The Voice of Cyber®

Episode 126: Andrew Slater
First Aired: August 31, 2022

Starting his career in Army Signals, Andrew has spent the last 20+ years working across a variety of ICT roles. As a Technologist, with a passion for security Andrew has designed and delivered secure solutions across Government and Private organisations.

In his current role as the Director of AUSHIELD, Andrew leads Cybermerc’s technical teams to deliver sovereign cyber threat intelligence solutions along with protecting Australian organisations.

Andrew is regularly engaged for bespoke technical research and enjoys giving back to the industry through volunteer work and technical presentations at conferences.

Help Us Improve

Please take two minutes to write a quick and honest review on your perception of KBKast, and what value it brings to you professionally. The button below will open a new tab, and allow you to add your thoughts to either (or both!) of the two podcast review aggregators, Apple Podcasts or Podchaser.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Introduction (00:27) You're listening to KBKast, the cyber security podcast for all executives cutting through the jargon and height to understand the landscape where risk and technology meet. Now, here's your host, Karissa Breen. Karissa (00:42) Joining me today is Andrew Slater, director of AUSHIELD at Cybermerc. Today we're demystifying threat intelligence. I wanted to explore what some of the assumptions people have when it comes to threat intel. Thanks for making time, Andrew. Andrew Slater (00:55) Thanks for having me, Karissa. It's a pleasure to be here. Karissa (00:58) Yeah, I think it's just going to be a good conversation because it's something that I think people still don't quite understand, maybe the value that threat intel office to organisation. So I wanted to sort of start off with your definition of threat intel, as many still have different versions in their minds. I'm curious to hear what your take is. Andrew Slater (01:18) Yeah, well, I guess where I'd like to start is before we define threat intelligence is to define threat. So it's really key to understand that a threat is the intent, capability and opportunity. And in this case, we're talking about cyber threat intelligence. So a cyber threat, so that's the intent, capability and opportunity of a threat actor to exploit our environment through a number of means, if you like. When we talk about threat intelligence, what we're talking about, if you refer, there are two main sort of definitions I like to refer to. So the first one is NIST. And this defines threat intelligence as threat information that has been aggregated, transformed, analysed, interpreted and or enriched to provide necessary context for decision making. So that's bang on. And that really relates to the process of intelligence in general. And the other definition I really like, and this sort of brings it home in the cyberspace, is from MITA and they talk specifically about cyber threats intelligence is the process of analysing information about adversaries as well as the output of that analysis in a way that can be applied to help network defenders and decision makers. Andrew Slater (02:43) So I really like that one because it starts to incorporate who the audience is. And one of the most important things for me about threat intelligence, specifically cyber threat intelligence, is this is not a self serving capability. We are serving our clients within the organisation and we are there to produce products in MITA's definition to help network defenders defend against threat actors, our adversaries, but also help the executives and decision makers make decisions in a risk-based manner for the organisation as a whole. Karissa (03:21) Wow. Thank you. I love that. I love that definition. I love where you started and where you sort of, in your words, brought it home. Do you still think, though, from your perspective, people are confused by thread intel, because I think I know people sort of just throw the term around and maybe it's not correctly represented or what are your thoughts on that? Andrew Slater (03:40) Yeah, and look, we see this all the time within cyber threat intelligence, and my background is technical and so this is something I had to learn as well, which is it comes down to understanding the intelligence lifecycle. And just because we're talking about cyber and cyber threats, it's still an intelligence function. So as part of that intelligence function, what we need to understand is collecting data is different to information and information is different to intelligence. So there's a number of intelligence life cycles that are available. There's six step, five step, four step. At the end of the day, it doesn't really matter which one the organisation adopts, as long as they're engaged and they understand the various definitions. So by me going out and collecting IP addresses, for example, about infrastructure that may be used by certain threat actors, part of the Ransomware gang, etc, so that is merely collection, that's not intelligence. And we take that and we validate that and we collate that, that then becomes information. And it's not until we've processed and exploited that information, done some analysis and made it appropriate for our organisation, only then does it become intelligence. Andrew Slater (05:03) Right? Intelligence needs to answer a few basic questions. Does this match other information or intelligence we have surrounding this subject? Whether the subject be a threat actor or a campaign malware family, et cetera, what is the source of the data? What's our confidence in that source? But at the end of the day, the commonality between cyber threat intelligence and an intelligence function, is it really answers for the organisation that sort of so what I've got this data, you've analysed it, you've enriched it with a few bits and pieces. So what is the assessment? This is where the analyst highlights the way that the intelligence will impact the organisation and start to talk about mitigations and things like that. Karissa (05:56) So going back to threat