November 15, 2022

Challenges & Opportunities in Cyber Threat Intelligence with Brian Kime

by Hacker Valley Studio

Show Notes

Brian Kime, VP of Intelligence Strategy and Advisory at ZeroFox, talks about all things threat intelligence this week. Brian explains why he chose threat intelligence as his focus, where he’s seen opportunities for growth in recent years, and what challenges for cyber threat intelligence lie ahead. Using his intelligence experience developed first in the US Army Special Forces, Brian delivers his argument for intelligence-driven security, instead of the marketing-driven security industry we have today.


Timecoded Guide:

[00:00] Diving into the VP of Intelligence Strategy role

[05:25] Learning intelligence in the Army Special Forces

[10:09] Seeing the past, present, & future of threat intelligence

[19:31] Measuring efficacy & ROI of cyber threat data

[25:18] Building your own cyber threat intelligence capabilities


Sponsor Links:

Thank you to our sponsors Axonius and NetSPI for bringing this episode to life!

The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley

For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human-delivered security testing. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more.


A lot of folks shift from intelligence into other areas of cyber, what inspired you to continue down the intelligence route?

After Brian graduated from Georgia Tech and the nation experienced the tragedy of 9/11, Brian felt called to enlist in the US Army Reserve. While the war in Afghanistan was not as short-lived as anyone expected, Brian found his calling in military intelligence, where he was inspired to put his experiences in IT and intelligence together. It turns out that fusion already existed in the form of cyber threat intelligence, and Brian wanted to focus on that completely.

“I want to bring all these things together and really start pushing our customers and pushing the security community in general towards more intelligence-driven security. Mostly, what I see even today still just feels like marketing-driven security.”


Where are we today with threat intelligence technology, in terms of challenges and opportunities?

Brian believes we’re already in a really exciting place today in terms of threat intelligence technology. The opportunities he finds most promising right now come from three sources of data: internal data from previous threats, freely available external data from sources like vendor blogs and social media, and third-party vendors that fill the remaining gaps. However, the challenge facing threat intelligence now is how to make that capability available to small and medium businesses.

“That's what I would love to see become the standard, that big corporations incorporate threat intelligence to the level that they can start to actually extend that value into their supply chain. That way, the whole system becomes more resilient, more secure.”


How does a security team measure the efficacy and ROI of intelligence?

In Brian’s opinion, most cybersecurity practitioners don't track the ROI of their intelligence vendors, or they fail to measure intelligence for effectiveness. The metrics cyber teams should focus on include number of new detections created, incidents discovered, adversary dwell time, and improved security decision making. Unfortunately, improved decision making is the hardest to measure because it requires practitioner feedback.

“At the end of the day, if stakeholders are making security decisions based on intelligence that I'm providing, that's a really good measure of effectiveness. All the security decisions that were influenced by threat intelligence, that's what we're going for.” 


When you don't have an intelligence capability and you want to create one, what is typically the first thing that an intelligence team member does?

If you’re intending to collect data from your customers (which almost every company out there is trying to do), then Brian believes that privacy and security need to be considered from the start. Critical security controls and a solid framework are key to early success for even the smallest security team. The best place to start? Software and hardware inventory. If you don’t know what you have, you won’t be able to secure your technology properly. 

“At the beginning of the critical security controls, it's always software and hardware inventory. If I don't know what I have, then I really can't do anything well in security. I can't do incident response because I don't know where my data is.”

---------------

Links:

