Cyber threat intelligence: Learn to become a cybersecurity tactician
Take a deep dive into the world of cyber threat intelligence with today's guest, Charles DeBeck of IBM’s X-Force Incident Response and Intelligence Services. Threat intelligence is all about research and storytelling, combining hands-on know-how with analytical thinking skills to make a true cybersecurity tactician! You’re not just preparing for the battle in front of you, but for the waves of attacks you’ll see in the future.
Charles DeBeck is a Strategic Cyber Threat Expert for IBM’s X-Force Incident Response and Intelligence Services. He’s had a connected passel of job titles that encompasses risk management, risk analysis and vulnerability assessment, all of which have helped him in his current position.
[00:00] Chris Sienko: It’s a celebration here in the studio, because the Cyber Work With Infosec podcast is a winner. Thanks to the Cybersecurity Excellence Awards for awarding us a Best Cybersecurity Podcast Gold Medal in our category. We’re celebrating, but we’re giving all of you the gift. We’re once again giving away a free month of our Infosec Skills platform, which features targeted learning modules, cloud-hosted cyber ranges, hands-on projects, certification practice exams and skills assessments.
To take advantage of this special offer for Cyber Work listeners, head over to Infosecinstitute.com/skills or click the link in the description below. Sign up for an individual subscription as you normally would. Then in the coupon box, type the word cyberwork, c-y-b-e-r-w-o-r-k, no spaces, no capital letters, and just like magic, you can claim your free month. Thank you once again for listening to and watching our podcast. We appreciate each and every one of you coming back each week.
Enough of that, let’s begin the episode.
[01:04] CS: Welcome to this week’s episode of the Cyber Work with Infosec podcast. Each week, I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of Infosec professionals while offering tips for those trying to break in or move up the ladder in the cybersecurity industry. Today we’re talking about a specific job within the cybersecurity ecosystem, that of threat intelligence expert. This is a job title that involves both hands-on know-how but also a great deal of analytical thinking skills as you’re identifying not only threats as they’re currently presenting themselves, but a whole host of potential threats on the horizon. Maybe you can think of threat intelligence as the tactician of security. You’re not just preparing for the battle in front of you, but for the waves of attacks that you might see in the future.
Here to talk with us about this today is Charles DeBeck of IBM’s X-Force Incident Response and Intelligence Services. He’s had a connected passel of job titles that encompasses risk management, risk analysis and vulnerability assessment, all of which have helped him to get to his current position now. We’re going to talk about similar tracks you could start on right now and what challenges you should look forward to in the future.
Welcome to the program, Charles.
[02:09] Charles DeBeck: Thanks, Chris. Thank you so much for having me.
[02:12] CS: Based on your job and education background, I’ll admit, I ransacked your LinkedIn a little bit for this info, but it looks like security and tech aren’t the only interests in your life. Some of the guests we’ve had have been hacking since childhood or they were walked off their high school campus in handcuffs for hacking government mainframes. Your background shows interest in mathematics, law, political science and more. How did you find your way to security and threat analysis and what was the spark that first set you on the path?
[02:40] CD: Sure. I started off, I kind of grew up with computers, right? I was sort of in that same generation with a lot of folks that grew up with computers in the household and used computers for a long time. When I graduated college, I was kind of looking around trying to figure out where I wanted to go. My interest has always really been in logical reasoning. How do we get from A, to B, to C? So you kind of see that theme playing out in my education. Mathematics, very much about logical progression of how do you get from A to B. Same with law, but that’s more from a written sense. How do we get from argument A to argument B? Political science, I maintain, is in a lot of ways about logical interactions between different groups. There’s sort of a common theme there of an interest in logic, logic problems, logic games, understanding how to get from A to B.
When I was looking at where I wanted to go, for me, cybersecurity made sense because it’s sort of the next step of taking logical problems and applying that to computers. And having this background in computing and background using computers and sort of seeing the relevance of computers in our everyday lives, to me, it made sense to kind of look at cybersecurity as a potential realm for a career.
[03:48] CS: Okay. I like hearing that, because as I try to sort of repeat in these episodes over and over, you can come to cybersecurity with a whole host of different types of skillsets or interests. You don’t just have to have been coding for decades. You don’t have to be able to do assembly language in your sleep and all this kind of stuff. You can have other interests and still contribute really strongly to the entire sort of enterprise.
[04:14] CD: Oh, absolutely. One of the best guys I knew, he was a police officer. He had no cyber experience. He was a policeman, but he decided he wanted to go into threat intelligence and he was just really passionate about it, really excited about it. So we started working with him, and the guy ended up being one of the best guys we had on the team after a little while. You can train anyone in technical skills. That sort of technical training is widely available. So you certainly don’t have to have a tech-heavy background.
Especially for younger generations who have grown up with a mobile device on hand for a long time and have grown up using computers or using mobile devices for a long period of time. Just that life experience by itself in a lot of ways gives you a leg up in this field, I think.
[04:54] CS: Yeah. You already know more than you think you know.
