommend to the people listening that want to kind of fine-tune their
(12:49):
collection of data and trim it down to the most useful ones? Any recommended frameworks or standards to put as a filter through their collection of data?
Scott Scher (13:03):
Yeah, that's really another really good kind of drill down on the topic for the audience. So what I would say is the first piece on just the value of the intelligence and how much it's being used in action, that's really something you probably want to build internal, right? Because action is, you know, relative, right?
(13:24):
Like, or like value is kind of relative to your organization. So, you know, an IOC feed could be valuable, even though like we always say, IOCs aren't, you know, always valuable. They have a value. They're just not maybe as valuable as some other things. And if you're feeding your defense teams with good actionable indicators of compromise, that is a valuable piece of intelligence that you're providing, right?
(13:46):
So it's not always good, bad there. So one piece, make it internal, but the advice I would say is, again, mapping it to actionability and relevance and that seed. The other thing in terms of actual frameworks, not so much for the value of the source, but really a little bit more in the
(14:07):
reliability of the source, but it also gives you... inputs for value as well, right? Like, it kind of is built in there, and it's the Admiralty Code. It's what NATO uses for their sourcing. It's all public, open, you know, you can kind of pull it down, something we built in, right? And it basically gives you a ranking system to say, this source is reliable, this source is highly reliable, right?
(14:31):
Like, it breaks you down all the way to where, you know, value as well, like they're trustworthy. Same thing, we use it not just on sourcing, but I've used it and recommend using it for, uh, you know, when you're evaluating threat actor claims, right? We deal with a world where there are criminals, cyber criminals out there who are saying they do things and they don't always tell the truth, right?
(14:52):
So there are times when, you know, a threat actor posts someone's data on the internet and says, hey, we compromised this organization or we did this website defacement or this DDoS or whatever, you know, their kind of, you know, bread and butter is as a, you know, their MO is a threat actor. And it's, I've used it for validate or, you know, evaluating their reliability, their trustworthiness.
(15:15):
How often does this threat actor actually have the data that they claim to have? How often are they actually, have they done successful operations against a sector or things like that? So you can use it that way as well. That is what I would say is the best framework for evaluating how much this source provides you value.
Pedro Kertzman (15:33):
That's awesome, thank you. I heard the other day somebody say, how could you not think threat actors would sometimes try to sell snake oil as well. So all those claims like, oh, we got X amount of terabytes of information. Like, come on, you have to validate that.
Scott Scher (15:51):
These are criminals, right? Like, should we always trust them? Maybe not. Unfortunately, sometimes they're the only source that we have to go off of. But again, it's while you're tracking, right, which is part of your analysis and, you know, the core of your CTI function. Like, you're probably tracking threat actors, you know, even, you know, depending on the maturity of your organization,
(16:12):
the individuals in forums talking, you may know and track certain ones. You can evaluate them in the same way as you do your legitimate sources and say, this threat actor is usually telling me the truth. They're an initial access broker and they usually do have access. So when they make a claim, I'm going to trust it a little bit more than I would someone else, or something like that.
Pedro Kertzman (16:32):
Absolutely. Yeah, that's a good point. If they are one of those... pieces of the puzzle, like just an info stealer, initial access broker, so on. So those guys trying to sell stuff to other bad guys, yes, they might rely more on their credibility, so they need to be
(16:54):
careful, but still, they are bad guys. So you need to always validate if their claims are actually true or not. Coming back to the first initial breakdown of that previous topic, you were talking about stakeholders, right?
(17:14):
And how would you mind expanding a little bit more on that? Like how to, quote unquote, sell CTI internally for different stakeholders, strategic level, executive level, when it, you name it, internally, in general, any best practices around that?
Scott Scher (17:36):
Yeah, so in terms of just kind of, right, like selling CTI, right, that is, it's the nature of the intel space, right? You, even internally, we're doing the same things that all the other, you know, customers, you know, salespeople and vendors and all that are always doing. How do you sell your service? Because, and that's really the way we should be thinking about
(17:59):
it. And the reason I say that is because that gets at the heart of answering this question of think of yourself as the same way marketers think of, like, the marketing team and the communications team. Your job is to market CTI, right? Like you need to get your stakeholders to understand that this is something that is valuable and that this is
(18:20):
something that they want to consume and they want to participate in and they want to go to you to ask questions instead of going to somewhere else or figuring it out on their own. And like you need to sell it, right? So part of that is to, you know, what I mentioned earlier, is understanding their needs. Right? Like again, think of yourself as a support. You're there to sell your service.
