- Welcome to the Cyber Five, where security experts and leaders answer five burning questions on one hot topic in actual intelligence enterprise. Topics include adversary research and attribution, digital executive protection, supply chain risk, brand reputation and protection, disinformation and cyber threat intelligence. I'm your host Landon Winkelvoss, co-founder of NISOS, a managed intelligence company. In this episode, I talk with the head of global cyber threat intelligence for Equinix, Sean O'Connor. We talk about attribution, the cyber threat intelligence investigation space and what the private sector can learn from public sector intelligence programs. We talk about different levels of attribution, the outcomes and disruption campaigns that are needed to make an impact on cyber criminals around the world. We also define the impact of attribution with different stakeholders throughout the business and how the intelligence discipline will likely evolve over the next five to ten years. Stay with us.
- Sean, welcome to the show, sir. Would you mind sharing a little about your background for our listeners, please?
- Yeah, absolutely. I am the head of global cyber threat intelligence operations at Equinix, and what that's really comprised of is threat hunting, threat analytics and of course threat intelligence. Before that, I come predominantly from an intel background. I joined the US Army, focused on human intelligence collection, pivoted into counter-intelligence, started working for the Department of Defense doing counter-intelligence and then pivoted again into doing more tactical SIGINT work, and then after three years in Afghanistan, I'd had enough of overseas and decided I wanted to move back stateside, but I didn't want to live in DC. Pivoted again into cyber intelligence or cybersecurity. Worked for Dell SecureWorks for about six years in their counter threat unit, providing different threat intelligence services.
Worked for KPMG for about a year. I stood up their threat intelligence program there for KPMG US, for KPMG Latin America as well as KPMG Israel, and then I moved over to Equinix and that's where I am now. This is, on behalf of myself, my own opinion, and not that of my employers.
- Sean, I love talking to folks like yourself who bring public sector and private sector experience. You probably know as well as I do that people who have put themselves in harm's way, who've done the public sector work, whether it's through DOD or the intelligence community, actually know how intelligence is used to guide national level priorities. It's just a little different than the private sector in terms of protecting business risk. And I think the two very much augment and complement each other a lot. So I guess from that perspective, kind of starting out, what can the private sector learn from the public sector with regard to intelligence analysis and understanding adversaries that bring risk to business, in that same lens of the risk to national security priorities?
- The private sector's already learned quite a lot from the public sector, and for those who haven't, there's so much that we can look at from the public sector and take away from that and then apply it within the private sector. You look at things like the intelligence life cycle created by the CIA, which we then adopted into the threat intelligence life cycle or the cyber threat intelligence life cycle. Or you look at the MITRE ATT&CK framework, which was inspired by the counter-terrorism kill chain model, which would identify terrorists' tactics, techniques and procedures, and if that sounds familiar, good, that's essentially the MITRE ATT&CK framework. Also, you've got things like the cyber kill chain, which was developed by Lockheed Martin.
That shows us the life cycle of an attack. We could also look at how the public sector has helped us to become better through doing better analysis, through things like structured analytic techniques, which we can thank Richards Heuer at the CIA for. These different analytic techniques allow us to produce better products by ensuring that we produce unbiased intelligence assessments. You also look at things like the private sector hiring more and more intelligence-based talent from the public sector, which just kind of shows an organic growth or organic adoption of public sector training and public sector methodologies and things like that, and how that's just kind of organically created a whole new cyber intelligence focused discipline. So, I mean, there's a number of things that the public sector has taught the private sector already. And for those within the private sector who haven't listened yet, there's just so much information that you can glean from the public sector through those frameworks, or through different analytic techniques, or through just the life cycle in general. Going from PIRs and collecting priority intelligence requirements as the initial part of that life cycle, going to collection, going to exploitation or analysis, going to dissemination and then going to review or feedback from each of those stakeholders. So there's already been so much that the public sector's taught the private sector, and kind of how that's evolved or been adopted by the private sector to essentially have a whole new purpose, which is to serve the business.
- And when we talk about serving the business, I guess I'm kind of curious, before we dive into attribution and cyber threat intelligence and investigation and kind of get into this. When we talk about serving the business, I guess, what part of those public sector learnings have you found to be most valuable?
Some people would think that for intelligence analysis, they just want somebody who's technical and who knows how to pipe a variety of different data sets into a SIEM. Other people would say that they found it more relevant just to have a non-technical background, and they can just ultimately focus on the analysis and really focus on answering those PIRs, priority intelligence requirements. What do you think has been useful for you?
