Understanding Your Environment and Communicating the Threat
February 5, 2018 • Amanda McKeon
Building a successful threat intelligence operation and team involves many important considerations. What are your organizations critical assets, who are your potential adversaries, and how do you best communicate with the rest of your organization to ensure your efforts are properly focused and your conclusions properly understood and implemented?
Our guest today is AJ Nash. He’s the cyber threat intelligence evangelist and manager of intelligence services at Symantec. It’s a big company, offering a diverse array of cybersecurity products and services, with some well-known brands like Norton and LifeLock, as well as threat intelligence products and services.
Our conversation covers a wide range of topics, including the foundations of intelligence and the intelligence lifecycle, the challenges of moving from the military to the private sector, leadership styles, and how to be sure you’re asking the right questions when it comes to threat intelligence.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and welcome to episode 42 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire. Thanks for joining us.
My guest today is AJ Nash. He’s the cyber threat intelligence evangelist and manager of intelligence services at Symantec. It’s a big company, offering a diverse array of cybersecurity products and services, with some well-known brands like Norton and LifeLock, as well as threat intelligence products. Our conversation covers a wide range of topics, including the foundations of intelligence and the intelligence lifecycle, the challenges of moving from the military to the private sector, leadership styles, and how to be sure you’re asking the right questions when it comes to threat intelligence. Stay with us.
If I had been asked what I was going to be when I grew up, this is not what I would have answered. I actually, growing up, was probably going to be in the legal field someplace, but I was kind of a traditional underachiever. I was a bright kid who didn’t apply himself well in school. I kind of wandered through for a while. So, after a few years of not doing much outside of high school, I decided to join the military. I just wanted to be a part of something bigger and be meaningful in some way. Through a course of events, I ended up in military intelligence. I was a linguist in the Air Force. Not a very good one, as it turned out, so I became an analyst, and everything has sort of flowed from there.
I did intel analysis. I’ve done counterterrorism, counterinsurgency, chased war criminals for a couple years, did some counter-IED work, and then, eventually, wandered into cyber. There’s a lot of developing intelligence there, and I was asked to apply some of those skills to the cyber environment. So, I did some countering of threats in cyberspace for about five years in the government sector. And then, like many people in the IC, I was certainly interested in seeing what might be outside, and I was recruited. As it turned out, a large bank reached out and was trying to build a threat intel program. So, I had a chance to take advantage of that, and I came over and started applying what I’ve learned in the military and in defense contracting to the private sector.
And then, again, somebody recruited me. I had a chance to come over to Symantec, and now, I try to help a lot of people do what we had accomplished at the bank, and then build off of that. Now, I’m really trying to teach a lot of people what I can about what intelligence is. The private sector has picked up the terminology and they want to apply intelligence and cyber intelligence, or cyber threat intelligence, but some folks are misapplying those terms, still. So, things as simple as the difference between data, information, and intelligence. I like to have that discussion, or talking about how to operationalize intelligence, or consulting with folks on how to build your team.
What are you trying to accomplish? Let’s talk about your end goals and what your deliverables are going to be, and then we can work backwards and try to figure out how to build from there. So, it’s been a long journey. I can’t say much of it was planned out. But I really like where I am right now, and I like where the industry is, so it’s fun to contribute to something that’s growing and meaningful.
When you came out of the military and you were heading into the private sector, when you got recruited by that bank, what was that transition process for you? And when you were part of a team that was starting to spin up this department, there must have been … It’s a different culture. It’s a different environment. How did that go for you?
Yeah, that’s a great question. I did about 10 years in the Air Force, and then I did move into defense contracting, so I had about nine9 years of defense contracting, which is not really private sector. It’s still in the IC, but it sort of moves you a little bit there, so I already understood a little bit about profitability and bottom lines and contract development, things like that. But then, the real leap from there to the bank, to the true private sector, was a shocking culture change for me. So, truth be told, they were good and bad. It was invigorating and freeing. You realize … You think you’re an adult when you’re in the military, but you’re very regimented and controlled.