[04:56] CD: Exactly. Exactly.
[04:57] CS: Yeah. I want to start out today by clarifying the topic of our discussion, specifically threat intelligence. Just for baseline, let’s just sort of define what it is. What is threat intelligence and what differentiates it from areas of related but different activity? Maybe threat monitoring or security analysis or incident response? What does the job entail as a career track, and can I ask you a little bit about the ways that IBM does threat intelligence gathering and monitoring?
[05:24] CD: Sure. The way I kind of like describe threat intelligence is when you think about computer security, a lot of times you’re looking inside the perimeter. If I’m an organization, I’m a company, I’m looking at what do I see hitting my walls and what do I see within those walls and how do I best protect against what’s going on there? Threat intelligence actually looks outside the walls. Imagine you’re a scouting party. Outside the walls of the castle, looking around, trying to see where are the bad guys. The options are either –
[05:55] CS: You’re looking into the woods almost, make sure that – Okay.
[05:56] CD: Exactly. You can either build up all of your walls at the same time and just hope that you hit the right spot, or you can try and see where they’re going to come from and build the walls up just right there, and that’s a much more efficient way to do your security, right? Because if I know that the bad guys are using SQL injection all the time, then I know I need to invest resources and ensure that my SQL testing is effective. But if they’re not doing that, then I can invest those resources somewhere else. It’s a good way to get a sense of where do we see the bad guys coming from on the outside. It’s a little bit different perspective. You’re not looking from the inside out so much. You’re looking at the outside and seeing what they’re doing to see how they might try to get in. Does that make sense?
[06:35] CS: It does make sense. Yeah. Yeah, can you tell me a little bit about how sort of IBM does this? Where you are right now?
[06:41] CD: Sure. At IBM, we actually have a kind of interesting model. We are combined with our incident response component. It’s Incident Response and Intelligence Services at IBM. What’s kind of cool about that is it’s a hand-in-hand process. When we respond to incidents, we can use our threat intelligence to more effectively respond to incidents. If we see an incident occurring on a client site, we can say, “Okay, we’re going to respond to what’s happening there on-site at the time, but we’re also going to take that information and look at our threat intelligence data and try and figure out, is there other stuff we should be looking for that otherwise we might not be?” A lot of times it’s very easy to get sort of myopic in your view when something is happening. You sort of say, “I just got to take care of this fire. This is the biggest fire.”
The nice thing about incorporating threat intelligence is we say, “Okay. So here’s the fire that we see right now, but where else might there be fires that are hidden behind the smoke of this big fire over here?” So that’s what’s kind of cool about it. What I really like about IBM’s model is by combining those two elements, we’re able to more effectively respond to incidents. Also, those incidents can help inform our threat intelligence. So we’re able to research more effectively as well. It’s a very good symbiotic relationship.
[07:45] CS: Is this sort of hand-in-hand relationship between the incident response team and the threat intelligence team, is that a common thing or is that a fairly unique sort of symbiotic relationship with your organization?
[07:57] CD: In my experience, I think it’s becoming more common. I think a lot of threat intelligence organizations want to get into that sort of area, because it’s a great relationship to have. There’re a lot of challenges to sort of combining these two elements. So I don’t think it’s prevalent everywhere yet. I think it’s something a lot of organizations are looking into. But I think IBM, kind of the unique benefit that we have is we started off saying let’s do it this way. Let’s use our incident response and intelligence services from the get-go, and that gives a little bit of a head start I think in that regard.
[08:29] CS: Okay. I sent you the questions in advance, but I got one extra question that someone on my team asked. Do you see small and medium businesses using threat intelligence? Because it seems like at the moment, like threat intel is kind of the domain of huge enterprises due to the cost of the resources. But it seems like there could be a use for SMBs too to say get some sort of like threat weather report showing maybe secondhand data of some of the threats happening to other industries that are like theirs. Is there anything like that out there? Is that something you think about?
[08:58] CD: Yeah. I think you make a fair point. I think for a lot of small, medium businesses, the most effective strategy that I’ve seen is to leverage an outside provider. Generally, kind of the model that I’ve observed, and this is just my personal observation, is that as you get to larger enterprises, you might have an internal threat intelligence team that just focuses on threat intelligence for your organization, which is great. If you can afford that and you’re a large organization that has a large digital footprint, it makes sense to do that.
But if you’re a small and medium size business that can’t possibly afford that sort of payroll, then it might make more sense to outsource that to another organization that does – All they do is threat intelligence, and then they just give you the reporting. That’s a great way for you to get that sense of what’s going on so that you can help direct your teams.
One thing that I found really helps for an organization is if you can’t afford to have a threat intelligence team, even having one person who’s sort of your threat intelligence person helps quite a bit. Because sometimes what might happen is you get the reports and everybody kind of assumes that somebody else is taking care of the reports, or reading them. But if you have one person whose job it is, or at least part of their job is, to look at those reports, then at least one person is doing it. It could be a half-time job or a quarter-time job; it doesn’t have to be their full-time job. But as long as you have that sort of designated POC, that helps quite a bit for small and medium businesses to digest threat intelligence, because it’s a two-way street. It’s not just receiving it. You also have to actually act on it.
