How to become a cybersecurity threat intelligence professional | Cyber Work Podcast
Neal Dennis of Cyware talks to us about building a collective defense via increased threat intelligence sharing in the global security community. Dennis has worked with customer success and clients, helping them map out new intelligence workflows, and has also built out several intelligence analysis programs for Fortune 500 companies. Neal started his career as a SIGINT specialist while serving in the United States Marine Corps and later supported cyber initiatives for USCYBERCOM, STRATCOM, NSA, 24th Air Force, USAF Office of Special Investigations and JFCC-NW.
0:00 - Intro
2:10 - Origin story
3:57 - Military and linguistics influence
6:10 - Work in counterintelligence
8:51 - Digital forensics work
11:02 - Changes in open-source intelligence work
13:00 - Building a global defensive network
15:46 - Why aren’t we sharing info?
18:41 - How to implement global changes?
23:42 - Areas of friction for sharing
29:15 - Threat intel and open-source intel as a job
32:55 - Do research analysis
35:03 - Hiring outlook
37:15 - Tell us about Cyware
39:38 - Learn more about Dennis and Cyware
40:06 - Outro
– Download our ebook, Developing cybersecurity talent and teams: https://www.infosecinstitute.com/ebook
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
[00:00:01] Chris Sienko: Today on Cyber Work, Neal Dennis of Cyware talks all about the job of intelligence analyst. As someone who learned his craft at the dawn of modern cybersecurity, Neal will tell you all about getting your foot in the door as an open source security analyst and the importance of implementing a global threat intel sharing network. That’s all today on Cyber Work. But first, I want to point your attention to an all-new ebook published by Infosec. It’s called Developing Cybersecurity Talent and Teams, and it’s free to read if you go to infosecinstitute.com/ebook. It collects practical team development ideas for industry leaders sourced from professionals from Raytheon, KPMG Cyber, Booz Allen, NICE, JP Morgan Chase, and more. Did I mention it’s free? Well, it is. infosecinstitute.com/ebook. And now, on with the show.
[00:00:59] CS: Welcome to this week’s episode of the Cyber Work with Infosec podcast. Each week we talk with different industry thought leaders about cybersecurity trends, the way those trends affect the work of Infosec professionals and offer tips for breaking in or moving up the ladder in the cybersecurity industry. Before joining Cyware as a threat intel specialist, Neal Dennis spent 20 years building a robust career in cybersecurity across various roles. He has worked with customer success and clients helping them to map out new intelligence workflows, and has also built out several intelligence analyst programs for Fortune 500 companies. Neal started his career as a SIGINT specialist. I don’t know that one. That’s a new one on me. While serving in the United States Marine Corps, and later supported cyber initiatives for US Cybercom, Stratcom, NSA, 24th Air Force, USAF Office of Special Investigations and JFCC-NW.
So our topic today is building a collective defense by an increase in threat intelligence sharing in the global security community. So I’m looking forward to finding more about that. Neal, thank you very much for joining me today. Welcome to Cyber Work.
[00:02:05] Neal Dennis: Hey, Chris, thank you for having me. Looking forward to the conversation today.
[00:02:08] CS: Looking forward to it as well here. So we always like to start by getting the story of our guest’s cybersecurity journey in their own words. So you’ve been involved in this industry for a long time. Where did you first get interested in cybersecurity? And how far back does your interest in computers in tech go? What was the initial draw to you?
[00:02:25] ND: Yeah, I’m a product of the 80s and 90s. So when desktops that weren’t run exclusively on DOS first came out is when I found out what a computer really was. And it started off, I think, like everybody in my age bracket back then. Let’s get something to play games on. Internet really wasn’t a big thing. Bulletin board systems and chat were. Those are kind of fun. But I didn’t give two shakes about security or any of that. I didn’t know anything about any of that.
So when I joined the military, started off as a linguist. I was doing some stuff. I came back to formation one day after being gone for a while. And I was bored sitting in a desk. I was like, “I’m done. Let’s go somewhere.” First thing in formations, the platoon sergeant, platoon commander comes out, does a head call, roll call, and then looks around and goes, “Alright, I’ve got positions open for blah, blah, blah, blah, blah, blah, blah, blah.” And so basically asking if anybody wants to go to training. So before he even had the chance to start the phrase, I just raised my hand. I was like, “I don’t know what it is. Don’t know where we’re going. I just wanted to go somewhere.” And that somewhere ended up being the equivalent of what was to eventually become kind of the cybersecurity intel training courses for the military. And so I literally got ordered to go learn about what would become cybersecurity down the road. The term cybersecurity, I don’t even think was a thing yet in the early 2000s.