intelligence lifecycle, what do you mean specifically when you say that? Andrew Slater (06:03) So the lifecycle is how we define the intelligence function within an organisation. At Cybermerc, we work on the five step intelligence lifecycle. So the first step is planning and direction. Planning direction is critical to the success of any programme, any project within an organisation, but especially intelligence. If we're going out. And the thing we see all the time is people do this from a good place, but they go out and collect a lot of data and they don't have the guidance. So understanding what are the threats to my organisation? So before we even decide to go and do any data collection or how we're going to process that, what are the threats to my organisation? How does that translate to risks to the organisation who are going to be my customers. So once we have an understanding of risks and threats, who are our clients or customers within the organisation and we get them on board really early. If those clients and customers are not familiar with an intelligence capability, part of our remit as an intelligence team is to educate them, right? And this is why it's a life cycle, because it never stops. Andrew Slater (07:18) So we start with that planning and direction. We map out if we're not sure exactly what we want, we map out some basics and then at that point, only then do we start collection, because there is no point collecting data that we don't know what to do with it. We collect that data, we choose where, how, when to conduct that acquisition, and then we bring that into the team and we go through the third step, which is processing. This is where we validate and evaluate the collected data to make sure that it's useful and relevant to what our customers need. The next step from that is analysis and production and this is where it ties straight back to planning and direction. Within planning and direction, we're helping guide our clients if they don't know. But basically this is where we're defining the intelligence requirements of the organisation. Analysis and production is where we're producing those products for those various clients. And those products can vary widely. Some of those clients, we might have the vulnerability management team as an example, and they want near real time flash reporting on new critical vulnerabilities that they need to go away in action. Andrew Slater (08:32) Whereas executives might want to pay more strategic level report that allows them to do longterm trend analysis and future forecasting. The last step of the process is dissemination and feedback. This is where we get those products in the right format, to the right people at the right time. But most importantly, feedback. It never finishes, particularly when we've got high numbers of staff rotation within organisations, which is something that everyone suffers from. Changing business requirements, changing in the threat landscape, change risks. That feedback is really imperative to feed into planning and direction. So we can adjust the intelligence requirements, adjust our collection and processing and our production as needed to ensure that the intelligence products that we're producing remain relevant to our clients. Karissa (09:27) Well, thanks for sharing that. I think that sheds a lot of light and fidelity on what that means in terms of the lifecycle. There is a couple of questions that I have, but one of which sort of came to mind is when you spoke about collecting data and information, like you said, like IP addresses, right? So there's something, and I mean, you would probably know this more than I would, but thread intel reversed, like Ocean or open source intelligence. I think there are people that claim they do threat intel, but in fact don't. So it's just merely open source intelligence. Right? So I think that sort of lends itself to what you were talking about before around just collecting information and like the data that already exists on the internet. Can you sort of talk a little bit more about are people doing this? And if so, why are people trying to claim Ocin as thread intel? Andrew Slater (10:16) Yeah, that's a really good question, Karissa. I guess this really comes back to definitions as well. So I want to split this in half, if you like. So for any listeners that haven't heard of the term person, that stands for open source intelligence. So when we start to define this, open source is a type of data collection. So when we're talking about intelligence lifecycle, we're talking about data collection. Data collection covers many things. So from an open source perspective, this might be Twitter feeds, blogs, other social media platforms, GitHub repositories, etc. So they are open source in that anyone can access them. Sometimes you do need to authenticate, but there's no commercial barrier to entry or vouching for someone or things like that. You can register for an account and get access to those data repositories. Collecting data does not qualify as intelligent, as we sort of said before, data, it doesn't equal information and information doesn't equal intelligence. So collecting data from open source repositories is exactly the same as a threat data feed is not a threat intelligence feed, threats intelligence or cyber threat intelligence and open source intelligence, by definition, are intelligence capabilities. Andrew Slater (11:47) So these are true intelligence programmes run within organisations with skilled analysts, et cetera. So they go even OS int teams or OSINT capabilities within a broader intelligence team. They will still have an intelligence life cycle that they follow. They have an understanding of what the threats are, what the intelligence requirements are, what the priorities are, who their clients are, and when they collect that open source data, what intelligence products they're going to produce. We're seeing time and time again, open source is a highly valuable source for data, both the cyber and other intel requirements. We don't have to look too far to see things like the missing Person Tackathon, which is running