KBKAST
Episode 280 Deep Dive: Mary D’Angelo | The Power of Dark Web Threat Intelligence
First Aired: October 23, 2024

In this episode, we sit down with Mary D’Angelo, Cyber Threat Intelligence Solutions Lead from Filigran, to explore cyber threat intelligence. Mary dives into the challenges of decision-making fatigue and discusses the essential role of integrating threat intelligence across organizational silos. She emphasizes the importance of a top-down cultural shift, advocating to demonstrate threat intelligence’s ROI to C-level executives. Highlighting real-world examples, such as the LockBit ransomware attacks on US hospitals, Mary reinforces the urgent need to democratize and streamline intelligence sharing. She also discusses the potential of AI in improving threat intelligence processes while noting the necessity for human oversight in decision-making.

Mary D’Angelo is a Dark Web Threat Advisor dedicated to empowering organizations with the knowledge and tools needed to effectively combat cyber threats. With a strong focus on threat intelligence, Mary guides businesses in leveraging advanced security strategies to thwart malicious actors.

Her commitment to raising awareness about cybersecurity risks is evident through her extensive work, including insightful interviews and thought-provoking blog posts aimed at educating the public.

Mary holds a Bachelor’s degree from the University of Washington. Actively engaged in the InfoSec community, Mary is a familiar face at industry events, contributing her expertise and staying abreast of emerging trends.

Beyond her professional endeavors, Mary is deeply invested in nurturing the next generation of cybersecurity professionals. She dedicates time to mentoring university students, sharing invaluable insights and guiding them toward successful careers in the field.

Mary’s influence extends beyond traditional realms, as she actively participates in esteemed think tanks such as the Dagstuhl Seminar 2024 and the Tortora Bradya Institute. Through collaborative efforts with leading experts, Mary continues to shape the discourse and advance cybersecurity strategies on a global scale.


Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Mary D’Angelo [00:00:00]:
A company is truly like an intel driven organization, they know the value of having intel permeate in every different aspect of that company. And that’s how decisions are made and just enriches their cyber operations, and it helps reduce incident response times by having this intel.

Karissa Breen [00:00:40]:
Joining me today is Mary D’Angelo, cyber threat intelligence solutions lead from Filigran. And today, we’re discussing democratizing cyber threat intelligence. So, Mary, thanks for joining and welcome.

Mary D’Angelo [00:00:51]:
Yes. Thank you so much. I’m excited to be here.

Karissa Breen [00:00:53]:
Okay. So let’s start right there. What do you mean by democratizing cyber threat intelligence? It’s a term that I think you’re talking about a lot on LinkedIn and some of your posts, so I’m keen to sort of get into a little bit more.

Mary D’Angelo [00:01:05]:
Yeah. So democratizing cyber threat intelligence, it’s a bit vague. Right? And so there’s a ton of different meanings behind it. But really how I see it is it refers to making cyber threat intelligence more accessible, more usable, more valuable to a broader range of audience. Because, if you recall, like historically, CTI was it was a very niche practice about like 10 years or so ago. It was very it was limited to just a few experts, and what they did was just produced very long detailed reports and other, you know, cyber operations didn’t find it to be as valuable. And so over time, as there’s, you know, more increasing the accessibility to different data, open sources, different feeds that came out, that started the process of democratizing threat intelligence. And that also had to do with the standardization of it through STIX, which is a framework used to represent threat intelligence just to make it easier to operationalize it, and then as well as having it more bidirectional sharing.

Mary D’Angelo [00:02:16]:
So not only would I be the one to receive the intelligence, but also I would in turn give the intelligence back to the appropriate folks, you know, my experiences, my insights, my thoughts on how this would be useful. And so all of those parts play a huge component in the democratizing of cyber threat intelligence. I will say, especially OpenCTI, the open source threat intelligence platform, played a very pivotal role in this as it made threat intelligence easier. I guess it lowered the barrier for those who wanted access into threat intelligence, and so that not only you were, like, a large Fortune 500 company who had access to this type of intel, but even smaller organizations had the ability to start and then build their capabilities as they continue to learn.