Keep up with our guest Brian Kime on LinkedIn and Twitter

Learn more about ZeroFox on LinkedIn and the ZeroFox website

Connect with Ron Eddings on LinkedIn and Twitter

Connect with Chris Cochran on LinkedIn and Twitter

Purchase a HVS t-shirt at our shop

Continue the conversation by joining our Discord

Check out Hacker Valley Media and Hacker Valley Studio



Transcript

Hacker Valley Studio 00:07
Who says tech can't be human?
Brian 00:10
All the lessons learned from that intrusion, and you can do a lot of great things. With that, you can see how a threat that hopefully hasn't targeted you accomplish their objectives. And then, you can build new detections and improve your security architecture based on that type report.
Hacker Valley Studio 00:30
Welcome to the Hacker Valley Studio podcast.
Axonius Ad 00:36
We get it; another vendor running another podcast ad, trying to get you to check out their product. Instead of explaining to you what our amazing sponsor Axonius does, we've brought in an Axonius customer to fill you in. Take it from Jason Loomis, Chief Information Security Officer at Mindbody.
Jason from Mindbody 00:55
The sheer excitement of my team to have visibility into what's in our environment, and have it all in one location is just— I can't express how important it is for us.
Axonius Ad 01:06
Want to learn more about how Mindbody enhanced their asset visibility and increased their cybersecurity maturity rating with Axonius? Watch the video at Axonius.com/Mindbody.
Chris 01:18
What's going on, everybody? You are in the Hacker Valley Studio with your hosts, Ron and Chris.
Ron 01:31
Yes, sir.
Chris 01:35
Welcome back to the show.
Ron 01:38
Glad to be back again. In the studio today, we brought with us a special guest. We're going to be talking a little bit about intelligence, and to kick this topic off, we've brought in Brian Kime. Brian is VP of Intelligence Strategy and Advisory at ZeroFox. Brian, welcome to the podcast.
Brian 01:59
Ron, Chris, thank you so much for having me.
Chris 02:01
Oh, we are pumped to have this conversation. We met in 2019. We met at the threat intelligence summit with SANS, had some great conversations about intel at that time. Coincidentally, that is when I really started speaking and doing a lot of the talks and outward communication for our community. One of the things that we talk about quite often in intelligence is this concept of feedback. It's part of my framework, the easy framework, it's part of a lot of the things that I talk about, but it seems like people kind of put feedback on the backburner, but this is one of the most important things, from my perspective, when it comes to intelligence. Why would you say feedback is important to you?
Brian 02:42
Well, we have to understand what is valuable to our stakeholders. It's easy for us to shoot an email over with some statement about a threat, and we don't know if there's any actions that have been taken to reduce risk if we don't get any kind of feedback. From our perspective, from my perspective, as an intelligence professional, no news is actually bad news in that case. If no one is telling me that, "Yeah, we took some action and we reduced risk, we changed some security controls, we talked to someone else and we did something," then it's hard for us to understand if we're doing something that is adding some value, or if we're just generating noise.
Ron 03:31
So, let's dive into it then. Chris just mentioned feedback. We all really know that feedback is really important, but there's also a lot of things that go into intelligence, building security programs, before you hit the feedback stage. I would love to hear a little bit about what it is that a VP of Intelligence Strategy is really laser focused on. Tell us a little bit about what you're doing day to day, and what makes it so impactful.
Brian 03:57
Yeah, sure. So, in my role, I'm really working across the company to make ZeroFox much smarter about intelligence. So, I do a little bit of internal training, I also own the company's competitive intelligence functions. I have a competitive intelligence manager with his eye 24/7 on our competitors, so that we can make better, faster product decisions, so that our sales team can counter and stay ahead of the competitors when they're in a competitive scenario. Also, I find our subject matter experts within the company, aka thought leaders, and I get them out into the public wherever it's appropriate. So, if a journalist or a podcast like Hacker Valley Studio has a particular need to bring someone on to interview for some topic, maybe it's ransomware, maybe it's the automotive industry, or it's the Uber breach that was just announced, I have the pulse on the whole company and all of our experts. I can say that this person over here is who you want to talk to. And I help them get their voice out there in the public. In part to build their own brand, but of course, to build the credibility of ZeroFox, as the jet tier one type of intelligence company.
Chris 05:25
Let's go back to the beginning. I know you got your start in the intelligence arena, much like myself. What inspired you to continue down the intelligence route? A lot of folks go from intelligence and they pivot into other aspects of cybersecurity, or even different types of intelligence. What kept you on the straight and narrow when it came to intelligence?
Brian 05:47