Australia fantastic event, where experts and enthusiasts come together to acquire and collect open source data about missing people. Now, they're not doing OS int, it's not an OS int capability in full, right? They're doing that collection. Maybe they're doing some processing in there, but at the end of the day, that data sometimes information has been provided to law enforcement investigators and analysts to finish off that life cycle. Right, and they're the ones who trace and find the missing persons. Karissa (13:07) Well, no, I think that makes so much more sense now. Do you think, though, as well, that there are people out there and I'm not speaking badly, but I'm just curious to know, are there companies out there saying we do threat intel, but they're not really? Well, they're just clicking real basic, like IP addresses. Andrew Slater (13:25) I think a lot of that goes on. Cyber threat intelligence, like any technology, whether in cyberspace or not, gets heavily influenced by vendors and marketing and the rest of it. So people will often think that they're getting intel when they're getting technical IOCs or things like in your example, carissa IP addresses without any additional context or evaluation. That being said, I do believe many organisations do ingest this type of data, which I like to refer to as threat data, and they do use it very effectively for analytical purposes. The misconception, I would say, is generally a result of not having a thorough intelligence procedure, not having personnel with the required skills, not having defined intelligence requirements. And this is what you're seeing is data being ingested and used for analytical purposes, but it's not necessarily the data is not getting analysed, so it's not been attached or answering any intelligence requirements to give us a better understanding of the threat environment, that sort of thing. But when we talk about using data for analytical purposes with just a little bit of processing, right? So maybe the data will now consider it information that can still be highly valuable in certain situations when used for things like within a security operation centre, when we're talking about signature based stuff, correlation rules, IOC for blocking, et cetera. Andrew Slater (15:03) Specific example of this was during large scale vulnerabilities like longford joey last year, where at Cybermerc we were sharing, tracking, collaborating on unique IoT that sort of just real low level IP addresses, hashes, real basic stuff. But we're tracking that within the first 24 hours and distributing that within the first 24 hours of sort of exploit code being made widely available. And what that allowed organisations to do, and our clients was before they could get the full handle and the full scope of the risk provided by that vulnerability. Right. Unfortunately, it took 48, 72 hours plus for vendors to be able to identify all versions of their products that were vulnerable and dependent on long fee and things like that. So before they had that sort of visibility, this level of technical intelligence, if you like, or just information, was enabling clients to proactively hunt and detect exploit attempts in their environment whilst they assess the greater risk. Karissa (16:12) Well, that's awesome. I think that makes a lot more sense now in terms of demystifying what all this means, especially for people or business leaders that don't quite understand there's a difference in what that means for them. There's a couple of things I do want to focus on, though, before we move on. You spoke about intel procedure. What do you mean by that and what does that look like within an organisation? Andrew Slater (16:34) Yeah, absolutely. So this comes back to that intelligence lifecycle. So if we don't have the process and procedures in place, we don't have people defining our intelligence requirements, we don't have the collect process in place for identifying where, when and how we're going to collect data, how we're going to correlate and exploit that data, and then from there, analyse it as well. Every step of the intelligence life cycle requires a process and a procedure in order to ensure that the finished products are answering our clients needs and delivering value for the business. Karissa (17:14) So I want to sort of value, that's an operative word. Now, there's something that I was often spoken about in the industry, which is like, people often say, let's just get some intel, or getting intel, but then do you think that many organisations in your experience just have data that they then do nothing with? Because we always talk about adding value, but what does that actually mean? I know that I just asked you two questions, so feel free to answer them as you please. Andrew Slater (17:41) Yeah, it comes down to that definition, right? Yeah. When does data become information and when does information become intelligent? As I just sort of spoke about, it can be a little bit murky, because intelligence isn't just one form. And so four levels of intelligence that we follow are tactical, operational, technical and strategic. So when we're talking about, it's not intelligence, it's just data with just a little bit of correlation, context, colour and enhancement, if you like, that can become technical intelligence. Now, technical intelligence has a short time to live and is considered fairly low level from a value perspective. And the reason for that is these technical pieces of intelligence normally considered like highly specific indicators of compromise or IOCs. So when we're talking about this, I like to refer back to a thing called the Pyramid of Pain. And the Pyramid of Pain is how we define what's easy to detect, but also what's hard to detect and what's easy for a threat actor to change versus really hard to change. So if we start at the bottom of the Pyramid of Pain, down the very bottom there the easiest to detect. But the most trivial to change is hash values, right? Andrew Slater (19:11) So if we are running some correlation detections, some signatures based on hash values, that's quite easy for us to