Making the Framework for Threat Intelligence Easy

May 18, 2020 • Monica Todros

Our guest is Chris Cochran, threat intelligence and operations lead at Netflix, and co-host of the Hacker Valley Podcast. We discuss his career in cybersecurity, from his ambitious beginnings as a student, his service in the U.S. Marine Corps, and his time at U.S. Cyber Command as a member of the team pioneering threat intelligence before it was even known by that name.

Chris also shares his thoughts on leadership, as well as his development of an intelligence framework that goes by the acronym EASY.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 159 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Our guest is Chris Cochran, threat intelligence and operations lead at Netflix, and co-host of the Hacker Valley Podcast. We discuss his career in cybersecurity, from his ambitious beginnings as a student, his service in the U.S. Marine Corps, and his time at U.S. Cyber Command as a member of the team pioneering threat intelligence before it was even known by that name.

Chris also shares his thoughts on leadership, as well as his development of an intelligence framework that goes by the acronym EASY. Stay with us.

Chris Cochran:

Growing up, I’ve always been interested in technology. I think it really started around the “Terminator 2” era. I wanted to build Skynet, but for good purposes, not to take over the world and go to war. I fell in love with technology and I wanted to build robots. So I started out with one of those kits where you could turn it into anything, you could turn it into an alarm system, you could turn into an AM radio. I was just fascinated with technology. And that really just stuck with me throughout my years. I remember taking apart computers, and looking at components, and figuring out how exactly computers work.

And I remember I had transferred schools from one school district to another, and in this new school, they had a program where your kids could actually get their networking certification. And I had missed the cutoff, and I wasn’t able to enter this program. And I was like, “Man, this would have been a great opportunity to really explore that technology passion that I had.” And I asked some of my friends that were in the program. I said, “Hey I really want to get into this computer stuff officially, what can I do?” And they said, “Go get a book.” And so I took my back-to-school clothes money, because I needed new clothes for the new school I was going to, and I spent every last dollar on a CompTIA A+ certification book. So this talked about computer components and things like that. And I read it like a novel, like just page to page, really trying to absorb as much information as I could. And so I would go back to my friends and I would ask these questions. And they said, “Wow, you’re really picking this stuff up.”

And so let’s skip ahead a little bit.

Dave Bittner:

Before we do that, how old were you at this time? Or what era of school are you in here?

Chris Cochran:

Yeah, this was the middle of high school at this point. And if we skip ahead a little bit, when I decided to join the Marine Corps, I was like three years into college, and I was a philosophy major. I was fascinated with logic, and argumentation, and things like that. And reading about these great philosophers back in the day. And by my third year I realized I might not be able to make a great living with philosophy. So I decided to join the Marine Corps, a huge 180. And I joined the Marine Corps. I did pretty well on the ASVAB. And they said, “You have the pick of the litter. You can do whatever you want.” I originally wanted to be a scout sniper for the Marine Corps. But I saw this thing that said intelligence and I was like, “Oh wow. I think I’m a pretty smart guy. Maybe I should try out this intelligence stuff.”

So not having any clue what intelligence was, I picked it, I go through bootcamp, I’m asking my drill instructor, “Hey, what is this intelligence thing?” And they’re like, “I don’t know.” Like no one had any clue.

Dave Bittner:

I don’t know, but I’ve been told.

Chris Cochran:

Yeah, exactly. And so I finally start working and I go to the National Security Agency as my first real duty station. And so they taught me all of the trade craft of intelligence, supporting the Marine Corps. And then ultimately I get out of the Marine Corps and I go to the newly formed United States Cyber Command. And this is where I really start to get into the nitty gritty of all source analysis, and what is now known as threat intelligence today. I’ve built a company that does threat intelligence support and building capabilities. I’ve been with the majority of the consultancies out there that do threat intelligence. And that’s really been the cornerstone of my entire career.

Dave Bittner:

Can you take us through your experience in the military? Because it sounds like you were among that group of people who were really pioneering this notion of threat intelligence within the intelligence community. Well, what insights can you share from that part of your journey?

Chris Cochran:

Yeah. So actually when I started doing it, to be completely transparent, I thought that if I ever had to leave the government, that I would have to just start from scratch. Because I didn’t think that threat intelligence was going to be a thing that was going to be applied to people in the commercial industry. And lo and behold, this APT1 report comes out from Mandiant, about 2013, this is about three years into my stint at Cyber Command. And all of a sudden, threat intelligence became the new hotness. It was the buzz word in the industry. And I was like, “Wow. I do have a future in the stuff that I’ve been doing.” But in parallel to doing all that, I went back to school, I switched my focus to have a little bit more technical focus. And so I got my minor in cybersecurity, but I kept all my philosophy classes. So I ended up majoring in humanities. But that combination supported my craft. The ability to argue and have logic to the assessments that I was making from a threat intelligence perspective.

And yeah, it just seemed like everything came together. It was a right place at the right time and the right preparation.