So, I enlisted after 9/11. I was in my fifth year at Georgia Tech and I had never considered serving my country before, went and enlisted in the US Army Reserve after I graduated in 2002. I went Reserve because, you know, we kind of kicked the Taliban's ass, and I thought, like, this is gonna be a short-lived thing and I was like, "I'll serve, but you know, I'm gonna go to grad school and all this stuff." And so, I started doing the grad school thing, and of course, this wasn't a short-lived war. So, while I was in grad school, I thought, "This is pretty cool. Maybe I could do even more than being an enlisted soldier." So, I signed up for ROTC and I had been assigned to an intelligence unit in the Atlanta area, but I was not an intel analyst. I started to talk to these officers, Warrant Officers and CEOs and stuff, and I thought like, "This is pretty cool. I should look into that."
Brian 06:45
I was lucky enough to branch as a military intelligence officer in 2006, and went back to being a regular reservist after my military intelligence basic officer leadership course, and then got hired on actually, as a federal civilian with the Government Accountability Office. I didn't really like the pace of being a federal civilian, so then, I took some active duty tours and one of those culminated, the last one, I went overseas to Afghanistan and I got attached to Army Special Forces. I helped support the village stability operations thing, and all these little jobs over time, I started to really enjoy the intelligence thing, and started to think: What could I do with this in the private sector? I wanted to start to settle down, really, and get a real job. In one of my other active duty tours, in about 2008, 2009, I was basically an IT manager for a SCIF. SCIF, if you're unfamiliar, Sensitive Compartmented Information Facility, it's where we have all the top-secret networks and stuff. So, basically, I was the guy that helped, along with the contractor, keep all the systems, both the networking gear and the individual analyst workstations, up and running. And like, man, maybe I can put intelligence and kind of IT stuff together and do some cool things.
Brian 08:16
Thankfully, some people were already starting to do what we're calling cyber threat intelligence today. I was really fortunate that I live in Atlanta and one of the largest managed security service providers is headquartered out of here. They had a need for someone like me and I got hired full time. Originally, my first title was IT Security Intel Analyst, which is kind of funny considering what we call it today, and then I've moved on, you know, other roles within that company and elsewhere. I've been able to realize that merging of the IT stuff, and then, intelligence, and I hope to move things forward. And now, I'm here at ZeroFox, I think I am helping one of my peers, AJ Nash, he leads a big bulk of our intelligence capability here. We have some intelligence capabilities elsewhere in the company. I want to bring all these things together and really start pushing our customers and pushing the security community in general towards more intelligence-driven security. Mostly, what I see even today still just feels like marketing-driven security, where people are buying the latest and greatest tools, but there's no strategy really beyond those purchases, or the opposite end, it's the YOLOsec. I'm gonna steal that term from Kelly Shortridge because I think it's brilliant, but YOLOsec is basically just like, not caring, like, "No one's gonna breach us. I mean, what do we do that's important?" Throwing all caution to the wind. So, hopefully, you know, when I retire, whenever that happens, we actually do have intelligence-driven cybersecurity across the board, and even small and medium sized businesses are benefiting from the value of threat intelligence.
Ron 10:09
I would love to hear where we are at with that, because when I first started in cybersecurity and learned about intelligence, I was actually working with Chris. I was an offensive operator for a while, and then me and Chris started working together, and he was telling me about all of the intelligence capabilities that threat intelligence could bring to security operations. I thought to myself, "This is amazing. Who has all of this information about threats out there?" I learned that there's no one source I can go to. As someone that is spending money on behalf of my organization, I would imagine that working with a threat intelligence provider would give me all the threat intelligence I need, but I know it's not that simple. So, I would love to hear, where are we at today? Where are the challenges? Also, what opportunities are we seizing on?
Brian 10:58
Oh, man, that's a great question. So, this can go in a couple different directions. After five minutes, make sure that I'm still on track here, because this could go off on a tangent. So, when I talk to folks, and I did this at my talk recently at the FS-ISAC European Summit, is let's not talk about what we talked about in the military, like human intelligence, or signals intelligence or SIGINT. Like, those things don't really matter in the private sector. A CISO doesn't care, the Board of Directors doesn't care, right? But if I'm looking to help people build a mature intelligence capability, think about three places where I'm going to get my data, my intelligence.
Brian 11:48