(18:41):
So one, your service needs to be pretty tight, right? That you need to have a good understanding of what it is, how you do what you do so that you can sell that. Second, that process piece, right? Like having that process really understood and defined, it's very easy to go to a stakeholder rather than, you know, which is what, how a lot of us do intelligence requirements gathering, which is kind of how you get at understanding your stakeholder and their needs and their pain points and all of
(19:02):
that is, instead of, like, a lot of times we go to them and we say, what are your intelligence requirements? And they say, I don't know what an intelligence requirement even is because this is the first time I've ever talked to someone who's got intelligence. I don't know what you mean. So not always directly asking them. Sometimes, right, the maturity of your organization, you may be able to go in and just ask for or eventually get to a point
(19:23):
where you can just have a conversation about intelligence requirements. But it's selling it that way. So using the terminology they may be familiar with, it's getting them kind of like we're doing right now and just having a conversation about, well, what do you do here? How do you do what you do? You know, all that kind of stuff to get those intelligence requirements. But it's also around, you know, what makes it easier sometimes
(19:48):
is when you do have that process built out is going to them and saying, we offer this, right? Like we, as the CTI team, can do, you know, cybercriminal underground monitoring, right? Or DDW, depending on who you talk to, they may use a different term. Or, hey, we can provide threat actor profiles on the most
(20:11):
relevant threats to our organization. Or, you know, we can do, you know, enrichment of case data that you're seeing for the actual, like, you know, incidents that are happening or the activity that's coming there. Basically offering your services the same way you would in a catalog, in a menu, in a vendor, you know, system. This is what we offer, rather than always coming and being
(20:34):
like, tell us what you want from us as the CTI team. Because a lot of times they don't know. So again, it's... No, I love it.
Pedro Kertzman (20:49):
Yeah, it reminds me of the famous Henry Ford quote. If I asked people back in the day what they wanted, they would say faster horses, right? So that's super interesting, insightful to understand your kind of audience's own goals.
Scott Scher (21:06):
Absolutely. Understand your audience, right? That is the key. And I think that dives into that last bit of, you know, particularly how do you do this to senior leaders or in a more like executive or strategic kind of a stakeholder. It's really, what I would say is, and sometimes some people may think of it this way, sometimes it kind of gets lumped together, but when it comes to intelligence work and CTI is,
(21:30):
there's your tactical, your operational, and your strategic, which is kind of what we're going to focus in on. But there's also a piece that could be kind of sub-strategic, which is executive. I know sometimes that might not seem like they're different, but they could be if you want them to be, and they don't have to be, kind of thing. It's, you know, kind of how you guys, how your shop may do
(21:50):
things. But in terms of, you know, the idea of executive is it's what is most relevant to the business in terms of business, right? And what I mean by that is what is it that your company, your organization, what do you do from a business perspective? And how does all of this CTI stuff that you're talking about, how does it translate to business?
(22:12):
Is it business impact? Is it, you know, hey, we're talking about ransomware, we're talking about this, like, what's the dollars, right? Like business likes to talk about money, right? Like a lot of your senior stakeholders, your executives are going to be, if it's not the CFO, right? Like you're going to be tied into what the finance officer is thinking. And they're thinking, how much is this going to cost us in whatever, you know, stands that might be?
(22:33):
That could be resources, downtime, whatever. Like, and then how do you translate it into that? How do you translate what you're talking about from a cyber threat, right, threat actor is, you know, likely to target our organization because of blah blah blah, like what is it, like how does that translate to business risk, right? Like one of the team key stakeholders is your risk team, uh, and it's understanding like what's the
(22:55):
except what, what's risk for, for the organization? How do you translate threat into the business side of, uh, of your organization? And I think that's really what it comes down
Pedro Kertzman (23:05):
to. Perfect. No, that's super insightful. Thank you. To maybe follow up on that, you're mentioning risk, right? And that's, I would say, with risk, combining risk with dollar value, sometimes it's, quote unquote, easier to communicate
(23:25):
with the higher levels of the organization.
