Here are the 6 Topics We Cover in This Episode:
1) What is a threat management department within enterprise security?
Threat management departments are usually formed when security teams mature and have table-stakes functions in threat intelligence, red team, penetration testing, and threat hunting. These functions are usually formed after compliance, risk, governance, vulnerability management, and the security operations center (SOC) are operational. Unfortunately, threat management is not a well-defined term in the enterprise. For example, what “threat hunting” means in one organization could be a SOC escalating alerts in another.
2) Incident Response’s Role in Threat Management
Incident response is usually a separate capability from threat management (red team, threat hunting, threat intelligence) and from the governance, risk, and compliance (GRC) roles. Incident response is a reactive capability that can find an actor inside the environment, whereas the SOC is the first reactive capability, stopping the attacker at the perimeter. Threat management is still considered a proactive capability whose goal is to keep attackers out at the perimeter.
3) Defining the Roles within Threat Management
Threat Hunt: Expert-level investigators who know how to review network telemetry with a variety of tools and alerts, find anomalies, and investigate whether an adversary is inside the environment. They usually take their leads from incident response, red team, or threat intelligence.
Threat Intelligence: Expert-level analysts and engineers who review the types of threats that could target the organization and develop alerts and playbooks for threat hunters. They also take on many other roles depending on the business.
Red Team: Penetration testers who emulate or simulate adversaries within the environment to determine which alerts should be created and prioritized.
4) Threat Intelligence Must Start with Business Requirements
Threat intelligence is meaningless and not contextualized until analysts understand how the business makes money and the corresponding risks that could disrupt the business. Building a threat intelligence program from scratch can take up to a year, and the first six months will be building relationships with the business before any feeds can start to be incorporated.
5) Stories are the Best Metrics for Threat Intelligence Programs
Mean time to respond and mean time to alert are table-stakes metrics for the SOC, but they are outside the control of the threat management team (red team, threat intel, etc.). Better metrics for threat intelligence teams are success stories: cases where information was actioned by a business unit and risk was averted.
6) Reactive Capabilities When An Incident Occurs
The threat management department becomes critical during a security incident. Red teamers have the mindset to look for mistakes in a vulnerability or a network defense. Threat hunters have the mindset to look for mistakes made by adversaries. The same mindsets are critical when investigating security events and incidents alongside the incident response team. When an incident occurs, threat intelligence can conduct external threat hunting outside the firewalls.
CHRIS: I have seen threat intelligence teams that have six, seven, eight people on them. And, they get circles run around them by a team that has like one really good threat intel person.
And, it all boils down to does the threat intelligence capability understand the actual business itself?
A highly functional threat intel program that delivers value, real value that has impact, it’s gonna take at least a year. And, I would say six months of those, of that year, is gonna be building relationships, because you can go just ingest data a threat intel feed.
LANDON: Mm-hmm.
CHRIS: And, it’s not gonna matter to anyone if you’re like, “Hey, look. I got all this data.” If nobody wants it, nobody cares. But, if you find one business unit that’s like, “Hey, I’m really interested in this. Give me more of that.” That’s your inroad.
So, you gotta find that one business unit. Typically, that’s gonna be the one that’s making money. So, you gotta go meet people. You gotta go find out what products are making money. You gotta go find out what the threat landscape for that product is. And, you can say, “Okay, thank you. I’ve done my homework. I’ll be back in a month. I’ve got a lot of like fine tuning to do on my, you know, my feeds and everything.”
LANDON: Before you go buy an open source feed, a dark web feed, a net flow feed. Doesn’t matter. You said, you gotta ask those questions, get those relationships first.
LANDON: Welcome to the award winning Cyber5 Podcast. Here, we discuss the most relevant cyber and physical security challenges facing enterprise businesses today. I’m your host Landon Winkelvoss, co-founder of Nisos, a Managed Intelligence company.
Welcome to episode 86 of the Cyber5. I’m Landon Winkelvoss. Today we’re talking with Chris Cottrell, who runs threat management for Nvidia. And, we’ll be talking about really how to develop a threat management department within enterprise.
