5 Lessons Learned from 9 Months in CTI
I was recently at a business dinner, surrounded by friends in the industry...
It was the first dinner of its kind that I attended and I really wanted to take everything in, as my personality doesn't necessarily lend itself to being a driver of conversations. Not saying I'm not personable, but I wanted to feel it out a little bit...As dinner was winding down, a very well-respected, deeply experienced member of the group, with whom I have worked very closely since entering cybersecurity, asked me, somewhat jokingly,
"Hey Pete, how does it feel working cybersecurity for a Fortune 100 company?"
I smiled, laughed, and replied, "If you would've asked me a year ago if I would be here doing what I'm doing now, I would've told you you're lying." I went on to say that it was a blessing to work so closely with, and be supported by, everyone in that room. They had welcomed me into their circle and had truly become "my people."
As I boarded the plane home far too early the next morning, I further pondered the question...
Out of those ponderings, here are 5 things I've learned in 9 months of working Cyber Threat Intel...
#1: Soft skills matter!
You can have all the technical knowledge in the world, but it is useless to you if you can't convey those ideas in clear, concise language to stakeholders both inside and outside of the cybersecurity part of the organization! You need to be relatable, personable, and not afraid to have conversations cross-team or even cross-organization. Know who's who in the teams that operate around you and their capabilities. You're going to need help eventually and already having strong relationships makes these conversations and asks easier.
Teach yourself to think and share information in what many people in the industry call "the language of risk." Businesses ultimately exist to make a profit and cybersecurity plays a huge part in that, with cyber incidents potentially costing millions of dollars, consumer advantage, market share, and customer trust. Learn how the business is navigating this, what they care about most, and what keeps them awake at night, then adjust your work accordingly. You're going to wear many hats, looking at risk through the lenses of the CEO, the CISO, shareholders, news media, customers, general public, and even cybercriminals.
#2: You can't escape GRC!
Try as you might to run away, hide, or otherwise loathe Governance, Risk, and Compliance (GRC), all those acronyms and concepts that you memorized for your Security+ exam aren't going anywhere. I presently have conversations daily with both clients and internal teams around Time to First Action (TTFA), Time to Resolution (TTR), Role-Based Access Controls (RBAC), Mean Time to Recovery (MTTR), Time of Initial Compromise, and countless other concepts. Review these terms, know what they mean, and how your work affects these concepts! In cybersecurity, these concepts are about 90% of your "language of risk" that we talked about above.
I spend hours monthly pulling reports, making graphs, and analyzing trends to present to my teams to be able to categorize and quantify for stakeholders the health of cybersecurity controls, attack surface management, and domain monitoring. The numbers, they say, don't lie...
#3: Speak up!
As a Cyber Threat Intel Analyst, it is your job to become the "scout" of the cybersecurity world. We often say that we operate "beyond the firewall," meaning that we are gathering intel out in the world at large instead of within a designated network (not that we are incapable of looking at packet traffic and EDR alerts). We go where the threats live and are looking to get our intel as close to the source as possible.
With that approach, you will have a unique perspective on the world of the adversary, as you live and work amongst them for the most part. You, more than almost anyone else in the cybersecurity structure of an organization, understand how adversaries communicate, plan, pivot, and otherwise operate. Your insights into trends, new malicious infrastructure, scripts, or MaaS/RaaS offerings, which vulnerabilities are trending in deep/dark web chatter, and which threat actors your organization should pay close attention to give you an incredibly valuable perspective.
So, SPEAK UP!
Coming from a strict corporate structure where the validity of one's opinion was tied directly to their seniority/job title, and being a natural introvert, this was a hard concept for me to grasp. I suffered from Imposter Syndrome for a long time. Thankfully, and almost as if by chance, I was leaned on internally and externally during a few high-profile incidents where I was asked, "Pete, what are you seeing on X, Y, Z?" Contributing to these conversations was hard at first, but I got better once I saw my analysis and insights directly impacting the organization.
I've said it a few million times to my colleagues and students, "They may have heard it 10 million times, but they've never heard it from you!"
#4: Own It!
You're going to make mistakes, you're going to miss things, you will misspeak, stumble over your words, you will be tired, under-caffeinated, hangry...remember that you are a human factor in a digital world.
It's important to communicate these things to your teams and externally when you DO come up short, miss something, or otherwise have an off day or two. Transparency goes a long way.
If you have a lot on your plate, own it! Communicate with your boss/clients/team with something like, "Hey, I don't think I'm going to fully make that deadline. Does X day work for you for full delivery on that report? In the meantime, here are a few bullet points on what I've found so far." Usually I've found that people on the periphery of Threat Intel know that this job both 1) is taxing at times and 2) requires subtlety. You'll learn as you go along what is priority and what can wait a bit...
At the same time, celebrate and own your wins! This is far easier than the above, so I wanted to start with that. Shout out the team that you work with loudly and often; you never know the impact that has! Force yourself to take a step back and look at what you've done positively. You're not always gonna get the "atta boy" you want, so sometimes you have to give it to yourself.
Create a Weekly/Monthly/Bi-annual "Win List" for yourself and your team. It will remind you that what you do has an impact and continue to drive you to do your best.
#5: Have fun!
I guess I'll save the most cliché point for last, but have fun with it! Cyber Threat Intel is definitely not for everyone and is one of the most mentally taxing jobs that I've ever had, but I truly do love every minute of it.
Little did I think that a snowed-in weekend in the North Woods of Wisconsin with Michael Bazzell's Open Source Intelligence Techniques and a laser focus on learning everything I could would lead me to this place. I like to think of myself as an incredibly humble guy, but I will be the first to tell you that hard work does indeed pay off.
My best friend, whom I used to work Inmate Transport with, once wrote in deep black, bold lettering on an old white board in our staff office:
Get Comfortable Being Uncomfortable
I've never lost that attitude and it's led me to be the happiest in my career that I've ever been. The grind to get here has been the most rewarding thing I've done. I get to research, analyze, contextualize, and play the ultimate game of chess against the most sophisticated cyber threat actors in the world. I grew up reading Sherlock Holmes and wanting to be a detective, hunting bad guys. While the uniform of gym shorts and a t-shirt may be a bit different than I intended, I could not be happier.