You do very important things, but you realize you don’t have that much freedom. And then when I moved to contracting, you thought, “Wow. This is a much freer life,” but you’re still very confined. It’s the nature of the work. It’s good for that industry. It’s what you need. But moving to the private sector was like becoming free range. You come and go when you want. We have responsibilities and things to accomplish, and, “Let’s set some goals and work toward them,” but it’s a lot of just, “Do whatever you need to do and get things accomplished.” It was strange to have someone hand me a company credit card and tell me to use it when you need it.
I realized what the rest of the world felt like in adulthood, to be honest with you. It was just a very different feeling, so it was very freeing. But there’s also some things that I misstepped to be honest. I came with a government and military background, and again, you deal with some folks who have never had that background, and you have to realize that people don’t all act the same way. You spend 20 years in that environment, or almost have 20 years in that environment, and you start thinking that everybody thinks that way. So, I took for granted that some people understood things they didn’t, which I had to slow down and do.
I also took for granted that communication styles are different. The private sector works at a different pace, so you have to really learn to adapt and adjust. In the government space, many people end up thinking and feeling kind of the same. You were doing it a long time. A equals B, and that gets to C. It’s kind of an understood thing in a lot of areas. In the private sector, it’s just a very different environment. So, I stepped on some toes. I made some mistakes — things I’ve been able to help others transition out, learn from, to try to make that an easier transition. Overall, I’m absolutely thrilled with the move. I love the opportunity.
Moving on to Symantec, being my second position in the private sector, I learned from my mistakes at the bank and I’m having a much better experience. I think everybody around me probably is. But yeah, it’s a very different culture. I think it’s freeing, and once you get used to that freedom, it’s a really exciting place to be. I really love it.
And so, what’s your day-to-day like at Symantec? What sort of responsibilities do you have there?
That’s a great question. I don’t have any two days that are alike. My responsibilities are quite varied. So basically, the things I do — I work anything from pre-sales engagements, working with prospective clients, to education and some fact-finding. Here’s what intelligence is, here’s what you can get from it, where are you, and really, trying to find out where they are as an organization in terms of maturity, from an intelligence standpoint. I spend a lot of time working with prospective clients, I spend time working with our internal sales team. I’m still teaching intelligence to the company. Prior to my arrival, I learned … As I arrived, I asked people what they were telling or what they were selling, and in a lot of cases, it just didn’t add up to reality.
They were given some bad information to work with, or they were filling in gaps, which happens. So, I spend a lot of time now helping, internally, to get our message aligned with our services and getting people going in the right direction. I’ve been doing that for a while. And then, post-sale, working with our clients. So, engaging clients to understand their needs. Capture those intelligence requirements. Working with our team to make sure we’re meeting those needs. Maturing our service as we see changes. So, making strategic changes, or sort of the day-to-day changes, just tweaking some of our products and services, so we’re always improving what we’re providing to our clients.
And then, the last piece is a lot of public speaking and engagement. So, I write papers and blogs, and I speak publicly, whether it’s at invited small business events, or whether it’s doing large engagements — maybe RSA, something like that. Really, trying to do that thought leadership piece to just contribute our piece to that puzzle. There’s a lot of brilliant people in this industry — people much, much more experienced and smarter than I. But we also have a small piece that we can contribute. So, I like to get out there and try to educate people. There’s a lot going on in cyber. Essentially, we’re at war every day in cyberspace, and we’re all on the same side, really. I don’t care what vendor you work for, or what company you’re involved with. We’re all interconnected.
So, I like to go out there as much as I can and just contribute positively to the knowledge base so that we’re improving everybody’s defenses.
You mentioned, earlier, the difference between the information and intelligence, and how information becomes intelligence. Can you touch on that? What’s your take there?
Yeah, absolutely. So, I’m going to quote some military doctrine in this. There’s Joint Pub 2-0 — really, the foundation for this. So, JP 2-0 talks about the difference between data and information and intelligence. And in simple terms, data would be a list of IP addresses. A lot of people are claiming, “I need intelligence. I need threat intelligence.” When you start asking them what it is, they say, “Well I just need all these IPs so I can build these white and blacklists.” That’s not intelligence. That’s really valuable — it’s important, but that’s data. If you want to move information, now you’re talking about some data with context, some informed data, I would say. So, that’s taking that same list of IPs, and now, we’re providing some sort of a threat score with it.
