Security Unfiltered

From Intelligence Analyst to Cybersecurity: Scott Small's Journey and Insights on Geopolitics

Joe South Episode 169


What if you could pivot from a career in intelligence analysis to becoming a cybersecurity expert, all by leveraging self-taught skills and open-source intelligence? Join us as Scott Small reveals his inspiring journey, transitioning from dealing with physical security threats to mastering cybersecurity. He shares the invaluable role of supportive hiring managers and highlights how programming in Python opened doors in the private sector, showcasing the diverse paths available in this dynamic field.

Creating your own opportunities is crucial in technical fields, and Scott emphasizes the power of initiative. From starting a blog to contributing to community repositories, he offers practical advice for building a robust portfolio. We also discuss the importance of networking, the impact of geopolitical events on cyber threats, and how storytelling bridges gaps within the security sector. Scott’s insights provide a roadmap for aspiring professionals eager to break into cybersecurity.

Artificial intelligence is revolutionizing cyber threat intelligence, but it comes with its own set of challenges. Scott and I delve into the complexities of AI-generated data, the necessity of rigorous validation, and the importance of frameworks like MITRE ATT&CK. We explore enhancing detection capabilities and the role of consistent practice in writing and data visualization for professional growth. Whether you’re a seasoned expert or just starting out, this episode is packed with actionable insights to help you navigate the evolving landscape of cybersecurity.


Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today

Speaker 1:

How's it going, Scott? It's great to get you on the podcast. I think that this has been in the making for a while now and I'm really excited for our conversation.

Speaker 2:

Yeah, for sure, joe thanks a lot for having me on.

Speaker 1:

Looking forward to chatting as well, excited about it. You know, what made you want to get into IT, what made you want to get into security? Because, you know, I find that if other people that maybe are looking to get into security, or maybe they're trying to get into IT, hearing a similar background is always very helpful, right, because you can get into that mentality of, oh, this isn't for me, I don't have the right background, right, I didn't start coding when I was 10 or whatever. You can get into that mentality, and hearing someone else with that similar background, right, you can say, oh well, maybe if he did it I could do it too.

Speaker 2:

Yeah, absolutely. So I totally agree with you. I've been very much driven throughout my career by, you know, watching others that I admire and learning about how they kind of grew, and either folks from a distance or people that I knew directly. So, yeah, I've had very much kind of a winding path to cybersecurity. I'm more and more convinced every day that no one has a traditional path into this field, and I'm very representative of that.

Speaker 2:

So I kind of always, from a very early age, wanted or hoped to work in security and national security specifically. I always figured that I would work for the government, a three-letter agency. That actually never has been the case, but I've loved the career that I've had so far. So I actually did academic studies in security studies, but it was very focused on physical security and international security risks and geopolitics, and that's actually how I started my career. So I got started working as an intelligence analyst for a firm that looked at country-level risks for physical security threats, so things like terrorism and even down to drug trafficking and cargo theft, so very different than what I'm doing right now, but it actually very much introduced me to first of all on like open source intelligence and research and also just thinking about kind of risks generally, which is very, very important for security, taking a little bit higher level look at what you're doing, but really about how it works.

Speaker 2:

From there they kind of started the transition to more quote-unquote, traditional cybersecurity. My experience with doing research online honestly taught me a lot of the skills that laid the foundation for what I'm doing right now. So being able to look up and find information that you're searching for led me to looking at threats that were playing out online so threats to brands, phishing and domain risks, things along those lines and then that kind of transitioned me more into what is probably the more traditional cybersecurity and the technical skills that I now have. So starting to dabble in entirely self-taught in programming and Python, but just realizing that those skills were literally necessary to do data analysis and intelligence research. And that brings me to my current role, which is Director of Cyber Threat Intelligence for a software as a service.

Speaker 1:

Yeah, it's really, it's fascinating. You know, I've done over 200 episodes at this point and I haven't heard anyone else with almost a similar background to mine, right. But you know, you kind of had that same mentality, or I did as well, where I went to college and I fully intended on working at a three-letter agency, fully intended on, you know, living abroad and, you know, going to the darkest hole on the earth to, you know, do whatever, right. Like I fully intended on that. I applied several times, never worked out for whatever reason. It was very frustrating, almost heartbreaking even to me, and so that's just really fascinating, right. Like I've never had someone else on that was like, oh yeah, I wanted to go down this path and I ended up in IT, you know. Yeah, for sure.