- It really depends on who the stakeholder is. If you have a tactical focused or an operational focused stakeholder like a SOC or the CERT or CSIRT, then that's a completely different intelligence product. But I think what you're mostly describing is the strategic stakeholder. That of the business or business decision makers. And that is still an intelligence based trait or an intelligence analysis based trait, in that you have to identify who your audience is. Is this intelligence that would be useful to one of those business decision makers in making one of those critical decisions? An example of this would be, let's say there's a merger and acquisition, and we're looking at potentially acquiring a company in, I don't know, Spain. What does the threat landscape look like there within that specific industry of that company that we're looking to acquire? What is the risk from a threat perspective as well as a business perspective and just a general risk perspective? And then identifying those and then translating it to that specific strategic audience. That's all still intelligence analysis. It's just a different level of intelligence analysis for a different stakeholder.
- What you're talking about is really the consumers of intelligence. When we talk about the different levels of attribution, I think that means a lot of things to a lot of different people. That can mean the who, what, where, when, how and why.
But when you talk about those different stakeholders, I think it really depends on what level of attribution is needed for that stakeholder. A good follow-on question there is, what are the different levels of attribution needed when really defining the risk to the business?
- From a threat intelligence perspective, I think attribution is extremely important to the business. Within our own internal environment as well as monitoring for emerging threats external to our environment. But let's focus on internal for a minute. If we don't know who's targeted us in the past, then how are we ever going to learn to defend against them in the future? Or let's look at how we define risk to the business. I think a good example, especially with Log4j in recent weeks, using zero days as an example, a simple question from strategic stakeholders might be, okay, well, what is the impact to the business? Well, do we have vulnerable systems within our environment? Or the specific APT group or campaign that's currently using this zero day in the wild, what sectors are they targeting? Or what regions are the victims located in? All of these can kind of become factors when we look at defining that overall risk to the business and how critical this is. Do we need to prioritize patching for this zero day over other patching? And all that sort of rolls in together with defining that risk.
- When do you find, particularly in the cyber threat intelligence lens, usually the way we've seen it play out is you usually have a target of opportunity and you have a target of intent. So I guess when is it necessary, do you believe, that you go beyond the how and the why and maybe even to the who? Let's just take an example. And again, they're all very different, so let's say you have an initial access broker who's brokering access. Does that all of a sudden rise to the level of who is this? Or how do you kind of know when to go to that different level?
And then I guess the following question is, when do the consumers and stakeholders? What's their usual level of ask when they want to go into the level of attribution?
- So let's say we have an initial access broker who is known to sell to, or even be an affiliate of, specific ransomware groups operating in Russian cyber criminal forums like XSS or Exploit. Let's say we're a big energy company and this initial access broker is advertising access to an oil or energy company that kind of fits our MO or what our company is and where we're located. Typically those advertisements will include things like revenue of the business, geolocation of the business, a little bit of information about the business, and then typically once you get to DMs or private messaging with that initial access broker, you can glean a little bit more information from them. But from an attribution perspective or from a stakeholder perspective, really what's important there is the conclusion of our investigation into this. Is this us? If it's not us, who is it? What is our assessment of who this is? Obviously, because this is still an initial access broker that's active within our sector, as well as maybe even the regions that we operate out of, this is somebody that we want to map to our business or threat model, essentially. It's definitely somebody that would be on our radar even if it isn't us and we conclude that it's not us in that specific advertisement. So from a tracking perspective, who is targeting our industry or who is targeting us, that's extremely important.
- When is that level of attribution needed? And then how do you make that actionable? Are you just ultimately putting rules in place that keep confidentiality, integrity and availability of data, systems and networks, and maintaining availability? Is that how you make it actionable?
And then of course, are you going all the way to have some kind of disruption where you want to take down their infrastructure, or are you going to law enforcement? Do you have that set up in different tiers, so to speak?