[10:19] CS: Right. Yeah, not only do you need someone who’s looking at this for some portion of their day, but I imagine that it’s also the importance of having some degree of reporting within like the weekly briefings or whatever, like some actual sort of – Because I’m sure it’d be very easy to say, “Oh, we got Bob looking at the threats. I’m sure he’ll let us know if something is wrong.” But if you’re not like reporting on it each week in your standups or whatever, I’m sure that’s something to watch out for.
[10:47] CD: A big concern as well with threat intelligence, and this is something that I highly recommend when people are looking at threat intelligence vendors to consider is you want to make sure it’s actionable threat intelligence, because sometimes the profession gets a little bit of a bad rap, because people say, “Well, threat intelligence, that’s just random horror stories. It’s interesting, but who cares? What’s the point?”
Good, valuable threat intelligence will not just tell you something that’s happening out in the wild and just leave it at that, because that’s not really helpful. I could say, “Well, they’re using SQL injection. Okay. So what?” Good threat intelligence not only tells you what’s happening out there, but also what it means for you and what you can do as sort of an action or a follow-on after that. Otherwise, it is just sort of campfire stories, which I love the campfire story, but that’s not helpful for me as a business or an organization.
[11:33] CS: Yes. I mean, it’s kind of like the way like a boring teacher teaches history versus one that can make a narrative around it where like there’s this thing that happened, but if you don’t tell the story so that people can understand, “Well, it could happen to you if it’d be happening right now,” whatever. Then what’s the point?
[11:49] CD: Exactly. Exactly.
[11:50] CS: That’s interesting. Because, again, if you’re thinking about threat intelligence, make sure you know how to tell a good story. That’s how you get people interested.
[11:57] CD: The storytelling is really critical. Yeah, it’s really critical to provide that context and information, and also to a wide variety of audiences. You might be talking to a CISO who wants a really high-level thing, or you might be talking to network defenders who want to know all the technical details of what’s going on. You have to be able to speak both languages pretty effectively.
[12:15] CS: There you go. Let’s talk about that. Let’s start with where you are right now. Let’s walk through your current job title. You are a strategic cyber threat expert. What does this job entail? What are some of your primary responsibilities and how much of it is job management of threat intelligence team and how much is the actual sort of threat intelligence information gathering in an average day?
[12:37] CD: Sure. My current role, it’s sort of – I’d say about 50-50 split between more tactical level threat intelligence research and 50% leading projects, leading initiatives in threat intelligence space.
[12:47] CS: So you still get to do the hands-on stuff.
[12:49] CD: Exactly, and I kind of like it that way, personally. I like having a hand in the tactical level stuff, because to me it makes it so that you keep a good sense of what’s happening in the world and you have a good understanding of what you’re seeing.
I guess I’ll break the title down. The strategic part, that just means that I tend to work it up into the higher level when I’m doing my threat intelligence products. That distinction is, in my mind, there’s sort of tactical where you’re looking at what are the indicators of compromise that are associated with threat actor activity, or you’re going out and you’re really diving deep into a few actors. That to me is a much more tactical level. What’s happening right here right now from a threat intelligence perspective?
A strategic threat expert like myself, what I tend to do is more broad-based. What trends are we seeing? What are we seeing over the last 6 months, a year? How is 2020 different from 2019? A good example here is if you look at the IBM threat intelligence index, we release those once a year and we just released our index for 2019 not too long ago and we said that ransomware was way up, which was kind of interesting, because the previous year, ransomware had been a bit down. It’s kind of when you see these trends, there’s the immediate strategic statement of ransomware is higher or lower, but then there’s the – Again, the important part is why does this matter and why do we think this is happening? That’s what I do with sort of strategic level, is I look across a wider time frame and say, “What are we seeing threat actors trending and how can we use that information to most effectively implement defenses?” Does that kind of make sense?
[14:22] CS: It does, and it sort of brings up a follow-up question. What sort of like resources, research materials? What is your sort of analytical thought process? I mean, let’s take that specifically, ransomware, and we had seen some reports too that ransomware is going down in 2019, but it’s back up again in 2020. You see something that doesn’t quite make sense like that to your mind. What are some of the first steps that you take to sort of break down what the numbers actually mean?
[14:48] CD: Sure. The first thing that you always got to do is make sure you got good numbers, right? If you see something that doesn’t make sense, it’s always good to double check your data. I look at open source and make sure that matches up. I’ll look at our internal data here at IBM and say, “Okay, what is our data showing us?” Then once the data is clarified and it sure looks like there’s a trend there, yeah, my sort of process is I start first off by just thinking about logic. What are the possible rationales as to why this could be the case? We could say ransomware is more effective because we’re seeing a higher payout, that we’re seeing people paying a ton of money for ransomware. It could be that ransomware has gotten better. Just the technology, the malware itself is increasing in overall quality, or it’s become easier to use. That’s another very strong possibility as to why we see ransomware increasing.
