In today’s episode Monica Verma talks to Katie Nickels on importance of cyber threat intelligence, evolution of threat landscape over the last decade, trends today and moving forward, as well as security and privacy challenges with threat intelligence.
Looking for your dream job in cybersecurity?
Don't know where to start or how to go about it?
Follow Monica Verma (LinkedIn) and Monica Talks Cyber (Youtube) for more content on cybersecurity, technology, leadership and innovation, and 10x your career.
Monica Verma 0:00
Hey folks, welcome to a brand new episode of We Talk Cyber with Monica. Your one and only platform for real world stories with renowned global experts, making the impact every single day within security, privacy and leadership. So if you wish to hear the stories directly from the source, and learn and understand what does it take to build a personal success story? What are some of the biggest challenges that we're seeing within security, privacy and leadership? And what can we do about them? And more importantly, how can you build your cybersecurity career even stronger, break into leadership and take it a step further, then this podcast is the right place for you. So before we hop into the episode, make sure you subscribe to my YouTube channel, Monica Talks Cyber; you'll find all my videos there, including the podcast videos. And if you want to listen to podcast audio, then please tune in and subscribe to We Talk Cyber in your favorite podcast app. Do it right away so you don't miss any of his amazing stories and conversations. So let's hop right into the episode. This is We Talk Cyber with Monica.
Monica Verma 1:19
In today's episode, we'll be talking to an industry leader with the cyber threat intelligence. We'll be talking to Katie Nickels, on what is cyber threat intelligence and why should organizations care about it? What role does human aspect play within threat intelligence? Has the cyber threat landscape really changed within the last decade? Why do we need to understand the tangential part of it? What are some of the trends that we've seen recently within the threat landscape in the last years, and some trends going forward? What are some of the security and privacy challenges that we face with regards to both gathering and using Intel and also some of the benefits? So if you want to hear about all these and more within threat intelligence, let's meet our guest right away. This is We Talk Cyber with Monica. Hi, Katie, how you doing? Welcome to the show today.
Katie Nickels 2:06
Monica, thanks so much for having me. It's such a pleasure to chat with you today.
Monica Verma 2:11
Lovely. Let's just hop right into it. What do you say? Would you like to say a few words about yourself what to do and maybe share a fun fact with the audience?
Katie Nickels 2:21
I'd be happy to. So I like to share my story a little bit. Because I think that sometimes people think that there are only people from computer science backgrounds in cybersecurity, which that is not my background at all. I went to a liberal arts school, I actually, my fun fact is that I went to a women's college. It's kind of rare nowadays. So kind of an interesting fact about me, especially because, you know, we work in such a male dominated industry, but I went to a women's college and wanted to go into journalism. But that didn't work out. And luckily, I met my now husband who said you might enjoy intelligence analysis, a lot of the same things that you do in journalism, research and writing and thinking, actually, you do an intelligence analysis. And so I started applying for jobs and got hired by the US Department of Defense over a decade ago, and found that I actually really love cyber security. I love the fact of it, though. I like not just the code, but tracking the humans behind the keyboard. And for me that was how cyber threat intelligence just became a perfect fit. And so from there, kind of continuing my career with different contractors for the government, I landed in the right place at the right time with mitre attack previously, and then I was ready for a change. And so currently, I'm the director of intelligence at Red Canary, where I get to look at a whole bunch of different threats. We do manage detection and response; I get to see threats in different environments; And I'm just loving it. And on the side, I should mention that I also teach for the SANS Institute, their cyber threat intelligence course. So this is my passion. This is what I do.
Monica Verma 4:02
Fantastic. That is so wonderful. And I feel like actually, finally, finding passion in what you do when your daily work is so important. And it has become even more important in today's world. So lovely, lovely. I think I can say it for everyone, every woman in the industry, who is a part of it, and who is joining in, who is struggling, but also then enjoying and doing the part with passion. Nothing to begin with. But other than that.
Katie Nickels 4:30
Agree, agreed. Yeah, I mean, the passion is what you know, keeps me going through long days and tough incidents. And you know, it's interesting because I started in government service, and I was concerned about moving to private sector and I was like, what I feel that same sense of mission, but I really do, because now private industry is part of the sector too. And vendors like Red Canary are awesome ones like FireEye and CrowdStrike, so many others, protect businesses and that's important too. So it's been fun to, you know, continue that mission in a different way.