[00:03:45] CS: Yeah. So what year would this have been roughly?
[00:03:47] ND: This would have been in 2003 when I officially stepped into that.
[00:03:49] CS: Yeah. Yeah. That’s like the dawn of cybersecurity as we know it pretty much then. Yeah. So I want to make a sort of connection there. Your initial work with the Marines obviously involves cybersecurity and counterterrorism. But you mentioned your early training in linguistics. Do these disparate interests tie together in any way with your cybersecurity work post 9/11? Were there things that you took from your sort of linguistics background that you were able to sort of apply in the cybersecurity sphere?
[00:04:18] ND: Yeah, it was a weird dichotomy. I think for a non-native speaker of a language to become a linguist, it’s a different mentality than it is to become an intel analyst in general. The way the brain works to become a linguist versus an intel analyst, they’re kind of juxtaposed against each other. But it did help me, because, one, the study to become a linguist there, right? You have to learn and be willing to learn, or else you’re not going to become a good linguist. And two, just the career path in the military back in the early 2000s, at least in the Marine Corps, it was very geared towards be a linguist, then be an intel analyst and then see where you’re at in 10 to 12 years. So as I was coming into it, it allowed me to basically be a linguist and then become a cybersecurity analyst. And the fundamental understanding of how to interpret data, how to manage data, how to even collect information and process it at scale all lent itself over to doing that cybersecurity role. And then bonus perks in the early 2000s, everybody was looking for somebody who was a linguist and had an intel background. True today I think still. I know we’re going to talk about this a little bit. But it was kind of a trifecta. If you were a linguist and you were an intel analyst and, in addition, had a security clearance, you pretty much had a job guaranteed, because that was kind of the unicorn back in the early 2000s. So yeah, it definitely helped a lot. It helped get my mentality wrapped around the right format of the information flow and build into my further career.
[00:05:46] CS: Okay, that’s always good to hear as people like to get into or try to get in cybersecurity later in life and they’re already well-down a certain type of path. And if it’s language, or psychology, or whatever, that can tie in quite nicely in its own right.
[00:06:00] ND: Yeah. And I know, once again, when we talk about some of the open source stuff. I’ll wait for that. But it ties in great to some of the career paths out there, for sure.
[00:06:07] CS: All right, well, you won’t have to wait for long because that’s my next. So I want to have you take me through your work with SAIC as a counterintelligence agent and open source intelligence analyst. For people who are listening who might be interested in this type of work, can you tell them what you’re doing on a day to day basis? And what types of qualifications and skills you need to have to do that kind of work? And if you don’t have those qualifications and skills now, what do you need to do to acquire that kind of work?
[00:06:32] ND: Yeah. So I was a firm believer, it’s always easier to take a linguist to make them an intel analyst than take someone to try to teach them a new language.
[00:06:40] CS: Oh, yeah. Yeah. I’m a 45 year old Duolingo loser. So I agree with that. It’s too late now. I mean, I should have done it when my brain was squishier. Anyway, I’m sorry.
[00:06:49] ND: Right. No, you’re good. Yeah, I’m right there with you. I’m also trying to learn another language right now to expand my horizons on what I can do in the cybersecurity realm, funny enough. So as a linguist, when I got hired on with SAIC to go work at OSI, Office of Special Investigations, it was strictly for open source research before it was the cool thing to do. This is pre-Mandiant report. This is pre-APT1. But the government and some other companies had recognized that put a linguist in a seat, point them at forums, find fun data. And that’s exactly what I did. Now we have companies that do this for a living, right? There’s a whole slew of resources out there that take linguists, put them into places of interest, let them collect data, strictly as a collector. They don’t necessarily have to interpret it in the sense of like the meanings. They provide translations. They provide back to an analyst, and the analysts at those companies produce whatever content. And that’s today as well. So when I did it, that’s pretty much what it was. I’d go into forums. I would look for – Back then, pick a Southeast Asian threat, and look for what was going around in the forums in Myspace. Pre-Facebook days, right? And just see what we could find. And then sometimes you get lucky and you find dumps that were open that had no references back to some of the threat actors, potentially, maybe. Who knows? And then just write all that up. Hand it off to someone who sees the bigger picture, a little higher up the food chain, and then let them do that strategic intel analysis on all that.
And it holds true today. Be a linguist. Get a job as a collector of some sort for one of these private intel companies. And it’s a great fundamental start. You learn some terminologies, like I had to. I was already in the cybersecurity world, but I had to go relearn the idioms and some of these phrases for the languages that I started to focus on. So it’s kind of a neat thing to plus up. And then, yeah, that’s kind of it.