Then once I kind of have a couple ideas as to what I think it might be, just sort of logically gaming it out. A lot of that comes from that sort of strategic knowledge that most threat actors are financially motivated and are lazy, and I mean this in a nice way.
[15:49] CS: Yeah. Easiest way possible. Yeah.
[15:51] CD: Exactly. Yeah. You want to make your money as easy as possible, right?
[15:53] CS: Yeah.
[15:55] CD: Knowing that sort of background and understanding, kind of gaming out possibilities. Then what I’ll do is I’ll go to open source, I’ll go to my dark web sources and I’ll start trying to find out, are there indications of any of these assumptions being the case? Do we see people posting on forums for dark web marketplaces, “Hey, my ransomware as a service is on sale now”? Am I seeing a lot more offerings on marketplaces, or am I seeing a lot of people saying, “Man! This is so easy. Anyone should do it,” or more YouTube tutorials about how to use these sorts of products? That’s very often the case as well. Or do I see when I look at the data, are there like collections of activities? A bunch of stuff happens in March, and a bunch of stuff happens in May. That might indicate to me that it’s a matter of copycat attacks.
That’s sort of the way I would approach it, is look at what – First off, try and kind of guess what the possible options might be and then go up and see what the data supports from these sources you have available. Usually open source, dark web, internal are kind of the key three ones I look at.
[16:56] CS: Right. Yeah. I mean, that’s straight up scientific method right there. You make your hypothesis and then you test it against the facts and see what happens.
[17:04] CD: At the end of the day, threat intelligence is sort of a science and an art, I think. I mean, there’s only so much the data can tell you, because we don’t have perfect data. We don’t have 100% collection all over the place. If we did –
[17:12] CS: Yeah, you’re not going to find the fortune cookie that says this is how we did it. Yeah.
[17:15] CD: Right. Yeah. You wish that some guy would just say, “This is why I’m doing it.” You can be like, “Oh! Well, that’s great to know. Tell me more about your personal motivations.” But that never happens. So lacking that, the other key element to threat intelligence that’s sort of subtle is using analytic confidence language. You can look this up on Google. There are a lot of different ways that you can couch statements to make them as accurate as possible. You could say, “I’m medium confidence that this probably occurred.” That suggests that – That tells you how confident I am in the next statement, and it tells you that probably means that’s more likely than not, but not almost certain to be the case. That’s sort of fine detail language. It’s kind of a technical skill, but once you get really good at it, it’s a great way to be able to make statements based on data without sacrificing your integrity when you make a statement.
[18:06] CS: Okay. This is great, because like you said, this sort of opens up into my next question here. We were talking about your background a little bit, that you have a math background, political science, law background, and all these things obviously contribute strongly and it’s hard not to see. But what are some specific sort of skills or educational tracks or learning experiences or projects you did in these other fields that you think sort of directly translate to doing good work as a threat intelligence person? If you have these kinds of backgrounds and this sounds interesting to you, what are you sort of highlighting for someone saying, “I want to get into threat intelligence and here’s how I can do it”?
[18:44] CD: Absolutely. Very easy question for me. Whenever anybody ever asks about education, my number one first answer, and this should be like the number one takeaway for anyone listening to this, is to check out the National Science Foundation Scholarship for Service Program, or the NSF SFS, which is always easier to say.
[19:02] CS: Yeah, rolls off the tongue.
[19:02] CD: What I did is that I was a graduate student at Iowa State through this program, and at the time what they did is they paid for the tuition, room and board and a stipend for you to get a degree in cybersecurity. It was a two-year master’s degree. In exchange, you have to work for the federal government for two years.
Now, I remember when I was – This was I guess a decade ago now for me. But 10 years ago, two years sounded like a really long time to work for the federal government. But what ended up happening was I got a free master’s degree out of the deal and I got a great experience from the government for five years in exchange for them paying me to do all of these.
If you have any interest in cybersecurity, whether it’s threat intelligence specifically or a variety of other fields, this is a great way to get the educational background you need, plus, potentially you get a foot in the door at the government to be able to get the actual hands-on experience that you need. Really be able to jump into a cybersecurity career. It’s really fantastic. I really can’t recommend it enough. That’d be my number one recommendation if you’re looking to kind of get the right education for cybersecurity. Just jump into that program. It’s a very sweet deal.
[20:07] CS: Walk me through your average day as a cyber-threat expert. What time do you start work? Where does your work take you in the course of the day? Can you structure a day or are you just constantly putting out fires? Are you able to turn off in the evenings? Are you always on-call?
[20:23] CD: Yeah. One nice thing about threat intelligence I find is that it’s not really an on-fire sort of situation. Of course, there’re going to be situations where it is. Again, since we work with incident response, sometimes you might have an incident come up, and in that case, yeah, it’s all hands on deck. You have to take care of things right away. Occasionally, there are major fires, something like WannaCry, which has such a broad impact, such a major event that it’s all hands on deck and you pretty much are working until everything is taken care of. You had people working through the weekend back when that hit, as I recall.