Karissa Breen [00:03:10]:
Okay. So you said before more usable and more valuable. So what do you mean by that?

Mary D’Angelo [00:03:16]:
Yeah. So there’s different types of threat intelligence. Right? So we have the 3 main buckets. You have your strategic, your tactical, and your operational threat intelligence. Your strategic has to do with more high level what is done at the executive level. Tactical is usually responding to more on a daily basis, things that are happening right then and there. So responding to certain alerts, and then operational is just in between both of them. So what you’re doing on a daily basis.

Mary D’Angelo [00:03:44]:
And most of the time, it’s hard when you’re getting intel because you can’t really intel is only important when it’s relevant, when it’s actionable, and when it’s timely. And if it doesn’t fit those three points, then it then it’s not very useful. And so back in the day, they used to write just very long, detailed reports that didn’t hit on any of those points. And so by the time it got to the right hands of the folks who needed it, the data might have been old, probably not relevant, and not something that they could use for the broader, security operations team.

Karissa Breen [00:04:23]:
Yeah. That makes sense because I I was an analyst before specialising in more the reporting side of it. And I guess from my point of view, it’s like, well, if I’ve got all of this information and this data, but I can’t do anything with it. It’s kind of obsolete. It’s redundant. So how do you think now it’s sort of shaping? Is there more to your point? Is there more is it more relevant? Is it more actionable? Is it more timely now with things that you’re sort of seeing with your with your role?

Mary D’Angelo [00:04:49]:
Yeah. So there’s a there’s a few parts into it. I guess it’s it’s hard because there is an increase in the amount of intel that’s out there. Like, just within the past few years or so, you know, we’ve seen, like, Mandiant, Recorded Future, all of these companies popping up, providing a ton of different intel, which is awesome. It’s really, really great for the community. But then it’s a matter now of, okay, how to synthesize it, how to break it down, and and then how do we disseminate it into the right folks for them to offer action upon it. And so I think there is an that’s why we have, like, standardizations in place, which I do think some of them need to be a little bit more refined. But the standardization process really helps so that you can make the process of gathering this intel more easily without having to create custom solutions for each different source of intel.

Mary D’Angelo [00:05:46]:
You know, it’s great with all the intel that we have there, but now it’s a matter of like, okay, how can we make sure we’re actioning up on it in the best way possible?

Karissa Breen [00:05:55]:
So can I ask more of a rudimentary question? Would you say, historically, with everything you’ve mentioned, would you say that companies in the past have, like, yep, tick in the box, we’ve got threat intel, but then as a result, did nothing with it? Because like you said before, maybe it wasn’t relevant, it wasn’t actionable, it wasn’t timely. Would you say, originally, it was just we’ve got the thing, we’ve done our job, but to your point before, no one’s really disseminating it properly or synthesizing it or making any insights derived from from all of this intelligence. Would you say that was a thing?

Mary D’Angelo [00:06:26]:
Yeah. It was kind of it was, really, about 10 years or so ago. It was it was very a practice that was done by a few number of experts or those in government. And beyond that, really, most organizations didn’t see the value in it. And as it changed over time, then it became especially, like, with incident response teams, that became something that they realized, you know, they it was crucial to their operations. So it yeah. It’s definitely changed. It actually it changed pretty quickly, I would say, as well in from what we’ve seen.

Karissa Breen [00:07:02]:
So with your experience, you said before synthesize, how would you go about synthesizing all of this intel, for example?

Mary D’Angelo [00:07:10]:
Yeah. So there’s usually pretty good solutions out there to do that. So, like, OpenCTI, for example, the platform that I was mentioning, the open source threat intelligence platform, they do an incredible job at synthesizing it. There are other tools and capabilities out there, but it just requires doing it manually. It just requires a lot of effort, and it’s probably not worth the amount of time spent in it. So if you have something that can follow all the stages that, you know, of the threat intelligence life cycle, then it could break it down for you. And then if there are, you know, duplicates of certain threat actors or terms, it’ll break it down so that it won’t be so redundant with doing your investigations.