Chris, welcome to the show. Would you mind sharing a little of your background with our listeners, please?
CHRIS: Yeah, sure. I’ll try to keep it succinct and not ramble too much. I got started in the cyber realm when I was in the military. I was in the Army for about five years. I was a linguist.
And, when I got to my first duty station, they were like, “Yeah, don’t do that anymore. Go do computers instead.” And, ever since then, I’ve kind of been in the field, bouncing from, you know, being an analyst to red team operator for the government.
And then, now, I’m in the private sector. And, I run, like a threat operations team that includes, you know, like hackers, threat hunters, pen testers, all those kind of offensive operations. That’s generally my day to day is kind of making sure that they’re good to go and that they got the right targets and that they feel motivated to do what they do best, go break stuff.
These are my opinions and not that of my employer, just my personal philosophy on a lot of things.
LANDON: Kind of curious of your thought. When you talk to folks getting out of the military, and they want to get into the private sector, what’s the biggest piece of advice you give to them?
CHRIS: I see a lot of transitioning military not use networking platforms like LinkedIn or anything like that. They really, they start trying to build their network when they already need it. But, when you have a network, you’re supposed to build it for when you need it in the future.
So, I do recommend, if you think you’re gonna get out in like a year, start building your network. Start getting to know people, because a lot of the cyber positions really just boil down to luck and timing. So, you’re not gonna you know you don’t have to get every job. You just have to get one. And, give yourself the best shot to be that one lucky person. And, the easiest way to do that is just to have a lot of people that are in your network.
LANDON: You’re pretty active on social media. You have your own platforms, your own hacking platforms, newsletters, content if you will.
CHRIS: Mm-hmm.
LANDON: I think that’s not something that a lot of people that come out of the military generally understand as well. You know, they’re in the sensitive compartmented spaces. They think that, you know, going to the media, going, doing open source and public facing content is risky. How would you say to get beyond that, how important is that?
CHRIS: Well, I definitely, I had my own version of that, when I, you know, first transitioned out. And, you know, it’s scary, because it’s like, “Oh, I can’t put myself out there.” But, you have to like, once you make the transition to private sector, like full private sector, there’s like three stages of it.
There’s like I work for the government as a civilian, or stage two is I work for the defense industrial base. You’re still kind of there a little bit. You’re like, “Ooh, I don’t want to put my social media stuff out there.” Phase three is, “I work for private sector.” Once you start approaching phase three, you need to go full blast on some social media platform, because it’s, whether or not you realize it, you’re building influence with yourself. And, that kind of power you bring with you to a team, to a company, to a job interview.
And, the only way you cultivate it is to put it out there. So, yeah. Find something. There’s always somebody starting out. Even if you don’t think you have anything worth saying, I guarantee, at least one person would value what you have to put out.
LANDON: There’s no shortage of people that ultimately, you know, have their own speaking platforms. Very rarely do I see people that are actually able to use those platforms to actually build a team. What are your thoughts on that perspective?
CHRIS: Yeah so, when I do the things like the videos or the newsletters, I make sure I take a really good philosophical moral stance on it. And, I say, “I’m not doing these things, I’m not putting this content out there to make myself feel better. I was given opportunities when I was in the military and transitioning. I had mentors. I had people looking out for me.
I want to give back.” So, when I make content, that is my general idea of like, this is what it’s gonna be. So, anything that I try to put out, I say, “Yeah, I may talk about oh, this is how I would do it,” but I always try to present, “Here’s how you can do it,” as well, or like, “Here’s the learning for it,” at the same time. Because, you never know when that full circle, that karma is gonna come back in maybe 10 years.
You know, later the person that got help from one of my articles is gonna be in a position to help me. And, that’s kind of what the cyber community is all about, tight, close knit, helping each other out.
LANDON: When we see threat management, we usually start thinking of pretty mature teams. So, as organizations mature, kind of, what’s table stakes for a threat management department, right? I mean, is that a new capability within enterprise? Does that insinuate a mature enterprise? And, what are the capabilities and roles that usually define a threat management office?