You have that occasionally, but that’s pretty rare. Usually it’s a pretty good 9 to 5 job. I’m a morning person myself, so I start first thing in the morning, like 7:30 or 8:00 and get done around 4:00, 4:30. But it’s not crazy long schedules. Kind of a standard 40-hour work week in a lot of ways. There’s a lot to like there I think from a work-life perspective.
In terms of the work-life balance, I find that it’s nice, because when it’s done, there’s not a lot keeping me up over the weekends. Because usually if I’m working on a research project, especially a broader strategic product, like I’ve been doing in my current role, it’s not really something where I’m too worried about it because this is a 6-month to 1-year trend. We’re talking about pretty long time frames. So I don’t think a weekend is going to really change that too much, but hopefully not. I think with COVID we don’t know, right?
[21:36] CS: Yeah.
[21:37] CD: Usually, a weekend’s not too big of a deal.
[21:40] CS: Yeah.
[21:40] CD: That’s kind of how it goes for me.
[21:42] CS: Yeah. What are some of the sort of common tasks you’re doing every day? Are you talking with clients? Are you sort of reporting to your board, your C-suite, whatever? What do you do a lot? What do you have to be ready to do a lot if you want to go into this job?
[21:57] CD: Right. Writing. Writing is one of the number one things. Personally, I wasn’t somebody who grew up saying, “Man! I love writing papers.” Some people love that. I didn’t love writing papers. I’m more of a people person. But what I do like is writing logical papers. I like writing out logical arguments. Doing a lot of logical writing and precise writing, if that’s something you’re kind of into, then that’s something that could be a good fit, because that’s what a lot of my day is. When I’m writing up threat intelligence reports, a lot of it is connecting dots.
Also, as we talked about a little bit before, storytelling is a lot of my day, where I’m maybe writing out stories to people, sort of explaining here is the background. Here is where we are now and here’s what it means… what a future might hold. That’s sort of progression and logical storytelling in a written form is a lot of what I do.
I also brief clients on occasion and I do enjoy doing that quite a bit, because it’s nice to be able to just orally brief someone so that you can get the questions back in real-time. That’s generally less common, but it’s something that I do do as well. But most of my work is written in nature and otherwise it’s just researching, researching and reading the news and seeing what’s going on in the world. Keeping track of things.
[23:07] CS: Okay. Where does threat intelligence generally stand on the average company hierarchy chart? Who do you report to? Where does it slot into the org chart, especially for people who have like a full set of different security staff? Where do you stand?
[23:22] CD: Usually, threat intelligence reports up to the CISO for most organizations that I’ve seen anyways. There could be another level between here and there. Initial threat intelligence analyst positions, those are kind of entry level positions. That can be pretty low-level. But that said, I’d say generally getting into threat intelligence in the private sector in my experience requires a little more experience, whereas with government, it could be a bit more of an entry level position, just because with the private industry, you’re kind of requesting, you kind of want people who’ve already done this before. Threat intelligence isn’t necessarily a field a lot of people jump into as their first field. The nice thing about government is there are some agencies that all they do is intelligence. It can be an entry level position for them, because anybody can fill that out.
Once you get up to sort of the senior analyst position, there’re kind of two tracks you can take. You can go either – Go in depth and be just a really deep dive research analyst who is just out on the deep and dark web, open source all day every day researching specific threats that you specialize in. Or you can kind of go the leadership route where you’re saying, “Okay, I want to look at sort of how are we doing our threat intelligence. How can we do it more effectively?” I think those are kind of the two branching things. But generally, all threat intelligence in my experience sort of reports up to the CISO office for private industry. And for government, it gets kind of wacky.
[24:42] CS: A little different. Is threat intelligence a position that’s mostly done as sort of part of a company or are there freelance opportunities in this area? Can you sort of offer your services, especially if you’ve done it for a while? Can you sort of offer your services to an organization, or do people mostly just have like an in-house threat intelligence unit?
[25:00] CD: Yeah. There’s kind of both I’d say. My experience there is there’re a lot of freelance opportunities available. The way I would capture it is rather than sort of thinking of it as freelance versus a company, I would think of it as there’re companies of all shapes and sizes in threat intelligence. You’ve got large organizations that do sort of consulting threat intelligence where they provide threat intelligence to other organizations. You’ve got smaller companies that provide threat intelligence to small or medium-sized businesses, or they might have a unique niche in the threat intelligence field. They might be a threat intelligence company that just does dark web, right? That’s something that’s out there as well. There’re also threat intelligence organizations within companies. The way I think of it is sort of I have a legal background. So to me it’s sort of like the difference between in-house counsel versus working for a law firm. For a law firm, you work for a lot of other companies, but you don’t work for yourself specifically. In-house counsel works just specifically for the one company. There are advantages to both, right?
