Threat Intelligence Expert Perspective: Interview With Levi Gundert
We interviewed Levi Gundert, who just joined Recorded Future as the Vice President of Threat Intelligence. Our wide-ranging discussion covered why he chose a career in cyber security with a focus on threat intelligence, what are the greatest cyber threats and challenges faced by the industry, his take on Recorded Future’s value, and finally what makes the threat intelligence expert tick.
Recorded Future (RF): Tell us a bit about your background in security. What inspired you to enter the cyber security world?
Levi (L): I was in New York City on 9/11 and it radically changed my world view. The events of September 11, 2001 were a physical manifestation of evil that propelled security to the top of my attractive careers list. I was always interested in cyber-security and growing up in a rural area my modem was my gateway to unlocking that curiosity.
RF: Given the many career paths within IT security, how did you become a threat intelligence analyst?
L: I was fortunate to be a U.S. Secret Service (USSS) agent in the Los Angeles ECTF (Electronic Crimes Task Force) where all of the major federal, state, and local agencies are physically co-located. We were doing criminal threat intelligence long before it was the industry flavor of the year. We were able to stand up long term proactive operations to engage with online criminal communities and collect the necessary information that ultimately resulted in global arrests.
When I left the USSS, I continued my threat intelligence career in the private sector where there tends to be better data, but the attribution “last mile” is more difficult because of the lack of legal tools. I worked as a security researcher, analyst, and consultant at Team Cymru for many years before helping to start threat research and intelligence teams at Cisco Systems and Fidelity Investments.
RF: What can an aspiring threat intelligence analyst learn from your own career path that will inspire them?
L: It was a combination. I was an information systems major, but most of that knowledge was theory. There was little practical application. After graduation, I quickly realized that I was going to need to self learn a fairly wide domain. I was working a day job in information technology and spending my evenings in a lab doing hands-on learning with proprietary technologies like Sun, Cisco, Microsoft, etc. I obtained a number of certifications, which made me more attractive as a U.S. Secret Service candidate.
Security — and more specifically threat intelligence — is a career that demands intellectual curiosity and lifelong learning. It never ends. That’s one of the most attractive components of this field. My wife always jokes that if she needs to fall asleep she will ask me to read a page from one of the technical books on my reading list and that will instantly do the trick.
There are certainly human resource departments that are trained to identify certifications and they tend to be valued above all else, but there are also many companies that could care less about certifications and instead are supremely interested in prior work and achievements. Long term, a combination of security certifications and a portfolio of work is going to be the most attractive to the largest swath of potential employers.
RF: Let’s talk about you joining Recorded Future. Can you describe your role at Recorded Future?
L: As Vice President of Threat Intelligence, I am immersed daily in the Recorded Future universe in order to develop high value intelligence for our partners/customers. My core functions include research, evangelism, and product improvement.
RF: What motivated you to join Recorded Future, and why now?
L: I met Christopher, Recorded Future’s CEO and co-founder, years ago after his presentation at a security conference and I was instantly enamored with the capability that the Recorded Future team had built. I’ve been a proponent and user of the product for the last two years and I think it’s brilliant as both a threat intelligence originator and enricher. It is dramatically improving analysts’ challenging professional lives.
Timing is everything and I currently have an opportunity to leave the corporate life and focus on contributing to an already successful company.
RF: Fast forward 18 months. What is the biggest impact you’ve made on Recorded Future and threat intelligence as a discipline?
L: In 18 months our partners will have a new appreciation for the power of threat intelligence from the Web in their team’s daily operational defense workflow. The value of Recorded Future’s insight to an organization’s strategic assets is only going to increase.
RF: Having used Recorded Future, how would you explain its value for customers and CISOs?
L: Recorded Future solves a multitude of problems, but the primary value is targeting. Recorded Future is a capability that can be commissioned for any immediate or long-term intelligence gathering objective and it’s driven by the user, the analyst. The beauty of Recorded Future is that it’s not built on human analyst collection, it’s powered by code and thus can be programmatically leveraged to achieve high fidelity signals that are immediately useful at an operational and strategic level.
Specific examples: Strategically a CISO can track new threats and/or attacks in his or her industry vertical compared to other industry verticals on a weekly basis. The comparison sources remain consistent.
Operationally, a team can create proactive alerts for brand mentions in criminal forums and/or specific dark Web locations. Reactively, a team may want to further enrich a specific autonomous system or IP address in order to assess the nature of a log alert.
These are just two brief examples. Recorded Future use cases are practically limitless.
RF: It would be very helpful to hear about the challenges you see in the industry. Separating hype from reality, what cyber threats should companies be most worried about?
L: The threats never cease to evolve, but the real challenge today is the response, specifically the danger of operational routine and apathy. Operational teams are inundated with information about the latest threats and their respective tools, techniques, and procedures (TTPs), and eventually most of it turns into noise that fits into a logical bucket. Routine examples include the spear phish or “watering hole” nation state campaign, or the commodity malware infection, or the new hacktivist DDoS tool. The problem is that operational defenders are going to start seeing an acceleration in blended threats and defenders aren’t necessarily prepared for it.
For example, when nation state actors begin piggybacking on commodity malware campaigns (e.g., Poweliks), defenders can’t continue to treat every infection as a pedestrian event that simply requires a re-image of the compromised host.
RF: What tools do you use to tackle this problem set?
L: The hammer isn’t as important as the individual and team wielding it. You tackle these problems by hiring motivated and talented security professionals.
RF: Could you describe the challenge you were facing (in IT security, as a business, and in the industry)?
L: The number one challenge for our industry is hiring and retaining motivated and talented security professionals. The second greatest challenge is demonstrating the value and efficacy of security programs on a consistent basis to the business.
RF: Why was this a problem?
L: Companies need to train and support effective information security (INFOSEC) leaders, and leaders need to continue to improve their skills. Overall there is a dearth of leadership that is technically competent, that has operational experience, and that is emotionally intelligent. Leaders need to start caring about the person, and not just the value of the work they produce. They need to communicate clearly, be flexible, disable barriers, and demonstrate true empathy when needed.
There is a consistent pattern at work today in successful INFOSEC teams and programs. Strong leaders build trust with their individual contributors and over time those individual contributors experience increased loyalty. These are highly functional and productive teams that embrace a specific team culture, which is fantastic for the enterprise. Unfortunately, enterprises are frequently self-sabotaging. When they make dramatic changes in the organizational chart it leads to upheaval and career dissatisfaction and often good leaders leave and the team subsequently disintegrates. Companies need to prioritize the identification of successful INFOSEC leaders and do everything possible to support them long term.
RF: You are in a relatively unique position having worked both in a vendor and a customer organization. Having seen both sides what are your thoughts on how organizations should strategically think about threat intelligence?
L: At Cisco our mantra was “threat-centric security” and I believe that continues to ring true today. Identifying and understanding the threats that impact an organization’s customers, employees, infrastructure, applications, and vendors is the crucial function that drives both the “protect and defend” and “identify and remediate” functions of most enterprise security programs. A lack of quality intelligence risks a failure of the entire security apparatus.
RF: What do CISOs need to understand about threat intelligence?
L: Threat intelligence requires metrics like every other discipline. When communicating to the board, those metrics should become a regular fixture of any presentation. The value of the metrics should be self evident and while there is no industry template to define these metrics, it’s important to develop measurements that are meaningful to the business.