So, internal data, we'll start there, because I think this is the most important. So, unlike in a lot of different scenarios, where the threat is not leaving behind a whole lot of information, in cybersecurity, if you get phished, the threat is sending you their tool, the links to all their infrastructure, it's all right there. They do a vulnerability scan, and they're leaving artifacts all over your network. If they do breach your network, they're leaving tons of artifacts everywhere. I mean, all your logs are showing exactly how someone moved through your enterprise. That's just tremendously valuable. It's the most relevant, raw intelligence that you have and you've already paid for it. All your systems are logging this all the time. So, use that internal data, first and foremost.
Brian 12:37
Secondly, then, there's just so much data that is freely available out there on the internet. It's so easy to collect, take advantage of that. I mean, you have vendor blogs that will walk through an intrusion that their company responded to and all the lessons learned from that intrusion. You can do a lot of great things with that. You can see how a threat that hopefully hasn't targeted you accomplished their objectives. And then, you can build new detections and improve your security architecture based on that type of report. And then, you have just people on social media just vomiting up great nuggets of data all the time. You have some independent researchers that will post hashes where they can go grab the malware off VirusTotal, and check it out and implement any kind of technical things in your own environment. So, there's so much data everywhere there.
Brian 13:30
And then, lastly, when you still have gaps in your intelligence collection plan, then go seek out vendors, that should be like, third in your order there. Of course, everyone should be looking out for phishing, domain typosquatting and things like that, and that's gonna be really hard to get good coverage on from your own internal data, right? Unless your own employees are seeing like, every phish and every domain typosquat out there. Most of the time, it's your customers and partners that are going to see these domain typosquats and these phishing things. So, you do need to go in that case to a third party that is monitoring for those things, that adds visibility. So, that's one answer to your question.
Brian 14:15
The other one was, I think, referencing small and medium sized businesses. They don't have big security teams, like the big banks or big energy utilities, big oil companies and things like that. So, how do we get threat intelligence into their hands? And there's a couple of ways. So, before ZeroFox, I was the analyst at Forrester that led all the threat intelligence research. I got asked this question, you know, how do SMBs get the value of threat intelligence? And I just wanted to do some research to see if I could use teams like the Microsoft Threat Intelligence Center and Cisco Talos, Palo Alto's Unit 42 and all the other product intelligence teams within the cybersecurity vendors as some kind of proxy for: Which vendor should an SMB buy? Should they buy Palo Alto firewalls or Cisco firewalls? Can they use Unit 42 as somewhat of a proxy for the efficacy of those tools?
Brian 15:22
I never had the time, or honestly, the access maybe to figure out that answer. I don't know if any of those companies would have let me that far under the hood where I could have definitely said that one vendor intel shop is better than another. But then, my company is out there in the gray space between threats and our customers. Not all small businesses are going to use and can operationalize your APT Fuzzy Snuggly Duck type reports, right? They may not even have a CIO, let alone like, a CISO and security staff and threat intel analysts. But what we find especially in things like professional sports, is you have effectively a small business by employee headcount, and a huge like, global brand. That global brand brings in the scammers and the fraudsters, your customers then get targeted that much more because of your success. So, Champions League is on in Europe right now. Since I just left Madrid, I was there in Madrid when Real Madrid was playing Leipzig, in the Champions League. And so, just by virtue of Madrid being successful, getting into Champions League, their fans are seeing more counterfeit ticket scams. For small companies like that, like we're a really good vendor to come in, apologize for the product pitch, but there's no way that a small business can deal with the magnitude of these fraudsters and scammers on social media and phishing, and whatnot.
Brian 16:56
But if you are a large enterprise, there's a few that I can think of out there that are capable of doing this, when you get to the maturity level where you really are embedding intelligence into your security operations, into your security architecture, all the security decision making, you can start actually dropping the big vendors that sell you APT Fuzzy Snuggly Duck type of reports. And instead of buying someone else's finished intelligence, you buy the raw data necessary for you to track your own threat landscape, and produce your own finished intelligence. When you get to that maturity level, you start seeing potential breaches in other parties, like your suppliers. I know there's a big retailer out there, I don't want to share their name because the research that I participated in with this retailer, the retailer's name was not made public, but I can assure you, it's one of the largest ones out there. Their threat intel program was so mature that they were able to defend many of their suppliers, as well. So, if I can remember the stats from a couple years ago, in 24 out of 30 cases that this threat intel team, this large retailer, discovered indicators of a breach