detect. However, it's trivial for a thread actor to change. They can just recompile that very quickly and it's got a new hash value. All of a sudden, the same thread actor using the same malware will bypass that sort of signature based detection moving up, and I don't want to sort of dig into every single one of these too much, but above hash values, we have IP addresses. Once again, they're quite easy to change, quite easy to detect domains, URLs, et cetera. Once again, fairly simple. Once we start getting into your network communications and post artefacts that are leveraged by, for example, a piece of malware, this is where things start to get a little bit harder to detect and a little bit harder for the threat actor to change. Above that, we have tools and the final at the top of the pyramid pane, which is the nirvana we all want to achieve, is TTPs. So these are tactics, techniques and procedures, which is a military base term, but we use this within cyber security for a variety of things, particularly in the MITA framework. Andrew Slater (20:38) It's all built around TTPs, so you have your high level tactics, lower level techniques, in a lot of CISOs, sub techniques, et cetera. So if we can identify through an intelligence programme, threat actors that pose a high threat and therefore risk to the organisation, and we can identify their TTPs, that makes for a long term capability for detection, analytics, et cetera, within the organisation to reduce that risk. You'll see some sort of TTPs will be very technical focused, but at the end of the day, behind that is a human being. And we're all human and we all have our idiosyncrasies and it's really hard to change some of those. So when we're profiling threat actors and we're looking at doing things like trade craft analysis of particular threat actors, we start to try and map out their pattern of life. This can be any number of things. What time was the code compiled? What language pack was it compiled in? How certain values are written within malware, things like that. And over time, you can see these patterns emerging. And that's how you'll see a lot of intelligence analysts start to be able to attribute certain bits and pieces to certain threat actor groups when we do this analysis. Andrew Slater (22:11) Over time, this is where things become much more valuable to the organisation because we're starting to collect important intelligence products over a period of time. And so we're mapping out the so what to all of these threats to our organisation. And that's when threat intelligence starts to become strategic and starts to get engagement with the executive board. And this allows them to understand the risk over time, the change in the threat landscape, the change in threats to the organisation. And this can drive a whole lot of exciting things. So this can drive different markets that the organiser gets in organisation gets into, it can drive change within the organisation structure, technology investments, et cetera. So this is where threat intelligence capabilities become an integral part of the organisation and deliver that value. The more value you deliver, the more engagement you get from your clients. So it just comes back to that intelligence lifecycle. We get more feedback, we get more engagement at planning and direction, we produce better intelligence products, so on. Karissa (23:29) Thanks for that, I think. Yeah, there's so many questions going on in there because I've come from a reporting and analytics background myself around us having the data. But then what does that data mean in terms of insights? So one of the things that I want to understand from you, Andrew, is there's a few things that you said in the course of this interview. You said data but no guidance. So what does that then mean? And do you think that is that just sort of saying, oh, here's a bunch of screens and a sock and here's all this data, but that doesn't really tell us anything, it doesn't really tell us a story? Is that what you mean by that statement? Andrew Slater (24:02) Absolutely. The products we produce, they tell the story. Right. So what are my organization's intelligence requirements? This shouldn't be driven by the Threat intelligence team. Whether it be Cyber or a physical Threat Intelligence Team or any other intelligence team, this needs to be driven by the business. It needs to be focused purely on risks. So those risks give us an understanding of the threats, and the threats drive our intelligence requirements. So the sort of questions we should be asking internally and we should be from the Threat Intelligence Team, we should be asking the business, what are your intelligence requirements that will drive our life cycle, that will drive what is collected, how it's processed, and also the required resources, and what end products will be produced and how? Karissa (24:58) One of the things that you said, Andrew, which was interesting, is you said a lot of these requirements shouldn't be driven by the intel team, it should be driven by the business. But then I think if you're sort of a business leader, I don't think a lot of people have a clue, like, how to even steer that conversation or even know what Threat Intel even is at that senior level. Are you seeing like, a disconnect? Because I still think that a lot of guys that I speak to at the business level wouldn't really have a clue on what this means, and then they probably wouldn't be able to even answer what are our requirements? Andrew Slater (25:35) Yeah, that's a great point, Karissa. The way I sort of look at this is the topic of this podcast is sort of demystifying threat intelligence. And if we just take a step back for the moment, if we look at executives in any organisation, they have their specialisation. If they're a CFO, there are financial specialists, legal of course they're a legal specialist, a law degree, et cetera. Any of them a technology specialist in anything at all? Of course not. So this is the same as any technology conversation. We don't go to our clients if we are, for example, desktop support, we don't go to these executives and say, right, we're