CHRIS: Even within the threat management platform where I work, I have one small section of that. And, that’s the red teaming, the pen testing, the threat hunting, you know, threat intelligence. When you get into things like vulnerability management or the risk or incident management or any of the other blue teams, like, traditionally, those platforms have to come first.
Because, those platforms, like risk, blue team, SOC, reactive capabilities, those are gonna form that foundation so that a mature team can start layering on specialty items like threat hunting, red team, pen testing. So yeah, when a company comes out and says, “Yeah, we have a threat management team,” you would assume that they are mature.
Now, one problem that I constantly see with our industry is one definition could mean one thing here, you go to a different company, it means something else. I think at some point, we as the cyber community need to come together and make a lexicon and agree on it. And, I think that that would really help build the community and kind of interactions with the teams and ways forward. It would just help out a lot of things.
LANDON: Extrapolate a little bit. How are they different from other companies you’ve seen, other, you know, peers you’ve seen?
CHRIS: Well, you know, one company may say, “I want a red team,” but really what they want is a pen tester. One company may say, “Oh, we do threat hunting,” but really it’s just a SOC engineer that kind of chases down alerts.
You know, where I’m at, like threat hunting is proactive. We’re gonna go, we got a hunch. We’re gonna go look for something. Like, there might be something going on. You know, like where I work, the pen testers are doing like the open box style assessments. Red teamers, closed box. It’s a very clear distinction. But, if you put on your resume, like, “I do red teaming,” you may get job roles or something for pen testers. And, it just, it goes back and forth. It’s different everywhere.
LANDON: Does incident response, usually, when you think threat manager, does that usually mean incident response as well in addition to threat hunting, or is that usually something separate?
CHRIS: In my own personal opinion, and based on what I, the visual aids that I put together at my DEFCON presentation this year was incident response, I consider it a specialty item. So, it comes a little bit later. It is its own thing. And, that is a very reactive capability.
Its specialty is it can track an adversary throughout the business, whereas a reactive capability like SOC is we’re gonna stop an adversary at the front door. So, their reach kind of stops the deeper you go, whereas IR can kind of track them.
Same thing with threat hunting. You know, the big capability for a threat hunting team if they’re fully unleashed is they can also track an adversary throughout every business unit. Whereas, an IR team has to have an initiating event to have that.
LANDON: You said something very critical there. When you think the capabilities of a threat management department, are you still talking about proactive capabilities? And, you know, what are those proactive capabilities? Or, are you kind of talking about both?
Let me just start there. Are you talking about both, or are you talking about mostly still proactive capabilities?
CHRIS: When you have a mature platform, like in threat management, threat operations, it’s a symphony of both. You have to have some reactive. But, those proactive capabilities are those specialty items that traditionally you can start layering on once that foundation of reactive capabilities is made. So, threat hunting, I would consider proactive. Purple team, I would consider proactive. SOC, reactive, right, but like you need one, like you need those reactive capabilities so that you can start getting ahead.
LANDON: So, let’s break it down from the proactive capabilities. You have, you’ve built a security team. They’re probably somewhere between 25 and 50 people, head count. You have the GRC functions of governance, risk and you know, the GRC capabilities. You have vulnerability management. You have some security engineers. You have SOC, kind of like what we just talked about. You have the compliance. You’re working with the audit.
And now, you have to, you know, really define, you know, the threat management function of what you just described, right, threat hunting, red team, threat intelligence. Let’s talk about the capabilities of what makes a good proactive stance from that perspective.
CHRIS: When you talk about proactive capabilities, you’re talking about things like threat hunt which is very expert level individuals that know offensive capabilities, or adversarial capabilities. They know how to utilize the tools at their disposal. And they say, “Hey, this data looks a little off, but I don’t have the clues to tell you that 100%. I’m gonna go figure out what’s going on.”