Monica Verma 5:05
Right and talking about protecting businesses, so let's hop right into the episode. What is cyber threat intelligence for, just to explain for our audience, and why should companies really care about it?
Katie Nickels 5:18
Yeah, it's interesting because so many people misunderstand what cyber threat intelligence is. They think it's either an indicator feed of IPS or the other side of the spectrum. They think it's all about state sponsored advanced persistent threats. But Cyber Threat Intel or CTI is so much broader than that. It's really all about empowering decision makers, defenders leadership, with actionable insights about what adversaries are doing. And so that can take so many different forms. You know, one way that cyber threat intelligence can be so helpful is by helping organizations prioritize the threats that really matter to them. Because there are so many malware families and groups and adversaries out there, that by focusing on, hey, these are the threats that are likely to target us or that have targeted us in the past. cyber threat intelligence analysts can help defenders go from a state of being completely overwhelmed, to really focusing on what matters.
Monica Verma 6:16
And I feel like one of the questions that I keep on getting asked by a lot of people who don't really understand cybersecurity, or technical level load or understand threat intelligence has the cyber threat landscape really changed over the last decade, because the thing is, even though the different malware classes and different types of attacks, ultimately, the cyber criminals and the non ethical hackers and the attackers, they use the least and the easiest method, basically, to attack an organization or a business. And if you look at the last 10 years, I mean, obviously, we have seen certain evolution in the landscape. But it's not like they have stopped using the attack vectors that they've used before. So what would you recommend? Or what would you say to those people? Why do we need to really understand the intelligence part of it, then?
Katie Nickels 7:09
Yeah, it's a great question and a great point. And I absolutely agree that there's a lot that hasn't changed. And it's fascinating, because, you know, we're how many decades into this industry, and we're still telling people to patch, right patching is always going to be a good way to protect against all right. But I think what we've seen over the past 10 years, as the community and the CTI community has advanced, is that we're realizing that there are so many different threats out there. And so I hear from a lot of analysts and leaders throughout this community, who are just overwhelmed by all the blog posts, all of the tweets, all of the social media content, all the reports from governments and private sector, about so many different threats. And given that we're in kind of this wealth of knowledge that's out there about threats, we have to prioritize it somehow back to my first point about that point of CTI. And so I would say that, especially now, when we have so much more information about breads in one way, that's a good thing, because we can better protect ourselves. But another way, we kind of need a guiding light to, you know, harvest through all this information that's being thrown at us. So I think that's where CTI can can help quite a bit. And the other thing I would say is that, while some trends haven't really changed, you know, adversaries still use email and web to get in. There are other trends that we're seeing. And, of course, you know, some of these more advanced techniques are sometimes edge cases where adversaries are particularly advanced exploiting a new technique from researchers like the recent one Herpa derping. But keeping an eye on what adversaries are doing, what cutting edge red teams are doing is really important, especially for protecting against really advanced adversaries, though a lot of the adversaries most workspace are not going to be that advanced.
Monica Verma 9:02
Right. Can you mentioned some of these trends that you have seen in the last years? What has evolved better in the last years? And what trends have you seen?
Katie Nickels 9:14
Yeah, I think one big trend is that with users and environments moving to the cloud adversaries are too. And this is one that worries me a little bit, because a lot of organizations are moving to the cloud, justifiably so a lot of benefits there. But they're doing that without understanding kind of the shared service model with a cloud provider, who monitors what, who tracks what. And so I think some of those misunderstandings and gaps are giving opportunities for adversaries to create a additional attack surface, right, traditional attack vectors. For example, something that organizations need to know about is something called OAuth, which is basically you know, you click you're in Google or you're in Microsoft Office, you click on a link in an email and it says, allow this application to use your account on your behalf. You click OK. Or that's doing that behind the scenes. And the challenge is that that's a newish technique. I love it. Because it's, you know, prevents me from having to remember another password and username, but that in my password manager, but adversaries are doing this too. So they're creating malicious applications. And users are just consenting to allow those malicious applications, permissions, their accounts. And so that kind of thing can be really tough for organizations to identify if they don't have the right logging and visibility setup. So I would say cloud is one trend for the environments and adversaries. And then the other big one, of course, we have to talk about is ransomware. Right? Fascinating because it's just skyrocketed throughout 2020 and into 2021. Ransomware has just hit almost every sector of every country. And we talk about prioritizing the threats. And sometimes threats are not evenly distributed, they might target a certain sector type of organization. But I would say ransomware is one that affects almost every organization, or has the potential to affect almost every organization. And it's been overwhelming from a CTI perspective, because almost every day, there's a new ransomware operator popping up a new family. And my real concern about that is that I don't see it going away anytime soon, because it's just so profitable. And I don't blame victims for paying, because they're in such a tough spot. But I think it's going to take a lot of really smart creative people around the world working together to figure out a solution to ransomware.