[00:08:48] CS: Okay. I’m going to lurch towards a comparison. You can tell me if I’m getting this right or wrong here. But what this sounds like to me, I’ve had people on the show who have talked about being in digital forensics, and especially in terms of like mobile forensics, where someone with a psychology background, child psychology background, is going through 100,000 text messages in a plaintiff’s phone to see if they can see patterns in terms of what they’re talking about, or whether they can sort of break through idioms to see if they are indeed making threats and things like that. Is this sort of a similar thing like this where you’re – But it’s on a different scale, where you’re sifting through, like you said, public forums, or other forms of intelligence. And you’re just trying to sort of like find meaning in this sort of immense dump of data? Am I on the right track there?
[00:09:39] ND: You are, actually. And I think that’s a great connection there. So from a skillsets perspective, the polysci people with a language background, the philosophy majors, things like that, once again, maybe with a language background. All the people who have training on how to intuit [inaudible 00:09:56] are within that language that they specialize in, those are all valuable assets that could get into cybersecurity pretty easily. They’re going to be doing that, once again, as a collector. They’re going to be learning what the cybersecurity terms are. But that’s some cool valuable insights and some training that’s kind of hard to come by. I mean, you’re one part spelunker inside the forums, but you also have to be able to kind of interpret the meanings to suss out the value of what’s actually there before you create that report and get it off to someone.
[00:10:27] CS: Now, are you being pointed in the direction in terms of where you’re looking for the intelligence or the data? Are you just being told like find where things are getting hot?
[00:10:37] ND: Ah, back then it was pretty much me just poking and prodding and finding what I could find. Nowadays, most of these companies kind of have their own collection requirements, their own set of guidance for their specialists. And then they’ll kind of point them to X, Y and Z forums and stuff like that. But definitely still room for the more tenured people to go out and make their own sources for sure.
[00:11:00] CS: Okay. Well, that brings me to my next question here. On a larger scale, have you seen any changes in how open source intelligence work has changed since your time in the early 2000s? Have the improvements in technology or processing power changed the way this work is done? Or the scope? Or is it still pretty similar?
[00:11:18] ND: Yeah, when I was doing this, there was an open source company out there. There was no such thing as a dark forum, underground forum, dark web scraping company like there are now. And now there’s – I mean, they’re their own genre on pick a quadrant report or something like that, right? And some of them have some really wonderful automated ways to scrape some of the more public and open dark web places. And then some of them have their own collection specialists that they have deployed in various parts of the country, or the globe rather, that are actively engaged in like going to a bar and talking to some cybersecurity or cyber criminal crony that they want to source information from. It’s kind of neat in the way that these private companies have done all that wonderful covert type stuff for us today.
So someone like me, who maybe I’m rusty with my language, or maybe I’m just rusty with my access isn’t where the data sits. I can come in, get access to one of those companies [inaudible 00:12:17] collected for me, and then make a judgment call on the scale of my company if I want to kind of focus on an open source project inside my own company and have that due diligence around the security of it and all the other fun stuff, or just rely on those third-parties. But yeah, it’s definitely changed.
What took me probably a month plus to sort, and capture, and categorize, and write up [inaudible 00:12:42] capture screenshots and all these other fun things while I’m on the internet nowadays. So yeah, it’s definitely changed it for the better from a research perspective. I say, what took me a month, I could probably do in two to three days when researching nowadays.
[00:12:57] CS: Okay, so the topic that you suggested for today’s episode, and this is something I don’t know very much about, but it’s about the importance of building a global collective defense. And you said that enabling threat intel sharing within the global security community to bolster defenses and enable organizations to block threats proactively to prevent harm. So before we get to your recommendations, I want to hear about what some of the shortcomings are as you see them right now to your way of thinking about the way threat intelligence is or isn’t being shared in the global community. What’s the current situation look like versus the one that you would prefer?
[00:13:29] ND: Yeah. Current situation, we have all these wonderful sharing communities out there, ISACs, ISAOs, private communities, trust groups, all these other things. There’s a lot of little [inaudible 00:13:40] out there for information sharing that have been built. Some of them more successful obviously than others. So we have the infrastructure concept around all of this. We’ve had it for, I mean, since [inaudible 00:13:53] in the 90s. And then when we had the Cybersecurity Information Sharing Act eight, nine years ago, whenever that was under Obama, that opened the door for ISAOs officially to come out of the door. And so no longer were we critical infrastructure key resource-focused ISACs. Anybody could have a sharing community now and officially label it as a nonprofit and all the fun stuff. So, the architecture’s there.