That is one aspect of proactive capabilities. When you add in, or when a company adds in something like threat intelligence, the threat intelligence piece can say, “Based on the context around the company where I work or this industry or this sector, these are the kinds of attacks that we’re seeing.” So, that, even the threat intelligence can get proactive. And then, once you start meshing those two things together, threat intel can say, “Hey look. Threat hunts. These are the kinds of attacks that we’re seeing on the horizon.” And then, threat hunt can say, “Okay. Oh, maybe I can go look over here.” Red team can say, “Okay. We can start testing not like true adversary emulation, but we can start testing some of those things as well. We can proactively see if we’re vulnerable to that stuff. We don’t have to wait for an initiating event. We can be the initiating event.”
Then, you can also start proactively pushing data out to enrich the reactive capabilities so that they’re able to react a little bit faster and make those decisions a little bit quicker.
LANDON: How do you hone threat intelligence to be specific to your organization? Because, I think it’s easy enough to go out and find a report that says, “Here’s what ransomware group A through C looks like to the technology industry.” Or, “Here is what this organized crime or this APT group is doing for this, you know, industry.” That’s table stakes in my opinion. How do you make that action for an organization?
CHRIS: I wish there was an answer I could give you that said, “Oh, you just do this.” But, really, it’s a lot of hard work. I have seen threat intelligence teams that have six, seven, eight people on them, and they get circles ran around them by a team that has like one really good threat intel person, and it all boils down to does the threat intelligence capability understand the actual business itself?
That is one thing as I’m growing in my management career is I see this lack of people entering in the cyber realm mapping what they’re doing to business capabilities, business impact, business functions. For something like threat intel and for it to be contextualized, the person that’s running that program or doing the intel, they gotta go out and meet people. They gotta go out and understand why these things are important.
And then, they can take that data back and say, “Okay, well, even though we’re in this specific sector, that’s not really applicable to us. We’re actually really over here in this sector.” And then, they can even start cleaning up their feeds and finding people who actually do stuff with the intel that they would produce.
CHRIS: It’s a lot of work. Like, you know, if the more people that are on a team, you would think that they would be able to build those relationships quicker, but, I mean, you still have to bake a cake at the same temperature, right? You can’t turn it up to 600 degrees and a cake pops out in five minutes. It takes time.
LANDON: Well, threat intelligence at the end of the day is supposed to drive outcomes, right? And, to drive outcomes, you have to be in with the business units. You have to be in with legal. You have to be in with probably human resources, depending what it is, what the threat is.
CHRIS: Mm-hmm.
LANDON: Give me an example where you’ve seen it work well where you take the threat intel that’s actually, you hone it for your organization. That drives the threat hunt. That drives the proper adversary, I’ll say simulation, not emulation, right, and we could probably have a whole podcast on what that means. And then, of course, that actually drives an outcome to the specific business. I’m just curious of an example of what you’ve seen, you know, at a high level?
CHRIS: Okay, so like as an industry, we see these examples of like, “Oh, people are doing phishing, or they’re doing fake LinkedIn profiles, or they are doing like vishing or credit card stealing, all that stuff, right.” Like if threat intel person was to just grab all that stuff and throw it into their organization, people are gonna be inundated, and it’s like analysis paralysis. They feel like they’re under attack from every angle.
But, to really kind of dig in and say, “Well, actually, the attacks right now are phishing against the automotive sector. We’re not in the automotive sector. We can just get rid of that.” But, password stealers are trending in my sector. So, like if there’s password stealers or something, and, you know, as that threat intel analyst is looking, you say, “Hey, look. This is actually applicable to the industry that I work in.” I’m gonna focus on that instead.
And, you may pick up like a whole bunch of things that you would’ve missed if you were focusing on phishing, vishing, fake LinkedIn profiles. So, it’s really like, you gotta do your homework. And, it’ll pay off in the long run. And, one thing I’ve seen from a very broad perspective is threat intel, the biggest value that a threat intel program can bring to a company or whatever is they just need somebody to go to to ask, “Are we good with this? Like, tell me what’s going on?” And, it just has to be simple as, “Yeah, we’re covered,” or, “Yeah, we should be concerned,” or, “No, I wouldn’t worry about this.”