Speaker 2:

Yeah, yeah, so I've definitely been there. I know exactly what you mean, and it's really, it's been so fulfilling working entirely in the private sector. I was definitely fortunate at the time that I was graduating that an opportunity opened up that was near my college and I was able to get that foot in the door. That's so important. But I'm very, very much seeing a lot more opportunities in the private sector right now, which is very encouraging. There's just so many more of them available that people can get their start, and if they transition into maybe what they thought they might be doing, then that's great. But I think getting the experience is going to open your eyes so much to so many different paths that you may never want to go back to the way you originally thought, because that's very much kind of how I was in the beginning as well. But, yeah, cybersecurity roles, intelligence roles with large organizations, banks, all types of companies, everyone has digital assets, everyone has cybersecurity needs and, finally, the jobs are starting to drop.

Speaker 1:

We're in a weird spot right now, in 2024, but it comes and goes. Yeah, that's fascinating. You know when you were. So when you were, you know, in college, I guess, looking at that first initial threat intel job, did you do any online training? Did you do any certifications? You know what was? What was your entry path other than that degree in? You know, in security? Right, because a lot of people are trying to piece that together and they feel like, oh, this is an industry where I need direct experience. Right, I need that experience. I need that 10 years of experience coming right out of college to get in and whatnot, and that's not typically the case, right, if you at least have a halfway competent hiring manager, you know they'll understand like, hey, we can take someone out of college, but what was that like for you?

Speaker 2:

Yeah for sure. So it's definitely super tough. Even entry-level jobs are looking for some sort of experience, which is a complete catch-22. What I really credit to allowing me to get my start it literally helped me kind of bump up above a few other candidates when I was getting my first job is my college program, and this might be a little bit specific to Intel and cyber Intel, but I know it's important for cybersecurity generally or anyone doing Intel type of work.

Speaker 2:

My college program had basically like an intelligence newsletter that students were... It was optional, I think now it's actually required, which is probably for the best, but you could work, you know, as an extracurricular to support this newsletter. Essentially, that gave me the foundations. I had no idea what I was doing when I started working on it, but just through trial and error, again doing some of that online research, learning how to analyze a news report and a news story and then write about it. It's, I think, kind of common knowledge these days, but if it's not, writing skills are super important, or just communication ability. At the end of the day, whether you're doing a written term, that experience starting in college allowed me to reference back and say, hey, yeah, I mean, it was a club basically, but I have examples of a small portfolio that I can point to that allowed me to do that. Yeah, I was putting in some extra time on top of classwork, but again, it gave me that foundation to be able to reference back to.

Speaker 2:

So not every program has that, but it was definitely something that actually encouraged me to go to the school that I did and be riddled. So, as you're evaluating and getting into a program, see if they have something like that, or there's increasingly community initiatives that maybe you can contribute to as well these days, which is encouraging too. We can go down the discussion of certifications. I actually do not have probably any of the major well-known certifications. Again, I think I was lucky to have those initial work experiences and the club experience in college that I've been able to keep building upon, so it's not that they're not important. If you want to go that route, that's great, but I just want to encourage folks that it's not an absolute necessity, and fortunately there's some new, very encouraging free certifications as well. There's like a Google Foundations of Cybersecurity that I've heard really good things about as well, so it doesn't have to be even paid. You can do things with free resources too.

Speaker 1:

Yeah, it's interesting, you using that newsletter, right, to kind of pivot into the industry to some extent. And I feel like people always get caught up in, you know, no opportunity being handed to them, right. You know, I'm just thinking back to when I was in college, right. Let's say I wanted to go down that security path. Right, I'm doing everything that I possibly can to get in there, right, because I know after school I need experience. Everyone's going to want something, you know, to some extent that you can at least talk to. Right, and if they don't have that newsletter, you know, say I'm in your situation. They don't have that newsletter.

Speaker 1:

I'm going to try and put something like that together on my own, and maybe it is only, you know, unofficial to all the students, you know, at my college or whatever it might be, right. It doesn't have to be an official sort of thing, but doing that analysis, doing that breakdown, getting that practice in, even if you look stupid to the other 20,000 students at your school, right, and it's just another email that they delete immediately, you're still getting that experience. You still have a body of work that you can show for it. You know, and I think that that is also something really critical that people miss oftentimes, right. If the opportunity doesn't already exist for them, it's like they're stopping right there and they're saying, okay, this probably isn't for me, when in all actuality, it's like no, there's a gap. Like you saying that there's nothing there. There's a gap, obviously, and you should be working to kind of fill it.