at a supplier, they were able to get in touch with that supplier, get someone knowledgeable on the phone, plead their case, validate their data and everything, and then, help them identify where that threat was. They were able to prevent ransomware breaches in those cases. And so, all those vendors that have some of the retailer's customer data, maybe employee data, like that, that prevented that retailer from having to do any kind of breach notifications themselves. They didn't have to fire the supplier and go find a new one because of this. There were no lawsuits involved. It was truly proactive, reducing risk across their own company and their customers, but also their suppliers. And so, hopefully, to come back full circle on this question is, that's what I would love to see become the standard, that big corporations incorporate threat intelligence to the level that they can start to actually extend that value into their supply chain. That way, the whole system becomes more resilient, more secure.
Chris 19:31
I love that, and that's a great positive story for people to take with them. One of the issues that I've seen in my time in threat intelligence, is this idea of prioritization and really measuring your sources. Because, like you said, there is a lot of information out there. There's a lot of information out there in open source, and there's a lot of vendors out there pushing finished intelligence products. How does a team really measure the efficacy of a feed, the efficacy of certain data that they collect and utilize? What are some of the tenets you see folks use to really get to the signal that's within the noise?
Brian 20:09
Most people don't really track the ROI of their intelligence vendors, frankly, or they just track the wrong things. Coming from the Marine Corps, you probably use similar terminology, you know, measures of performance versus measures of effectiveness. So, for most people, they're really only tracking those measures of performance. Did we get IOCs from this vendor? Like, yeah, we got maybe 1 million this month, 2 million next month, whatever, right? Data is flowing, things are working, but that's not really adding a whole lot of value. So, in addition to some of the other earlier stuff I mentioned from my FS-ISAC Europe talk, I also did do a few minutes on threat intelligence metrics. Like I said, I break them down into measures of performance, measures of effectiveness. Those APT Fuzzy Snuggly Duck style reports are great, but frankly, I think a lot of us in the threat intel community kind of write for each other, a little more than writing for our security decision makers. So, simply the number of reports that you download from a portal, it's a measure of performance, things are happening, but what makes intelligence effective? Some examples of some good threat intel metrics are things like the number of new detections that you've created in your environment based on threat intelligence. So, you get a good assessment, a good profile of a threat, you hand that to your threat hunters, and they go and they find in the environment where they can detect that threat based on your assessment. And then, detection engineers, maybe that's the same person as your threat hunters, go and write new detections, they make some correlation rules in your SIEM, maybe they do some ClamAV rules or Snort rules, whatever format they're using, and push those down into your security controls. Now, you're able to detect other threats you were not able to detect before. So, we're actually improving our prevention and detection capabilities from that threat intelligence.
Brian 22:22
Another good metric is incidents discovered via threat intelligence. So, let's say all your controls failed, and your data was taken and it ends up in some underground forum. Some threat actor that stole it is offering it for sale. If you've got a vendor out there that has placement and access in these underground forums, then that intelligence vendor might be your IDS, right there. They may come to you and say, "Hey, we saw this data in this forum, does it belong to you?" And sometimes, that happens there. So, in that case, you're able to start the incident response and the breach response process before Brian Krebs gets on it and writes about you on his blog.
Brian 23:12
Moving kind of down, adversary dwell time, I think, is a really useful metric. Effectively, we're trying to shorten the time between when a threat gets first access to your network and when they get detected, whether it's by a security control, whether it's a vigilant user, or that data is in that underground forum, we want to shrink that. If we're applying intelligence well, we have controls and detections throughout the environment that threat intel has influenced, and we're able to detect lateral movement earlier, we are able to go find exfiltration tactics, rules and protections for those things, and reduce the amount of time that a threat actually has to achieve their objective. So, you reduce adversary dwell time, you also will reduce your mean cost of breach. We obviously want to reduce the cost of breaches. And then, at the end of the day, what we're trying to do as threat intelligence professionals is improve security decision making. So, this one's tough. It gets back to the feedback we talked about briefly earlier in the podcast, where I need to know what folks are doing with my intelligence. And so, at the end of the day, if stakeholders are making security decisions based on intelligence that I'm providing, that's a really good measure of effectiveness and I want to be able to count that, to add a tick mark every time someone makes a good decision, whether it's that SOC analyst that escalated an alert that needed to be escalated or resolved an alert that was safe to resolve, or that CISO that went to the Board and said, "Hey, I need 10% more budget next year because of this forecast that shows activity is going to increase by so much money," or whatever. All the security decisions that were influenced by threat intelligence, that's what we're going for. That's the hardest thing to track because it requires people to talk back to us often, and tell us what they're doing and grade our intelligence.