Karissa Breen [00:07:58]:
Okay. So walk us through the threat intelligence life cycle.

Mary D’Angelo [00:08:02]:
Yes. So the threat intelligence life cycle. So it’s made up of 6 stages. So you have your, first, your direction and planning, then your collection and compilation, your processing, analyzing, and reviewing, and then your dissemination piece. And then finally is the feedback, and then using that to continuously improve your process. So with a threat intelligence platform, you would have components where you would bring in the intel that would match up to each part of those stages, and then you can follow it along so that you’re making sure when you get to the dissemination point, the intel is going to the right folks that need it.

Karissa Breen [00:08:43]:
Okay. So from your experience, where would you say the main issue had sort of live? I know you’ve touched on before on the dissemination side of it, but what about the direction, even way at the beginning? Do you think people are still a bit lost perhaps even from the start of the life cycle?

Mary D’Angelo [00:09:00]:
Yeah. So the start of the life cycle is probably where people that and the dissemination part are, I think, where people struggle the most just because, one, it it requires gathering tons of different intelligence. And oftentimes, there’s too much intelligence. You don’t know which is where to begin. Right? And so that can be kind of overwhelming. And then with the dissemination piece of it, you have to know, you know, as you’ve narrowed it down, you have to know exactly, okay, who what team would best be able to respond to this information. And so that kinda trips people up as well.

Karissa Breen [00:09:39]:
So how would you sort of navigate who’s the best team from your experience?

Mary D’Angelo [00:09:43]:
Organizations will know this themselves pretty well. So if you’re doing dealing with, like, tactical intel, so if you’re doing, like, with IOCs, that would go mostly to the security operations teams. If you’re dealing more with strategic intelligence, so if you’re looking at, like, you know, the overall let’s say, you’re you’re tracking their ransomware group within your sector and you’re seeing their their trends and, you know, where who they generally target, what geographical areas, that would go more at, you know, a c level. So then they can build a plan for the their security team to make sure that it is protecting against any of those points. So, you know, again, it kinda breaks it up into those different buckets of what would be strategic, what would be tactical, what would be operational. And then from there, you’d be able to disseminate it into the right folks.

Karissa Breen [00:10:35]:
Okay. So that sort of leads me more to my next sort of question or point. Now your view, Mary, is that intelligence should be available for everyone as you’ve mentioned already. And to your point earlier around if it’s more strategic intel, that we should be tracking them, should go to c level. But I want you to walk us through perhaps that recent example of LockBit targeting US hospitals. So maybe talk us through it.

Mary D’Angelo [00:10:57]:
This is a really good example because this is how sort of the path that I came down into finding the company that I am right now about really the importance of democratizing cyber threat intelligence. So last year, it was around November, October timeline of 2023. This was when LockBit was going pretty crazy. You know? So they were hitting hospitals hard. What’s sad about hospitals is most of the time, you know, they are so overworked, understaffed, and they don’t have the right security stack to respond to this, let alone intelligence. And so what we were seeing is an initial access broker was selling it was, like, almost every single day was selling on the dark web new credentials for a hospital within the US. But they were very, you know, they’re very smart about it. They make sure not to name the hospital.

Mary D’Angelo [00:11:51]:
They just say where the hospital is generally located, and then the revenue sides of the organization. They do that on purpose because they don’t want the hospital to get a notification like, hey. Your credentials are being sold. Right? So it’s a little bit sneaky. But there were so much of it happening that, and you know these hospitals don’t have access into this intel. And if they did have access, it would it wouldn’t be through their own means. It would probably be something, you know, either working with law enforcement, with some government agency, or maybe with an ISAC. And at that point, by the time it reaches the hospital, it kind it might be too late. And so when I saw and I guess I have more of a soft spot when it comes to hospitals because, you know, there’s real lives on the table here. And so, you know, saw this, like, this information needs to be sent out to the hospitals ASAP, ASAP, but they we didn’t have a system in place. And even if we did have a system in place, there’s also again, back to the standardization is how then do we feed them this intel and how do we help them action upon this intel? So, you know, so it was a kind of a it was very eye opening for me to see that there was a major gap here because we had the intel, there was something we can do about it, and yet the hospitals, you know, weren’t able to receive it. And that’s also not to say that if they had this intel, it would have stopped a cyber attack.