LANDON: Does that then drive Jira boards for the threat hunt team as well as the red team to actually simulate and look for those types of threats what the threat intel team provides?
CHRIS: In a perfect world, yes. It really just depends on the maturity of the team. And, the program itself. Not even just, not threat management or threat operations, but like the cyber program at that company. They have to be ready for those things.
Emulation does a company no good if they don’t even know what they can and cannot react to, because they haven’t done those baselines. So, yes. It does help. As that maturity of a program increases, the value of a threat intel program increases as well.
LANDON: If anyone asks you, “Hey, I’m just getting a new threat intel job or threat management job.” And, they need to allocate budget. And, they want to think about, you know, starting this capability, timeline, what would you recommend when people go into those type of interviews, how long that’s going to take to have, it’s always a crawl, walk, run approach with these things, right. How long would you say before you’re at any kind of maturity, on a given, on average?
I know it’s different per organization, right, but I’m just kind of curious what you would say to a new threat intel managers who are interviewing?
CHRIS: Because a lot of the groundwork for a good threat intel program, a good emotive language there, a highly functional threat intel program that delivers value, real value that has impact, it’s gonna take at least a year. And, I would say six months of those, of that year, is gonna be building relationships. Because, you can go, just ingest data, a threat intel feed.
LANDON: Mm-hmm.
CHRIS: And, it’s not gonna matter to anyone if you’re like, “Hey, look. I got all this data.” If nobody wants it, nobody cares. But, if you find one business unit that’s like, “Hey, I’m really interested in this. Give me more of that.” That’s your inroad.
So, you gotta find that one business unit. Typically, that’s gonna be the one that’s making money. So, you gotta go meet people. You gotta go find out what products are making money. You gotta go find out what the threat landscape for that product is. And, you can say, “Okay, thank you. I’ve done my homework. I’ll be back in a month. I’ve got a lot of like fine-tuning to do on my, you know, my feeds and everything.”
LANDON: Before you go buy an open source feed, a dark web feed, a net flow feed. It doesn’t matter, right? You said, you gotta ask those questions, get those relationships first. It’s fascinating.
CHRIS: Yes. Yep.
LANDON: Fascinating. I think you’ve talked about metrics a little bit. And, from the proactive stance, okay. So, once you build, once you get all that, you get to that year. You have what you can, you have what you need to protect your relationships. You’ve maybe started to ingest some feeds. You’re starting to do some blocking, some threat hunting, some good adversary simulation.
We’ve talked about dashboards a little bit. What are some other metrics that you can show, so that year comes up, right? You’ve gotta go into year two of budget season. How do you show progress and lobby for more budget?
CHRIS: That is a very, we could probably do an entire podcast just about the answer for this, right.
LANDON: Yeah, right.
CHRIS: And, it would be more of a like heated debate, probably. But, so, I don’t like to do metrics as numbers. That may be a little bit controversial. My personal stance on it is I can send anybody a spreadsheet at any time and say, “Here, reference the numbers when you want.”
LANDON: Mm-hmm.
CHRIS: But, the approach that I try to take, personally, is let’s tell a story instead.
LANDON: Mm-hmm.
CHRIS: Because people will remember stories. Like, that’s just, it’s kind of ingrained in our human condition. We remember stories. We like hearing stories. So, how do I take metrics about threat operations, threat hunting, red team, pen testing, how do I turn that into a narrative?
And, I found success by doing that with understanding the business units and the impact. Yeah, there may be a number in there every now and then, but it’s really this like the threat hunt team got this tipper. We, you know, we used these tools that we pay for, by the way, so that you can see we’re getting value out of it. We used these tools to do hunting. We discovered, you know, some impact in this business unit. And, we corrected it. And, we used these tools to correct it.
So, nowhere in there did I ever say a number, but if somebody was to walk away from like a meeting, they would say, “Oh, yeah, the threat hunt team used a bunch of tools that we pay for, and they found it, but they took care of it.”