Dave Bittner:

Yeah. I mean that’s a really interesting part of the story. There’s many people who I’ve spoken to who have had unconventional approaches to cybersecurity, and threat intelligence, and so forth. And as you say, studying philosophy, I mean that’s a whole mindset. It’s a way of thinking, but it does apply to this area.

Chris Cochran:

Absolutely. And 100%. So one thing that I’ll give to your listeners to also take back to their work space is, there’s this thing called the Socratic method. And what it is, it’s a style of argumentation where you’re asking questions to actually get to a point. So whenever you have like those tough stakeholders from a threat intelligence perspective that feel like they don’t need threat intelligence, or they think threat intelligence is a waste of time and resources, what you can do is you can start to ask questions.

You can ask a question like, can you think of a time where you wish you had a piece of information to make a better decision, but you didn’t have it because you didn’t have that visibility? And so I’m sure that could apply to anybody in any function. And so once you start that question asking, and you start to define what their needs are, and you find out what their definitions are, then you can actually start to apply some of that logic to how you would support them from a threat intelligence perspective.

Dave Bittner:

Yeah. It also strikes me the importance of just having that set of communications tools in your back pocket to speak to both the people who you’re in charge of as a leader, but also the folks above you when you have to explain everything you’re up to.

Chris Cochran:

Yeah, absolutely. I think that communication is one of the most important aspects of threat intelligence, but also it’s one of the most important aspects of life in general. Like being able to communicate with your kids, your spouse, your superiors, to the mail person that delivers your mail, to the person that’s delivering your food. Being able to communicate effectively, and being able to meet people where they are, is super important to get anything done in life.

Dave Bittner:

The story that you share about choosing to enter the military is a common one that we hear from a lot of folks in cybersecurity. And it strikes me that, that really opened up a lot of doors for you and provided a lot of opportunities, particularly for that level of training, that on-the-job training that the military, it seems to me provides a lot of those opportunities that maybe you wouldn’t have gotten in the private sector.

Chris Cochran:

Absolutely. 100%. And I’m a big, big supporter of people entering the military. Any branch, serve your country or particularly any country really support … We’re all service members at the end of the day. I’ve spoken to people from all over the country. And when I say that I was in the United States Marine Corps, they say, “Thank you for your service,” even though they’re not from our particular nation. And I think that’s something that bonds all service people together. And so yeah, if you have the opportunity to get training while they also supply your meals, they make sure you take care of yourself. You have to stay in shape. They basically are the training wheels of adulthood.

When I went to college, I felt like I had to figure out everything on my own. Like things were neglected. I had to have a lot of hard lessons during that time. But when I went to the military, they Chris-proofed it, for lack of a better term. They made sure that I went to the doctor once a year, and got my dental checkups and paid all my bills, and all of these things while giving me the requisite skills to prepare me for life after the Marine Corps.

Dave Bittner:

That’s fascinating. Because I think, certainly, most of us probably think of the Marine Corps as being a place where there is a lot of physical discipline, but there’s that mental and emotional component as well.

Chris Cochran:

Yeah. That’s one of the things that I think sharpened the most, aside from my six pack abs, is at the boot camp I definitely had to find another gear of mental toughness. Because it’s such a unique scenario being separated from all the people that you’ve known your entire life, being shoved into this highly intense environment where constantly having to second-guess and respond to orders. And it really sharpens your mental toughness. It’s almost like there’s no option but to succeed in your mission. And that often applies to the things that I’m doing with my podcast, Hacker Valley Studio, or in my workplace, there is nothing but mission and accomplishment that’s on my mind and we have to do whatever we have to do to get it.

Dave Bittner:

Well, take us through your career path after the military.

Chris Cochran:

So, after the military, I went to United States Cyber Command for about five years. And I was leading a team that was a mix of contractors and military members and government civilians. And this is where I really started to hone my leadership skills. I had some leadership skills from the Marine Corps, but this is now an opportunity for me to lead different flavors of people from different backgrounds. And that’s where I really developed this notion that I am a decent leader, and this is a skillset that I want to learn. And so I became like a student of leadership, reading about the great leaders of the world: your Barack Obamas, your Stanley McChrystals, Admiral McRaven, all those great leaders that you hear about.

And so I decided, after I left Cyber Command, to start my own company with a few friends, and this is when I really got into the commercial side of what threat intelligence is, some of the appliances that we use, or the solutions that we use. And I started to learn more about other facets of cybersecurity centric. So what is vulnerability management? What is incident response? What is threat hunting? All of these things. And so I pivoted from place to place learning little bits about each function within cybersecurity. And I think that being in threat intelligence, you have a great opportunity to actually learn about a lot of different functions within cybersecurity. Because you are supporting all of these roles with intelligence. And so you need to learn what they’re doing in order to best support them. And I think that’s really given me a huge leg up.

And then to pivot from having my own thing to going around from different consultancies. I was at Mandiant for a little bit, I was at Booz Allen Hamilton. And I really got to see different environments. And I feel like this plethora of experiences, and different environments, and things like that really gave me a leg up. And then that’s about the time that Netflix came calling, and asked me to come lead that function for the company.