rolling out some new desktops. Would you like 16 or 32 calls? How many gigs of Ram do you need? Those sort of technical details are not the things that we should be asking our clients. However, we shouldn't be forcing the technology onto them either. So there needs to be that consultative engagement, which can be fostered in a number of ways. Training and education is very important. So we don't need to turn our executives into intelligence analysts, nor do we need to go into vast amounts of detail about the different data sources we collect and what OS is and other bits and pieces. Andrew Slater (27:09) But what we need to do is educate them on what an intelligence capability can provide, then working with other areas of the business, get them to have an understanding of the high level threats and risk to the organisation. At that point, they will be able to start getting an idea of, here are the questions that I need answered and I need the justification behind it. That so what that assessment? Right? Once they're in that position, in an ability to start building out the intelligence lifecycle, start to define where we're going to collect from and what products we're going to produce, and of course, come back to dissemination and feedback. So dissemination is really important. It has to be timely and it has to be actionable. And I guess this is another point we sort of haven't touched on too much yet, but when we're talking about defining what the intelligence product should be, it comes down. I've talked about clients a lot. So your executives are going to be clients of strategic intelligence, managerial level are going to be clients of more operational intelligence, talking about security operations and cyber teams. They're going to be consumers of technical, tactical and operational intelligence. Andrew Slater (28:38) But it's not just the SOP team. Yeah, we have threat Emulation teams, we have the vulnerability management capability. All of these people are clients from a threat intelligence capability perspective. And so we need to ensure the products we produce are appropriate for them. But more so, just like a security operations centre, there's no point overloading them with information or more to the point to being actionable, there's no point producing threat intelligence, that's not actionable. So it has to be that risk based approach and unfortunately, we can't action everything all the time. Quite often we go into smaller organisations and they say, oh, I'm so jealous of a large organisation, we've only got a team of ten. I heard this organisation has a team of 100. We then go into that larger organisation with a team of 100, they say, oh, we might have 100, but we're so under start, right? Like, no one ever has enough people, so we need to focus down on what we can action. Karissa (29:44) So if I'm a business leader or executive and I've got a threat intel team, what should I be asking? Just to start things that come to mind. So they've got no idea and they're like, look, I'm aware that we're paying for thread intel capability, whether it's internally or externally, where should people be starting that conversation to ask the right questions? Andrew Slater (30:04) Yeah, so this is a really interesting one, because historically, in a lot of organisations, even if there are teams producing threat intelligence, they didn't always start with planning direction within the lifecycle. Right? So I think the first point to start at is whatever threats to my organisation? What are the risks to my organisation? Once that's understood, what are the capabilities within my organisation and within our intelligence teams as well? So what technologies do you have at hand? What products can you produce? Where other gaps? Are the gaps a data source capability? Are we missing data sources? Do we need to buy a data source? Do we need to acquire technology to get a data source? Do we have a gap in skills? If we do have a gap in skills or a gap in capability, what organisations can we partner with for things like this? Within cyber Threat Intelligence, the last sort of 24 months, threat intelligence sharing is becoming a much more popular conversation and we're starting to see things both privately from what's called an Isaac So, an Information Sharing and Analysis centre. So this is a group of organisations that come together to share and collaborate on threat intelligence. Andrew Slater (31:49) So we've seen ISACs becoming more popular, particularly in Australia. We've seen threat sharing platforms popping up and we've also seen development from the Australian Federal Government, in particular ACC, and what they call the CTIS platform, which is cyber Threat intelligence sharing. That's really covering a lot of ground now and starting to get a lot of uptake, which is really good. So coming back to internally making those assessments, it's not always about buying another product, it's about what can we do to help gain further intelligence to address those threats and reduce the risk to the organisation? Training is always a big one. Training for executives, training for midlevel management and training for people who are on the tools as well. That quite often that training and ongoing mentoring can be far more effective than investing in additional technologies. Karissa (32:53) And I think that's interesting as well that I want to get from you is you spoke before about, look, we don't want to overload people with information, right? We got to find that sweet spot. What is that sweet spot? Andrew Slater (33:05) What can you respond to? The end of the day? No. Cyber threat intelligence is no different to a security operations centre. There's no point having all the alerts in the world, even like, we're not talking about false positives here, but there's no point in the security operations centre generating 200 alerts a day. She can only respond to 100. So once again, we have to prioritise our workforce. So rather than trying to do too much, because what will happen then is you start to shortcut the life cycle, right? So the intelligence capability of the