Unknown (23:29):
Yeah.
Pedro Kertzman (23:31):
How you explain the differences between threat and risk? How you start migrating maybe from threat to risk, or tying those things together when you're going to explain this to the stakeholders?
Scott Scher (23:48):
Yeah, so that's a really good question. That's a really good one that we should definitely talk about. First thing I'll say is threat doesn't actually equal risk, or doesn't always equal risk. They're not always the same. They can be, but I think they sometimes get misused or become
(24:11):
synonymous for each other and they're not always. A key element of understanding risk, but it's only one piece of that, right? It's not the same. And in terms of that, right, like that kind of what that really means is, you know, something could be a high threat, but it might be a low risk, right?
(24:32):
Like threat is really the idea that, you know, and I'll break the formula down just because it's the kind of look at threat, and this may be different for everybody, but threat is in a combination of the intent, so it's understanding the threat actor, it's their intent, their motivations, like why they're
(24:52):
doing what they're doing, what is it that they're trying to do, their capability to do said thing, and then their opportunity to do it, right? Like those are really like the three, like the intent, capability, opportunity. And that kind of breaks down to any number of things, right? You have the motivation of what they're trying to do, whether they're financially motivated, espionage, whatever it might be. The other component of intent is would they do what they try
(25:15):
to do against us as an organization, right? Like if they're an espionage actor who's going after, you know, grants and research. Maybe if you're a finance organization, you don't act like they're not likely to want to target you specifically because you don't have the thing that they want. So they may be capable and they may have an opportunity, but they don't have the intent to go after you. So, you know, that's how you kind of do the threat.
(25:36):
The risk piece is really, okay, let's say they have intent, capability and opportunity, some, you know, measure of that. And now you've come up with a threat assessment and now it's, well, what is the negative consequence of this thing happening if it happens. And that's really where you get into the risk, right? The traditional is just the impact, right?
(25:58):
Like that's kind of how you talk about risk. But what I would also say is impact and likelihood, which is very much the major components of risk, play a lot into threat as well. I use those for my assessments also with like, you need to have some understanding of that to say that something is, with whatever confidence you have in the data, that is the level of
(26:19):
threat that it is. So it's not exclusive to risk, but the thing that I think is exclusive to risk is, how does this, what's the negativity from, or like, you know, the, the consequence here for us, right? If a threat actor has intent, capability, opportunity to do something and they do it, what is the actual, like, outcome of that? Is it reputational harm? Is it financial harm? Is it our
(26:42):
business goes, is down and we go out of business forever? Is it, you know, lives lost in certain situations, right? Like depending on the industry, depending on, you know, the threat actors and, you know, where this is, if it's, you know, kinetic space, if it's a hospital, things like that. Uh, you know, working in government for a little, for a while, right, like this was like, you know, you're taking care of like the energy, you know, or the water for, for a
(27:05):
company and things like that. Uh, you know, for, for city, they, uh, you know, there could be very high risk, then it can be very low risk, right? Like if, hey, this is a threat actor and they, you know, deploy malware or whatever, but they target HR systems, right? It's like, okay, cool, maybe that's not as bad for you as an organization than if
(27:25):
you're ICS, if you're also in like, you know, that space goes down. So that's really where the risk is. It's like how critical is the thing that's going to be impacted or the action on objective that the threat actor takes? How is that going to impact us?
Pedro Kertzman (27:40):
Yeah, no, that's perfect. And kind of reminds me, we spoke a few times on other episodes, of course, especially when we're talking about the cybersecurity space, CTI got to have a lot of technical understanding of what's going on. So technical people, you know, reverse engineering sometimes
(28:04):
and all that. But if you don't understand your own business and is able to translate stuff back and forth, especially when you're talking to stakeholders, you're mentioning there are probably more aware of risk, only not threats but risk only and dollar value associated to risk, if you're not able to translate
(28:27):
there, you're gonna probably be talking gibberish, uh, to people and they won't basically get your back, right?