So, you’ve got a little more context, something more to work with. But when you get to the far end here, to the finished intelligence piece, now you’re talking about taking those IPs and having a threat score, but also, associating with specific actors or groups. Specific tactics, techniques, and procedures, maybe a specific signature. When was the IP good? When was the IP bad? When was the IP good again? Because those things come up and down, you get a timeline on that. And then, understanding the likely motives of the adversaries associated with that IP, so getting all of that context together — that’s when you get into more of a finished intelligence look.
So now, you’re able to not just create lists, but you can start looking and saying, “We’ve seen traffic coming in from this IP. What does it mean?” Well, this traffic … If we’ve seen this signature that goes with it, we can trace it back to this actor, and we understand their general motives. And then, based on the targets that we can determine, is this something we should prioritize higher? Is this a threat we should expect to see more of? So that’s, in a nutshell, how it ends up playing out, and they’re very, very different. The data and the information are incredibly important. They’re foundational. You can’t get to intelligence without them. But when we talk about threat intelligence, it’s really getting that holistic picture.
How do you guide people to be applying threat intelligence in ways that are best suited to them? I’ve heard people say that some people go out there shopping for threat intelligence, but they really don’t know what they want. And if you’re asking the wrong questions, you’re not going to get the right answers.
Oh, yeah. Absolutely true. The easiest way to focus on that, I would say — again, I’m going to refer back to some intelligence community doctrine. We’re pretty well-rooted in the IC doctrine. So, whether it’s JP 2-0, whether it’s ICDs, or something like that. But we follow the intelligence cycles. So, the first step of the intelligence cycle, it covers understanding what your needs are. For us, we talk about intelligence requirements, priority intelligence requirements. So, a good example of this, I would say, is when I worked at the bank. When I first got there, we were going to build this intel program, and I said, “Well, that’s great. What are our intelligence requirements?” Everybody looked at me blankly, and I realized that this wasn’t a well-understood term.
So, in that case, what I did was I sat down. The bank was built into multiple, different lines of business. So, I sat with the information security officer for each line of business and just interviewed them. It’s the easiest way to understand what their needs are, and there’s a lot of questions you can ask — some of the simple ones. You know, talk to me about your processes. Talk to me about your critical processes, and then, what technologies are you dependent on to make those function? Talk to me about your data, your critical data, the stuff you can’t live without, your golden nuggets. If they’re compromised, you’re out of business.
And then, what technology stack are you dependent on there? And then, talk about your communications. So, those are three easy areas to look at. And based on that, we were able to really understand the critical technical areas we had to worry about. Then, we can start focusing our efforts, in terms of research, on threats against things that matter to us, things that were most critical to us. So, I do the same thing now with clients — with all of our clients. We work through and try to understand their requirements so that you can tailor your collection and your research to meet those requirements. Then, the second half of that is, how do you make this work? Right?
Also, understand your clients. That’s sitting down and understanding what their organization looks like so that we can determine where we’re going to put this intelligence once we get it. Intelligence can be tactical. It can be operational. It can be strategic, and they all have different needs. Strategic intelligence can get you to the CSO, or the C-suite, maybe, and that helps with large muscle movements of an organization. Where are we going to invest? How do we want to pivot? If there are major threats to one system, should we move to a different system? Those kinds of things. Whereas, the very tactical intelligence is boots on the ground.
We need to make some changes here. We need to change how we have access to this port. We need to blacklist some of these IPs, for these reasons. We need to take another look at this business email compromise, or a scam that’s going on, and look at how we’re scanning that out through our emails — things like that. So, we do all of that. It’s a consultative approach, where we try to embed ourselves as much as we can with our clients, and get into their processes and onto their teams so we can really understand, from the inside, what those needs are. Once you have that, it gets much easier to apply that intelligence where it needs to go.
Otherwise, if you don’t have intelligence requirements, and you haven’t understood a client’s needs, you’re just chasing a bunch of shiny objects and throwing things at them, hoping some of it matters, and a lot of people waste a lot of time and money that way.
