Expert: Sharing intelligence on threats helps everyone fight cyberattacks

TechRepublic’s Karen Roby spoke with Neal Dennis, a threat intel specialist at Cyware and a former U.S. Marine, about cybersecurity. The following is an edited transcript of their conversation.

Karen Roby: Neal, why is sharing intelligence important?

SEE: Security incident response policy (TechRepublic Premium)

Neal Dennis: There’s a lot of good things out there that are kind of one-offs, or staging one-offs, when the campaigns in the cyberwar kick off. So if we think of low key things like email-based threats, mal-spam events, there’s a lot of popular commodity based type malware events out there that they’ll have a trial campaign when they’re doing tools and techniques. As a starting point, if you’re part of that trial campaign, one, you probably really don’t know. You’re just seeing the same traffic over and over, but if you capture those findings and you automate out the sharing of those findings, when it becomes a more legit campaign, the rest of your network within your community is already bolstered against that. So, you’re kind of out in front of the threats as a community.

Then as these things start to cycle up and become bigger, they change minor things within the TTPs. So, if everybody’s at least doing some level of automation and paying attention and sharing those little state changes, instead of it being impacting 50, 60 people in your industry vertical over the course of a week, it’s now really one person at a time and you are kind of sharing the load and forcing the threat actors to change more rapidly, which can be a good or bad thing, but it raises their cost, lowers the burden on you from an information-sharing perspective to get the data out there and kind of help raise all ships if you will.

Karen Roby: Talk a little bit about, Neal, being more proactive versus so reactionary, which just kind of where we are right now, or most companies it seems are just reacting when something happens, unfortunately, sometimes catastrophic things.

Neal Dennis: Yeah, very much so. It’s a hard hurtle because everybody’s got to start somewhere. When we think of phasing things in, everybody starts obviously in that reactive phase. It goes one of a couple ways. They either get there and they take in a crap ton of data and they’re just inundated with alert fatigue and all this other stuff. They’re starting usually with the smaller team or contracted to hire a team like a [managed security service provider], or something like that, to supplement. But they’re still going through a lot of alerts.

To go from that to proactive, they’ve got to learn a couple of lessons around how to customize the data, how to stage that data for their own uniqueness, and how to get quality data relevant to their environment, which is why ISACs [information sharing and analysis center] and ISAOs [information sharing and analysis organization] become very important for that matter.

SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)

But going from reactive to proactive, grasping the understanding of that data and being able to kind of whittle away at the content that’s available and make it more focused on your engagement. Then if you can get to there, there’s a lot of little things you can automate for that process. Then once you get to that proactive nature, you’re no longer just playing Whack-a-Mole on the sims or the case management systems, you’re hopefully kind of looking at the communities you’re involved in and actually becoming a part of those communities to further propagate your understanding outward.

It’s a hard adventure to get there, to be fair. It takes a really good understanding of your systems. It takes someone who understands the data, the intel that’s available and how it applies to your network. But once you do that, one person can feel like a shop of 20 once you start doing that right application. It’s kind of a fun adventure.

Karen Roby: Yeah, you just mentioned with feeling like a shop of 20, you’ve been in cyber security for a long time now, nearly two decades. I think it would be good before I even ask my question about this, to share how you got into this. As I mentioned off the top, you’re a former marine and then flipped to this. Just give us a quick glimpse into how that happened.

Neal Dennis: It was all happenstance. I was sitting in formation. I was bored from sitting in a chair all day and showed up, the platoon commander was like, “I have an opening for something.” Before he could finish I raised my hand, and I was like, “Pick me. Don’t know what it is, but I’ll do it.” I went from being a linguist to being a cybersecurity specialist almost overnight. So, it’s just sheer happenstance, it fell into my lap, and now the last 15 to 20 years has all been kind of progressionary based off of me just being bored of sitting in a chair.

SEE: Expert: Intel sharing is key to preventing more infrastructure cyberattacks (TechRepublic)

Karen Roby: Good thing it was an assignment that you enjoyed and obviously picked up really quickly, Neal. Having been in this for so many years in different facets and with government work and others, how have the IT teams with companies, how have they changed, evolved? Are they incorporating cybersecurity specialists or not enough? Do they even have the ability to do that? Again, big question I know, but how do you feel like we’re doing in general with that?

Neal Dennis: Yeah, it’s been fun because 20 years ago, the late ’90s, early 2000s, intel as a concept was just a government-based concept. If you wanted an intel analyst and you wanted to understand what an analyst could do for your environment from a cybersecurity perspective, it’s non-existent. Cybersecurity was kind of non-existent 20+ years ago. You had IT guys who were used to running cables, managing firewalls and sims for what little bit there was. We’ve definitely come leaps and bounds, just in 20 years.

Then we had the huge breach issues in the mid-2000s, 2008, 2009, 2010, 2012, with all the big companies. I think that taught a lot of people some initial lessons on what it means to actually invest in cybersecurity. You’re no longer a big box or getting targeted, it’s everybody’s job to maintain cybersecurity now. We saw that move from large companies to small companies in that timeframe.

From an intel analyst perspective, there was maybe about seven or eight years ago a phase where it started to catch on, where I think people from my age bracket were getting out of the military and making ourselves known as a skillset a little bit more verbosely. There’s a couple tools that started to come up, threat intel platforms and things like that. So, I think last year, this year, with remote working and understanding that the threat landscape went from something like this to being this massive piece now, just because of COVID, intel analysis and the need to kind of whittle away at the data more in focus is a huge priority. I see a lot more job openings at smaller companies for some kind of intel specialist persona and analyst of sorts that’s not just a SOC responder.

I think we’re kind of hitting that S-curve growth for this career field out here. It’s exciting. I think the next steps, you get them in there, they help get requirements set, they help your business grow that understanding that you need to be proactive. Then the next stage is automation and orchestration, which we saw that kind of start off three or four years ago really heavy, and it’s just now kind of growing in favor for smaller companies once more. And so now we get to combine intel analyst with automation and orchestration. I think that’s kind of the next big trend, is take your understanding and start to automate out those known knowns, and make life a little less complicated, hopefully.

Also see