Working in house, the nice thing is if you’re doing in-house threat intelligence, you can really focus on this one organization. Make sure that you’re doing the best possible threat intelligence just for that company. But the downside arguably is that it’s not quite as diverse. If you’re having kind of a slow week, you might just be having a slow week. When you’re doing threat intelligence for an organization that works with many organizations, you’re kind of constantly bouncing around between different industries, which means you have to understand a lot more industries and it’s a little bit more – It can be even more challenging in some ways. But the bright side is there’s always something going on, which I really like. I really enjoy being busy. That’s why I enjoy working for IBM, because we always have things going on. There’s always different industries to be aware of. And being a global company, there are a lot of global components there as well.
[26:42] CS: Now, if you have a full sort of threat intelligence stuff, and you were saying that there’s sort of like three or four sort of primary places, the dark web or what have you. Do people have sort of a specialty in terms of like, “Jill here is the dark web person, and Bob looks at ransomware situations.” Can you sort of subspecialize within it where you’re mostly sort of looking at one thing, or is everyone kind of looking at everything and synthesizing data and so forth?
[27:10] CD: It really depends on the organization, and there’s a lot of different theories on best approach. I’m not sure that I necessarily know the best one. The ones I’ve seen most commonly tend to be you can have people who are focused on threat types or specific threat actors. Usually those are sort of geographically aligned. Alternatively, you might have – I’ve seen places that might have somebody who’s like they just do dark web. They’re just really, really good at dark web. And that works well too, because then that person is really your key go-to person. It really just kind of depends on the organization how they want to structure it. If you’re kind of getting into this field trying to think of how you want to best market yourself, I think those are kind of the two main marketing elements. Either say like I speak a language, especially if you speak a language for one of the big countries. You could say I speak that language. I’m going to learn everything there is to know about threat actors from that area and then I’m going to market myself as somebody who is a specialist in this region. That’s a great way to market yourself in this area.
Alternatively, you can say I am just really, really good at open source and I am the open source guy and everyone is going to come to me for their open source needs. In that case, you want to build out those open source skills. Actually, they’re both definitely needed skills in different organizations. So they’re both very good approaches.
[28:22] CS: Okay. Tell me about do you have any certifications and do you feel like there’s any particular certifications that are important for people looking to get into threat intelligence?
[28:31] CD: I have CISSP, which I think is a valuable certification just from kind of writing the executive understanding and sort of learning more about what executives are thinking. I think if you’re just starting out in this field, I’m not sure it’s this critical. But as you get sort of further into the field, the nice thing about CISSP is it does provide insights into what your audience might be worried about, and that sort of insight really helps you make your product more effective for them. But otherwise, for other certifications, I don’t have a lot of recommendations. I know that Security+ is a good one and I’ve heard good things about that, but I personally don’t have it. I did some studying for it and it seemed very good. Also, if you feel like you need more technical acumen, Network+ is also a good one as well. There are many good certifications out there. I can’t speak to all of them free.
[29:15] CS: Of course. Yeah. No. Yeah, it makes sense. Yes, CISSP – I mean, you’re basically studying how perimeters work. It’s perfect.
[29:21] CD: Right. What’s great about that I think is that by understanding sort of what the executive level C-suite is thinking about when they’re looking at things, it helps you tailor your threat intelligence products to speak their language, because ultimately if you’re not speaking their language, they’re not going to read it or they won’t understand it. Both of which are bad.
[29:36] CS: Yeah. You gave us some really good tips for sort of like getting your foot in the door specially the organization that you work with. But sort of what are some of the steps along the way to go from a low-level threat intelligence technician to cyber-threat expert. I remember when we’re talking to a security analyst and he was saying like, “You want to go up to security manager. Automate yourself out of your job.” He was saying like if you create enough sort of automated processes, then you sort of like – The stuff that you’re doing rotely is already handled and then you can sort of handle the next level thing up. How do you sort of “automate yourself” out of a low-level threat intelligence job into what you do?
[30:20] CD: It’s kind of a tough question, but one of best answer to that one. I think the primary way you do it, and it doesn’t sound like a good answer, but the best one I can really give is you have to just learn a lot about what’s going on in the threat intelligence realm. You have to – I think the main way you kind of get to that next level is when you read a report that says they’re using SQL injection to drop ransomware. When you start off, you said, “Oh! That’s interesting. They’re using SQL injection to drop ransomware.” But when you sort of start – After you’ve done this a number of times and you’ve seen ransomware being dropped a number of different ways, then you could start asking questions like why are they using SQL injection to drop ransomware? That’s kind of weird. Or why are they dropping ransomware? This month, usually they’re doing crypto miners.
As you develop experience and start learning the different ways in which things have been done historically, then you can start sort of seeing the broader picture and picking out the trends that are interesting and why they’re interesting a lot faster. I think that’s really what leads to a more effective threat intelligence expert.