You spoke earlier about how, earlier in your career, you might have considered being a linguist. It strikes me that one of the pieces of this puzzle is the ability for the threat intelligence team to translate what they do, adjust the information that they gather, and analyze it to the other people throughout the company. Do you have any thoughts on how to best do that?
Yeah, that’s a tremendous challenge. I was a linguist for a while. I wasn’t a very good one. And now, we do see … There are a couple things we see when you go down that road. First, within intelligence, we employ several linguists because it’s important to be able to take language in native language and move it back to English. You hear very different things. You read very different things. But then, translating it English to English within the company to make sure that folks who are less technical, or less intelligence-inclined, understand what we’re doing. That’s an ongoing process. That’s a big part of my job. As I said earlier, I work with sales a lot. I also work with product management. I work with our managed services teams.
We have to help them understand how intelligence fits in. So, there’s a lot of internal education that goes on. I’ve done some training internally, and I’m sure we’ll continue to do more to really educate the entire workforce on what intelligence is. We are a cybersecurity company end to end, from the data coming in, all the way to the finished intelligence products. It’s a network. Everything works together. This is one environment. So, all of our intelligence pours into all of our other products and services. It’s a lot of communication. We have a very big company, so communication takes time and effort, but we’ve been working very hard at that.
I think, at this point, I’ve been with the company now about a year and a half. I think we’re just getting to the point now where it’s filling most of the space of the company, where they’re starting to understand. There’s still pockets where I’m working internationally, but there’s just a lot of communication to help people understand what intelligence is, and really, probably more importantly, what it isn’t. There’s far too much misinformation regarding intelligence. I don’t think it’s intentional, but there’s a lot out there where people think, “We have intelligence organization,” like a magic ball, or, “We can get into the dark web. We can see everything.” Those are just misconceptions.
So, we need to help people understand that expectation management is a big part of intelligence, as well. It is in the intelligence community as much as it is in the private sector.
Does the challenge of transferring information … Does that flow in both directions? In other words, the rest of the company being able to receive the messages that the threat intelligence team is putting out, but also, the threat intelligence team being open to what the rest of the company is saying.
Absolutely. Absolutely. It’s a two-way street for us. So, for instance, our managed services organization. We’ve got thousands of companies, anywhere from Fortune 50, out to those that we manage networks for. We are constantly engaging with those organizations, and we’ve reached a point now … It was, I would say, stove-piped in the past. We’ve broken down a lot of those barriers, and now, those analysts will reach out to us and say, “Hey, we just saw this on this client’s network. Is there anything else you know about this?” Or, “We want to tip this off to you, so you guys can do some research on that.” So, it’s a constant back and forth in terms of the technical side, our managed services team, reaching out to the intel team.
And then, we get the same thing from the business side, and from the sales side, as well. As we’ve gotten the message out of what we do and how we do it, we get more and more engagement back. I, in fact, just on the way over here, had a salesman call me. So, talk about an opportunity with a client and how we can structure that opportunity. And being in a position to be that far upfront, we can say, “Here’s all the services Symantec offers.” Now, we talk about, specifically, how we can customize it to that client’s needs and make sure that we’re giving them ground truth on, “If you go down this road, and if we build this intelligence organization, this is what you can expect to receive.”
So, we’ve reached that point where, I think, we’re really interconnected. I get a lot of phone calls. All over the world, people call me, so I’m up 24 hours a day, pretty much, which is great. I love that kind of work, but I think we’re getting to that point now where there’s a lot of two-way streets. People understand they can reach out to myself or others on the team just about any time, and ask just about any question. And as a result, that education just continues to flow, and we gain a lot from that. When MSS reaches out and sends us — I’m sorry, MSS is the managed security services organization — when they reach out and tell us what they’ve seen in the networks, that gives us something to jump on and work with.
So, we’ve gotten to the point now where that’s really interconnected. And then, from a tactical standpoint, whatever we do pours back into the systems we have. So, it pours back into our giant data lake, and it pours back all the way down to, say, Norton Antivirus. So, it’s all working together as one ecosystem.