Mary D’Angelo [00:13:23]:
We don’t know that for sure, but I think it would be more helpful if the hospitals were able to have this intel.

Karissa Breen [00:13:31]:
Absolutely. So this is interesting. So maybe so from your point of view, and you obviously have explained it quite well around they didn’t use their name, they redacted the name, or else there would be an alert. It’s a lot more, you know, obvious. Take that example. So should people go hunting for this then in terms of, like, well, we don’t know. And and like you said, like, it’s you know, people’s lives is very, very different to I mean, I worked at a bank and security. It’s kinda different to, you know, the money side of things because you can always replace the money.

Karissa Breen [00:13:59]:
But, you know, when it’s people’s health records and stuff, it’s a bit more sensitive. So what would be your advice then for there’s probably another hospital going through the exact same sort of situation. Again, their name’s been redacted. What’s your thoughts then on sort of countermeasuring this?

Mary D’Angelo [00:14:15]:
Yeah. So that’s it’s really difficult because at some point, you wanna say, like, okay. The hospital should invest in a robust cyber threat intelligence program. But, you know, after that costs a lot of money, and finding great CTI analysts is hard to find. And so and in order to build a program up like that from the bottom up would cost a lot of time and money as well. And so that doesn’t seem like a realistic solution here. I think that’s where sharing the intel would kinda come into this space. And I don’t wanna say that we don’t do enough sharing because I think we do.

Mary D’Angelo [00:14:55]:
I mean, much better than we have, you know, 5 to 7 years ago. And especially with ISACs, you know, like the H-ISAC does an incredible job of giving these hospitals who wouldn’t have access to any of this intel, access into some of these intels that are only available to very large organizations. But I do think that there’s a gap, something that is being missed. There has to be a way of how we can streamline this intelligence to the right hospitals so that they receive it on a timely and actually relevant timeline. So I think from now, that’s something we have to think about, and obviously, we’d have to work with certain private companies who specialize in this intel and then how they think it would be best to feed it.

Karissa Breen [00:15:40]:
Yeah. Most definitely. So I think okay. So you said before that’s not the most, you know, cost effective solution. So do you think that companies out there are thinking, like, all of this process that you’re discussing here with me today is, oh, it all it just costs too much. Like, it does make sense, but maybe if I don’t know it’s there, I won’t have to deal with the problem. Do you think there’s a little bit of that in there?

Mary D’Angelo [00:16:01]:
I do think there’s a lot of, I would say, like, perceived lack of value, and that’s kind of why a lot of people sort of gatekeep intelligence or they’re not so on board with sharing their intel with other industry folks, or or even internally, you know, within their internal cyber ops, is they think they can see it as being like, okay, cool. Like, we have this piece of intel. Now what? Like, because they don’t see any sort of immediate or clear benefits. And so with that, they might want to invest, you know, less time into CTI where they feel like they could spend more time in different parts of cyber.

Karissa Breen [00:16:40]:
Okay. Going back to the sharing for a moment. Now if you envision just say you’re a utilities company and you’ve got 2 of the largest competitors, do you think they’re really wanting to share with their competitor? Have you seen that? Now I know that sounds like a you know, the the as a security person, you you wanna think, you know, our goal is to combat, you know, the cyber criminals. That’s the real adversary. Right? However, I have seen people saying, well, I don’t wanna share my threat intelligence with my competitor. That’s their problem. How are we gonna sort of, you know, close that gap?

Mary D’Angelo [00:17:14]:
Yeah. So I see that point, but I also think within the cyber community, they’re they have, in just dealing with, you know, my clients and partners in the past is they have pretty good like, for example, oil and gas is who I work with very closely. Even though most of them are major competitors with each other, they all seem to, you know, have either Slack channels or different ways to communicate with one another. So if something comes in, let’s say they receive a notification from the dark web that an initial access broker is selling credentials for, you know, a large oil and gas firm. They immediately it doesn’t say the name of the oil and gas firm, but they immediately know someone within their industry. And so whoever sees it first will share it will then take the initiative and share it with each other. Because there is sort of no one even though they’re your competitors, no one really wants. It hurts the industry as a whole if one of them gets, you know, if one of them gets hit.