The problem that I think we see today is there’s a lack of understanding of what’s actually valuable [inaudible 00:14:26]. People like myself coming from the government intel side of the house, we didn’t have intel sources that didn’t originate from ourselves ultimately. The data we worked with came from within our own four walls. Yes, it may have come from another three letter agency’s four walls, but we were used to sourcing information of value from our own sensors, from our own data sets to make heads or tails of what was going on.
And I think we’re kind of in that crossroads where some people grasp that idea that my gateway is the most valuable information I could ever have and what’s going on at that entry point. And people still think that the only way to get intel is to go buy it from another source, and that’s it. There’s a happy medium between the two. So that’s kind of stage one is getting people to understand what information is valuable. There’s a lack of that. And then there’s a lack of kind of cultural adoption of information sharing as a whole. We have a lot of people who think of it as more of an altruistic thing to be able to share back to a community, instead of part and parcel as part of their day to day jobs, and cultural shift. Those are probably my two biggest things, lack of understanding of what’s there, and that cultural issue around, “Well, I’m doing it because I’m being a nice guy,” as opposed to, “I’m doing it because I should see it as a requirement for day to day life.”
[00:15:45] CS: Okay. I mean, can you – On sort of a macro. I guess that is pretty much a macro level. But in regards to the sort of tactical missteps, do you think that there are people who are attempting to sort of make this change? Is this a lack of resources in terms of not wanting to sort of level up? Or is it kind of like – I keep hearing about all the sort of unsecured networks and municipal infrastructure just waiting to be hacked. Is this a result of poor planning? Or even no planning? Or where do you think this is all coming from?
[00:16:15] ND: Yeah. So when I do some of my webinars and stuff, I try to ask people what they think is the issue why they’re not sharing information. So the general answers come back to lack of knowledge in some varying degree. Either they don’t understand what they should share, or they don’t understand that they could even share. And then there’s technical knowhow. Some people don’t see the technology stack as being supportive in information sharing, whether it’s coming off whatever they built out. And so that’s kind of the more down in the woods for what they are starting to perceive.
Now, technical side of the house, once again, it’s just a matter of day one putting the right things in play. Most companies have some kind of automation orchestration tool nowadays, or access [inaudible 00:17:00]. Most of these companies have access to a really quick one or two click option to share back to these communities that they’re a part of in a more human to human interaction. So kind of educating them that way to get the right steps out of the door. I mean, play for that.
And once again, the knowledge hurdles. Now from like what’s going on with the exposed infrastructure out there and the items like that, some of that just obviously boils down to unfortunate poor security practices as a whole. But if we think back to like the Colonial Pipeline and stuff like that, I think there’s a lot of lessons learned for that entire group, and us in general as a whole, because there was a congressional hearing about this, right? The gentleman in charge went and talked to Congress and got grilled on these things. And one of the questions he was asked was, “Are you not a part of an ISAC?” He was kind of up in the air about, “Yeah, I’m part of a lot of things, unfortunately,” right?
I get it in his place that that’s going to be the answer, because he is right, he is a part of a lot of groups. But once again, this goes back to a previous thing about cultural dynamics, right? Because the follow on question was, “Did you or did you not share information back to these groups?” Once again, the response was, “Don’t know.” Because, culturally speaking, they just never had the push to do that, right. So it starts from day one when you get these new people on board. If you want to secure your infrastructure, if you want to do right with information sharing and get on board with all this, you got to get the people at that junior level indoctrinated. And yes, it is indoctrination because of where things are at, and push them into this. And then at some point in time, everybody’s obviously a little bit better off for it.
[00:18:40] CS: Right. So can we talk about some sort of concrete ways to sort of implement this stuff? What are practical foot on the floor sort of way? What tangible changes have to happen for this to take place? Is that something that gets implemented via GDPR like set of regulations? Or does this require sort of changing perceptions over a long term? Like how do you sort of sound the alarm on the importance of sort of connecting everything globally like this?
[00:19:09] ND: And I apologize if you can hear my chickens. They’re outback. [inaudible 00:19:13].
[00:19:15] CS: Their opinions are valid as well.