Scott Scher (28:35):
That is exactly right. To, to, you know, a lot of, I think a lot of what we've talked about kind of led us to where we are right now in this, in the conversation, right, is, uh, that is right. Intelligence needs to be actionable. If you don't put it into, and you don't understand your audience, you don't understand your stakeholders and what they, the business piece that they do or their component of your
(28:55):
organization, then it doesn't become actionable. Right. If they can't understand it, or they, it doesn't translate, not physically translate, but it doesn't, like, translate in their minds to the thing that matters to them or their, or their grasp of it, then they're not going to action it. They're not going to know how to action it. Right. Like there's any number of things where it's not, you know,
(29:15):
you never want to attribute malice to, you know, a mistake, like, but there's always that piece of it, of it can't. And then it's not intelligence anymore. Right. If it's not actionable, like even if you write this amazing threat intel report and it's, hits every mark of what CTI should do, every single component, everything in there. And then you give it to the person as a senior leader or,
(29:37):
you know, right. We're talking executives and strategic, and you give to somebody who needs to make a security deployment decision on, like, should we buy a tool, should we not, you know, or whatever, and they don't understand all the stuff that's in there, then it doesn't really matter, right? Like, it's cool, you wrote this awesome intel report and other intel analysts are gonna read it and be like, this is great. And then the person making a decision is like, ah, yeah, I
(29:58):
didn't understand that this, oh, you meant this meant that if we don't deploy this technology that we're gonna lose a million dollars, like, oh, I get that.
Pedro Kertzman (30:05):
Yeah,
Scott Scher (30:06):
exactly.
Pedro Kertzman (30:06):
That's a perfect example. Next time you write a report, you put something like this: if we don't do this, people in the hospital will die, right? So, or, you know, we're going to lose a million dollars if we don't do this. So if you write, you start with something, everybody probably heard of it, executive summary, you start with that.
Scott Scher (30:30):
That's the risk. Yeah, always, right? Like for intel writing, we're the bottom line up front, right? Like put the most important piece of information in the very first sentence of every single paragraph that you write, right? People usually think of it, oh, executive summary. You put all the important information in the top and then you talk all the rest. And that is absolutely the structure and truth. But you should be, especially as intel analysts, right? Like we're writing, you should be writing every paragraph as a
(30:53):
BLUF, right? The first sentence of everything you write should be the most important thing they need to know. So if they don't read any of the rest of the six or seven sentences in your paragraph, they know the thing they need to know, right? Hey, this is going to cost X amount of dollars or this threat actor is going to cause this impact or whatever it might be.
Pedro Kertzman (31:09):
Yeah, and I agree that you can never control their decision after they're reading a report, but at least you know they saw that, right? That's the quote-unquote main goal. Make sure they know it, right? That's the risk. If we don't do this... The likelihood of having this risk coming to fruition is this
(31:34):
or that, or that's the consequences that we could face if that happened, kind of thing. No, that's perfect. So you're mentioning about understanding your stakeholders' goals, their metrics, their own metrics. Do you think it would be valuable for other CTI leaders to actually go in and, quote-unquote, interview their
(32:00):
peers or the other stakeholders to better understand what are their motivators or triggers, metrics, so on and so forth?
Scott Scher (32:09):
Yeah, absolutely. So that's actually, you know, if anyone who isn't a CTI person is listening to this, you know, in the future, what you just asked is what the term intelligence requirements gathering really means. It means go interview your stakeholder and find out everything you can about them and the things that they do and
(32:30):
why they do it and how well they've been doing it, what's been causing them, you know, problems in there for their team. You know, one of the things I always like to ask about is their pain points or their obstacles. What is preventing you from doing the things that you need to do? Because there may be a place for CTI to be like, oh, actually, we can help. If you're not getting something you need, maybe CTI is the team
(32:53):
that can help give you that. Is there an obstacle that CTI can help support? So yeah, the interview piece, that is really the key there. And it's around building a relationship, which is the first piece of it, but then it's asking the questions to get to really understand their function, because that's really what it comes down to, right? It's understanding what your stakeholder does.