- Man, that was quite a loaded question. I think that was about four questions in one. But I think there are a few good examples of attribution that's actionable. Let's look internally, let's look at our phishing telemetry or let's look at our endpoint telemetry and identify which groups or actors are actively targeting our organization, and then we could pivot off of these details. Let's say we've got these five groups through our phishing telemetry that are the ones most targeting us over the last year. We can pivot off of that and get more granular and look at, okay, well, what are the most common tactics, techniques and procedures that are used by these actors? Okay, now with this information we can say to the SOC or the CERT, let's create custom rules or detections for these most common techniques that are used by the most observed actors that are targeting our environment internally. We can also do things externally, looking at the external threat landscape and mapping threats that essentially matter to our organization. So let's say we're not a big energy company anymore. Let's say we're a financial services organization. Say we have all this ransomware victim data, which I know you know is not that difficult to get, looking at victimology of all these different ransomware groups that have data leak sites. So let's look at all the groups that have historically targeted the financial sector. Which ransomware groups have done this in the last 30 days? Okay, so now let's do a targeted threat hunt for some of the TTPs that are associated with these, say, top three or top five ransomware groups. We can now say that we have hunted for some of the most active threats that are targeting our industry.
We can even go so far as to help the SOC create custom detections that monitor for the behavioral indicators that are associated with these threats that are so active within our industry. So I mean, that's just one example at a tactical or operational level of how you can action that kind of intelligence. And then as far as when is disruption needed? So you've got to be really careful with disruption, especially at the enterprise level, but it is obviously important. But it needs to be done at the right time. What I mean by this is, if you look at this from an incident response perspective, it's kind of like remediating, in the sense that if you don't have all the facts or all the information at the time of remediation, well, that adversary's likely going to still remain in your environment after you remediate, which is why the intelligence collection process is so important in that. But the same can be said for disruption. You look at examples like Emotet or Clop ransomware or even TrickBot. What that shows us is that if you don't take down the entire infrastructure, or if you haven't arrested every member of that specific group, well, they're likely going to return. And you're basically just playing whack-a-mole at that point. So disruption is extremely important. But you need to make sure that it's done at the right time. What some enterprises do, and it's mostly CTI service-based vendors, is sometimes they will promote that they have TLP red information and then share that through a blog post, because sales. But you really need to do that strategically from a disruption standpoint if you really want it to be meaningful. So, less of the sales-based blog posts that share that kind of information and more of the strategic thinking of how can we do something that's actually going to put a dent in this operation or this cyber criminal operation?
- I couldn't have said that much better myself. Which of course leads me to a curiosity question.
Certainly coming from the public sector and private sector backgrounds that we both do. And yourself, even having customer side security experience as well as solution side experience. Are there aspects of the public sector that we can take into account, of that collection based mentality to keep collecting, collecting, collecting until that disruption point can happen? And here's what I'm asking: in the public sector, you collect on things sometimes for years. Just years before there's an actual activity, whether it be a military, a diplomatic, an economic type of action, so to speak. I think really in the private sector, and certainly sales and marketing efforts are part of this as well, there is ultimately that aspect of let's get it out there. Playing a game of whack-a-mole. Could the private sector improve on that ability to collect more quietly, so to speak, to then have a larger impact on disruption?
- As an example, some of the best disruption campaigns from the private sector that have occurred have been because of successful information sharing. That's one thing that the public sector's starting to do more of in partnership with the private sector. And that is one thing that the private sector is starting to do more of with other entities within the private sector. And the reason is because we don't all have full visibility. Even the NSA doesn't have full visibility into everything. Which is why information sharing is so important. However, if something's TLP red, something needs to be TLP red. If something should not be shared publicly or should not be shared just for the sake of sharing, that needs to be respected, or else we're not going to have a successful disruption of a cyber criminal or a nation state operation. But some of the most successful disruption campaigns from the private sector have occurred through information sharing.
I don't want to name vendors, but a lot of vendors coming together and working together and sharing all the telemetry that they have through their customers, and then through that combined visibility, they're able to successfully disrupt, at least temporarily, a cyber criminal operation.
- How do you measure the impact of what you're describing there? To different stakeholders, security is a risk management function in an enterprise, and therefore, ultimately, you have to have, I think, a different lens in terms of measuring impact. How have you found measuring that high impact is most successful?
- Have we been breached? How many incidents related to the specific threats have we observed? What's interesting about cybersecurity is that it's not about what you've done to successfully defend. Typically you're measured by the bad things that have happened. You don't normally see all the good things. So it becomes difficult to measure that. However, working with those that work within risk absolutely helps you to measure those successes. But typically, most people just see the failures that occur, unfortunately.
- From that perspective, and I don't disagree, I'm just kind of curious. I think to me there's a security incident and then of course there's the B word.
- I guess, have we successfully remediated?
- There you go.
- I think that's a good way to measure. If you look at it just from an incident perspective, how intel's provided that incident response team with what they need to successfully remediate, that's a win right there.