[00:19:19] ND: Yeah. So moving towards this, first steps, once again, back to technology stack stuff as the fundamental nature of automation and orchestration and the whole grander thing of SOAR comes on holistically across smaller security stacks as we move forward. Day one should be about how do I fix the low-hanging things like my phishing? Like why you originally bought this tool device to help alleviate stress on the SOC? That’s obviously step one. Step two should be how do I get that same exact information that I’m alleviating stress from my SOC with into a playbook to just automate sharing back out? And most people, once again, they don’t think about that. They think about only how to take care of their internal stuff, because that is obviously front of mind.
And I think a lot of these companies could just take a few minutes to step back, work with whoever their appliance partner is, write a couple of quick playbooks. It doesn’t take a lot. On our part, with our orchestration device, I’ve seen a couple of playbooks that are maybe eight or nine layers deep max to do a couple quick pulse checks. It’s a relatively simple habit. When you close out a ticket in X case management system, or when you mark it with B, it’s done. It goes back out into the hub for your sharing community, and you’re done. You don’t have to worry about it. Maybe you want to go back and check feedback at some point in time. But it is a process flow perspective. And most of these people nowadays do have some of the right technologies in place to do this. It’s just getting them to take the moment to step back, implement it.
And then from a federal regulation perspective, I’m all for kind of mass breach notifications that are being mandated. I think that impacts a lot of people obviously, and people have the right to know as quickly as possible. However, I’m not necessarily on board with federal mandates for information sharing outright. I think the guidance is there. I think the appropriate legal structure is there, because a lot of people do worry about, “Well, if I share my customer’s email address, am I going to get in trouble for a breach of PII?” And if it’s in the confines of an actual incident, the answer is always no. And the next question is, “Well, if I share this, and the FBI finds it, are they going to come knock on my door and write me up for something?” And the answer to that is also no, legally speaking.
So if you’re sharing information, PII, or anything sensitive like that with an [inaudible 00:21:42] actual incident, or actual intel, or something of that nature to a community, the FBI legally is not allowed to take that data and correspond it to some kind of legal investigation. I think that gets a lot of people over the hump for that, “Oh, my gosh! Bad rep thing.”
And then on the flip side of this, DHS and FBI, especially DHS [inaudible 00:22:05] programs in play that want to help you do exactly that to help you investigate that data without bringing you up on legal charges for breaches and all this other stuff. Because once again, you offer them to come in. All that data they consume to help you with the investigation, they can’t take and put into an actual legal investigation. Once again, bylaws are there plain and clear.
And then they can help you package it up. They can help you ship it back out. And back to Colonial, that’s probably loosely what happened. Colonial didn’t release any observables until the FBI did. I.e. the FBI did it basically for them. Once again, could they have done it themselves sooner? Yes. Had they had a better standing in play? But did they have the opportunity or the knowledge? Probably not. Hence, not being there. But FBI came in. Took that same data about three days later, four days later, after they were brought in and said, “Hey, guys, here’s all the stuff for this recent ransomware attack on Colonial.” And they released a wonderful public report about it. And what happens later is a little bit different. But they were able to help with that and package the data up. So there’s wonderful ways to do this. I think if it’s a big scale breach, getting DHS or FBI involved isn’t a bad thing. They’ll help come in and package stuff up. But, hopefully, in between those, you can automate and orchestrate out some more of that flow. You can, once again, from the ground up, beat people in the head and say, “You know what? You’re not doing this out of the niceness of your heart. You’re doing this because it’s a mandate for your job.” And you’re not looking for kudos. You’re looking simply to hopefully get something back from this process from a feedback or additional intel out of the community, because the more you share, the more it incites other people to do the same.
[00:23:40] CS: Yeah. So realistically speaking in that, what do you think some of the pain points or areas of friction that might prevent mass threat intel sharing from taking place? Is it coming from lack of knowledge about the threat, or lack of resources, or just reticence about adding yet another heavy item on the to do list?
[00:23:56] ND: Yeah, it’s all of the above, unfortunately. When I worked at the retail ISAC, I saw there was a company out there that legally they were able to consume data, they were able to join like a Slack or messengers channel or something like that. But they were never allowed to comment even in that channel, even if it was just to say hi. Basically, they were told you’re not allowed to say anything in any of these channels. You’re not allowed to post anything, do anything no matter what, even if it had nothing to do with cybersecurity. And then on the flip side, there’s companies out there that have created a role that says you are the information sharer for this company. Your sole purpose in life is to liaise with all the communities we’re a part of both federal, and private, and nonprofit, ISAC, ISAOs, all that fun stuff. And so, once again, the dynamic shift between be quiet and only read, and congrats, this is all you’re doing, is sharing information. It’s a weird spectrum to see within the communities out there and how people have approached it. But by and large, the technology hurdle and the understanding of what’s available for you to share.