As we’ve seen new threats coming our way — as the threat actors evolve, increase their sophistication — what have you seen in terms of necessary evolution on the threat intelligence side?
I think, a couple of things we’re seeing is threat actors get more advanced, and there’s more of them, frankly. So, there’s a lot of money in this industry, if you’re talking about it from a cybercrime standpoint. And from a nation-state standpoint, we haven’t really found a significant deterrence, in my opinion, for most nation-state actors. We’ve seen a lot of things in the news. Specifically, if I want to bring up China, for example. But when you look at the Chinese problem, stealing intellectual property is a multi-billion dollar success story for China, and there’s nothing that I’ve seen so far that creates a deterrent that that outweighs that profit.
So, these things aren’t going away. As far as what we need to do, I think part of it is getting faster, which is hard. Intelligence requires time to be successful. Speed is always an issue, so I think we’re seeing more and more push to machine-to-machine. You know, machine learning. People talk about AI, artificial intelligence. Those aren’t the same thing, but we’re really working down that path. The more things we can get to the point where they’re automated, where there’s enough of a thought process built into a machine that it can take care of the first, second, and third tier, perhaps, and allow us to put more of our time and energy into the higher-need questions, the more it’s going to help us, I think, as an industry.
So, I’m seeing a lot more of that. I think there’s a big push. I would say, 2018 is going to be a big leap forward in machine learning and AI, and we really need it. We’re not winning, to be honest with you. I don’t know that we’re losing, but we’re not winning. I haven’t seen things get better over the last couple of years. I think defenses are getting better. I think companies are getting smarter, but I think adversaries are also constantly improving, and we’re just chasing them.
Now, I want to switch gears a little bit and talk about your own leadership style. You work with the team, the people there at Symantec. How do you approach that? How do you lead your team?
So, I’m a big believer in what’s known as servant leadership. My background actually comes from that. I learned some of that when I was in the Air Force, and then I actually started in school. I got a master’s degree in organizational leadership from Gonzaga — go Zags — and it’s the foundation — that is, servant leadership. So, in a nutshell, what servant leadership is, is you look at a couple different styles of leadership. There’s the hierarchical style leadership, kind of a traditional, “I’m the boss. You’ll do what I say because I’m the boss, and it’s my job to make sure things get done, and I’ll be demanding, and we’ll all follow along.” And then there’s servant leadership.
With servant leadership, the theory is my position, or my position of authority, or my title, or whatever you want to call it, offers me the opportunity to do more good and help more people achieve. So, as a leader, I believe it’s our job to knock down obstacles, to work with the team to understand, “What do you need to accomplish personally for yourself, for your own satisfaction? What do we need accomplished as a team?” Because, obviously, we do have some goals we have to get through. How we blend those together, and then just get out of the way, and let people do what they do well. Guide them if there’s challenges. Know that I’m always available to help, anytime, day or night.
My number one priority is that we succeed both personally and professionally, and then try to knock down as many obstacles as you can. Give people opportunities to be free, and be free to make mistakes, too. You can’t have a one-mistake environment. People have to understand if your intentions were good, and you did the best you could, and it didn’t work out, that’s okay. That’s going to happen sometimes. I’m a big believer in giving people the opportunity to be a little risky and take some chances. I’ve often told people, “Listen, if it’s not immoral and it’s not illegal, I got your back.” Those are kind of my guiding principles. Go do good things as long as it’s not immoral or illegal.
Easier to apologize than get permission.
It definitely is. It definitely is. There’s a few things I can’t help people out on.
We always make sure. I mean, we’re in corporate environments. Read the corporate policies. Make sure we’re staying within policy, but outside of those things, be free. Don’t be in a box because you have a specific title, or because you think you have a specific role. If you think there’s something more you can be doing, then go do it, go ahead. You don’t have to ask permission. We’ll sort it out and we’ll figure out how it fits into our team. I’m lucky enough to work in an organization where my leadership feels that way. Part of the reason I’m here actually is, when I was being recruited, I actually interviewed my director more than the other way around and asked him about his leadership style.