- I mean, that's a win? Do you think the industry's there yet, where we can extrapolate where we've been able to come in, we being the intelligence team or the incident response team, and say we've kept these to be incidents or events where they have not escalated? Meaning, we have the right visibility, so what we're seeing is complete, accurate and truthful.
Therefore, we can say with confidence that this is just an incident. This phish might have landed, but they were not able to escalate to domain admin. But we were able to work fast and we were able to work smart to make that happen. Are we there yet, or do we still have a ways to go to measure from that perspective?
- I think we're there in most mature security programs that have a more mature threat intelligence program. I think we're there. Obviously there's some that are less mature that may not necessarily be at that level. But I think most organizations that do have that more mature program are at that level.
- So I guess, how do you define impact with attribution to different stakeholders throughout the business?
- One of the things that comes to mind is that CTI or cyber threat intelligence is a service-based discipline. And typically what I do is I'll let the stakeholders define what is important to them through priority intelligence requirements, or IRs or PIRs. So whatever is important to them, I will go to them, before I even start collecting and before my team even starts collecting, and ask them, what is important to them? The physical security stakeholder is probably going to be more concerned about physical intrusions or infiltrations through physical mediums like thumb drives, like the WICKED PANDA APT group, that's a really good example of one that has historically gone in and physically infiltrated using physical mediums such as thumb drives. Or say you have an ICS stakeholder. Threat groups who are known to target ICS and OT organizations. Obviously historic victimology will allow us to do things like threat model for that particular stakeholder. As an example, the Lyceum APT group, they've historically targeted ICS and OT organizations in the Middle East.
So if I have a stakeholder or a customer that is located in the Middle East that fits that industry, that's probably a threat group that I would keep an eye on and probably provide intel every now and then, where relevant and where timely, to that particular stakeholder. But really, I don't define it until I get that feedback or that initial requirement or need from each of those stakeholders. So through that PIR process, which is the very first part of the intelligence or the threat intelligence life cycle. To answer your question, I think it's important to let the stakeholder define that. And where they can't define it or they don't understand it, you try and explain, you try and hold their hand and explain it to them in a way that they can understand, so that you're not just collecting nonsense, you're not collecting non-actionable intelligence.
- And that's a fascinating point. Let's take a financial institution. If I was approaching a senior vice president of wealth management, in terms of what he's thinking about for the risk of his overall business. I do not know what he does on a day-to-day basis to make the company money, just like he doesn't understand security. How much do threat intelligence experts really need to understand the granularity of how the company is making money and really be able to translate that and use it?
- So I think it's extremely crucial for any intelligence analyst to understand that. Because otherwise, you're not going to know your audience. I wouldn't throw indicators of compromise over to a senior director or a VP and expect them to be receptive to what I just sent them, or even understand what I just sent them. They want a very high level overview of why we care, how it impacts the business and things like that. And it needs to be translated into a language that they can understand, and then they can either present it to the board or they can make some kind of a business decision on it.
If ransomware is the top threat, or if phishing is the top initial access vector, these are the types of things that we can translate to that strategic stakeholder so that they can make a business decision to say, well, maybe I should invest more in phishing intelligence or phishing security. Or maybe I should invest more in ways to detect or mitigate ransomware operators. But that needs to be translated into a language that they understand. We can't just say, XYZ threat group who operates ransomware, and we have high confidence that they target this industry, and these are the IOCs and TTPs associated with this group or with this operation, and then expect a strategic stakeholder to take that and understand it. Things need to be taken and translated into their language. Like Pew Pew Maps. You're not going to give them Pew Pew Maps. That's at the SOC level.
- You might want to explain what a Pew Pew Map is.
- Yeah. So I like to use Pew Pew Maps as an example as far as knowing your audience. Most SOC analysts that see a Pew Pew Map typically scoff or laugh at it, because the Pew Pew Map is not for the SOC analyst. Usually it's for the executive that's walking by, or maybe a salesperson who's walking by with an executive, a potential customer, and trying to show off their SOC and the analysts and everything. So those Pew Pew Maps are typically for those people, and typically just a visual depiction of, quote unquote, what the SOC is doing or the threats that are being observed. And it's not necessarily for the tactical or operational folks within the SOC. So I like to use that as an example of knowing your audience.
- I think this is always helpful. I've talked to some CSOs who really, it's just those CSOs and VPs that really, quote, speak to the business. And I think it's just a good message to continually articulate that even threat intelligence folks, really anybody at that level, can really speak to the business. I think that's kind of here all the time.