Mary D’Angelo [00:18:15]:
I guess what’s nice about the cyber community is they kind of look past the piece of being competitors, and they’re very good. At least I can speak to, you know, oil and gas, maybe financial services as well as, you know, being able to share the intel.

Karissa Breen [00:18:32]:
And, look, I asked that question because I recently interviewed Jeetu Patel. So he was formerly the executive vice president of, innovation in cybersecurity for Cisco. I think he’s got a new title now. But he was talking all about this on how we actually can work together to combat cyber criminals rather than each other. But just in my experience, I have seen a bit of that of people like, well, I don’t wanna share because they’re a competitor, but it’s not a zero sum game. So what do you think in terms of how do we how do we sort of move forward from that mindset? Now I asked this question as well because I’m in media. When people go and have breaches, I go and approach them, and I’ve had people say no. And I’ve actually said to them, well, your competitors or people in your sort of, you know, arena wanna know, like, how they can potentially, you know, not go down the same mistake.

Karissa Breen [00:19:20]:
And I’ve had people just say, no. I don’t wanna comment on that. So I know it’s sort of different to threat intel, but when I’m on the other side of it, I’m trying to get a response from companies that have had a cybersecurity incident or being breached. I’m getting the no comment side of it as well, and that doesn’t really help the industry.

Mary D’Angelo [00:19:37]:
But see, it’s funny because I have I feel like I have a totally different experience. I think there’s recently a large gas firm that was hit maybe, like, a few months ago or so. But it was kinda kept on the DL, but everyone was in this in this sector knew about it. And then because of that, they were working on it because they were trying to figure out, you know, what sort of what version of the TTPs that start after using, how did they gain access into it, and then could they also replicate the same into our environment. And it was, I guess, it was nice to see that these companies, even though they’re all competitors, they were doing a very, very good job of, like, working with each other, sharing the intel so that it could, you know, if not help mitigate, but stop from happening to other oil and gas firms.

Karissa Breen [00:20:27]:
Yeah. And maybe because you’re in a, you know, other side of the world, it could be that it could be that I’m in Australia, and maybe things are different here. But you mentioned something before around people sort of you know, they don’t quite understand the the value add of threat intelligence. Do you think that’s changing, though, over time? I mean, having you talk on the show, obviously, is demonstrating the value add, etcetera, but will we start to see people understanding a little bit more fidelity, would you say?

Mary D’Angelo [00:20:52]:
Definitely. I think it’s shifted a lot within the past few years or so. I think mostly at the, higher, larger organization level, they definitely see the value, especially when it comes to, you know, feeding the intel into other parts of an organization. So if a company is truly like an intel driven organization, they know the value of having intel permeate in every different aspect of that company. And that’s how, you know, decisions are made and how it just enriches their cyber operations, and it helps reduce incident response times by having this intel. So I think right now, it’s more so on maybe the smaller, as you mentioned, like hospitals or, smaller organizations that are coming around to I think they see the value of it, but it’s more so a costing. And if it’s something they feel like they can they don’t think they can justify just yet. And so that’s hopefully, I think that will certainly change within the next couple of years.

Karissa Breen [00:22:04]:
So your sort of view or philosophy is making it more accessible. Would that also mean then that that cost is sort of reduced then a little bit more? Like you said, like, if it’s a cost thing for some of these companies, like hospitals, for example, I mean, like, cost can always be reduced. So do you start to see that now coming through a little bit more, so it is a little bit more ubiquitous moving forward?