Monica Verma 11:47
Right. And I think one of the things that I've also noticed in the last years, and I would like to hear your thoughts on it, is that you talked a bit about. As companies and organizations are moving to Cloud, so are the attackers. But I also feel like because of everybody moving into Cloud or digitalising, the supply chains are becoming more complex. So now the attackers don't necessarily just attack the organization directly. But they go on attack the service provider, which provides services to multiple organizations at the same time. So through the complex supply chains, now they're a part of multiple organizations globally, when they attack there, they basically can provide damage at a much more global level. Like if you look at Cloud Hopper, or what happened with Wipro with Cognizant, and I feel like that's one of the trends will also increase. What are your thoughts on that?
Katie Nickels 12:38
Yeah, it's funny, you mentioned Cloud hopper. Some organizations track them as a PT 10, because that's a good example, from recent years. I think that potential for any organization when they're thinking about threat modeling, right, matching up the press, they care about to their organization and their assets, they need to think about those third party suppliers or third party organizations and access their networks and really have a deep understanding of what are those connections? Like? I think the reality is, those are necessary, but minimizing privileges for those services that connect and understanding what organizations have connections into your network. absolutely essential as you're doing threat modeling. And I suspect, as we've seen, we've seen a lot of breaches involving those third party compromises. You mentioned, you know, cloud Hopper, compromising managed security service providers, and then using that access to pivot into their ultimate targets. And that's another one I don't see going away anytime soon. But my hope is that, as these breaches become more widely known and widely reported on, I think that's where CTI has a role in this. Organizations realize, hey, this threat is out there. And so how do we protect ourselves so we don't become the next victim of Cloud hopper?
Monica Verma 13:57
Absolutely. And I feel like for talking a bit about benefits of the CTI, it's kind of natural to go into some of the challenges. I would assume the certain challenges, obviously, that come along with error, one of them being data quality, because obviously you said there's a lot of information out there. And information, which of that is actually intelligence, and whatever that is, what is important for you and your organization filtering through that kind of data quality sets there and so on. And the other aspect, maybe also, are there like some legal and privacy challenges as well, because of the amount of sensitivity into this kind of data? Can you mention some of the challenges that you've seen around these?
Katie Nickels 14:37
Yeah, absolutely. Quite a few challenges in CTI. The data quality issue is an important one. And I think it's important to draw the distinction between data information and intelligence. Because intelligence analysts really have to take data or information, raw information that's out there and all these sources we talked about, and make sense of it, that it validated. Compare data that might differ from each other right? A lot of times, CTI analysts have to make sense of information that contradicts itself, which is a challenge. And so data quality is an issue. But that's where, you know, I firmly believe that CTI is always going to be a human discipline. Intelligence is inherently done by humans. And we have tools and automation that can help us sort through data. But ultimately a human needs to make that decision on. Is this data valid? What evidence do I have that supports my assessment? And so data quality is certainly an ongoing issue. And dealing with disinformation adds another level of complexity. But that's why I think analysts are so important that human judgment. The other challenge you mentioned in terms of privacy regulations, it's such a balance in this community, right, the balance between security and privacy. And, you know, I think that sometimes we get too far one way or the other, but it has to be a balance. And in recent years, I know that certain privacy regulations like GDPR have caused some challenges for CTI analysts, for example, who is data registrant data used to be a great source for CTI endless where you could look up who's a registered name. And now, so commonly, if you look in a domain pivoting tool, it says GDPR, protected, privacy protected, and on one hand is TTI. And that's tough, but it's frustrating, and you want to yell at GDPR. But on the other hand, you know, what, we just have to innovate, we have to get better, we have to use different sources that we're used to maybe looking at TLS certificate pivoting, or different sources than who is so I think that, you know, overall, globally for humans, I think privacy is a good thing. And I think we just have to as a security community, be cognizant of that and columns of that balance of as CTI analysts, things are gonna change information will dry up. And as we do that, we just have to shift and try new things.