[31:21] CS: Okay. What advice would you have for people who are looking to make a career switch in the cybersecurity from other careers? Like you said, you had other areas of interest and stuff. Whether you’re just picking it up from this episode or you’ve been thinking about anyway. From an interview perspective, what are some things that you can sort of put on your resume or in your cover letter to talk about in your interview that would make your – Your perspective employer know that you’d be great for this job even if you don’t have the correct signposts in your resume to indicate that?
[31:48] CD: Really interesting question. I mean, obviously, I’m going to go back to the NSF SFS thing again and say if you’re looking to go into cybersecurity, check out this program. It’s great. Get a master’s degree in cybersecurity. But beyond that, I think to me there are two things that really stand out about someone. The easiest one for someone to start doing is read the news. You have to be really well-versed in what’s going on in the world, especially in the threat intelligence world. Or in general, just the cybersecurity world. Beyond just your basic cnn.com’s, right? Also, start reading things like BleepingComputer, where you’re going to get really good security news. Because in an interview, when I’m talking to someone, if they’re referencing the latest and greatest activity that they’ve been seeing based on their reading of open source articles, that indicates to me that somebody has interest in cybersecurity and is willing to take the extra step of actually reading stuff about it and can understand it and digest it in an effective fashion. I’d say one good way to sort of signpost, “Hey, I’m interested in cybersecurity and I get it.”
The other main thing that I’ve always looked for in interviews is just passion. Just somebody who’s really passionate and excited about cybersecurity, and it’s sort of a tough quality to explain how to make that come across, and everybody is going to show their passion differently. But doing your best to show this is something that you’re passionate about. To me, I will 10 times out of 10 take a passion of a candidate, because that’s somebody – I can train anyone. You can teach anyone basic technical skills, but you can train passion. That’s something that’s inherent in you and something that you’re excited about it. Then that’s something that I want you to be able to do.
[33:21] CS: Now, without going into super granular detail, we keep saying, “We can train you the tech and stuff if you have the passion or you have the background.” But like what is the sort of baseline tech that a beginning threat intelligence person needs to know that you’re probably going to train them in?
[33:41] CD: I’d say the two main things are going to be basic network protocols or basic networking. A good way to think about this is you should be able to understand, if I go on my computer to cnn.com, roughly what’s happening from a network perspective. Just because that network understanding of DNS resolution, basic network connection, protocols, how information is sent back and forth. That sort of technical understanding, even if it’s medium depth, will help you when you’re reading things to understand what’s happening.
The other key thing from a technical perspective that I have found helpful, and I know there are people on both sides of this issue, is the MITRE attack chain I think is very helpful to understand from a threat intelligence perspective. Because when you’re thinking about how attacks happen, understanding the process here of starting off with commonsense, then you’re moving forward, preparation, the actual attack, and then what happens after that, and a lot of movement. Understanding that sort of front to back process will help when you’re learning what’s going on by being able to slot that in. Say, “Oh, okay. SQL injection is the initial infection, or the vulnerability is being exploited. But then the actual payload that’s being dropped is ransomware. Okay. I see now how this fits into the overall timeline.” When I’m telling the story, I can help understand and kind of categorize where things were going. I think that’s a good framework.
IBM also has our own internal framework that we use for threat chain and sort of understanding the chain of events. That’s a little bit unique, and I like it a lot as well, but it’s a bit different from MITRE. I reference MITRE, because that’s one that a lot of people know.
[35:24] CS: Yeah.
[35:24] CD: But if you’re interested, check out IBM’s attack chain as well. We have a pretty good one.
[35:28] CS: Okay. Yeah. No, we have lots of MITRE attack articles on our blog. If you guys want to get a foot in the door, come check out resources at Infosecinstitute.com and also check out – What was it? IBM’s – What was it called? The threat matrix?
[35:40] CD: It’s our attack and preparation framework.
[35:42] CS: Attack and preparation framework.
[35:42] CD: I can talk about that as well.
[35:44] CS: Okay. How has the threat intelligence landscape changed in practice since you began? You’ve been doing it for a while. And where do you see it going in the years to come? Has the sort of methodology changed? What are we doing differently these days?
[35:58] CD: That’s a great question. I’d say the way threat intelligence is done has changed a little bit in that there’s a lot more people doing it. As we were talking about before, in terms of freelance, you’ll see if you go on Twitter, there are a lot of folks on Twitter posting threat intelligence of varying quality. There are some great people on there doing some really good stuff. There’re also some people on there who are kind of just taking their best guesses and then putting it out there as fact.
One of the big risks that you run into is, people go out there and say, “Oh! I saw this on Twitter. Is it true?” It’s like, “Well, I don’t know.” Pardon me. One second here. Sorry about that.