I tell people, share a single IP address. It doesn’t matter how much context you have around it. Just share it. Put some WHOIS information in there, and tell them why you’re sharing it and why you think you should share it, whether it’s because you would like more information on this, or because it hit the firewall. You may have blocked it. But maybe it’s a recurring IP address that you just have no clue why it’s coming in. It could be something completely mundane. It could be someone’s cellphone that you didn’t let through to get to your interweb, right? Or something like that. Put it out there. And almost always, someone’s going to come back in almost every community I’ve ever been in and be like, “Oh, that IP is related to this, this, this and this.” And maybe on occasion, you get the, “Oh, this is a mail spam campaign. This is a VPN bot, whatever it may be.” And it’s just getting people to do that one little initial nugget to understand the total value of what they have access to. And then once they do that and they get even one response, the floodgates open. And then next thing, they’re your top information sharer in that community for months.
[00:26:03] CS: Yeah. That sounds so much like you hear in like true crime documentaries, where it’s like this person was happening in several different counties, but like the police departments didn’t share their information, because it was so proprietary. Just kind of coming and going. Well, it couldn’t be the same guy because it’s down there, and whatever. So is that a similar thing there where you think things are kind of falling through the cracks simply because everyone’s kind of like holding on to their own information? And like you say, not just doing that kind of like stab in the dark? Like this is weird. You want to take a look at that?
[00:26:37] ND: I do. That gets us into kind of the fundamentals of like the federal fusion centers back when they first stood up a little bit, both the private public sector mashups, as well as the actual just fusion centers inside our own intel operations and the government, and what we’re doing here in the private space, out here in the commercial world. I completely think that. I see this inherent to even a company not just within a community where – So back on like maybe a financial company or a retail company, again, who has a financial presence with their membership base. They have gift cards. They have point of sale systems, right? They have all this other potential fraud avenues. Even their website for fraud, shopping, all this stuff, Amazon, stuff like that. But then in a lot of these companies, the SOC operates independently because they’re focused on corporate security. And so the fraud team may see a DDoS against – Well, let me rephrase. The SOC team may see a DDoS come in against the network somewhere. And then the fraud team may see an account takeover attempt around that same website, and they just kind of cross in the night. And until you start to mesh up the dots, you don’t realize that that DDoS was a precursor for an account takeover attempt for your customer information.
And then that happens within sharing communities, same thing to your point. I see this DDoS event on my website, I may not publish it because it’s so low-hanging fruit. But still, it’s a DDoS event. It may be a couple hundred megs, or maybe a gig, and maybe had to rework a little bit. That’s about it. But that event could have been something that was a test, a recon, some kind of recon ordering against your technology stack, because now they’re going to go after the mom and pop shop that you’re also friends with in your membership base who has the same exact technology, and it’s more wide open and more susceptible to this type of event. So you probably say, “I should get these things out there.” And then when it happens, the mom and pop shop goes, “Oh, it’s the same exact botnet that’s hitting me. How did you mitigate this? How did you handle this?” So yeah, definitely, there’s a lot of information that goes missing. The little nuggets, the single IPs, the singular hashes, or even the subject line in an email that comes into your system. Threat actors, as a whole, minus the really advanced guys and gals out there, don’t modify what they do a whole lot to go from you to another to another. And that’s to our advantage for the moment, right? Same thing with mail spam events. The only thing that changes is the little numbers, right? But it’s open your DHL package, blah, blah, blah, blah. All these things like that help build a bigger picture of the scale, the capacity of the threat actor, and better mitigation strategies for everyone in play. So, definitely.
[00:29:15] CS: Okay, so from a career standpoint, can you talk about the current state of threat intel and open source intelligence as a job? Like if you were hiring someone right now, what types of skills, or background, or natural talents would you be looking for as indications that this is a person that could do this job really well? And are there sort of different subsets of this type of job that can fall under a big overall umbrella of threat intel?
[00:29:39] ND: Yeah, definitely. So it’s definitely a hierarchical kind of growth pattern. For the junior people, in my opinion, anyone who’s done a really good job in college, or in high school, or some kind of program, just doing basic research, categorizing it, capturing it and packaging it back together in something coherent, is a great person to start off doing open source research or any kind of intel research for that matter.
[00:30:03] CS: I’m sorry. Can you talk about like what kind of research you would be doing in high school or college in that regard? Like what are you cataloging at that age?