Speaker 1:

That's when I decided to start this podcast. Right, I felt like there was a gap between getting someone's honest, unfiltered opinion in different areas of security, getting their unfiltered story of how they got in. When this episode goes live, one, this sentence will be in it, and two, your story is going to be untouched, right. So I give people the opportunity to tell their story how they want it to be told, and that's something, you know. Go to these other podcasts, right, I'm not going to name any, because I know a lot of the creators and I like them, right. But you go to a lot of these other podcasts and they're cutting up and dicing up these interviews, and it's like, man, I don't know that person at all, right. It's a different feel.

Speaker 2:

Yeah, yeah, for sure, and it is pretty rare, and you know, if you haven't had the opportunity to go to the conferences and all that and do, you know, face-to-face networking, you're going to have a certain impression of folks from a distance. So I think that's definitely super important. Huge advocate and fan of the networking. It's not easy to do. I think most of us are introverts, but I always find it actually easiest to talk about when we're talking about technical subjects and things that I know are in the least interest of them. That's where I'm actually super capable of doing that. I definitely wanted to validate or support the Institute about just working on something, because if, yeah, there's a chance that a gap does exist, or even if it doesn't, it honestly probably does. But even if it doesn't, the experience of working on something is going to let you grow and evolve, or, if nothing else, have that portfolio.

Speaker 2:

I have seen actual criticism, at least in my discourse, of people writing blogs that were kind of reiterating something that was already out there. And no, don't go copy what other people have done. But even if you are kind of re-analyzing, re-synthesizing other stuff that's already out there, you will grow as a researcher and an analyst in doing that. You'll learn so much. So, yeah, go out there.

Speaker 2:

Set up the Medium blog. Do something on GitHub, it's completely free. You know, bare bones kind of thing. It's not just about writing. I don't want to make it seem like that. If you are more on the pure, you know, coding or technical side, I've contributed to specifically push myself with my skills to. There are community repositories for creating, like, cyber detection rules. You can go learn about the format that they use. There are great trainings out there and you can contribute to the main repository. Put that on your resume. That's an actual contribution that you have made, and you probably learned a lot along the way too. So there's lots of projects out there along those lines. Yeah, it's a really good point.

Speaker 1:

You know, someone was talking to me years ago about how to get their start as a developer. Right, it wasn't even getting into security, like they just graduated and they couldn't land a job as a developer, and my very, very first question to them was, do you have a GitHub? You know, like, what's your GitHub? How is someone going to hire you if they don't know, you know, your work, right? Like, as a developer, that's probably your most valuable thing. I mean, like if you were going to invest time anywhere, it should be your own personal GitHub. Yeah, and you know, I think he didn't take my advice very well and he's still in the same position, you know, that he was in before. It's like, man, you have to take that initiative. You know, if you're not taking that initiative, you're probably not going to go far in this field, right.

Speaker 1:

But to kind of circle back to threat intel, right, with the craziness in the world, I always wonder how that impacts the different attacks that you might be seeing, potentially in different specific countries that may not be a part of a kinetic attack right now. Let's just use what's going on with Israel, Palestine and whatnot. Right, what's going on over there? Does it impact the EU in some way? Does it impact America in some way? Have you noticed anything like that with the different threat feeds and whatnot?

Speaker 2:

Oh yeah, absolutely. I think in many ways, most ways, cyber is kind of a reflection of the physical space, for sure, both in terms of attack surface, so as we see more of a shift towards cloud environments, we see attackers shifting that way, but very much in a geopolitical context as well. I think probably one of the most notable, most recent. So we can definitely go back to kind of Russia, Ukraine and maybe the attacks stemming from there. The one that's been top of mind for us, we tracked very closely with the conflict in the Middle East, attempts to disrupt any operations, organizations, countries that had any remote association with Israel, and some of these attacks actually were quite disruptive, or at least had the real potential to be disruptive. Quite a few of them are.

Speaker 2:

When we talk about hacktivism, it is traditionally seen as maybe a less impactful type of attack. Many actors have maybe, let's call it, basic ways to, you know, get their name out there, maybe promote a message and deface a website, and that's notable against media usually. But it's not the most disruptive attack. What we did see is adversaries, most likely aligned, if not directly supported, with the Iranian government, going out and successfully into critical infrastructure in the United States, water utility organizations, and what they were doing, targeting them, maybe because it's, you know, low-hanging fruit, but because of the attention that it was going to get.

Speaker 2:

Hey, we hacked a water company in the United States, and putting up defacement messages on the actual controllers for some of the water facilities and treatment plants. Definitely something that got a lot of attention. But they were in a network for critical infrastructure, and that does show that there was at least potential for something serious. I think they adjusted some water levels. It didn't lead to running out of water in a town or whatever, but it was more notable than a basic website that they used.