organisation, producing more data does not mean producing more value, or producing more products does not mean more value. Don't shortcut the intelligence lifecycle. Continue to take time to understand the threats to the organisation and your clients needs as part of this. What's equally important is understanding your environment. We see this all the time with vulnerabilities. You could see a vulnerability disclosed that has a quite high. CVS, which is common vulnerability scoring system. But if you have an understanding of your environment, you might understand that that isn't necessarily a high risk threat. The system that's vulnerable in your environment might be somewhere way down the back of your environment. Andrew Slater (34:32) It doesn't have direct internet access. So we come back to the definition of a threat, which is intent, capability and opportunity. Well, we got two out of the three, but there's no opportunity. A thread actor has a very low chance of accessing that system. So therefore it's more appropriate for me to focus my resources in other areas which potentially are a much higher risk threat to the organisation. Back to the point about don't shortcut the life cycle. If you produce good intelligence products for your clients, the clients will continue to build and invest in the capability. Do not ignore the need for strategic intelligence. Strategic intelligence is what ensures the organisation over the long term has the right intelligence to drive future decisions, including technology investments and change. Within the organisation as a whole. I would always recommend, if you can't do everything, focus on what you do well, focus on your core capabilities and partner areas where you can. So partnering might be a commercial engagement or partnering might be engaging actively in things like Cetus and Isaacs. Invest in technologies that provide machine to machine integration as appropriate. This can help empower lower experience analysts. Andrew Slater (35:59) So in that sort of sock example, if we are distributing our intelligence products for the operations team in a matter that is low touch, once the analysis has been complete, so we have machine to machine integration, that is going to provide much more context colour and allow low experience analysts to get much further into a playbook with security incidents and things like that. Once again, with intelligence products for executives, the better that we provide those products, the less education that they are going to require to correctly interpret those products as well. Karissa (36:41) Do you think that people take shortcuts? You said before, don't take shortcuts. Do you think people just doing that maybe because they don't want to do it, maybe because it's like a resource pressure or time pressure? Do you think people are doing that more often than not or not really? Andrew Slater (36:58) I think it does happen. I don't think there's any deliberate malice on individuals. I'm sure possibly somewhere that happens, but the reality is we're all super busy. We see this all the time with things like documentation. People will just build the next thing because we're so busy and we require all this stuff. The key here is to focus on how do I make the biggest impact in reducing the risk? You've got technologies out there like threat intelligence platforms which are extremely valuable assets, and I talked before about that machine to machine integration, that's a prime example of a technology that can provide that integration and allow a lower experienced analyst to go much further. Right. But going down the path of a tip, a lot of people overdo it. They don't look at what's actionable, so it comes back to containing the velocity and the volume of threat data and threat intelligence. More is not better. Focus on what you can action, what you can address and what you can action within a timely manner. Karissa (38:08) So I guess I want to sort of conclude our interview. You spoke before, like, more is not better. So would you say that people need to manage their intel overload? Like, some people just sort of going overboard with it? Maybe it's not their intention, but maybe they just think, oh, I have all the information, but us as human beings, we can't really process all that information and then as a result of being overwhelmed, we usually do nothing. So do you think there's a bit of that that's going on in the industry? Andrew Slater (38:36) I think there is the potential for that to be happening. Karisa we've seen that over the years with other areas of cyber security, to and other areas of technology. All of these things need initial investment and they need investment ongoing. And that's why I keep coming back to that life cycle. This is something that never ends with just constantly going through that, constantly improving. You can't just stand up an intelligence capability or a cyber threat intelligence capability and wipe your hands clean and walk away and say, that's it, we've got one. This is something that needs to be constantly watered and fed and invested in people trained, et cetera. Karissa (39:23) Wow. Well, I think that there are so many questions when it goes on to talking about demystifying threat intelligence. I think that, again, I wanted to sort of bring light to about some of the questions that people are asking, but also ran things online. People have different interpretations, different versions of what it means. So I wanted to bring you on the show today to talk about what this means and how this can help people and organisations. So I really do appreciate your time today, Andrew, and thanks for coming on the show. Andrew Slater (39:52) Thank you very much for having me, Karissa. It's been a pleasure. Karissa (39:56) Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. (40:07) This podcast is brought to you by MercSec, the specialists in security search and recruitment solutions. Visit to connect today. Karissa (40:17) If you'd like to find out how KBI can help grow your cyber business, then please head over to This podcast was brought to you by, the voice of cyber.
Share This