LANDON: I love that answer, because I think, you know, any threat intelligence professional, a lot of security professionals really on the reactive side or on that investigative side are just natural storytellers to begin with. So, that answer makes entire, you know, entire sense. And, to your point, like for executives, like a CFO or a CEO who, you know, security usually reports into, or even a CIO for that matter, they like stories, right. They like stories of, you know, how you protected loss.
So, that’s for certain resonates, but I am curious. What are the numbers, and you said, you know, you can give numbers. What are the numbers that people can fall victim to and fall into that trap?
CHRIS: The pitfalls would be, setting your metrics up that you no longer control. Things like mean time to detect, mean time to respond. So, pen testers, red teamers, we don’t control that.
LANDON: Mm-hmm.
CHRIS: Threat hunters, we don’t really control that. That’s the reactive capabilities. And, when you set yourself up with those metrics that somebody else truly controls, you lose the ability to tell a story and leverage that for budget in the next year, because all the impact is with somebody else.
LANDON: Kind of switching to the, let’s have the same conversation around the reactive side. Whether that’s red team or a threat hunter or a threat intel, you know, professional, when there’s an incident, or an, let’s back up.
When there’s an event, right, because that is a big difference between events and incidents as you know. When there’s an event, right, a lot of people switch into full on investigative mode. Walk through the roles and capabilities that you want to see from that perspective in addition to all of the proactive steps that you’ve kind of just laid out.
CHRIS: I’ve written quite a bit about red teamers and threat hunters being two sides of the same coin. You know, red teamers will, they exploit the mistakes of technology. Pen testers, same thing. Threat hunters exploit the mistakes of an adversary. Those two mindsets are the same.
And, in some regard the tooling to do those are the same as well. When an event occurs, it’s very easy to say, “All red teamers, go be threat hunters now,” because they have the same mindset. And, kind of the metrics and the things that you’d want to see from that is it all comes back to warm fuzzies, good feelings.
Truly, when an event occurs, just like with threat intel, somebody, some decision maker, some leader needs to go to somebody and say, “Tell me it’s gonna be okay. Tell me are we still under attack?” Like are we still under threat? And, if you have kind of these roughneck, you know, we’re just gonna go find answers and tell them to you, which is traditionally red teamers, they’re hunters, people with that adversarial mindset. They really shine in those kinds of events.
So, there’s no real metrics that I would say that are more effective than any during an event or an incident. But, being able to be brought into a meeting and just say, “Hey, yeah. We found something,” or, “No, we still need to like actively look at this. This is bad. And, we’re gonna go do that right now.” And, they just leave the meeting and do it. I mean, it may piss some people off, but really they know that somebody’s out there and they’re going after it, right. So, it’s insurance.
LANDON: Let’s dive into the weeds there for a minute. When you, how critical is prevalence? When you’re looking at those types of events? Right? Because realistically, of course you want to see if it rises to that level of, you know, legit incident, but you also probably want to keep it, you know, if we think about the MITRE ATT&CK framework you want to keep it on left of that recon stage, right. And, you’re looking at just prevalence of, you know, pings of IPs, and, you know, date times and those different historic artifacts. How critical is prevalence to what you’re trying to look for from that perspective?
CHRIS: It goes back to are you understanding the business? So, if you know that a certain business unit just got popped, and you see, you know, really bad stuff, you know, showing up all over the network or, you know, internal spam emails are going out, any of that stuff. You know, as the leader of the team, you kind of have to say, “Um, we’re gonna go get involved.”
LANDON: Mm-hmm.
CHRIS: But, that is centralizing that decision making process. Part of building a mature and effective, you know, threat, whatever you want to call it program is building relationships internally as well.
So, we have had very good success integrating our red team into almost every one of our blue team platforms, integrating them into incident channels to a certain degree, making sure that, you know, the red team isn’t fully siloed in the corner, doing secret stuff. Also, making sure that they kind of have a seat at the table. And, the team is structured, an effective team will be structured so that they can make those decisions on their own.