(33:16):
And then it's also trying to understand how they do it. And then it's understanding what causes them to do it, right? Their triggers, their inputs, whatever it might be. Because then from the CTI perspective you want to tailor the way you support them into that, right? You want to say, okay, your function
(33:38):
is, you know, if you're a SOC, it's, you know, first line defense of the organization. So that is the function that you do, right? And then how you do it: where's your runbooks, where, what are your playbooks, what are, you know, you all, what is your actual process from start to finish of, hey, an alert comes in, what do you do with it? Like, what's the process? And then the other piece is, okay, well, what triggers your action? For
(34:00):
the SOC it's easy, right? It's an alert comes in, you see some kind of malicious activity, whatever it might be. So then from CTI we understand that we can then go in and say, okay, we wouldn't necessarily be a trigger or an input, because we're not going to give you alerts and things like that, but maybe we can come in somewhere in your process, right? Like this is where CTI should be and this is where our intelligence should
(34:23):
go. And depending on what that process is and where it is, we would tailor, and that would dictate the format that we give you intelligence or the type of intelligence that we give you, right? The SOC, it's going to be more tactical, but is it tactical in a report? Maybe not, right? That's probably not super useful for the SOC analysts trying to determine if the activity they're seeing from an alert is bad or not, is to go and
(34:45):
that'll be, okay, let me read this report, right? Even if it's a short report, it's like, I don't have time to do that. Maybe it's, you know, maybe it's, you know, here's a detection rule, or here's, you know, TTPs that are associated with, you know, the types of alerting that you're getting, right? Like, and I use the SOC just because they're an easy example. They're an easy support from CTI to their team. But one of the things, and I can give like a concrete example
(35:08):
here of kind of how we can do this pretty well, is working with the SOC to understand, well, what types of alerts are you seeing on a daily basis, right? Like, take a month of activity, like sit with your SOC manager and talk to them and be like, okay, over the last month, alerts were investigated, right? Let's, what true positives were
(35:30):
actually looked at, right? Not incidents, you know, depending on how you are, you may classify something an incident, someone else might not. Like, let's just say like the things that were activity that caused your team to investigate and look at and make a decision on, what you want, right? Like the intel should be supporting that, right? If we as the intel team are constantly writing reports about, you know, some keyloggers or like some
(35:52):
random threat actors who do something, and none of the alert activity that the organization sees over X amount of time that you review ever has anything to do with those threat actors or that type of malware or whatever it might be, then you're not really providing much support for that team. Now that might be useful for a different team, but maybe you don't need to give them all of that. Maybe you're seeing, which every SOC is
(36:14):
seeing, right, loads of phishing activity, loads of weird logins, like all this weird stuff, right? Like maybe the intelligence you provide to those teams should be geared towards those types of alerts. Because then it actually, hey, we actually have intelligence that might help us make a decision on, is this bad? Is this good? Like, what does this activity look like? Is it something we need to escalate?
(36:35):
All of that. And that example actually feeds me into, right? Like an example with another team, right? Like is you should also be working with your detection engineers, right? The people who are designing the alerting rules and the detections and security policies you have in place, because your intelligence should be geared towards that, right? Like you should be helping them design true detections for the type of
(36:58):
activity that is coming across the wire on kind of a daily basis, or, you know, whatever the cadence is. And you do that across your stakeholders, right? Now you go up to your executives, right? Whether it's, if it's the CISO, right, a lot, your CISO is going to be, I mean, obviously he's in charge of all the security, right? Like from the technical standpoint, but he's also in charge of resources, tool deployment, you know, all money
(37:20):
that gets allocated, budget, like all those things. So what you need to tell him or her, right? Like, and what and how you tell them is really, is going to change. And you need to understand what their key function is, right? We understand what their key function is from a business standpoint, but sitting and talking to them and saying, hey, CISO, what is it that you, like, what is your real, like,
(37:44):
action, right? Like, what do you need to do? Oh, I need to make budget decisions. I need to allocate team resources. Do we need a new hire? Do we need, you know, a new piece of tool, right? And it's okay, cool. Here's how intelligence could support those decisions. Because that's really right. Like he's a decision or, you know, the CISO is a decision maker.
Pedro Kertzman (38:03):
Awesome. Great examples. I appreciate it. That's super insightful. And, you know, we spoke a lot about stakeholders and other things, where would you learn all that? Because that's not coming from a CTI feed, right? That's more like how CTI should work in a real-world scenario.