Speaker 1:

Yeah, it kind of sounds like they may have been kind of just more testing, right, kind of like, well, let's see if we can get in. Oh, we got in. Well, let's see if we could, you know, change water levels. You know, we won't do anything that'll damage anything right now, and then let's show that we were there, right, let's prove it, let's deface it, make sure that people know that we were there, whatnot. We do see that a lot, and I wonder, because, you know, right now we're really in a tumultuous time, kind of all over the world, you know, and in America, for sure. You know, it's election season and, you know, as being a security expert, right, or maybe that's the first time I've ever called myself a security expert, but being in security, right, you kind of identify different attacks, different attack vectors, you know. Because I'm starting to think, if I wanted to control how a population thinks, I wanted to control how a population votes, right, irrespective of the actual attacker, how am I going to do that? Well, I'm going to do that, you know, through social media, I'm going to do that through the news, I'm going to do that, you know, from all these different angles and whatnot. I think I kind of shield myself from it, right, because I do like 15 minutes of Twitter a day and that's like more than enough internet for me for the day. Right, I don't watch any other news or anything. But you know, as a security person, right, I'm starting to think like that could absolutely be propaganda, or this news outlet could absolutely be influenced in some way, even if they are unwitting to the influence.

Speaker 1:

Right, are you also tracking, you know, threats like that internally in America? Because it's always very easy for us, I feel like in America, it is so extremely easy for us to think of an attack, think of a terrorist attack, a kinetic attack of really any kind, and I mean we just think about it in another country, right. It's so hard for us to ever think of even the riots that take place in the EU, in France, for instance, in the UK, for instance, of that level of, I don't want to even call it violence, but you know what I'm saying. It's a different kind of riot than what we would ever experience in America. It's hard for us to picture that internally, right?

Speaker 2:

Yeah, yeah, for sure. Yeah, I mean, I think we have witnessed, and we are very much still in the thick of it and we will continue to witness, this information inability to kind of trust and rely on, basically, in my opinion, you know, most of what you're reading, especially on social media. Do you think? You know, given my career, I've always taken a lot of skepticism to basically anything that I read, because you don't have to do that if you're talking about sources, but, man, you absolutely have to with basically everything that you're reading. Not to say that you can't trust anything. You have to have some sort of kind of baseline, but you can't just go in and take everything at face value, or a lot of it.

Speaker 2:

We absolutely saw an impact on our previous elections with disinformation and influence operations, and we're seeing a lot of those kinds of activities kind of playing out right now. I think the, you know, the damage has been done in terms of, you know, weakening confidence in, you know, the information that's out there, and so I think we're just operating, at least right now and for this next election cycle, under kind of the new normal. Unfortunately there's no, you know, kind of consistent way to go in with verifying, you know, who you are and what you're publishing out there. There are some systems, but even those are being manipulated with everything that's at Twitter and X right now. I think one thing that's been really interesting, I never would have wanted it to play out this way, but with the change in ownership at Twitter and X, I mean, I think, most of us, I can say that my feed has dramatically changed, without me changing anything in terms of, you know, what I was following or anything.

Speaker 2:

The nature of the information on there has just changed, and so, you know, that's been, I think, maybe kind of a wake-up call for more folks, and there's not a lot of remediation to be. There is. I've used the platform so much less now. I, you know, never used it much for personal purposes, definitely not anymore, but even for, you know, work purposes it's useful, um, right now. So I don't know, that's a bit doom and gloom, but if nothing else, I think, a lot more wake-up call to what is going on. This is easy to get siloed and maybe isolate yourself away from the worst of the disinformation. Previously that's how I saw myself, but now you can't avoid it.

Speaker 1:

Yeah, yeah, it's a weird place right now, and, you know, full honesty, right, like I think I had a Twitter account, you know, back when it was Twitter, right. I never, like never, literally never used it. I think when I actually decided to start using it a little bit more, it was when this podcast kind of kicked off. Right, it was actually probably like a year or two into it being kicked off, so it wasn't even like an immediate thing. So that kind of coincided with new ownership, and I've only seen this feed being just like, I don't know, I constantly feel like I am being socially engineered to some extent when I'm in my feed. And I'm not like, I'm not someone that's like anti, you know, Elon or anything like that. Like I drive a Tesla, my wife drives a Tesla. Like I like the product and all that sort of stuff. Right, like I like SpaceX, I like space overall. But so I don't have that reference point of like beforehand, right, because I literally didn't even use the platform. But now I mean, like when I go into it, it's just like, it's depressing, because I'm not really into politics, you know, like that's not really my thing, even though I kind of studied it a little bit in college. But like now, it's just like nonstop, you know, telling you about one side or the other.