- One of the things that's really unique about threat intelligence, and it goes back to it being a service-based role, is that because of that, we have to understand the needs of each of our stakeholders. So we get this unique perspective, whether it's from the strategic level, so our CSOs or the executives or the board level that may consume our intelligence at that strategic level, or at the operational level, whether it's the CERT or CSIRT or the SOC or the vulnerability management team or whoever. And at the tactical level, typically the SOC analysts that are on the ground and battling every day. Understanding each need of each of those stakeholders gives us that unique perspective of what's important to each of those stakeholders and what's important to the business. And also, it trains us to be able to translate different deliverables or different products to each of those stakeholders. If this is going to the SOC, well, it's probably going to look completely different than a merger and acquisition recon report that's going to executives. Or if it's just tactical indicators like IOCs and stuff, those are probably just going to be fed through the SOC. Whereas the board doesn't need to know that kind of information, and it probably looks like Spanish to them. I think it gives us a unique perspective. But that's why it's crucial to have that understanding of what each individual stakeholder's needs are.
- Do you think intel belongs in the SOC, or do you think it has a greater role throughout the business?
- I'm really happy that you asked me that question. So I personally believe that threat intel should be a floating team. And what I mean by that is, if we're under the SOC, as an example, we're mostly going to be detection oriented. We're going to be focused on ways that we can detect different threats and focus on things like that and focus on IOCs and stuff like that. Whereas if we're under the CERT, we're probably going to be reactive.
Or if we fall under vulnerability management, well, we're probably going to be mostly focused on zero day exploits. Whereas if we operate more as a floating team, where we go from stakeholder to stakeholder and we sit under our own, whether it's under the CSO or wherever, then we have so many different opportunities to get a better understanding of the needs of even legal, or just different teams and different departments that aren't necessarily security. There's different things that we could provide services to. But because of that, it gives us more visibility into not just the business, but the threat landscape as it applies to each of our individual stakeholders. Whereas if I'm on the vulnerability management team, as an example, or underneath vuln management, again, I'm mostly going to be focused on zero day exploits and different vulnerabilities to the business that are currently being exploited in the wild. Things along those lines. So I think it's really important for CTI to sort of float around and operate kind of independently.
- How does that transition ultimately need to take place? How does that need to be accepted more widely?
- I mean, a lot of it unfortunately is going to be growing pains or trial and error. If they see that something doesn't work, whether it's the CTI team is in the SOC or the CTI team is under a specific team, and then something happens, whether it's an incident or something else like that, and they say, "Well, why didn't we get this?" Well, it's because the CTI team is mostly focused around this particular area instead of every particular area. Why didn't we track this geopolitical event that impacts the uptime of our services? Well, because they were under incident response and these geopolitical events weren't being tracked. And that technically wasn't an incident, that was an external, global, geopolitical event that occurred.
Whereas if CTI is focused on the external and internal landscapes and has multiple stakeholders, well, then we probably would have caught or tracked that geopolitical event. So it's really going to be trial and error for those who don't currently adopt that model. Again, it's probably the needs of the business. So if the needs of the business translate to the CTI team should be in the SOC, well, then that probably works best for them. So a lot of it is going to be based on the needs of the business.
- It's certainly interesting, because we have some customers that are manufacturing companies where you have a head of intelligence that sits right next to the CTO, and the SOC function reports up to the CTO, and the intelligence function reports right to the CEO. I've seen that at a couple of our customers. I don't think that's widely accepted. But it's certainly interesting that that is being at least more widely recognized.
- Yeah. I envision, whether it's a chief intelligence officer or chief threat intelligence officer, that becoming more widely accepted over the next decade, and its importance. Especially if that intelligence is not just focused on cyber threats, but focused on a number of other things like competitive intelligence and other things that could potentially be translated into threat intelligence. And I see that sitting underneath the CSO. Typically, in most cases, I envision threat intelligence sitting underneath the CSO. That's where it makes the most sense at this current time. But again, it's all about the needs of the business.
- Sean, it's an exciting time, certainly for the intelligence business within the enterprise. Thank you very much for your comments today. And thank you for joining the show. For the latest subject matter expertise around managed intelligence, please visit us at www.NISOS.com.
There, we feature all the latest content from NISOS experts on solutions ranging from supply chain risk, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection and disinformation, as well as cyber threat intelligence. A special thank you to all NISOS teammates who engage with our clients to conduct some of the world's most challenging security problems on the digital plane and conduct high stakes security investigations. Without the value the team provides day in, day out, this podcast would not be possible. Thank you for listening.