(38:27):
Any books, conferences, blogs, you name it, sources to learn CTI overall, not necessarily, again, feeds and threat reports?
Scott Scher (38:41):
Yeah, so that's always, I think, a challenge. Not necessarily a challenge, but it's always a good question. It's always a good thing that people are kind of like, well, how do I figure all this stuff out, right? The first thing I would say is this is also something that I would... Back to our very, very first question, right? Like all the collection stuff is sometimes more isn't better.
(39:04):
So, right? Because information overload is a real thing, right? Like there's... hundreds of blogs, there's hundreds of reportings, there's thousands of people to follow, there's all these things. So with that being said, those are all things that I do, right? I follow blogs, I follow people, I read reports, right? I will say that like the learning aspect of it, one piece is, you know,
(39:27):
it's not always the, you know, it's kind of the like joke of the world, right? Like you learn on the job, right? So some of it is you learn by messing up, really is the true answer, right? So you learn by going into a hundred stakeholder meetings and saying, tell me your intelligence requirements. And then for six months, you have absolutely no idea of how to service them. And then be like, CTI doesn't provide me any value.
(39:50):
And like, we don't want this. And like, what good is this? Or give me IOCs because that's all I think you can do for me. So you learn by doing that. But yeah, and I know, right? I didn't give any like concrete examples there, I know. But just because there's so many people to follow, there's so many influencers, right? Like there's so many different things. But what I would say is reading vendor reports, reading the
(40:13):
people and the like voices in the community who are constantly putting out good analysis work, you know, and that can be on LinkedIn, it could be on social media, it can be, you know, wherever. So like there's a lot of resources there and it's not always the most popular and like the biggest thing, there's a lot of obscure things out there. Out there is constantly, on a daily basis, I'm on LinkedIn and someone's like, oh, here's this thing
(40:33):
about like a CTI process. And I sit and I read it, right? Cause I may not know it. I may even, even when it's these things I know all the time, right? Talking about intelligence requirements, all that stuff. It's like, it's still super valuable because there's always a different perspective. You know, I think that's a key thing in CTI or in intelligence in general, across cyber, across all these things is diversity of thought, right?
(40:53):
So there is a lot of different people who have come at this from a lot of different ways, and they see the exact same thing in a lot of different ways than you do, right? So even when they talk about the exact, like, let's talk about the intel life cycle, right? There's a million reports if you look at Google, right? And a lot of them, there are some that are gonna be unique,
(41:15):
right? There's gonna be even one piece of it that's unique. In terms of like books and things, you have me kind of looking at my bookshelf to see if I have anything title-wise to like really tell people, but, in terms of, I mean, just in general cybersecurity things, right? You know, reading structured analytic techniques to like learn how to do analysis work, that is always super important.
(41:36):
There are, you know, intelligence-driven incident response is always a really good one, right? Because again, that's a lot of what we talked about before is our function is to support these other teams and lead from, which is kind of weird because it's not usually the best way to lead in my opinion, but leading from the back almost, but not
(41:56):
that you're leading from the back and that turns more like leading from the, you know, from the shadows, right? If we want to talk cool intel stuff, right? Saying, you know, things like that. It's we're leading action and driving action, but we're not the forefront of it. We're not the ones doing the action, but more importantly is we're not always the one getting the credit for it, right? And that is totally okay. I mean, we should get credit and intel needs to get credit
(42:17):
that we drove action, but we don't, we're not telling people to do stuff, right? We're not saying you have to do this. It's really, this is what you already do, this is how we can support and make that better, and here's, you know, a more threat-centric approach, which is actually another book, threat-centric approach, and there's another, you know, intelligence analysis, there's a bunch of different,
(42:39):
you know, there's a lot of resources out there. Listening to, you know, podcasts like this. I'm sure you've had many a better resource and speaker than me before me and you will probably have even better after, so... Oh no, I think you're awesome.
Pedro Kertzman (42:55):
And...
Scott Scher (42:56):
Uh, oh no, I appreciate that. That wasn't a self-deprecating or downplay me, that was more to say that there are definitely good people in the industry that you're bringing, you know, together, that people should be listening to and talking to.
