
    the CYBER5

    The CYBER5 is hosted by Landon Winkelvoss, Co-Founder at Nisos, and features cybersecurity and investigations industry leaders' thoughts and answers to five questions on one topic on actionable intelligence to enterprise revolving around third-party risk management, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection, disinformation, and cyber threat intelligence.
    Nisos, Inc. | 91 Episodes

    Episodes (91)

    Intelligence Management: Translating Biden’s Executive Order for Public and Private Enterprise

    In episode 50 of The Cyber5, we are joined by Paul Kurtz. Paul’s career includes serving as Director of Counter-Terrorism, Senior Director for Cyber Security, and Special Assistant to the President of the United States for Critical Infrastructure Protection. He was previously the CEO of the threat intelligence platform TruSTAR and is now the Chief Cybersecurity Advisor, Public Sector at Splunk.

    In this episode, we discuss the Biden Administration’s executive order for cybersecurity and how it impacts the public and private sector in relation to intelligence management. We also talk about an inside-out network approach and the criticality of cloud migration in detecting cyber threats at scale. We further discuss the value of threat intelligence and the importance of integration with enterprise systems. 

    6 Topics Covered in this Episode:

    1. Three Key Points of the Executive Order:

    While important topics such as zero trust identity access management and third party risk management get the major attention, three important, but often overlooked, points covered in the executive order are:

    1. Cloud Transition
    2. Information Sharing
    3. Data Collection and Preservation

    From an intelligence management and security perspective, the migration of the US public sector to the cloud, coupled with information sharing and data preservation, is the most important set of actions for reducing mean time to detect and alert, mean time to respond, and mean time to remediate.

    2. Need for Automation of Internal and External Telemetry

    Endpoint Detection and Response, next generation anti-virus, next generation firewalls, and IAM (identity and access management) are examples of the advancement in enterprise security solutions. These technologies are now being augmented by threat intelligence solutions. Integrating and automating this suite of advanced capabilities is key to optimizing intelligence and defending against increasingly sophisticated threat actors.

    3. MSSPs are Critical to Protecting SMBs

    MSSPs must integrate their alerting and detection capability with the cloud in order to protect small and medium sized businesses. Small and medium sized businesses don’t typically have the security teams or expertise to patch, remediate, and threat hunt. MSSPs with MDR capability can effectively serve this market.

    4. Threat Intelligence Must Be Integrated to Augment Existing Telemetry

    Threat intelligence must be actionable. A key step toward actionability is integration into an internal ticketing system, a Security Information and Event Management (SIEM) tool, a Threat Intelligence Platform, or an Endpoint Detection and Response solution.

    5. Behavior is King for Appropriate Context

    Behavior-based context is what allows a team to detect malicious behavior from actors inside a network and initiate an appropriate response. This is not possible without the context provided by cloud integration, log aggregation, a retrospective “look back” capability, and the integration of external data with internal telemetry.

    6. US Civilian Agencies Need a Roadmap for Cloud Integration

    If the Central Intelligence Agency can embrace the cloud, so can other agencies. A federal roadmap is urgently needed to defend against attacks by sophisticated adversaries.

    Building a Security Program for a Fast Growth Technology Company

    In episode 49 of The Cyber5, we are joined by Cassio Goldschmidt. Cassio is Senior Director and Chief Information Security Officer at ServiceTitan. We discuss building a security program in late stage tech startups, including what to prioritize when starting a security program. While tech startups have a mantra of “move fast and break things,” Cassio talks about how a security program should enable the business and adapt to the culture. He also discusses the pitfalls to avoid when starting a program like this.

    4 Topics Covered in this Episode:

    1. Reasons a Business Starts a Security Program:

    It’s critical to understand why a technology company is hiring its first Chief Information Security Officer. Typically it’s for one of four reasons:

    1. Compliance: If a company is in a highly regulated industry, a stronger security program is mandatory.
    2. Reputation: Security products, for example, need to have the reputation of safety being core to their business model. 
    3. Breach: Some companies have a breach and the board mandates a stronger security program.
    4. Customer Demand and Losing Business: Competitors use stronger security programs as a business differentiator and oftentimes a security program gives consumers or clients peace of mind that their data is safe.

    2. Initial Priorities of a Security Program

    The growth of the company is important to understand when starting a security program because security professionals need to think about the future of the company tomorrow, not today. New security programs are the “guardians” to secure initiatives, not the “gates.” Key tactical aspects of a security program are:

    1. Assess Risk: Perform a risk assessment to baseline maturity as it stands today. Map out the challenges to fix items that are critical to the business with the understanding the business cannot stop for security initiatives. 
    2. Listen: Engage different parts in the business (sales, marketing, engineering, etc).
    3. Educate: Build a good educational program to train the workforce.

    3. Common Pitfalls to Avoid for Initial Security Programs

    Common pitfalls a CISO is likely to face when starting a security program include: 

    1. Misconfigurations
    2. Poor patch management
    3. Abuse problems (spam)
    4. Not centralizing spear phishing emails
    5. No education towards the workforce on security
    6. Credentials are used in the wild
    7. Weak password policies
    8. Poor onboarding/offboarding policies allowing old accounts to remain active and exposed to the internet
    9. Prioritizing against problems of nation state lateral movement or zero day vulnerabilities when smaller issues can be solved first

    4. Enabling Business: “Move Fast But Don’t Break Things”

    When setting up security programs, security professionals should adopt the mantra of “move fast but don’t break things”. They need to implement their program and remediations, but they must keep constant availability as one of the highest priorities. Other functions like red team (penetration testing), blue team (threat hunting), and threat intelligence should initially be outsourced, once the initial remediations from a risk assessment are complete.

    Security professionals should spend department budget money as if it were their own personal money, not the company's money. Understanding what the technologies will do for the program and having a way to show success metrics are important to justifying the spend. Dynamic application analysis tools are important for technology companies, as these ideally protect the main business technology applications.

    Using Intelligence Analysis in InfoSec: Think Globally and Act Locally

    In episode 48 of The Cyber5, we are joined by Rick Doten. Rick is VP of Information Security at Centene Corporation and consults as CISO for Carolina Complete Health. We discuss shifting the operating model of threat hunting and intelligence to a more collaborative model, “think globally and act locally.” We then dive deep into the intelligence analysis for collecting and analyzing the vast array of network data to prioritize network protection. Finally, Rick makes an argument for the outsourcing of an intelligence function as a viable model. 

    5 Topics Covered in this Episode:

    1. Security Operations Integrating with Cloud, Applications, and Mobile: (01:00 - 06:00)

    Security operations involve integration with key elements of the business such as the cloud, applications, and mobile teams. Risks to a container are much different from risks to a server, which forces security operations to integrate with many teams, especially in large enterprises. This will guide how we protect proactively with alerting and reactively with incident response.

    2. Using Intelligence Analysis with Information Security Data Collection (06:00 - 08:52)

    Intelligence includes tracking specific campaigns of threat actors, their intentions, and capabilities. Intelligence analysis in the disciplines of information security is linking the human to the malicious act. For example, suppose a criminal threat actor uses email phishing and credential harvesting. In that case, the data collection model and instrumentation will be different than looking at actors who use exposed RDP or take advantage of supply chain risks. It will also be very different from a nation-state actor who is known to go “low and slow” and persist in 10 different places in a network. 

    3. Value of Attribution and Communicating to the Board of Directors: (08:52 - 13:26)

    The mindset of keeping confidentiality, integrity, and availability of information safe and not wanting to attribute the threat actors and building appropriate threat models is becoming more antiquated. Understanding the human who perpetrated the act is critical. Their job is to break into a network and collect and/or monetize. This used to be easier in the defense industrial base because there are cleared environments for information sharing; however, this is becoming more efficient with Information Sharing Analysis Centers (ISACs). Boards of Directors understand competitors stealing intellectual property, so framing cyber threats in the same vein is the most productive way to get them to understand the importance of nation-state espionage or cyber criminals. 

    4. The Right Way to Do Threat Intelligence: Think Globally, Act Locally (13:26-24:00)

    The most important threat intelligence is internal network telemetry. The wrong mentality is to buy threat intelligence feeds and load indicators of compromise (IOCs) into a security tool like a SIEM. This will result in tremendous workloads with little result, as capable actors change their signatures constantly. Instead, it’s important to get timely, actionable, and relevant finished intelligence on actors and their campaigns, not raw data or information. Finished intelligence might be reviewing the technical methodologies of Russian GRU (or REvil ransomware) actors and identifying behaviors that can be detected internally on the network. At the highest level, attack campaigns are assignments of individuals to attack one particular company and steal or monetize something very specific. After gaining this intelligence, a security team can “dogpile” with the different entities of the business (SOC, applications, IT, development, mobile, etc.) to hunt and defend: “think globally, act locally.” Threat intelligence could certainly be outsourced, especially for companies that are not in an industry with an ISAC.

    5. The Hardest Part of Intelligence Analysis: Determining Targeted Attack Versus Commodity (24:00-31:00)

    The hardest part of intelligence is being able to quickly identify whether an attack is targeted or commodity. An actor who persists on Active Directory and the domain controllers is much different from one who wants to exploit a bug in a cloud application or mobile application. Having minimal visibility gaps in internal network telemetry, so that these differences can be detected quickly, is what separates mature security teams from less mature ones.

    Security Enabling the Business During Periods of Fast Growth

    In episode 47 of The Cyber5, we are joined by Lena Smart. Lena is the Chief Information Security Officer at MongoDB. We discuss how security can be an enabler of a business during fast periods of growth. We review how different departments can set up their own applications without needing an arduous approval process. We also discuss different cultures in departments and best practices for assessing vendor risk. 

    4 Topics Covered in this Episode:

    1. Avoiding Shadow IT and Enabling the Business: (01:47 - 06:00)

    In big organizations, “shadow IT” refers to information technology systems deployed by departments other than the central IT department. Individuals add these technologies to work around the shortcomings or limitations of the central information systems. Oftentimes IT security is not aware of the implementation of these systems until vulnerabilities are exploited and security is called to investigate the incident or breach. 

    Security can enable the business through education and automation of processes. Communication is key to success. We recommend regular meetings with legal, human resources, technology, engineering, sales, and marketing. A “security champions program” is also helpful because it brings together those who are interested in security to show transparency of the risks security faces: incidents, vulnerabilities, patch management cycles, etc.

    2. Transparency of Reporting Incidents Back to Stakeholders (06:00 - 08:37)

    Great security programs start with the CEO and board of a company. If they recognize these issues as existential threats to the business, it’s easier to gain insights and selective transparency, as needed. While a “see something, say something” approach is highly advised, it’s more important to have a feedback cycle so closure is brought to the employees outside of security who report incidents. Security acting in a “black box” where information comes in and nothing gets returned is not going to keep employees reporting the issues that matter. 

    3. Security Adapting to Cultures of Departments: (08:37 - 12:31)

    Security teams cannot be seen as the “people that say no”. Security teams cannot live with a reputation of fostering fear, uncertainty, and doubt (FUD) within the business. Bringing people who are interested in security together for two hours a week for events like capture the flag, a security book club, and tabletop exercises helps increase awareness and gives tangible results in the business buying into security programs, including reducing shadow IT.

    4. Critical Elements of Third Party Risk Management (12:31-17:00)

    Performing security checks when new vendors onboard and going beyond questionnaires is critical now more than ever following SolarWinds. A particular focus should be to categorize the high-risk vendors that could be used to be a pivot point for gaining access to your organization. Lena recommends the use of subject matter experts to map out connections from high-risk vendors and have an investigations mindset and not just a compliance box checking exercise. This is likely a year-long effort and not a one-month level of effort. The results of such a deep dive should be to have a process of engaging with critical vendors when a supply chain attack occurs rather than considering terminating the relationship. 

    Navigating the Complex Challenges of Trust and Safety Teams

    In episode 46 of The Cyber5, we are joined by Charlotte Willner. Charlotte is the Executive Director of the Trust and Safety Professional Association. We will define what trust and safety means within organizations and how it differs from traditional cyber and physical security. We’ll focus on fraud and abuse of user-generated content on platforms and marketplaces of technology companies. Finally, we’ll discuss how security professionals can grow a career in trust and safety. 

    5 Topics Covered in this Episode:

    1. Defining Trust and Safety: (02:20 - 04:30)

    Trust and safety emerged from different disciplines within technology companies, including security and customer support. The security teams focused on how people were using the platforms for fraud or illicit financial gain. Customer support dealt with abuse by the users and the posting of inappropriate content (e.g., illegal narcotics or child sex exploitation). In the last 15-20 years, these two disciplines have converged to form the core of the trust and safety mission.

    2. The Differences Between Fraud and Consumer User-Generated Content Abuse such as Disinformation (04:30 - 09:17)

    Fraud and abuse of user-generated content overlap considerably with trust and safety teams. Bad actors routinely use technology platforms to defraud individual users, especially within online marketplaces that deal with real-world spaces and objects. For example, Airbnb could combat fraud where an individual bad actor misrepresents listings and tries to take them off-platform to engage an individual to steal money from them. There could also be a scenario where that engagement is taken off-platform, and more violent criminal acts occur such as assault, physical theft, or carjackings. User-generated content and fraud schemes also deal with the nature of truth. Someone impersonating a US military member asking for help and money is a pretty common user-generated scheme within platforms. When trust and safety teams have to pivot into addressing user-generated content that deals with disinformation, misinformation, and even equality issues, teams have to be adaptive to dealing with an appropriate response that is fair and right to all.

    3. Addressing Risk Mitigation and Incident Response in Trust and Safety: (09:17 - 15:30)

    When the barrier to entry is minimal or non-existent (platforms are free to use), trust and safety teams deal with thousands of problems a day, and prioritization is critical. Compared to other industries (finance, retail, manufacturing), the principles are the same: 1) Evaluate the quality of inputs, meaning evaluate the sources and access, and 2) Align with business principles and corporate values. These principles have become more focused due to the nature of moderating content that is equitable for all socioeconomic and political classes.

    4. Metrics for Trust and Safety (15:30-17:00)

    Prevalence metrics are the gold standard in trust and safety. Once a threat is identified, it is important to build automations to find out how much of that threat is present on the platform and could affect it. The caveat is that if you can’t find the exact number of threatening events, you can approximate with simple search functions to drive a program and its mitigations.

    5. Building a Career in Trust and Safety (17:00-21:00)

    The same principles of intelligence analysis are important for trust and safety. A sense of curiosity, integrity, and adaptability are critical skill sets, as no two days or problems will be the same. Entry-level positions are often content moderators who move up through fraud or customer support and eventually rise into more senior positions that deal directly with threat actors to make them stop, including working with law enforcement. Specialized investigations, tool development, or leadership in trust and safety are the usual professional development paths.

    Different Motivations Between Espionage and Crime Actors

    In episode 45 of The Cyber5, we are joined by John Grim. John is the head of research, development, and innovation for Verizon’s Threat Research Advisory Center. In this episode, we discuss the differences between threat actors who engage in cybercrime and those who are nation state espionage actors. We explore their motivations around computer network exploitation and how threat models on these actors need to adapt to enterprise security and IT. 

    5 Topics Covered in this Episode:

    1. Motivations of Cyber Crime versus Espionage Actors: (01:30 - 08:00)

    According to a study conducted by Verizon in late 2020 covering a seven year period, financially motivated threat actors were responsible for 76% of breaches, whereas espionage actors were responsible for 18% of breaches. PCI attacks, business email compromise, and fraud (such as COVID-19 scams) were more prevalent than advanced attacks. Of the 18% of breaches perpetrated by espionage actors, 57% of the time manufacturing, mining, utilities, and the public sector were the industries most affected. Financial, insurance, retail, and healthcare, by contrast, are mostly targeted by financially motivated organized crime actors. The vectors most used by either type of actor (nation state or crime) were social engineering attacks through phishing and credential theft, as well as backdoor access through applications. A big difference, however, is that in most espionage cases, native Windows command techniques known as “living off the land” (LOL) were used to avoid detection in log entries. These are pre-installed system tools that attackers abuse to spread malware.

    2. Defending Against Cyber Crime and Espionage for the CISO: Understanding Environment and Threat Modeling (08:00 - 12:16)

    The number one discovery method for breaches, according to Verizon, was investigating suspicious traffic. A two part, multi-step strategy should be implemented to protect crown jewels and alert on suspicious traffic. The first part is understanding your own environment:

    1. Identify critical data and the assets that hold that data,
    2. Ensure network devices are configured and patched properly, and
    3. Restrict access.

    Defenders need to understand their environment and have the proper tooling that flags anomalies in suspicious traffic, especially when so much of it could be native Windows commands in the environment (living off the land).

    The second part of this strategy is conducting threat modeling against the threat actors that are likely to attack your environment and leverage intelligence sources to build proper defenses and controls.

    3. Evolution of Threat Intelligence Driving Investigations: (12:16 - 15:30)

    In the last five years, threat intel has evolved:

    1. In the early days of threat intelligence, forensic artifacts (known as indicators of compromise) were shared to tip off network defenders to known signatures of an attacker present in an organization’s environment.
    2. Next, tactics, techniques, and procedures observed outside of an organization’s environment were actively shared to give context on the modus operandi of the attackers, with dark web and open source threat hunters going outside the wire to gather information that could be used in a breach.
    3. Today, intel effectively drives the investigation that prevents an incident from becoming a breach.

    4. Threat Models for Cyber Crime and Espionage Differ But Overlap: (18:47 - 21:00)

    In espionage attacks, desktops, laptops, and mobile phones are the assets targeted most often. For financially motivated attackers, the assets targeted vary tremendously, including web application servers, customers, customer devices, and the employee devices previously mentioned. To compromise the integrity of data systems, targeting software installation (such as the SolarWinds third party compromise) was the number one attribute of both financial and espionage actors. Secure configurations of software, hardware, applications, and network devices are the most important remediation efforts.

    5. Embracing Business Terms Important to CEOs and Executive Leaders: (21:00 - 26:00)

    Security leaders need to write reports and convey technical findings in terms of risk to the business’s ability to generate revenue. While data breaches have become more complex over the years, they are even harder to follow for stakeholders outside of security and IT, particularly HR, legal, and finance. Breaking down technical findings and threat actor capabilities so that they make sense to different levels of the business is the biggest adjustment the security industry needs to make.

    Automating Cyber Threat Intelligence 101

    In episode 44 of The Cyber5, we are joined by Ronald Eddings. Ron is a Security Engineer and Architect for Marqeta and host of the Hacker Valley Studio podcast; his work as a cybersecurity expert and blogger has earned him a reputation as a trusted industry leader. In this episode, we discuss the fundamentals of automating threat intelligence. We focus on the automation and analysis of forensic artifacts such as indicators of compromise and actual attacker behaviors within an environment. We also discuss metrics that matter when the objective is to show progress for a security engineering program.

    5 Topics Covered in this Episode:

    1. Define the Use Cases: (01:19 - 04:17)

    For a mature security team, the automation of cyber threat intelligence should start with defining use cases. An enterprise should ask, “What problems am I trying to solve?” Detecting malicious binaries on devices is a good place to start. For example, let’s start with a problem that plagues all organizations: phishing. Creating an inbox for reported phishing emails is a good first step. Then, an organization needs to decide whether to automate the extraction of file hashes, URLs, and IPs for analysis or simply direct employees not to click on the link or open the file.

    2. Storage and Logging Components that Need to be In Place: (04:17 - 06:59)

    For security engineering to be effective, data must be available. Security engineers should define a data acquisition strategy by eliciting stakeholder requirements and assessing the collection plan. The right data is often spread across multiple tools and systems and must be consolidated into one location for automation to be effective. For example, if an organization wants to detect lateral movement by an Advanced Persistent Threat and is only storing a month of Windows event logs, success is unlikely. To be effective, the following logging should be in place:

    1. Windows event logs
    2. Netflow (which can be expensive)
    3. Cloud logs
    4. EDR logs from endpoint devices
    5. VPN and RDP logs

    3. Prioritizing MITRE ATT&CK in Security Engineering: (06:59 - 10:12)

    When beginning a program, security engineering should resist the temptation to start by automating detection of specific APT groups. Instead, they should automate alerts for the reconnaissance stages within MITRE ATT&CK and then work down the cyber kill chain towards exfiltration. Reconnaissance stages are easier to automate, and by the time an attack escalates to the lateral movement stage, that automation will facilitate and speed human analysis.

    4. Security Orchestration and Automated Response (SOAR): (10:12 - 12:00)

    Python and Go are helpful languages to learn in the SOAR process and useful with incident response. 

    5. Useful Metrics and What Cannot be Automated in Security Engineering: (12:00 - 19:00)

    Mean time to detection, response, and remediation are critical metrics for security engineers to measure. Case management systems such as JIRA can facilitate interaction between the security team roles, including SOC, Incident Response, Security Engineering, Threat Hunt, Threat Intel, Vulnerability Management, Application Security, Business Units, and Red Team. Identifying new threats and understanding why a threat occurred is almost impossible to automate and will always require analysis.

    Mastercard’s Cybersecurity Strategy to Secure the Digital Ecosystem

    In episode 43 of The Cyber5, we are joined by Steve Brown, Director of Cyber & Intelligence Solutions for Europe at Mastercard. Steve discusses the key aspects of cyber defense learned while working international cyber crime investigations with the United Kingdom’s National Crime Agency. He will discuss the proven approach of prevent, protect, prepare, and pursue. We will also discuss the role Mastercard is taking in fighting cyber criminals, key aspects of adversary attribution, and how the public and private sector can forge better partnerships to combat cyber crime. 

    5 Topics Covered in this Episode:

    1. Four P Approach: Prevent, Protect, Prepare, and Pursue: (01:59 - 06:08)

    Cyber criminals are not siloed. They coordinate on what is working and adjust quickly to take advantage of new vulnerabilities. To combat their adaptive approach, enterprises must have an equally collaborative model.

    • Prevent: Mastercard is working with charities, non-profits, research centers, and universities to encourage individuals with technical backgrounds to pursue a career outside of cyber crime. 
    • Protect: Providing customers of Mastercard with the right knowledge and intelligence to proactively protect themselves.
    • Prepare: Complementing playbooks with red teaming and resilience for Mastercard and its customers to ensure business continuity when an attack occurs.
    • Pursue: It’s not just about arrests; it’s about Mastercard providing intelligence on infrastructure takedowns, victim engagement, and witness testimony.

    2. Mastercard’s Cyber Security Strategy: Pioneering the Security of the Digital Eco-System: (06:08 - 09:57)

    Mastercard’s cybersecurity strategy is about securing the entire digital eco-system, both within and external to the perimeter. They want to be actively involved in the cybersecurity community and prioritize technologies that better define authentication across payment systems, identify anomalies that are consistent with compromised data and fraud, and improve standards and best practices. In November 2020, they launched Mastercard Cyber Secure, a unique AI-based technology that better addresses account data compromise events through identification and notification. In practice, victims are generally notified only after the initial intrusion. After the alert, cyber criminals use the compromised data to facilitate other crimes, including fraud, human trafficking, and espionage. Using risk assessment technology, Mastercard identifies, assesses, and prioritizes those vulnerabilities for Mastercard acquirers around the world. This is particularly critical for the small business community.

    3. Mastercard’s Role in Third Party Risk Management: (09:57 - 11:43)

    A critical part of securing the external perimeter is understanding third party suppliers. Mastercard’s acquisition of RiskRecon is a testament to their dedication and diligence around third party vulnerabilities. 

    4. Know Your Adversary: Attribution is an Aspect of Resilience: (11:43 - 20:45)

    Attribution must be a critical part of enterprise cybersecurity strategy. Proper attribution can be a major source of resilience when responding to a cyber attack. Understanding infrastructure, personalities, actor groups, and TTPs informs proper controls and response strategy. Data collected by enterprises is critical to fighting cyber crime, and enterprises must facilitate ways to legally process and share data and experiences. Enterprises must rely on gaining information and attribution on cyber crime and espionage efforts without the assistance of government organizations. Illustrating the ability to scale security operations and recover from a cyber attack is of critical concern to boards, investors, and shareholders.

    5. Private Sector’s Increasing Role in Preventing Cyber Crime: (20:45 - 26:00) 

    The private sector must increase collaboration with the public sector. While this is happening at the tactical, strategic, and inter- and intra-governmental levels, it is still not happening at the speed and scale necessary to be effective. The National Cyber Security Centre (NCSC) in the UK and the National Cyber Forensics and Training Alliance (NCFTA) are two organizations that bring together cybersecurity practices and investigative techniques.

    Building an Enterprise Intelligence Program

    In episode 42 of The Cyber5, we are joined by A.J. Nash, Senior Director of Cyber Intelligence Strategy at Anomali. A.J. discusses the steps and key components of building an enterprise intelligence program. Among the topics covered are frameworks, roles and responsibilities, critical skill sets, and metrics.

    5 Topics Covered in this Episode:

    1. Defining the Requirements with Key Stakeholders: 

    Defining the intelligence requirements necessary to ensure the success of business stakeholders should always be step one. Sales, marketing, engineering, customer success, information technology, legal, and human resources will have different requirements. The security or intelligence team must prioritize the requirements in the context of what is best for the business and what meets the needs of the stakeholders. 

    2. Security and Intelligence Should Be Viewed as a Business Enabler: 

    Regardless of industry or company size, the second key to success is committing that the security and intelligence team will be an enabler of business and not a cost center. As a result of the nature of their business, the many regulations they face, and the assets they hold, the finance industry has led the way in building intelligence programs. Other industries are following their lead as criminals are branching out to target a wider range of digital assets and PII. 

    3. An Inquisitive Mindset is Critical When Building Intelligence Programs:

    The ability to view disparate pieces of information with an inquisitive mind, and then communicate business risk is a critical skill set. Businesses often look for a combination of public sector and private sector intelligence experience when building an intelligence program. While enterprises often start by hiring a technical leader, a key to success is building a team of individuals with inquisitive minds. For example, former journalists have been known to become fantastic enterprise intelligence experts.

    4. Risk Must Be Prioritized: 

    An intelligence program is no different than any other enterprise program. Profit and risk must always be considered, and intelligence should be driving security requirements to enable the business. An intelligence program should identify adversarial intentions and capabilities, estimate the risk and cost of a successful attack, and consider the costs of controls that need to be implemented to defend against such adversaries. This must be properly communicated to the CEO, who ultimately owns key decisions. Intelligence programs span fraud, information security, physical security, executive protection, trust and safety, third party risk, and mergers and acquisitions. 

    5. Important Metrics for an Intelligence Program: Mature programs build and provide key metrics based upon intelligence requirements. Metrics should focus on the actions that were taken, the intelligence that was analyzed, the subsequent controls that were put in place, and the decisions that were made by key stakeholders. There are currently no well-defined and accepted frameworks for intelligence programs. Most programs combine several existing frameworks, including MITRE ATT&CK, which is specific to information security. Intelligence programs need to proactively alert on threats and risk and quantify the success and failure of the actions taken. 

    Scaling a Cyber Fusion Center Using Threat Intelligence

    In episode 41 of the Cyber5, we are joined by Director of Cyber Defense Integration at Thomson Reuters, Cliff Webster. Cliff discusses the building and scaling of cyber fusion centers and their integral part in reducing risk to all facets of the business.

    Here are the 5 Topics We Cover in this Episode:

    Differentiating a Cyber Fusion Center over a Security Operations Team: (01:59-07:16)

    A cyber fusion center (CFC) is an evolution of the traditional security operations center (SOC). A SOC is mostly focused on reactive activities such as detection and incident response around detected malicious activity, whereas a CFC augments the reactive detection mission with proactive activities, such as adopting new frameworks and identifying new threats before they hit an enterprise’s logs and firewalls, to gain speed in responding. Creating connective tissue through technology and process is a unique function of a CFC. A key function that differentiates a CFC from a SOC is moving data and information between teams and business units in a way that reduces attacker dwell time. Critical security functions that overlap with IT and need to come together are threat intelligence, threat hunting, vulnerability management, asset inventory, and red team. 

    Going Beyond Cyber Threat Intelligence: (07:16-09:03) A SOC is generally focused on threats against the confidentiality, integrity, and availability of data, systems, and networks. A CFC typically evolves with the same focus initially. However, over time, with the processes and technologies in place, a CFC can tackle other security challenges such as third party risk and elements of physical security because inevitably, it will require integration of other data sources to be successful such as questionnaire information and entry/exit badging.  

    Critical Elements That Need to be in Place from a SOC: (09:03-14:20)

    The core capabilities that need to be in place in a SOC to make the evolution to a CFC are the following:

    1) Threat intelligence is the engine of a successful Cyber Fusion Center; it drives priorities in vulnerability management, red teaming, application security, and even larger business unit product security.
    2) A SOC with a SIEM to do basic log aggregation.
    3) A threat hunting team that can form and test hypotheses drawn from threat intelligence or the red team. This usually comes with significant investment in technology and the security stack to tailor hunts to threat actor behavior.

    Critical internal data and log sources are: 1) user access logs, 2) server logs, 3) endpoint and EDR logs, 4) threat intelligence feeds, 5) firewall logs, 6) VPN logs, 7) internal netflow, 8) application logs, and 9) PCAP, if available. A critical element of strategic growth plans within a CFC is the ability to acquire all these datasets and correlate them in a SIEM in a meaningful manner that produces actionable alerts when there is a problem.
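    The point about correlation is easier to see in code than in a list of log sources. What follows is an added example for this page, not code from the episode, from Thomson Reuters, or from any SIEM product: a small correlation pass over three of the sources named above (VPN, user access, and EDR logs). The key=value log format, the field names, the per-user country baseline, the 15-minute window and the five-failure threshold are all assumptions, and the log lines are constructed for the example. Each source on its own is noisy; the join across sources is what turns "a VPN login from a new country" plus "an EDR detection on some host" into a single high-severity alert with a measured dwell time.

```python
"""Minimal SIEM-style correlation over the log sources listed above.

Added example for this page; not code from the episode, from Thomson Reuters,
or from any SIEM product. The key=value log format, the field names, the
15-minute window and the five-failure threshold are all assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample events, already normalised to key=value lines as a SIEM
# would hold them after aggregation. None of these are real logs.
VPN_LOGS = """\
ts=2021-06-01T08:02:10Z source=vpn user=alice src_ip=203.0.113.7 country=NL result=success
ts=2021-06-01T08:05:41Z source=vpn user=bob src_ip=198.51.100.22 country=US result=success
"""
AUTH_LOGS = """\
ts=2021-06-01T08:03:00Z source=auth user=alice host=WS-0142 result=success
ts=2021-06-01T08:10:00Z source=auth user=carol host=WS-0200 result=failure
ts=2021-06-01T08:10:05Z source=auth user=carol host=WS-0200 result=failure
ts=2021-06-01T08:10:09Z source=auth user=carol host=WS-0200 result=failure
ts=2021-06-01T08:10:12Z source=auth user=carol host=WS-0200 result=failure
ts=2021-06-01T08:10:20Z source=auth user=carol host=WS-0200 result=failure
ts=2021-06-01T08:10:31Z source=auth user=carol host=WS-0200 result=success
"""
EDR_LOGS = """\
ts=2021-06-01T08:09:30Z source=edr host=WS-0142 user=alice detection=credential_dumping
"""

# Assumed per-user baseline: countries each user has used the VPN from before.
# In a real deployment this would be learned from weeks of VPN logs.
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}


def parse(lines: str) -> list[dict]:
    """Turn key=value lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = dict(field.split("=", 1) for field in line.split())
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


@dataclass
class Alert:
    rule: str
    user: str
    severity: str
    detail: str
    dwell_seconds: Optional[int] = None  # first adversary event -> detection


def correlate(vpn: list[dict], auth: list[dict], edr: list[dict],
              window: timedelta = timedelta(minutes=15),
              failure_threshold: int = 5) -> list[Alert]:
    alerts: list[Alert] = []

    # Rule 1: VPN login from a country outside the user's baseline, followed
    # within `window` by an EDR detection on a host that user then logged in to.
    for v in vpn:
        if v["country"] in BASELINE_COUNTRIES.get(v["user"], set()):
            continue
        deadline = v["ts"] + window
        hosts = {a["host"] for a in auth
                 if a["user"] == v["user"] and a["result"] == "success"
                 and v["ts"] <= a["ts"] <= deadline}
        for e in edr:
            if e["host"] in hosts and v["ts"] <= e["ts"] <= deadline:
                alerts.append(Alert(
                    rule="anomalous_vpn_then_edr", user=v["user"], severity="high",
                    detail=(f"VPN login from {v['country']} ({v['src_ip']}) then "
                            f"{e['detection']} on {e['host']}"),
                    dwell_seconds=int((e["ts"] - v["ts"]).total_seconds())))

    # Rule 2: at least `failure_threshold` failed logons for one user/host pair
    # followed by a success inside `window` (brute force or password guessing).
    by_pair: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for a in sorted(auth, key=lambda a: a["ts"]):
        by_pair[(a["user"], a["host"])].append(a)
    for (user, host), evs in by_pair.items():
        failures: list[datetime] = []
        for a in evs:
            if a["result"] == "failure":
                failures.append(a["ts"])
                continue
            recent = [t for t in failures if a["ts"] - t <= window]
            if len(recent) >= failure_threshold:
                alerts.append(Alert(
                    rule="brute_force_then_success", user=user, severity="medium",
                    detail=f"{len(recent)} failed logons then success on {host}",
                    dwell_seconds=int((a["ts"] - recent[0]).total_seconds())))
            failures = []
    return alerts


def run() -> list[Alert]:
    return correlate(parse(VPN_LOGS), parse(AUTH_LOGS), parse(EDR_LOGS))


if __name__ == "__main__":
    for alert in run():
        print(f"[{alert.severity}] {alert.rule} user={alert.user} "
              f"dwell={alert.dwell_seconds}s: {alert.detail}")
```

    On the constructed input this yields two alerts: alice’s NL VPN login followed 440 seconds later by credential dumping on the workstation she authenticated to, and carol’s five failed logons followed by a success. The dwell_seconds field is the kind of per-alert number a fusion center can roll up into the time-to-detect metrics discussed later in the episode; in production the baseline set would be learned from history rather than hard-coded, and the window and threshold tuned against the organization’s own false-positive rate.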

    Support from the Business Units and External Threat Hunting: (14:20-27:30)

    Engaging with the business units is a critical part of data acquisition strategy not only for appropriate log aggregation and correlation but also to work through outputs from the CFC when a security event occurs. With regard to external threat hunting, there is no shortage of external telemetry that can be collected, but this should be prioritized after an organization knows its own internal environment first. For third party risk management, this is a fundamental intelligence problem many enterprises are grappling with due to the challenges of monitoring key vendors at any type of scale with any consistency. 

    Important Metrics for Cyber Fusion Centers: (27:30-37:00) Mature security teams aspire to be data-driven organizations, so metrics are critical to capture: 1) from an intelligence perspective, baselines of what can be detected, recorded alongside the gaps that were identified; 2) intelligence that led to an accelerated patching cycle and closed visibility gaps; 3) intelligence that informed security architecture decisions leading to policy changes, such as removing a remote access tool, measured as the reduction in the time a gap was exposed; 4) the number of intelligence products that helped the organization understand an initial security incident; and 5) intelligence tippers that led to the discovery of a security event.

    Forensic Cyberpsychology: How Anonymity Normalizes the Abnormal

    In episode 40 of the Cyber5, we are joined by Professor of Cyber Psychology and former Producer of CSI Cyber, Mary Aiken. Mary discusses the psychology of online behavior, particularly with regard to social media and how it plays a critical role leading to extremist ideology.

    Here are the 5 Topics We Cover in this Episode:

    1. Defining Cyber Psychology as it Relates to Cyber Space: (01:00-05:52) Cyber psychology is the study of the impact of technology on human behavior. We maintain that human behavior can fundamentally change or mutate in a cyber context. Key constructs include ODE, the Online Disinhibition Effect, which holds that people will perform actions in a cyber context that they would not normally do in the real world. In addition, anonymity is a powerful psychological driver online; while some argue that online anonymity is a fundamental right, that is not accurate: it is an invention of the internet, and behavior is evolving at the speed of technology.
    2. Defining Cyberspace for Corporate Enterprise: (05:24-09:52) In 2016, NATO ratified cyberspace as an environment, acknowledging battles of the future will take place on land, sea, air, and computer networks. In addition to thinking about how the military fights these future battles, it’s also important for enterprises to understand how their businesses and employees operate online and address various threat actors.
    3. Psychology Evolving as Extremism Transitions Online: (09:52-12:00) People are prone to write more adversarial thoughts online because they are not receiving the same micro-expressions, body language, proximity, and feedback they would receive in person. Mary feels addiction does not exist with technology because we rely on it just like we rely on air or water; however, we have to play catch up as a society for how to recognize and curb aggressive online behavior.
    4. Online Safety Technology: (12:00-16:00) While a lot of threat intelligence is geared toward the confidentiality, integrity, and availability (C.I.A.) of data, systems, and networks, it does not focus on what it means to be human. Many in the business community, including Paladin Capital, are starting to invest in safety technologies and services that combat the relationship between the C.I.A. of data systems and the behavioral aspects of cyber security, such as insider threat, harassment, cyber bullying, and disinformation to deliver holistic security capabilities.
    5. Extremist Behavior Online Filtering into Violence in the Real World: (16:00-21:00) When people constantly circulate in online echo chambers fueled by false information and hate speech, combined with ODE, there is huge potential for violence in the real world, as displayed during the Capitol Hill riots in 2021. It is going to be critical for enterprises to monitor cyberspace from a brand reputation perspective, and not just for negative sentiment against products and services. It will also be critical to understand the sentiment behind employee behavior, so that it does not become detrimental to the brand’s image. 

    External Threat Hunting & Active Defense

    In episode 39 of the Cyber5, we are joined by Shannon Lietz, Director of Adversary Management & Threat Intelligence at Intuit. Shannon discusses external threat hunting and an enterprise practitioner’s perspective on active defense.

    Here are the 5 Topics We Cover in This Episode:

    1. Defining Active Defense and External Threat Hunting: (01:34-02:51)

    We start with a proper definition of active defense and external threat hunting. While both terms are often misunderstood, an appropriate definition is a deep understanding of adversaries and of the company’s capabilities to defend, viewed from outside the firewall looking in.

    2. Industry Trends versus Organizational Realities: (02:51-04:30)

    When discussing intelligence gained from external threat hunting, practitioners should recognize the difference between what is happening across the industry and what is happening within their own organization. Advice: enterprises should focus on discerning which threat intelligence is relevant to the organization through the lens of DevSecOps, prioritizing resilience by who is likely to attack a given business function or application, and matching that with attack emulation.

    3. Determining Urgency and Response Speed: (04:30-07:55)

    To apply this to use cases, it is critical to understand the ideal state of security within different functions such as, but not limited to, email security and fraud. The ability to decrease attacker dwell time and respond through meticulous log aggregation and analysis is important and needs to be understood at scale. For example, if one out of 250 emails is malicious but the volume of malicious web traffic hitting critical business applications is exponentially higher, a far greater degree of speed and automation is critical for the latter.

    4. Prioritizing What Requires Attention: (07:55-10:40)

    Large enterprises have thousands of applications, and no one is going to have situational awareness of all of them. Therefore, security teams need to prioritize threat models, define a target state metric that goes beyond compliance, and identify genuine attacker traffic.

    5. Measuring the Ability to Secure Your Business: (10:40-15:49)

    Finally, “securability” is a critical metric of an organization’s attack surface and is defined in three parts: 

    • Attack resilience: the risks an organization takes that give adversaries an opportunity. 
    • Control escapes: the controls in place to address that opportunity.
    • Adversary dwell time: the resources and time it takes attackers to convert the opportunity.

    Digital Identity Reduction for Executive Protection

    In episode 38 of the Cyber5, we are joined by Nisos Director Seth Arthur. Seth discusses digital identity reduction, a methodology for removing online personally identifiable information (PII).

    Outline

    We start by discussing what "doxxing" means and how seriously enterprises take such threats, particularly when executives are identified by malicious actors. Analyzing the threat, reviewing the digital footprint, and attributing the actor(s) are common workflows for digital executive protection. (01:00-04:12)

    We then get into a discussion of how PII proliferates online and what can be done to reduce online footprints every six to twelve months. (04:13-08:24)

    Finally, when a threat to someone's physical security becomes probable and they want to take action, such as filing a restraining order, we discuss the steps Nisos takes in online attribution. (08:24-11:13)

    Exploring the Intelligence Differentiator: The Nisos Dogpile

    In episode 37 of the Cyber5, we are joined by Nisos Managing Principal Jared Hudson.

    Jared discusses the managed intelligence differentiator known as “The Nisos Dogpile,” a collaborative, investigative methodology that combines a wide range of skillsets, data, and technology. This unique approach enables Nisos operators, in partnership with enterprise clients, to rapidly solve security problems (01:38-05:00). We also talk about the technical data, data engineering, and data science, that we fuse with world-class analysis to solve investigations and address third-party risk (05:00-07:40). We provide details on real-world investigations of fraud, disinformation/brand reputation, cyber threat intelligence, trust and safety, third party risk management, and acquisition diligence (07:40-22:00). And finally, we peel back the onion to reveal the attributes we look for in a well-rounded Nisos operator (23:00-25:00).

    Attributes of a Robust Third Party Risk Management Program

    Episode 36 of the podcast covers the attributes of a robust third-party risk management program, including how to use threat intelligence to inform actionable outcomes with third parties.

    • Q1 (01:25) Within your threats and safeguards matrix, you identify vendor and partner data as a major threat. How do you rank order each vendor and what are risk factors of vendors you assess?
    • Q2 (05:33) How does cyber threat intelligence play a factor?
    • Q3 (06:44) What are the critical, actionable outcomes you are looking for with threat intelligence as it pertains to TPRM?
    • Q4 (11:15) Are you using threat intelligence to inform other threats to the business such as compliance, financial, HR, or legal?
    • Q5 (14:00) What’s the best advice you would give to people coming out of the IC and want to be CISOs?

    Creation, Maintenance, and Ethics of Sock Puppet Accounts (Online Personas)

    Episode 35 of the podcast covers the creation, maintenance, and ethics of sock puppet accounts (online personas) and how enterprises can use them to solve numerous business problems. 

    • Question 1: (01:35) What are best practices for growing your connections, follows, or friends on sock puppet accounts?
    • Question 2: (04:10) With the widespread tracking and analytics conducted by social media companies, how do you prevent cross contamination on your sock puppets from your legitimate social media?
    • Question 3: (06:00) What are some appropriate operational security measures that are important in creating sock puppets to ensure they are backstopped?
    • Question 4: (10:02) What are some ethical and legal considerations when creating sock puppets? Can or should you ever use a real person's photos? How do you source pictures for a sock puppet so that it stays consistent?
    • Question 5: (12:58) What are some good investigative use cases for using sock puppets? What is a reasonable time frame to have a sock puppet before one would consider it "aged"?

    Defending Against Chinese State-Sponsored Espionage Efforts

    Episode 34 of the podcast covers how enterprises can defend against Chinese state-sponsored espionage efforts to steal intellectual property. 

    • Q1 (01:00) What are the computer network exploitation and insider threat TTPs you've seen throughout your career to steal intellectual property on the part of the Chinese government? 


    • Q2 (04:09) What are some investigative examples of each?


    • Q3 (09:35) What can companies do to protect themselves? What monitoring mechanisms are critical to detecting a breach?


    • Q4 (13:51) What are the critical monitoring mechanisms to put in place on insider threat?


    • Q5 (16:15) If you were advising a CISO with limited budget, and this was your biggest threat, what would you prioritize?

    Defending a Cloud-Based Enterprise with a Remote Workforce

    Episode 33 of the podcast covers defending a cloud-based enterprise with a remote workforce. 

    • Q1 (01:44) What are the threats that worry you the most? Are you more worried about developer misconfigurations and inadvertent leaks than about an endpoint being compromised?


    • Q2 (04:29) What are the controls you put in place that are the most cost-effective? So much is talked about defending a remote workforce; what strategies have you put in place?


    • Q3 (13:10) Is logging at scale, or even network segmentation, rational for small to mid-sized companies, especially ones that are in the cloud? If so, what does that look like in implementation?


    • Q4 (15:25) What are some custom ways you use threat intelligence to alert for developer mishaps in open-source repositories?


    • Q5 (17:20) In a large enterprise you have TH, SOC, AppSec, Red Team, CTI, VM, TPRM, IAM, etc. Can a lot of this be condensed for a company that is cloud-based and operate more efficiently at scale?

    Consuming Intelligence to Assess Exposure and Pricing for Cyber Insurance Coverage

    Episode 32 of the podcast covers how intelligence can be used to assess exposure and pricing risk for cyber insurance coverage. 

    • Q1 (01:13) What are the challenges for exposure and pricing risk as they pertain to cyber insurance coverage? 

    • Q2 (06:45) What questions are best to help understand exposure risk and pricing risk?

    • Q3 (10:45) How can security stack maturity help underwriters understand and price the risk? 

    • Q4 (15:30) How can the disciplines around the intelligence cycle (plan, collect, process, analyze, disseminate) be helpful to underwriters?

    • Q5 (18:22) How do you communicate these same disciplines to a non-technical board of directors?

    Legal Options for Disinformation and Deepfakes

    Episode 31 of the podcast covers legal options for disinformation and deepfakes. 

    • Q1 (01:06): On Twitter, LeBron James mentioned that he is trying to figure out what his legal options are. What do you tell him?

    • Q2 (06:27): We’ve heard many cases of deepfakes in the business setting. What are practical measures companies and individuals can take to avoid being victims?

    • Q3 (07:40): What are the motivations of the attackers?

    • Q4 (14:06): Is legislation on track to help?

    • Q5 (20:35): What are other possible solutions to these problems, from technology to detect deepfakes, to how the news media should respond, to what platforms can do?