Speaker 1:

And one thing, you know, that you mentioned that I recently experienced, right. So I saw someone post, like on Facebook, saying that, like, you know, ChatGPT didn't even acknowledge, you know, the assassination attempt on Trump's life, right? I was like surely, surely that's incorrect, right, surely that's wrong. And so I went into ChatGPT, and I pay for ChatGPT for different reasons, right, so I have that enhanced or whatever it is, you know, the enhanced capabilities of it, and I go into it. And I just asked a simple question: when did the assassination attempt on former President Trump take place? And it took it a couple minutes, right, and several prompts of me saying, no, you're wrong, it took place in 2024. No, you're wrong again, it took place in Pennsylvania, 2024.

Speaker 1:

Like I literally had to feed it the details of that attempt for it to acknowledge and say, oh, I was wrong, you know, it took place on this date, this time. These people were involved, right, like, and figured, okay, well, this is an LLM, right, so it's learning from me, kind of like I'm also learning from it, right? And so, surely, a couple of days later, I went and tried the exact same question. Like I literally just started a new chat, copied the question that I had initially, put it into the new chat, and it gave me the same kind of response. Right, no, that never happened. And I'm just sitting here like, this is like blatant disinformation. Like whether you're right or left, right, like we're not even talking about politics. Like this is a historical event that occurred and they're trying to say that it didn't happen.

Speaker 1:

But it's like, what is going on here, you know? Like it's crazy.

Speaker 2:

I think, not to spin it too optimistically, because it's not optimistic, but I think the process that you took is exactly what I want to see happening more. And again, it's unfortunate that we have to do this. But I mean, I would have encouraged this, and I think this would have been smart, you know, 10, 20, 50 years ago, to kind of evaluate the information through that lens. So you took an approach that I've definitely had before, which is like, there's no way that that's right, but then you actually looked into it a little bit and you tried to experiment with it yourself, and at the end of the day it is very unfortunate that it was correct. But taking the lens and then taking the steps to kind of look into it a little bit yourself, man, that is super important, and I'm not trying to paint it too rosy, but doing some of that evaluation yourself teaches you when red flags should go up and maybe when you can trust something a little bit more, without needing to check every single thing. So, you know, the issues are present on both sides of the aisle. I feel pretty confident it's worse on one side, but it's definitely an issue on all or both sides. So you always have to take all the information through at least some sort of critical lens, for sure.

Speaker 1:

Yeah, yeah, absolutely. It's kind of the unfortunate state of the world, you know. Yeah, like, you know, when the 2020 election was going on, you know, there was a huge push for, like, fact checkers and, you know, all this sort of stuff. Right, and me, being the security person that I am, my first question was like, well, who runs the fact checker? Because if I'm an opponent, right, or a threat to America overall, and I want to influence the population, well, don't I just have to go and buy whoever owns that thing? I'll just pay them off and have them tweak it a little bit, right? That was my biggest thing, and I had some friends that were like, oh, you're just a conspiracy theorist. I'm like, no, that's what you do, that's literally what you do. That's what America has done in other countries. That's literally what we've done all over Africa. That's literally what we've done in other elections. It's not necessarily like a Russia or Iran or name your opponent of America. It's something that we've done. It's just something that I always tell people. You know, yeah, you can trust different sources. But if it sounds just a little bit off or a little bit weird, right, like you should absolutely do your own checking there.

Speaker 1:

There's been several times when, and I'm not saying I'm on the right or on the left or anything like that, I'm literally not trying to have a biased, you know, discussion about it, right. But there were some, like, you know, accusations, right, that were made about Trump saying something, and I had to go back and find the actual, like, the legit video, right, and I had to basically watch it all the way through. It came up to the point where he said what they claimed he said, and they took it completely out of context. They literally took different words in the sentence, put them together as if it was his only statement in that sentence, and it just took it completely out of context, right. And I'm just sitting here like, man, this is frustrating, right, because I'm someone that'll do it, you know, if I'm interested, you know, if I have the time or whatever. Right, and I'll do it, you know, for both sides, all sides. It's really frustrating because 99% of the people out there that are not in security, are not in threat intelligence at all, do not have the background in international relations and politics and whatnot, like you and I might do.

Speaker 1:

They're not going to do that. They're not going to do the research, right. They're going to take whatever news outlet they believe in and take that as fact, and then take everything else as wrong, and it's like we're in a weird place. And I apologize, I mean, I didn't mean to take this conversation in this direction, right, but I think it also plays into threat intel, right, because we're in a really interesting time where, as a threat intel expert that you are, right, and as a security person that I am, we're seeing some of these tactics, you know, being played out in real time, like against actual populations, and it's an interesting time. Yeah, no, you're absolutely right.