Mary D’Angelo [00:22:27]:
I like to look back at that LockBit example with the initial access broker selling all of those credentials. At that point, I think that intel should have just been given to those hospitals for free because that would have saved not only lives, but it would save these small hospitals, you know, so much money if they were hit with this cyber attack. But I do understand the importance. And I I think ISACs do a really great job of being able to have the right you know, being able to gather strong threat intelligence reports that might only be used for larger organizations, but then reducing the price on it so that there’s, like, a lower barrier of entry so that smaller organizations can gain access into it as well. So, you know, not necessarily having to be free or although I will say there are a ton of open source solutions out there. I mean, OpenCTI being one of them where anyone can sign up and learn how to, you know, track their intelligence life cycle and depending on what their maturity level is and how they wanna grow and how they wanna gather and use that intel. And there’s also other places there with a lot of, free intel feeds as well. And I do think that the, you know, there’s various government programs that you can reach out to that could help you with make you know, not only providing you with intel, but also showing you how to action upon it.

Mary D’Angelo [00:23:56]:
So there so there are resources there, and, you know, not all are free, but I think it’s it’s getting to that point where I think the community is really realizing truly the value of this intel. And, you know, intel is just like one piece of the puzzle. It’s only effective if you can, you know, connect it with connect it with the whole with the whole puzzle itself. And so that’s where the sharing component comes in into it.

Karissa Breen [00:24:22]:
Okay. So I wanna maybe get into you said before the threat intel report. Talk me through it. What typically is covered in those reports to get actionable insights that, you know, people can, you know, act upon?

Mary D’Angelo [00:24:35]:
Yeah. So the they so they vary depending on who the audience is. I think for some, like, for more strategic high level, it would have to be usually reports around various ransomware groups and threat actors in your sector. You know, what their TTPs are, who they generally go after, what their, you know, sort of what their history looks like and where we see them heading towards. And so that that’s one example of threat intelligence reports. Others are just things that and usually these come from ISACs or, like, common vulnerabilities that we might be seeing, IOCs that we’re seeing that you want to ingest into your platform so you you’re made aware of it, and that’s more of on the tactical side.

Karissa Breen [00:25:26]:
So in terms of moving forward, what are the things you’d like to sort of see happen? As you mentioned, I know it’ll be more accessible. Like, what’s realistic that we’re gonna start to see? So is it that people can’t afford, you know, threat intelligence, so maybe they should head over to OpenCTI, but then with that comes its own challenges of time, you know, resource, understanding, you know, upskilling themselves, etcetera, if they don’t have that internal capability. Or the other way is, well, if you don’t have all that, you can just pay a company to do it. Right? So that’s typically how it goes. But you sort of you you starting to see that sort of emerge more, but what other things can people sort of expect now? Because as you said, with the hospital, it makes sense. We wanna see a reduction in these types of things happening. We wanna see more threat intelligence sharing, but talk me through more of your thoughts.

Mary D’Angelo [00:26:13]:
I think this is more of a positive perspective on this. I think and I know, you know, you’ve probably talked to a lot of people about the emergence of AI and how it’s it will play a role in, you know, various topics. But I think with this particular example, when it comes to sharing of threat intelligence or threat intelligence in general, I think AI will significantly transform and make the process so much better. Of course, there will be. There’s, you know, there’s always gonna be some cons and some challenges and risks involved with it. Well, first of all, I do expect to see more of an increased volume of cyber threat data out there. You know, there right now, we’re already seeing so many players in the marketplace right now, and, like, it’s only expected for more to come. And so with AI being part of that, I I what I would imagine is AI being able to structure and process that intel more effectively. And so now that we have all this influx of intelligence using AI to do the standardization for us, and then, you know, sometimes you might get data in all different types of formats, if it’s a PDF report or raw data streams, right? Having the AI break it down and convert it for the end user so that they can actually operationalize on it, which I think is, is pretty exciting.

Mary D’Angelo [00:27:35]:
Also helping with, you know, the decision making and the actionability when it comes to the threat intelligence. And that’s a that’s a very difficult piece of especially for a CTI analyst. You know, once the data has been processed okay. Great. Now what to do? What what how can I action upon it? And so I think AI will definitely play a big role in that, you know, identifying who some of these threats are, where they’re coming from, and who would be what would be the appropriate strategies to mitigate it. And then lastly, it’s just again the standardization because I think my biggest issue right now within the industry is there’s you know, each vendor has their own name for these different threat actor groups. Like, I was looking up earlier today, like, Muddled Libra, just they were in Hacker News, and there is, like, a million different aliases for it. And that’s so hard to track.