Pedro Kertzman (43:08):
Oh, I'm trying my best, definitely trying my best. Um, yeah, I know. I appreciate it. It's super insightful and also those sources. It's interesting. I heard the other day, one of our episodes, we were joking a little bit about if it's printed, it's probably outdated in the CTI world.
(43:29):
When it comes to threats and techniques and all that, I agree there. But when we are talking about frameworks, strategies, intelligence in general, then I would say probably you have really good books, and you mentioned some of them, that I think it's super important for people to pay attention to. Cause that's like frameworks, you're not writing a fresh new
(43:53):
framework every week. Imagine that. It would be super. Yeah,
Scott Scher (43:59):
No, you're, you're totally right. And I think making that distinction, right. I think sometimes, and I think this gets back to, you know, two things we've talked about over, you know, the, the, this whole conversation is one is, uh, you know, being an intelligence professional first and a cybersecurity professional second, you know, is it from I think sometimes people get too
(44:19):
caught up in the over-technical piece of this, right? Like, and they are absolutely correct in saying, right? And I say it all the time, right? Like by the time we get a report from a vendor or the time the government shares something, or we see IOCs like associated with a campaign or even that, you know, tactics, techniques, procedures, all that kind of stuff. By the time we're looking at it, reading it and then writing a report on it, it's outdated, right?
(44:40):
Threat actors moved on. They're not doing that anymore. Sorry, like they're gone. So they're totally right when it comes to all that stuff or, and then the technology piece even quicker, right? Like every day that some technology is outdated. So that is 100% true to the point of, hey, intelligence has been around for a while. And the way you do analysis and the way you do processing and
(45:02):
the way you do collections, that hasn't changed much. The mediums you might use to do it have, and your ability and pace and scale and scope have definitely increased as we've gone into cyber. But your analytic mindset, your, hey, I mentioned structured analytic techniques, right? Process for doing intelligence, that doesn't really change,
(45:25):
right? Like alternating competing hypothesis, that's always been a thing. And even when you didn't know it was a thing, other businesses are using this, other industries use those terms without knowing. They just, right, it's coming up with every possible idea that you have that this could be the answer and give me all the evidence that supports each one. And then whichever has the most evidence is the most likely.
(45:46):
Uh, so, uh, those foundational things don't change. Uh, yeah. Frameworks don't change too often unless you're talking about MITRE, and then there's a new version every so often, but those are pretty good updates and good changes that you want to see, you know, uh, in those frameworks. So, uh, yeah, there's a lot of resources out there. I would say definitely pay attention to the written
(46:10):
resources, even the old stuff that comes out of the intelligence community from 30, 40, 50 years ago. The process is still important.
Pedro Kertzman (46:19):
Yeah, I could not agree more. I would say some of them probably evolved a little bit. They've evolved and they've gotten better. Well, like upside down kind of thing or drastic? Probably not. I agree with you. The methodologies to do intelligence are probably more modernized or digitalized. Exactly.
(46:40):
The process is fairly similar.
Scott Scher (46:43):
And for the most part, those frameworks, even the old ones, they don't, at least in the intelligence world and the way that, like for CTI, they don't become obsolete anymore. You build on top of, right? So like we had the point, so we had the Lockheed Martin kill chain, right? That was the standard framework, you know, process for evaluating incidents and threats
(47:06):
for a long time. And then MITRE came out, that didn't mean that Lockheed Martin kill chain wasn't still useful, right? Like you should still be using the steps across the kill chain to understand when and where your threat actor does something across their attack life cycle. But now you've built on top of that methodology and say, well,
(47:27):
now let's understand the way they do the attack in each one of these steps and stages and so forth.
Pedro Kertzman (47:31):
That's a great example. Scott, thank you so much for coming to the show. I really appreciate the super insightful conversation and I hope I'll see you around. Thank you.
Scott Scher (47:43):
Yeah, no, Pedro, thank you so much again for having me and being willing to listen to me and prod me to ramble on and then talk about CTI, which is something I do enjoy doing.
Pedro Kertzman (47:54):
Yeah, no, I love that. Thanks a lot. See you around.
Unknown (47:59):
Thank you.
Rachael Tyrell (48:00):
Until next time, stay sharp and stay secure.