He talked about what he called an upside-down pyramid, which is the same concept as servant leadership, where the most important people are the team, and the least important person is the person who’s in a management position. Their job is to support everybody else. For us, everybody’s on a first-name basis. Nobody knows anybody else’s title, or rank, or anything like that. I can make a phone call to the president of the company right now, and he would answer it and know who I am, and not be offended. He probably would want to know why I want to call him. But from vice presidents, senior vice presidents, directors, whoever it might be — it’s a very open environment, which fits very well, and definitely fits my style.
It was the deciding factor, for me, in joining the team. I knew I was going to be someplace where I could fit right in and where they believed the same things. I believed in leadership and supporting the team.
I want to wrap up with you. Is there anything, when it comes to threat intelligence, that you wish people were paying better attention to, that they’re not? Do you feel like there’s anything that people are just missing?
Oh, there’s so much. Let’s see. Things that people should pay more attention to. Well, I think people are definitely quite focused on Russia. They’re quite focused on China. And rightfully so, nation states are always going to be an issue. People are certainly focused on cybercrime. So, what are we not focused on right now?
I often hear people say, “Don’t forget your basic cyber hygiene — updates, patches,” and those sorts of things. But I suspect there’s more to it than that.
Yeah, that’s a good point. So, sadly, a lot of the things that happen are very basic. A couple of things that frustrate me regularly when dealing with cybersecurity is, it really goes back to the kinetic warfare world. So, if you’re dealing in kinetic warfare, you need to understand your environment first. Before you go to war, you get the maps out, and you do all your planning, your preparation of the battle space, figuring out where the highest mountains are and where the best bridges are, and get your landscape down before you get involved. And surprisingly, very few organizations have a very good understanding of their own landscape.
Configuration management databases or change management databases aren’t woefully out of date. That hinders any solutions, certainly from an intelligence standpoint. So, in many cases, I can go to a company and say, “Hey, listen, we’ve found a new zero-day exploit against this version of this software. Can you tell me how many instances of that you have in your network?” And they don’t have any idea. Well, I can’t tell you how big a threat this is to your organization if you don’t know what’s in your network. So, I would say the biggest concern I run into, or one of them, certainly is understanding your own environment.
You can provide the best threat intelligence in the world, but unless you know your environment, you don’t know how to apply it properly. So, I work with a lot of people on trying to understand their own environments. I think there’s so much buzz about what’s going on outside of us, that we oftentimes aren’t doing a good enough job of handling our internal things appropriately. Some of the other ones you mentioned are simple ones. Keep training people. People do a terrible job on cybersecurity training in many companies. The easiest infection vector is still email, and yet, a lot of companies don’t put enough effort into training people to not click on that link.
Business email compromises are another rather easy scam to pull off, where you convince somebody to pay a bill that doesn’t actually exist, something like that. It gets a little more complicated if the adversary, maybe, spoofs the CFO, for instance, and then uses the CFO’s name and email to send an email to somebody in bookkeeping, or whatever it might be, to pay a bill. But a lot of those just come back to training. So, I guess the two I would focus on would be configuration management databases, getting those up to date and keeping those up to date, and training your personnel. I think that would eliminate a lot of problems.
If I had one more to throw in there, it would be backups. Backing up data on a daily basis, if possible. So, the big reason I would say that is, if you have backed up data, regularly backed up and you don’t keep too much on your own computers, then you really can eliminate most of the problems that come with ransomware. Ransomware is always in the news. It’s a massive problem internationally. But it really relies on somebody to be dependent on that piece of hardware. If they ransom your computer, and there’s no data on it, or there’s data that’s backed up, then you’ve taken away the threat. You can just wipe the computer, start over, and reload your data.
But they’re taking advantage of a lot of organizations that don’t have data backups. The one exception would be the healthcare industry. They’re taking advantage of the healthcare industry because of some concerns in some of their pieces of hardware where the software can’t be updated. They’re still running Windows XP, and they’re taking advantage of healthcare, because you’re in an environment where it’s life and death. So, they have their own set of problems. But I would say, yeah, the training, the configuration management databases, and then, really good data backups.
AJ Nash, thanks for joining us.
Thanks for having me. I really appreciate it.
Our thanks to AJ Nash from Symantec for joining us.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.