Monica Verma 17:01
Hmm. And you talk a bit about the different 10 intelligence sources and I would like to hear your thoughts on that. What would be some of the key or critical 10 intelligence sources that I would recommend to the audience?
Katie Nickels 17:14
Yeah, there's so many different sources. And it sounds silly, but the first one I'll recommend is Twitter. There are so many researchers out there, the malware hunter team, who are daily reviewing malware families and activity from around the world and they are freely sharing that on Twitter. And as you start to track, you know, this, these researchers on Twitter, you can also form relationships. And I think that that is one of the most important things in CTI in cybersecurity is forming relationships with other researchers. Because as you do that, you start to realize that, wow, we're all seeing very similar things. And we can share our insights with each other. So Twitter and other researchers, I would say, this sharing community that we have, you know, throughout the world, is absolutely top. I also recommend any CTI analysts set up some kind of RSS feed, to bring in lots of different blog posts on my personal blog, I have starter list, different vendors, different researchers, because it can there's so much out there. That's open source. So many websites maintained by researchers like Brad Duncan, he's malware traffic on Twitter, just uploads packet capture and really shares information. And so, of course, their commercial CPI sources, but especially if someone's getting started in this field, or you have a small team and maybe not a huge budget, I think starting with open source data and information is a good starting point.
Monica Verma 19:01
Right. And let me ask another question related to that, because 10 intelligence, how can that actually be used for organizations as a part of early detection and response mechanism? Can it be and if yes, how, what would be your recommendations?
Katie Nickels 19:20
Yeah, absolutely. And this is a great question, especially we already talked about ransomware it's fascinating because so many customers come to me and they're concerned and they say, how can you detect ransomware? Well, a lot of times the victim is going to detect ransomware first right if you see your your machine is ransom, your files are encrypted. That's a pretty good indication. But what threat intelligence can help us do in the case of ransomware is trying to detect those precursors. For example, I mentioned bizarre, bizarre loader and bizarre backdoor are precursors to ransomware. We know this there are many families like this CTI suggests that queue bots and other you know malware families and sometimes people would dismiss is just criminal malware. They have led to other activity often using cobalt strike for lateral movements. And then ultimately ransomware like real core other families like Conti. And so that's where CTI can be so helpful, because without that knowledge of Hey, bizarre leads to ransomware. You might see you know, a phishing email come in with bizarre and you're like, Okay, no worries, we'll get to that later. No, no, based on CTI and researchers around the community, you might have minutes. And if you're lucky hours to respond to bizarre before it turns into a potential ransomware attack.
Monica Verma 20:43
Right? That's really fantastic. Because I think one of the keys that we will see going forward is not just using preventative controls to be better defending ourselves against cyber attacks, but also how we use it the capabilities to detect early and to respond early to cyber hacks. Which brings me to the next question, which is about some bit about the unknown threats? Because I mean, obviously a lot of researchers or a lot of information out there about the known threats and the ones that need to be patched. But what about the other threats that either are not? There is no patch available yet? Or the ones that are completely unknown? How do you better defend yourself against these unknown threats?
Katie Nickels 21:27
The phrase unknown unknowns is a common one and intelligence. And I think that while we have to be concerned about we don't know, there's so much we already know about what threat actors do in networks, and I have the mitre attack matrix behind me. One way to think about mitre attack this collection of tactics, techniques and procedures is like, you know, their trip wires around every technique. And even if adversaries might operate a little bit differently, maybe the exact procedure they use is unknown. adversaries like to use the same behaviors over and over. And so if you think of mitre attack that matrix as a tripwire, you know, anytime that an adversary lands in one of these techniques, is a chance for us to catch them. And so there's this old idea that, you know, adversaries only have to be right, once defenders have to be right every time. But I would flip that adversaries can't slip up at all. And so this is the idea of defense in depth that maybe you don't catch them in their initial fish, their fishing attachment evades your defenses, but then they get on a box. And there are only so many things in terms of an operating system that they do. And even if it's maybe a threat actor that we haven't tracked before, we know a lot of adversaries love PowerShell. Still, people say PowerShell is dead, not from where I said. And so monitoring, Yeah, I don't know if you've heard that to kind of silly, but so if you're monitoring PowerShell script lock logs, or no low bins, right living off the land binaries, even if it's a slightly different adversary, or procedure or variation, it's still a good chance that you're going to be able to catch them. And so I think it's all about defense in depth, always about knowing where you have coverage and where your gaps are, are there certain parts of your network you don't monitor, or certain techniques you just can't see? And then constantly trying to fill those in?