Dave Bittner:

So, you’ve worked in threat intelligence at Netflix. Do you have any interesting insights to share from that experience? Certainly it’s a company we’re all familiar with.

Chris Cochran:

It’s funny. I ended up creating a framework, and not because I was like, “Oh, I’m so wise. I’m going to teach everybody something.” It was actually because I had to go back to the drawing board when I came over to Netflix.

I largely had been on the east coast, a lot of traditional cybersecurity, architecture solutions, things like that. But when I got over to Netflix, everything was so different. The people were different. The processes were different. The technology was different. Because it was all technology. A lot of it’s technology that Netflix internal employees built. And so I had to go back to the drawing board. Because when I came in, there was no security operation center. There was no SIEM that people were using for alerts and things like that. So a lot of the things that were my go-to whenever I go to a new place didn’t exist. And so I was like, “Oh my gosh. I have to go back to the drawing board on how I can actually have an impact on this great organization.”

And I came up with this acronym called EASY. It’s the EASY framework. Some people call it the EASY button. It’s E for elicit requirements. You have to find out what the requirements are for your stakeholders. That’s how you build the basis for your threat intelligence program. A is assess collection plan. This is the collection plan to support all of the needs of the people that you’re supporting. And so you need to know where to look, whether it’s a premium feed that you’re using like Recorded Future, or maybe you’re looking at Twitter feeds for different research across the field, maybe it’s internal information. And then S is strive for impact. This was one of the biggest misses when it came to intelligence that I’ve seen. I’ve done it when I was younger in my career, and I saw other people do it when I was assessing other folks’ intel programs. They were missing the strive for impact part. They were giving good information and people were reading it and giving it a thumbs up. But what was the impact? What did the intelligence materially change within that organization? And then the Y is yield to feedback. So creating that feedback loop. A, is this intel what you need, or do I need to pivot? As you iterate on that feedback, you constantly get better.

It’s like that movie with Tom Cruise, “Edge of Tomorrow” — live, die, repeat. He kept dying in this movie. And every time he died, he got a little bit better, got a little bit better. And by the end, he was like this battle hardened warrior that was able to do amazingly incredible things, and it’s because he was able to iterate through. And so that’s what feedback does for threat intelligence. That’s what it does for cybersecurity. And that’s what it does for life.

Dave Bittner:

What are your recommendations for organizations that are just getting started with threat intelligence? What sort of advice would you have for them?

Chris Cochran:

I would say for organizations that are just started, if you can hire somebody to support your threat intelligence needs, great. If not, check out some vendors. Some vendors can double as your threat intelligence arm and support you in the things that you need to be aware of from a threat perspective. But just start small. Don’t think that you have to have everything all at once.

Look at maybe two or three of your most critical assets, and think about what threats might be coming after those assets. And then look at threat intelligence that is around that. Look at the different ISACs that you might belong to in your industry. Look at what some of the other folks are having to combat. And then you can just use that as your indications and warnings, if we could go back to my military days, of what could be coming your way. And that’s how you would start with any threat intelligence.

Dave Bittner:

How do you approach leadership itself? What is your leadership style?

Chris Cochran:

So my leadership style, and I’ve heard people call it different things. I’ve heard people call it servant leadership, or supportive leadership. I really want to support the people that work with me. I feel like I don’t want to say that they work for me. Like I tell them what to do. They work with me, and I want to support them the best way that I can to make sure that they are getting job satisfaction, they’re getting job training, they’re going above and beyond what they thought was even possible, give them encouragement, challenge them, give them critical feedback when it’s needed, and just help them grow.

When I was a lot younger, I had a hard time giving feedback to folks when something was a challenge, or maybe there was a deficiency in some area. But then I grew to realize that if I don’t give them this feedback and no one does, they’re not going to grow. And so I’d be doing them a disjustice or injustice if I didn’t give them that feedback. And so being as supportive as I can in whatever they want out of life and out of their career, that’s what I’m here to do.

Dave Bittner:

That’s really interesting. Because I think it’s so easy for a lot of people to have this approach where you don’t want to hurt someone’s feelings, so you’re sensitive to other people’s feelings. So maybe you’ll hold back with criticism. But in the long run, that might not be the best thing for them.

Chris Cochran:

I wish everything could be happy. I wish everybody could be at 100% at all times. I wish everyone had all the requisite skills and knowledge that they need. But people have deficiencies. I have deficiencies. I have things that I’m constantly working on. I have things that I might not ever be great at, but it’s something that I work towards. And so I appreciate it when people give me that feedback. Because it might be something I didn’t even think of. Like, “Oh, wow. I never thought of it that way.” Let me look into the resources that I have access to improve upon that.

Dave Bittner:

Our thanks to Chris Cochran for joining us. Don’t forget, he is co-host of the Hacker Valley Podcast. Check it out.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.