Speaker 2:

you, you, uh, you know, uh for better, for we can't get away from a lot of these topics because they touch literally everything, including cyber. For sure, I think, one of the things that stands out that loops back very directly to what I do and AI, uh and and increased interest and desire, and there are a lot of benefits of using AI for cybersecurity, but that automatically introduces, you know, bias and a lot of concerns with how is the algorithm generating the answers that it is, and if you're using those uh utilities for cyber threat intelligence work, you're exposing yourself big time to misinformation or just, you know, unvalidated info that's making its way into your work. I absolutely use AI as part of, you know, my daily work, but in a very kind of limited slice.

Speaker 2:

I do see, and again it makes me a little bit concerned, this move to prompt the GPT to say, hey, what are the latest threat actors targeting my industry, and just take those results at face value and drop them into your intel report to your leadership. That's very concerning to me and, quite honestly, goes completely counter to the basic principles of our field.

Speaker 1:

I think so. Again, don't get me wrong, I use it very little. How I primarily use it is that it kind of prompts my brain to go down different paths. Recently, for instance: I'm getting my PhD in securing satellites, that's probably the simplest way I can explain it, and I was using ChatGPT to give me critical articles or topics on securing satellites, what the different components of it are. It brought in propulsion systems and energy systems and how you have to budget the different systems of your satellite for the darker periods when it goes around the Earth, and all that sort of stuff. Those are two areas that I would not have thought of as a security person in this field. I never would have thought about propulsion. I would have been thinking about the different computers on the satellite that accomplish what we're trying to accomplish with, say, a communication satellite. So I think AI is a really good tool, but it shouldn't be the end-all be-all.

Speaker 1:

And I feel the same about really any media outlet or media platform. It's a really good tool. It should prompt questions for you to go and check, but it shouldn't be that end-all be-all sort of thing. We always have that question in our head that kind of nags at us: well, is it really like that, or is it something else? Are there nuances to it? We're probably built a little bit differently in that regard, but how do you train people to do that more? Is that even possible?

Speaker 2:

Yeah, it's definitely a great question, something I've thought a lot about, and I worry that at a certain point, with people who have really strong mentalities, you may not be able to convince them. But what I always try to do is exactly the process you talked about earlier: show the work that got to this answer. If the steps aren't there to be able to recreate it, to me that's a huge red flag, because I am that way and I want to be able to recreate and verify it. Now, not everyone is necessarily that way. I'm constantly optimistic, and I'm of the mind that if I can show someone whether the evidence they try to present is literally the case, I'm hopeful that might change their opinion.

Speaker 2:

But we all know there are going to be situations where people won't. Maybe it creates... and that's a little... you've got to come at it with a little bit of give and take. You can't just say, well, I'm showing my work and therefore it's right, because that's going to turn people off as well. And the great point about organizations and even countries that have scooped up outlets to be able to promote certain narratives: I have found sites ostensibly portraying themselves as fact checkers that were literally intended to promote disinformation. So that's a huge concern as well. What I would say is, if you're interested in this and if you care about the validity of the data, take a look at who owns the site or the news site, and all those thorny problems. Maybe it's leading you to a point that's not very positive, but at least you've taken the steps. And if it's not transparent, it's a very difficult problem to solve.

Speaker 1:

For threat intel in 2024, what are some of the challenges of being in the space? We probably talked about the biggest one, misinformation and whatnot, but what's it like being in that area with that specialty? Because I've never been in threat intel. I've lightly used some threat intel solutions out there, but that was several years ago, and so I'm trying to find, I guess, the value, what the different areas of threat intel could include. Because I'm coming at this from a very limited approach. I'm coming at it from: okay, you're taking the news in a region, you're developing threats off of that, and you're basing it on some other criteria. But there might be more to it. What's that like?