[00:30:12] ND: Yeah. So in high school, funny, there are some programs called – Or CyberPatriot and some other programs out there that focus these guys on doing SOC type things, right? But really, anyone, research agnostic topic wise. If you can come and put together stuff that you’ve done online and form a coherent statement around what this data is, source it accordingly, screenshots, basically your own personal forensic path of how you did your research. I don’t care if the topic is how to woodwork a bed, or how to take down an APT. If you’re cognizant enough on how to get around the internet and package the data up into a report style format that someone like myself can consume multiple times and make bigger pictures out of, that’s step one for me.
I’d rather see someone who’s very capable at capturing their research regardless of topic and packaging it up, than someone who is focused on cybersecurity, but has no idea how to write it up. That’s kind of junior stage one for me, getting someone who’s a research specialist. So we have people in journalism that do this, right? We have people in legal law firms. All the support staff for legal companies that do all that type of stuff, right? Those are people who I think are critically earmarked to be able to support cybersecurity in a first stage effort. And then they come into the terminologies a little bit more. They understand the fundamentals of what the topics are within cybersecurity. And then once they get there, things start to help package the data up and make assessments on that data. You can start to point them at particular flavors, particular locations, and have them make assessments on, “I saw bad guy A in this forum talking about ABC. Also saw bad guy B over here talking about that. I think they actually mean this.” That’s kind of the next echelon. We start actually analyzing information and providing your own two bits, your comments, your assessments on info. And it’s a growth pattern for that.
By the time you get 8, 9, 10 years into this, you’re hopefully writing intel requirements. You’re hopefully mapping this out to business risk. And so taking it the other direction, someone who understands how to talk to a C suite or CISO about actual business risks, but then also talk to the SOC, or has worked in a SOC, but understands business risk, that’s someone who can be an intel analyst in the true sense of, “We’ve got all these requirements for the SOC. I need to know how to map those intel requirements, those threats, and all those things out. But I need to tell the C suite why it actually matters.” And that’s a unique skill set. Someone who can translate business risk to actual cybersecurity risks and those threats, and then make the dollar requests line up and actually get funding for all these things. Because you told the C suite, “If I don’t get A, it’s going to cost us B.” That’s a unique skill set in and of itself, for sure.
[00:32:55] CS: Okay, so for real beginning newbies, people in college, people in high school or whatever, like your task for tonight really is to like sort of like look in your community and figure out sort of points of data that you can somehow synthesize and put into a report, whether or not you can send it to anyone right now. Because I’m trying to get – We have so many people who have zero to four years of cybersecurity experience that listen to the show. So I’m trying to get a sense of like what could you do tonight? And it sounds like there are fewer sort of technical requirements and that you’ll learn the tech on the job. But if you start with a sort of like a research mindset and just start making research analysis without expectation of it going anywhere or whatever, like that’s going to train your brain in the right direction. Is that the right –
[00:33:44] ND: Definitely. Yeah. I think that’s a great start. Now, for those wanting to go from intel analyst, or starting at that research phase, and maybe do more actual incident response, obviously, that’s a whole different path. But I’m going to plug a couple of quick things that I think everyone who doesn’t have a military intel background should read and/or look to consume. There are the blatant ones, like the SANS courses. Their threat intel course is run by a Marine and a few others that put all that together. Way more intelligent than me on how to teach and educate. And they’ve also written a book that’s published by another vendor called The Security Intelligence Handbook. That is also a great book to get you onto the road for being an intel analyst in this world and understanding what security intelligence is, and threat intelligence, all these other variations of being an intel analyst.
But yeah, once again, at the end of the day, be able to produce a valid product, regardless of type of material. Capture what it is and the sources and all that fun stuff. And that to me is what I look for. Obviously, to be fair, probably large companies are also hoping that you understand cybersecurity. But, to me, that’s stage one. Just be able to do data research, be able to package it up, be able to make heads or tails of what actually is valuable within that topic.
[00:35:03] CS: Great. Now, do threat intelligence and open source threat intelligence analysis have a similar skills or hiring gap right now as other areas of cybersecurity?
[00:35:13] ND: Ah! I guess I’m kind of devil’s advocate to the skills gap discussion, and to be up front, to answer your question in a roundabout way, I would technically say no, because I think there are so many people that are really out there trying to break into this career field at any level. There are so many people that take the time to take those 24-week boot camps by like UT or some other, these universities, to get those core fundamentals of being like a SOC persona, right? There are people who go out there and take time to take these SANS courses, like the CTI course and all that stuff. So I would technically say no. There’s not a personnel issue from being able to find people. I think it goes back to just people willing to take a risk on someone who doesn’t have the actual like in-the-office experience, but they technically have the background, they’ve done the training, they understand the fundamentals of what’s there. And so for OSINT and threat intelligence, we’re kind of in, once again, a little bit of a paradigm shift where my group of guys and gals coming out of the military are kind of the first ones to get off of active duty and come into this career field in the private space. But now we have all these universities that have threat intel degrees, or intel specialists and all this other stuff. So, in my mind, there’s really no reason why you shouldn’t be able to find someone to at least get started. You may have to take a risk on a couple of people, but they’re out there. There are people willing to do this.