And, it would be my job to make sure that they’re not overburdening themselves. And, just kind of say, “Hey, the whole team can’t be in the incident. Pick two of you guys.” Or, “Pick two of you and go over there and do it.” And then, if I get indications that like it’s a major event, then I can say, “Everyone get in. Like, this is the priority right now.” ‘Cause I understand, you know, the business from a higher level maybe than somebody that spends all day on keyboard.
So, we can kind of help each other out. So, relationships internally within the team. Relationships among teams and we kind of play that decision by ear. There’s no, “Oh, we’re on the far side of the right of the attack matrix. It’s time to break loss.” It’s really contextualized, just like with threat intel.
LANDON: How about external relationships with FBI and industry, call it the ISACs if you will.
CHRIS: Mm-hmm.
LANDON: Who’s in the best position to have those relationships? Is it the CISO? Is it a level down? Is it two levels down? Is that, how have you seen that work out well?
CHRIS: The larger relationships, it’s best to establish them, you know, from the CSO or the CISO. And, kind of let that matriculate. You know, get those forms signed, and kind of work downwards.
You kind of, if somebody’s running out on their own externally, I mean, anytime you leave the boundaries of your own yard, I guess you want to call it, you run the risk of doing yourself jeopardy as well.
So, when it comes to reaching outside of your own environment, I would, those are times where I’d definitely kind of run it up the chain. Especially when it comes to things like information sharing or data sharing or intel sharing, anything like that. You gotta, once you leave your own protective unit, yeah, it’s time to CYA. Kick it to the person that gets paid to do that stuff like, you know, the CSO.
LANDON: Let’s play out a scenario where there from a reactive scenario that’s hot, you know, in, it’s always hot within vulnerability disclosure. You have somebody, an email that comes in. They say they have data. They said you have to pay a ransom, or they’re gonna release that data.
LANDON: What are you doing next?
CHRIS: In this scenario, if we have a mature team and they have those specialty capabilities, like red team, pen test, threat hunting, all that stuff, there’s the reactive way which is, “Okay, we’re gonna deal with the actor.” That’s the front end, right.
But, a mature team now has these additional capabilities that they can take that same data, that same request and hand it to these, you know, these roughneck red teamers, pen testers, whatever and say, “Go find out if this is true or not, and, but don’t leave our network.” Right? You know, you can have threat intel kind of investigate it. You can have red team and pen test work together, white box, or open box, closed box to say like, “Let’s go figure out if we could get this data.” You could have threat hunt kind of initiate like where’s the data at? How would I, you know, get in there and get that? They can work with the offensive security teams to say, “I’m sitting here where the data is. I’ll tell you if I see something come in.” And, they can really, very quickly, typically, provide that insurance that the CSO can come and say, “What are we thinking?” And, the team probably within a day can say, “Nah, it’s probably fake.” Or, “Nah, this is probably real.”
And, that’s really the value of an operational, decentralized decoupled team that can just kind of go where it needs to go and get those answers. And, it helps decision makers make the best informed decisions that they can, especially for something like a ransom. Like, are they lying to me or not?
LANDON: Obviously, you’re gonna run that up the chain to CSO. Who’s interfacing with legal, and you know, potentially law enforcement? Is that a run up the chain type of event that you were talking about?
CHRIS: Yeah. Comes to law enforcement, that’s not me, right. I ain’t doing that. So, I’ll kick that up to somebody else. When it comes to, you know, decentralized ops and getting answers, that’s where teams like the operations teams, threat operations, all that stuff, that’s where they, that’s their specialty.
LANDON: It’s almost like a dog pile, almost of- finding out the answers.
CHRIS: Yeah, and it really is. Yeah.
LANDON: What’s your opinion on ultimately breaking into cyber? When you have somebody come to you that’s you know out of, whether it’s out of college, out of military, you know, and they want to get into cybersecurity, what’s your advice?