[36:33] CD: The other thing that I’ve noticed has changed quite a bit is we’re seeing a lot more – When I started, CrowdStrike was new. No one had heard of them. They were a brand new organization. They were just getting started. Now, CrowdStrike is one of the – Is a big player in the market alongside others. We’re seeing a lot more big players that just do threat intelligence or do threat intelligence as sort of one of their primary missions, and I think that’s great. I think it’s great that there are a lot of folks out there doing threat intelligence, because it makes all of our organizations better, right? I think that by having more competition out there, we’re all sort of forced into doing harder work, which I think is great. But one thing that’s kind of come out of that as well is we found new ways to gather data and new ways to understand what’s happening. We’ve also sort of expanded our strategic perspective because now that we’ve been doing this for a few more years, we can now – We as a broader threat intelligence community, can start drawing conclusions from a much broader set.
I mean, when I started off in this in 2011, the idea of a lot of these attacks were still relatively new. I mean Stuxnet was still fresh in your mind. That was really the only destructive attack you would see. But now what are you looking at? Here we are in 2020, we’ve seen a whole handful of destructive malware attacks, right? Now, IBM was able to put out a paper all about destructive malware, because we’ve seen so many of these attacks. Whereas in 2011 when I started, we just didn’t have that much data. There wasn’t that much – It’s not that necessarily things weren’t happening. We just didn’t have that much access to it.
Really, the only major threat intel groups tended to be government. Now we’re seeing private industry really get into it more, which I think is great and there are a lot of opportunities there for people looking to get into the field, but also a lot of great opportunities for us to sort of build a collective framework for threat intelligence, which is pretty cool.
[38:15] CS: Now, I’m guessing I know the answer to this because it sounds like it’s such a sort of personal and research-based thing. But apart from the ways that all our work lives have changed right now, has the practice of threat intelligence changed at all with the current pandemic?
[38:28] CD: I say the practice of it hasn’t, for me at least. Realistically, threat intelligence in a lot of ways is a pretty decentralized field. There’s a lot of need for people to be in offices. For me, that made a major change. I think that’s probably the case for a number of organizations. I think there has been some changes in terms of what we’re seeing from threat intelligence. But in terms of the way it’s actually practiced, thankfully the pandemic has had relatively minimal effect, in my experience anyways.
[38:54] CS: What are some of the cyber threats currently that are currently looming largest on the horizon in your experience that you and IBM are engaging with the most frequently?
[39:05] CD: That’s always a risky question, because the minute you say anything, it changes.
[39:09] CS: Right. Or they see that you see them. Yeah.
[39:12] CD: Yeah, exactly. I think the one thing that’s kind of looming larger in my mind at the moment is cloud security. I think that organizations are moving to the cloud environment more and more. Realistically, threat actors get that and they see that organizations are moving huge amounts of data into the cloud environment and that there’s potential gaps or risks when you’re kind of looking that could be present potentially. So they’re trying to take advantage of those wherever they can and find those that are there. It’s a good opportunity for a threat actor, because it means that if I get in, I could potentially cause more harm than I could by just breaching an endpoint and I don’t have to worry about as much lateral movement. So there’s a lot of benefit there.
To me, where I see things kind of going is looking at how do we best secure cloud environments and what are the security considerations when we’re looking at cloud environments and how can we make sure that we’re best protecting them? Because I’m sure, IBM is very heavily invested in cloud environments, in cloud security. This is something that we’re uniquely interested in from a variety of perspectives, including threat intelligence. Understanding how threat actors are trying to kind of break into that.
[40:16] CS: Okay. This has been a great talk. I just wanted to thank you for your time and insight here. Now, if people want to know more about Charles DeBeck or your doings at IBM, where can they go online?
[40:25] CD: You can find my profile on LinkedIn, otherwise, securityintelligence.com, which is IBM’s main site for information. It has my profile on there and then you can look at some of the other work I’ve done as well. I’d say, those are probably my two main recommendations.
[40:37] CS: Okay. Do you have final tips for potential threat intelligence people?
[40:43] CD: No. It’s a great field. I really enjoy it. It’s a great combination of sort of the strategic understanding of how things work and the strategic understanding of geopolitics, and computing, and governance, and networking, and taking all of that information and then somehow crafting it into a story that somebody can understand that doesn’t have all that knowledge. I think it’s a great opportunity for folks to get into. It’s sort of a niche field, which is kind of fun. But I highly recommend it. I think it’s great. I hope you do too.
[41:10] CS: Yeah. Thank you very much, Charles DeBeck. Thanks for your insights. This has been so much fun, and I think a lot of people who are listening are probably doing some quick research right now looking to their new career. Thank you.
[41:20] CD: Thank you so much. Appreciate the time.
[41:22] CS: And thank you all for listening and watching today. If you enjoyed today’s video, you can find many more on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews and past webinars. If you’d rather have us in your ears during your work day, all of our videos are also available as audio podcasts. Just search Cyber Work with Info Sec in your podcast catcher of choice. And if you wouldn’t mind, we’d love a five-star rating and review in whatever you listen in. It always does help us to get to new listeners.
For a free month of the Infosec’s skills platform, just go to Infosecinstitute.com/skills. Sign up for an account, and there’s a coupon code there. Type in cyberwork, all one word, all small letters, no spaces, and get your free month. Thank you once again to Charles DeBeck and thank you all for watching and listening. We will speak to you next week.