Speaker 2:

Yeah, so the fundamental challenge is exactly what you just described. It's proving and demonstrating, consistently, the value of a cyber threat intelligence program. The big reason I say that is because so much cyber threat intelligence is happening these days in the private sector, and intelligence for the private sector is fundamentally different from what it naturally evolved from, which was intelligence for military purposes. In the military and in the government, situational awareness, quote-unquote, is a valid, desired outcome of an intelligence function. You're keeping decision makers in the know. You're dealing with much more access to secret sources that may yield information. Situational awareness is often the end goal, and it's a valid one. In a private enterprise, for so many reasons we could unpack, situational awareness really means very little. You need to be able to operationally show and demonstrate how the intelligence contributed to some sort of operational change in the security posture, and that's what so many teams and organizations struggle to do. I think that is because, with intelligence being born out of military and government agencies, the approach to intelligence often has been, and very much continues to be:

Speaker 2:

Here is a daily report or briefing with a summary of the news, maybe some very light analysis sprinkled in. That analysis is always supposed to have a dividing line where you're not offering perspectives and decisions. That can't be the case in an enterprise and in the private sector, because there needs to be some clear action taken as a result of intelligence. So it's pretty rare, but it's very much increasing, and it's literally the focus of my work: to be able to show, with very clear evidence backed up by data, what steps you can take as a result of this intelligence, in very concrete ways. Not to go too deep into it, but to give an example:

Speaker 2:

Everything I work on, and my company is based on, is a framework or knowledge base known as MITRE ATT&CK. What this is, essentially, is a reference library of, at a relatively high level, all the known adversary techniques that attackers can use to carry out malicious activity. When I report in my day-to-day job about the latest adversary trends and cyber attacks, I talk about those in terms of MITRE ATT&CK techniques. The value there is that you're able to relate an attacker technique directly to some security tool or technology, and you're able to say: well, if we were exposed to this attack, how would my tools be able to react? Do I have gaps in those tools and, if so, am I able to close them by introducing some new process or detection rule or technology? That's kind of the mindset and approach. It's oversimplifying it, but it's all geared towards action and operationalization of the intel, and that's where I see things needing to go, because there's been...

Speaker 1:

Yeah, that is definitely very true. There's been no real actionable information with it. I literally cannot remember the vendor name, and if I could remember it I would not say it, because I don't feel like it today. But I had a vendor pitch me very closely after Log4j came out, and they're like, oh yeah, we saw that a month before it was a big deal. We saw it in October, whatever it was. And we started to notify some customers that may have been impacted. But we didn't really know.

Speaker 1:

And then they changed the conversation to: oh, you have to build in this detection for it. And I literally said, this is a zero-day. How am I going to build a detection for a zero-day? If I build a detection for a zero-day, that means I know what the zero-day is, and I should be selling it, because it's worth a lot of money. And they had no real good rebuttal, because how am I supposed to build something off of something I don't know?

Speaker 1:

Your whole job is to basically go buy these zero-days, create a detection off of them, put it in your platform, and say you found it before anyone else. That's what you should be doing on the back end. But you're not doing that. And that action part was always the most frustrating part to me, because even if it could tell me you're at risk of this zero-day, for instance, it still would not tell me: is CrowdStrike prepared for it? Is my PAM solution prepared for it? Is my SIEM even set up to log for it? What do I need to do? So that detection part you talked about, that's really interesting, because that actually gives you actionable information.

Speaker 2:

Yeah, yeah, absolutely. I've definitely seen those as well. But the example you talked about is an especially bad one, and I almost want to say that maybe it's just due to unfortunate marketing, and maybe a lack of understanding of what's going on under the hood, who knows? But to circle back to what you said, yeah, I'm a huge proponent of detections and knowing how they work. This is a little bit newer area, and it's typically still reserved for better-resourced, more mature teams. But I am a massive proponent of what's known as simulation and testing, and this is not anything new to those in the programming and coding space. You go out and unit test your code to make sure that everything runs. Precisely that same mindset can and should be applied, and it's getting a lot easier to apply it, to the security space as well.

Speaker 2:

There are great open-source projects. The most well-known is Red Canary's Atomic Red Team project. It's basically a framework for running Python and PowerShell scripts that let you run these adversary techniques in a limited environment and let you see how your detections are actually operating. It's definitely a stretch goal and sometimes a little bit easier said than done, but any time you put in place any new security process, or even a policy mitigation, you're already taking that mindset. So maybe you go run the test script and see if it actually triggered the detection, or, if it's more of a policy approach, go do the tabletop exercise. Again, easier said than done, but that's what you want to be thinking about, to make sure all this stuff actually worked the way it should.

Speaker 2:

Or do some of the user training and awareness, phishing tests. If you deploy a new email security solution, see how well that's working. That's just the mindset I want to try to promote, because, believe it or not, that's not super widely adopted, but that's how you have at least a lot more confidence that the tools, technology, and processes are all.

Speaker 1:

Yeah, it's so critical, and a lot of people don't want to do that work either, because it's long, it's tedious, it takes a lot of time and effort. I'll give you an example. I was POCing different WAF solutions for our cloud environment, and I deployed one solution, a very simple solution. It was so simple to deploy, and I didn't have to configure it at all, that I quite literally forgot it was on my application. It's so lightweight, it's just in the code, you're not doing anything else.