CHRIS: My advice for somebody trying to break into cyber is to do it internally. What that means is I personally don’t feel like there should be scoped entry level cybersecurity jobs. And, I feel that way, because I don’t think cybersecurity is an entry level profession. There are no good pipelines that feed into entry level cyber security jobs.
You know, when I went to go get my graduate degree in cyber, I was validating the skills that I already had. It didn’t teach me anything new that I could go break into cyber with. So, you have, it’s my personal opinion, that you have a lot of these programs, these like, “Oh, you go to this program, you get this degree, whatever, and it will help you get in.” Those exist, essentially to steal money from people. The pipeline doesn’t exist in an effective way. But, what does exist are other pipelines.
Things like computer science, IT, cloud security, all those things have these really good pipelines that can lay foundational technical skills. If somebody was to go in there and then transfer after a couple of years of experience into an entry point into cyber, entry point is not the same as entry level. The entry point into cyber is you have a great foundation now. You have something to fall back on. You already have a couple years’ experience, which isn’t entry level anyway. And now, you can start really layering on those cyber security things.
So, I’m really not trying to like gatekeep and say, “Oh, you can’t get in.” I’m trying to really help people find the best way in, the easiest way in, because I hate seeing people like spend all this money on something and then they can’t get a job. Well, it’s not their fault, right. But, there are other pipelines that can get you in quicker and then you just transfer over. Boom. Two years, lateral move, right to the cyber team.
LANDON: I want to say, because I’m just like imagining you, like saying that on a social media post, and like the internet goes wild. And, of course, I’m trying to agree with the internet in this scenario.
LANDON: But, I can’t honestly, just because, like the best, I mean, the best red teamers when we used to do red teaming, the best red teamers were always former network admins, just because they knew networks real well. So, of course, they knew how to configure them and design them. They knew how to bypass them and break them. And, that’s frankly no different, you know, when you’re spotting anomalies, you know, on threat hunting perspective as well. You know, even our clients, even now, the best threat hunters, the best threat intel folks often, within the cyber threat intelligence perspective, I wouldn’t say the best, but many of the good ones really truly understood networking-
LANDON: At a very detailed level. Like, they knew how Linux worked at a very micro level. They knew how, you know, corporate, you know, Windows networks and flat Windows networks ultimately had to be segmented from production networks.
LANDON: Right, like they really understood that. And, if you have that base, you know, that’s a good place to start, you know, from that perspective. I might push back a little bit on the cyber threat intelligence side, because as you know, I mean, you can be a good intelligence professional, all right, and not necessarily be uber, uber technical. You know, with understanding that network perspective. It helps, right.
LANDON: But, you just described, like everybody, everything, if the key part of threat intelligence is understanding building those relationships within business, understanding how business works, and making that, again, it’s great if you have that technical knowledge, and you can build that on. But, I think that there’s a level of threat intelligence if that’s the most important part, and you’re just saying I’d say that there’s potentially if you have an intelligence background, that’s probably at least helpful. But, like, look, if you have both, of course, that’s-
LANDON: That’s the perfect combination so to speak.
CHRIS: I would agree with that. I heard an anecdote, I think a long time ago, that said one of the best threat intel professions to switch from was actually a librarian, because they know how to curate everything and catalog and all that stuff. So, if you’re a librarian, and you’re trying to break into cyber, maybe look into the threat intel vector.
Yeah, but traditionally, with all the on keyboard stuff, SOC, red team, pen test, the credentials don’t matter. It’s the portfolio that you can present. So, here’s my bug bounty history. Here’s my CVEs. Here’s my hands on keyboard. Here’s my GitLab that has all of my C2 profiles in it that I’ve used in operations. Like, that’s what matters. So, yeah, like cyber is a trade skill. And, you have to have hands on to have a trade skill. And, unfortunately, the schoolhouse isn’t gonna give you that.
LANDON: So well said. Chris, I appreciate you joining the show. Have a lot of expertise. Congratulations on having such a great career. Love what you put out, you know, on open source. It’s very, very helpful. And, thank you for joining the show.