Ron 25:18
Anyone who's listening, hopefully, you're taking some notes, because these are great metrics to look at, especially if you're trying to build a threat intelligence capability, increase your budget, increase your headcount for the team, like all of these metrics were really great, Brian. I've got to ask, because you mentioned a lot of technology solutions, a lot of security capabilities that an organization may have, but what about before intelligence is introduced into an organization? Chris always says, "Intelligence should be leading security operations," but what about when you don't have an intelligence capability and you want to create one? How do you typically know that it's the time that you can create one, like you have enough technology and structure in place? What is typically the first thing that an intelligence team member does when boots on the ground?
Brian 26:13
Most startups start building things, right? And they acquire what people call technical debt. When does anyone start to do security? My opinion is they're starting too early, and that's how we end up with certain breaches where the security culture wasn't baked in from the beginning, right? Case in point, I guess, would be Musk's testimony recently, where he's just pulling out all the skeletons in Twitter's closet and how admin access and things has just been given out, like the entire like length of the company, and no one's bothered to ever come in and clean that up. So, I think if you are intending to collect data from customers, which— Is there a company out there that isn't going to collect data from customers? Then you need to start considering privacy and security from the start. I think waiting till years down the road is going to make those things more costly to you and your customers. So, going a little more tactical than simply trying to build a security culture from the beginning, I still think the critical security controls are really important and a really good framework for even smaller, less savvy types of companies to use.
Brian 27:28
At the beginning of the critical security controls, it's always software and hardware inventory. If I don't know what I have, then I really can't do anything well in security. Can't do incident response because I don't know where my data is, and I don't really know what's important to my company, if they don't have inventories, right? So, if I'm the threat intel guy walking into, maybe I'm just a consultant walking in for a one-week type of engagement, I'm going to help this small SaaS company build a more intel-driven security program, they need to be able to tell me the technologies that they're using and what they're using it for. They can't afford to put security controls everywhere, they can't afford to monitor and log 100% of everything forever, even though I do say that logging is still cheaper than time travel, it's just not feasible or reasonable for any company to retain logs forever. For privacy reasons, of course, you have to purge certain data, but tell me the technologies that are in use here, I can at least start to go look at exploits for those technologies, and that's a pretty easy way to come in and on the tech side really help reduce risk, right? If I can understand which technologies are the most important for this company, how they're generating value for customers, then I can start to look and help them prioritize their vulnerability management. Which systems should they be monitoring the logs for most closely? And it's those things that are driving value for the investors and the customers.
Chris 29:11
I love it. The one thing that I've always found to be appealing about threat intelligence is it tells you where to go. It tells you where to invest, tells you what to look out for. It also tells you what you can do to enable other operations within security and even across the business units. Brian, I mean, really what you're talking about is a lot. You could put everything that you just talked about into a book and sell it and I'm sure people would buy it because there's so many things about threat intelligence that people— It's not that they don't know it, it's just that they don't necessarily know how to start, or even to expand their programs. We're gonna drop all your information and everything you have going on into the show notes so people can find you, but with that, just wanted to say thanks again for hopping on the mics with us. This was a great conversation, we're definitely gonna have to bring you back for another one to go even deeper into threat intelligence and all the other stuff that we have going on, but with that, we will see everyone in the next episode.
Hacker Valley Studio 30:17
If you found value in this content, it would mean the world to us if you shared it on social media, sent it to a friend, or talked about it over coffee.