Speaker 1:

And I eventually deployed another WAF basically on top of it, and I started launching attacks at it, because I would create very specific rule sets and then launch a test at it to make sure this rule is doing what it should. Because how else are you going to know that it's protecting you from cross-site scripting unless you're throwing cross-site scripting at this vulnerable app? You know the application is vulnerable to it by default, and this security tool needs to do its job. So I threw all these tests at it, and this second WAF that I'm talking about caught something like six or 7,000 attacks.

Speaker 1:

Well, I threw 40,000 attacks at it. And so I ended up logging into the lightweight WAF console just to see if I still had access, because I wanted to get some screenshots of the stuff that I had done, and I noticed it caught all of the attacks that this other thing missed. I was on the phone with the sales engineer saying, hey, you guys missed 30,000-plus attacks, 33,000 attacks. You missed them. Where the hell did they go? And he couldn't even tell me from his console view. He's like, yeah, we just never even saw it. And I'm sitting here like, how is that you selling me your solution right now?

Speaker 2:

Yeah, for sure. That's a huge piece. I've talked a lot about detections and then doing the testing on them, but it's probably one of the least sexy areas of security. But the logging of all this, to be able to have visibility into whether you were even able to detect something, that's a huge gap that we're seeing more and more of as more data is coming in. It's really expensive to store all this stuff, but if you run some of those tests, often one of the first things you're going to find is that you actually weren't storing the proper types of logs, or maybe your vendor wasn't giving you access to them. So that's a huge piece of the puzzle as well. It's not super thrilling, but finding out that you probably should have these types of logs coming in if you want to be able to say you're detecting this, it's literally the essential piece to get all the rest of the...

Speaker 1:

Right, so where do you see this section of the security industry going in the next five years? I would typically say 10 years, but 10 years is probably way too far out, because it's changing so rapidly. What do you see as the next milestones for the industry?

Speaker 2:

Yeah, for sure. So, obviously a little biased with what we're doing, but I really do see more of this shift towards a quicker and more streamlined validation of your security posture, and validation of, at least, your confidence that things are working as they're expected to. I don't think you could ever be 100% validated, and if you ever did get to that state, tomorrow it's going to change, just with the nature of the environment. But more of a shift towards a rapid-fire validation of your security posture. More of a shift, certainly, towards tuning all of those security tools, technologies, processes, and defenses towards the threats that matter. What I focus on, again being in the cyber threat intel space: I strongly believe that you're not able to defend against every single attack at every single given point in time. So you have to prioritize what you're looking at, so injecting that threat intel into your defensive work, maybe from the outset if you're building a new security program, I really think that's the way to go, or at least fine-tuning things.

Speaker 2:

Probably the final meta-trend that's definitely playing out right now, this year, and I think will continue to play out for as far as I can see, is the focus on optimizing your security stack with what you have in place right now. Budgets are super tight everywhere. In many cases they're being cut, so you're trying to do as close to the same level as you can, maybe with less, or finding ways to do a little bit more with less. So many of the tools and technologies are so complex right now. They have so many capabilities. I often talk with clients who didn't know that they have the ability to do something with one of the tools they already have access to, and that's not their fault. It's because the tools are so complex and, going back to communication, it's so challenging. So it's digging in and sometimes finding new ways to do things with what you already have, just to be able to.

Speaker 1:

Yeah, those are all very valid points, for sure. Well, Scott, we're at the top of our time here, and I really enjoyed our conversation. It was really fascinating. We went down some rabbit holes that I definitely did not expect, that's for sure.

Speaker 2:

Yeah, absolutely.

Speaker 1:

Well, Scott, before I let you go, how about you tell my audience where they could find you if they wanted to connect with you, and maybe reach out or whatnot, and where they could find your company?

Speaker 2:

I would say the best place is probably LinkedIn. I'm most active there, Scott Small on LinkedIn, and it shouldn't be too hard to find me. And I would say tidalcyber.com, our website. We're also very active on most social media, but especially LinkedIn.

Speaker 2:

We really do try to do a lot of sharing back with the community. Going back to what we talked about before, it helps keep me fresh, doing a lot of writing and data visualizations. We put out a lot, and those are just some of the best places to find it, in a central place. So I look forward to connecting with anyone. I do a lot of mentorship and just trying to help folks out who are getting started. So please reach out to the company or to me.

Speaker 1:

Awesome. Well, thanks for coming on again, and I hope everyone listening enjoyed this episode. Bye, everyone.