And I personally talk to several of them maybe two, three times a week on LinkedIn that are looking for advice like this. So this is one, this is a great podcast to point them to in general. But I get pings two, three times a week about, “Hey, I just finished X bootcamp. What do you think I should do next? Or how do you think I can get a job?” All that other fun stuff. So there are plenty of people out there for these roles. We just need to kind of lower our actual expectations and that interns [inaudible 00:37:06] 10 years of experience for free, or we’ll give you coffee, that’s your salary, intern salary, 10 years of experience, things like that.
[00:37:15] CS: Right. Yeah, I think that’s what we keep coming back to, is that all this hunt for unicorn candidates is really sort of causing a bottleneck that doesn’t need to be there.
[00:37:26] ND: Exactly.
[00:37:27] CS: Yeah. So as we wrap up today, tell our listeners about the company where you currently work, Cyware. I can see Cyware Threat Intelligence eXchange behind you there. What products does your company provide? What’s your work there? And what are some projects you’re especially excited about right now?
[00:37:42] ND: Yeah, Cyware as a whole works back on the collective defense thought flow, and works on cyber fusion as a whole across our product space. And we do that across four primary product offerings now, as we’re building out a few more unique things. And we have a portal for the ISACs, ISAOs and communities that we call CSAP. It’s really good human interaction, chat, info sharing, all these other fun things, feedback mechanisms. That’s where I personally spend a lot of my days as the ISAC liaison guy, working with those communities. The threat intel platform, CTIX, behind my head here. You can’t have SOAR without a TIP. And so we have a TIP that does all that kind of intel management type functions and low-key automation and stuff like that. Then we get into the case management and orchestration pieces of that for the automation fun play.
So we take a holistic approach to the whole picture of SOAR in our whole product suite. At the same time, each is pretty modular in how we can deploy them. So if you don’t need a TIP, you have one. Cool, we’ll plug in our case management with you or our orchestration device into whatever it needs to be. So Cyware is very focused on the fusion concept as a whole.
Something I’m personally really excited about is we’re really overhauling how we do intel management and how we handle the communities at large. We’re doing this pretty large push to find better, more interactive ways to get those individuals within the communities into the information sharing wheel well. And that’s going to come down to a lot of hard work on our part to integrate with more disparate technology stacks, other case management systems, browser plugins, all these other fun things, because our goal is to make the communities more efficient, make them quicker and make it easier for people to share. And yeah, it’s probably my number one thing. I’m excited to get my hands into this year, before the end of the year, and just be able to give these tools out to some people that are aching to do the information sharing. Once again, time, knowledge, technology, and help overcome those three primary hurdles for it.
[00:39:36] CS: That sounds great. So one last crucial question, if our listeners want to know more about Neal Dennis or Cyware, where can they go online?
[00:39:42] ND: Yeah. So cyware.com, definitely a good place to stop by. There are a couple of open source intel feeds that you can subscribe to for free and get a little bit of a taste of the platform. For me, I’m easiest to find on LinkedIn. And I’m not a Twitter man outright.
[00:39:57] CS: We’ve already heard that people ping you already, and you don’t mind. So you heard it here first.
[00:40:04] ND: Definitely. Yeah, hit me up.
[00:40:05] CS: Okay, great. Well, Neal, thank you so much for joining us today and giving us this important perspective. I really enjoyed talking to you.
[00:40:11] ND: Awesome. Thank you, Chris.
[00:40:13] CS: And as always, thanks to everyone listening at home, or at work, or at work from home right now. New episodes of the Cyber Work podcast are available every Monday at 1pm Central both on video on our YouTube page and on audio wherever fine podcasts are downloaded. To read Infosec’s latest free ebook, Developing Cybersecurity Talent and Teams, which collects practical team development ideas compiled from industry leaders, including professionals from Raytheon, KPMG Cyber, Booz Allen, NICE, JPMorgan Chase and more, go to infosecinstitute.com/ebook and start learning today. Thanks once again to Neal Dennis. And thank you all for watching and listening. We’ll talk to you next week.