Monica Verma 23:29
Fantastic. And you mentioned something there, which was about the behavior analytics. How do you think one can combine and what is the potential benefit of combining that the 10 intelligence?
Katie Nickels 23:42
On my team, we very directly use threat intelligence to inform behavioral analytics. And we do this for example, by looking at new threat reporting out there looking at Sandbox sites, like any run, or many others, and observe, are there any unique strings or attributes that a certain malware family or threat are using and their behaviors and any unique human fingerprint is a chance for us to try to detect the adversary. And so at a very narrow level, we can look for certain strings or unique registry keys or values to try to create an analytic we can also create broader athletics No, this is where Red Team research and CTI working with red teams is really important because CTI analysts can understand what's on the cutting edge that researchers are finding that adversaries might be implementing, and then create analytics based on those newly discovered techniques and behaviors. And so, you know, again, the other way CTI can help is by prioritizing because if you look at all of mitre attack, there's so many techniques but by focusing on the techniques that adversaries that have targeted you have actually used, CTI analysts can help their defenders figure out okay, here's where we should focus first on I'm creating behavioral analytics because it can certainly be overwhelming.
Monica Verma 25:05
And despite the complexity of the digital landscape, and also the convergence of the digital and the physical and the biological and everything that's going on. And we touched upon a bit that a lot of the attack vectors are still very, like simple and easy and phishing emails, than unnecessarily overtly complicated. And something that we know is the human component affair, which gets attacked quite a lot. And how could intelligence help there.
Katie Nickels 25:37
Security awareness programs are so important. And my friend Lance Pfitzner, has done some great work there. And I think CTI teams can provide input to security awareness training, by giving real examples. I found it's so easy for users to ignore guidance, don't click on links and emails, or watch out for suspicious phishing emails. But when you give an example, here's a real example. I think that becomes so much more powerful. It's not just telling users what not to do. It's explaining to them why and bringing users in and understanding a few of the threads behind the scenes, I think, helps build support and understanding of it's not just this nebulous thread, this is actually a real thing that matters. So I think that's one way CTI can provide input into security awareness programs. And the other thing that I'd say around, you know, patching the human and exploiting the human is that user awareness training is only one piece of the puzzle. And I think this community overall really needs to stop victim blaming. You know, it's so tough, especially in these times, if someone gets a phishing email, click here for important HR meeting, they're fearing for losing their jobs, something like that. We need to have more empathy for those victims. And as cybersecurity professionals, we need to understand our threats enough. And that's where CTI comes in, to not just educate users, but also think about how we can secure operating systems so that they can't be affected by these threats. How do we lock things down? How do we do things like disabling macros, or implement application control software, so that we can stop blaming users and work with them to secure our enterprises?
Monica Verma 27:24
Fantastic. Such a lovely conversation with you today, Katie, if you can recommend some reading or listening to our audience?
Katie Nickels 27:33
Absolutely. I have so many CTI books. The classic one I'd recommend is psychology of intelligence analysis by Richards Hoyer. He is one of the grandfather's of this field. And I think it's so important for all of us to understand our cognitive biases, as we are intelligence analysts. And so that's a great one. So many great resources out there. Blog posts my own blog post Katie's five cents. I have a bunch of CTI resources on there. And sources for anyone who's looking to get started in CTI. So those are my recommendations.
Monica Verma 28:05
Fantastic. Thank you so much, Katie for coming on the podcast. It was a lovely conversation with you today.
Katie Nickels 28:12
Likewise, thanks so much, Monica.
Monica Verma 28:13
That was today's episode of We Talk Cyber with Monica. I'll be back with more episodes, fantastic conversations and amazing guests. So continue tuning in. Until then, take care!