Mary D’Angelo [00:28:36]:
Right? And so having something like AI, which will combine all of those aliases together or just or even just standardizing across the industry, like, this is the name we will be using for this threat actor. So that it could help with redundancies and definitely help push through some of these processing much quicker.

Karissa Breen [00:28:57]:
Okay. There’s a couple of interesting things in there that I wanna just hear your thoughts on. So you said with AI, you can break it down and then convert it. What do you mean by convert it?

Mary D’Angelo [00:29:10]:
Yeah. So, like, I think of it as convert it into something actionable. If, like, a piece of intelligence comes in, and let’s say, usually, there’s gonna be, at this point where I’m talking about, like, you know, in the future, there’s gonna be an influx of intelligence coming in. And so the AI would have to basically do a lot of deduplication, cross checking, making sure the intel that’s in is relevant and also accurate. Right? We don’t want a bunch of fake information out there. And then now that we have this, the next step would be, okay, how can I make this actionable for different stakeholders across the organization? And that’s what it would do. It’d say, hey, this is something that, you know, the incident response team would need to take a look at. This is something maybe more of a, you know, CSO would like to take a look at as it talks about the greater threat campaign landscape.

Mary D’Angelo [00:30:05]:
And so making it something that you can action upon.

Karissa Breen [00:30:11]:
Okay. So then I wanna flip over to, you know, with AI as a tool to help, you know, increase decision making, etcetera. The only question I have around that is what about sort of, like, the hallucination side of things? And then therefore, it says you should take path a because the AI said that, or in actuality, you should have taken path b. How do people sort of discern that information?

Mary D’Angelo [00:30:37]:
Yeah. That’s always a tough thing to deal with. I think that’s why it’s important to have humans involved in this process as well. Even though AI will play a very critical role, especially with fast tracking, especially in the beginning, fast tracking the intel pieces. But when it actually comes to actioning upon it, that’s something you would want a human to take a look at and, you know, confirm if that’s the right thing to do. I would not ever suggest having AI run your entire CTI program, but I think it would be a very powerful tool, especially in the early stages of gathering that intel to help with it.

Karissa Breen [00:31:22]:
So, effectively, having AI in place collects all this information, puts it in a way, and converts it that makes sense, then creates a decision slash but then people at that point would really need to intervene and assess whether that makes sense to do the thing.

Mary D’Angelo [00:31:38]:
Yeah. Yeah. Definitely.

Karissa Breen [00:31:40]:
The only thing I’m worried about is because people are quite fatigued and everything like that, it might be something that’s super small and they’re like, oh, well, you know, it’s not a big risk, so I might just go and do this. But it actually may be the wrong path, but, you know, I guess these things do happen. Even if there is a human that intervenes, it could just be perhaps they’ve overlooked something and it might not be the right thing to do. What are your sort of thoughts on that?

Mary D’Angelo [00:32:03]:
I definitely do see something like that happening. Although, I will say at that point, you know, once you’re at the dissemination process of the threat intelligence life cycle, there’s a few other stakeholders involved. So if someone, you know, gets this piece of intel, AI suggesting this is how you might action upon it, they might then send it to someone else on the team to do the actioning on it. And so you have a few more sets of eyes looking at it. It depends on, you know, how the gravity of the action might be. But at that point, I think by the time the real action takes place, there’ll be more confidence behind it given the amount of different people that had to sign off on it.

Karissa Breen [00:32:53]:
No. That totally makes sense. So just going back to the decision making then for a moment, would you say, like, historically or even now ish, people thought, okay. Well, what do I do now with this? And then as a result of not knowing or feeling fatigued or unsure, perhaps, do you think some of these things have, like, gone by the wayside perhaps? Because, like, well, I don’t know what to do with the thing, so I’m just gonna, perhaps, ignore the thing.

Mary D’Angelo [00:33:16]:
I do think there is a struggle in that, because threat intelligence is most effective when it, you know, permeates all aspects of an organization. And so if there are more people involved with the process of, you know, gathering the intel, evaluating the intel, actioning upon the intel, then I think it’s way more successful. But if we’re talking about working in silos, so if it’s just, you know, we have a CTI team off in the corner, they’re the ones that are supposed to work through all this intelligence and then pass it off to the right folks. I think that’s kind of where more of that struggle might come in and where I think it would be better if, again, you know, something I’m very big on is making it available, making it a larger part of the organization and less of the siloed piece.

Karissa Breen [00:34:17]:
What do you mean by larger part of the organization?

Mary D’Angelo [00:34:19]:
Making it top of mind, making the sharing of threat intelligence more of a cultural thing. So from the very top of the organization to the bottom, cyber threat intelligence is the most important. And that’s just within the culture of the organization and not just something that is seen for a small department within security to be the ones that, you know, run. Yeah. We have cyber threat intelligence. You know, they sit in the corner. They’re the ones that are doing it. But more so, it being part of every single part of the organization from, you know, risk management to incident response.

Karissa Breen [00:34:59]:
So how would you go about engendering this threat intelligence being a larger part of the organization? Because I get it. I just think that, like, I’ve spoken to so many cyber people on, like, 40, 50, 60, 70 topics, etcetera. And every time someone speaks to me about a topic, I’m like, oh, that’s so important. But then the next person I interview, I’m like, but that’s more important. So what would you do about that to encourage that sort of adoption towards threat intelligence with your experience?

Mary D’Angelo [00:35:25]:
There has to be a little bit of a PR campaign around it, first of all. So you’d have to definitely demonstrate the value of how, you know, this intelligence can help your operation. This is how it could help your, you know, ROI, basically. And so you’d have to start, I would say, top down. So dealing with, like, the C level, showing how threat intelligence helps your team focus on what’s important right now. So these are the main threat actors that are targeting our sector. These are their TTPs. You know, these are some of our vulnerabilities.

Mary D’Angelo [00:36:04]:
Because we have this intel, we now can have the team focused on responding to all of that. And then also it helps with budgeting as well. So then you know, okay. So if these are some of my weaknesses, these are things I need to keep track of. Maybe, you know, if my biggest weakness, you can see right now, is, like, the human error. And most of the threat actors that are coming for us, you know, specialize in social engineering. Okay. Let me then devote resources and money to building out a more, you know, social engineering program for the folks at the organization.

Mary D’Angelo [00:36:40]:
And so kind of starting it from that way, from the top down, showing what their pain points are, understanding their pain points, and then saying, this is how threat intelligence can play into it, and this is why you’ll see an ROI on it. Because if done correctly, they really will see the ROI. I mean, some of the best organizations that I’ve worked with, they are what I call a very threat intelligence driven organization. And you can see it across the whole organization. It’s something that they really value and they listen to, but it definitely took time. You know, it took time to get leadership on board. Because right away, it’s not something you see, you don’t see the immediate effects right away. It, you know, it has to take time.

Mary D’Angelo [00:37:30]:
So if you can start small, and especially a top down approach, I think that is how it would be most beneficial.

Karissa Breen [00:37:39]:
So, Mary, do you have any sort of closing comments or final thoughts you’d like to leave our audience with today?

Mary D’Angelo [00:37:44]:
I think for those who are on the path of kind of playing around with cyber threat intelligence, I really do encourage you. There’s a ton of different open source platforms out there, different feeds out there, and just really devoting some time into seeing how it could benefit you and your organization. I was just speaking with someone recently, a couple days ago. I think it was at Black Hat. And he was saying that he never really saw the value. I mean, he’s working on a SOC team, and he didn’t really see the value of threat intelligence until he attended a talk at Black Hat. And he was so inspired by it. He went online and, like, downloaded all these open source platforms and these different feeds.

Mary D’Angelo [00:38:33]:
And now he’s like, you know, he started off there knowing nothing. And just after a couple of weeks, he feels like he’s built out a stronger, more resilient cyber program for his company.
