McAfee's Michael Rea on Managing Formal Intelligence Requirements

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and thanks for joining us for episode 45 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

Our guest today is Michael Rea. He's a threat intelligence professional currently working at McAfee. He's got prior experience in the U.S. Navy, serving at sea and at shore, including positions at Cyber Command and the NSA. We'll discuss his career, how threat intelligence differs between the military and the private sector, why it's valuable to formalize the management of your threat intelligence requirements, how best to do that, and how that helps make IT teams more effective. Stay with us.

Michael Rea:

I spent the better part of eight years on active duty in the U.S. Navy. I served in a variety of intelligence roles, both ashore and afloat. I got my crack in intelligence on USS Peleliu, which is a now decommissioned amphibious assault ship where I did geospatial intelligence analysis — looking at pretty satellite pictures, essentially — and doing all-source intelligence, fusion analysis, and production for tactical and operational-level leadership in support of maritime security operations, counter-piracy, and humanitarian assistance efforts.

And then, in 2012, I left the Peleliu to go to Fort Meade. From there, I did the ping pong back and forth between Cyber Command proper and the NSA. I spent about a year on the Cyber Command Joint Operation Center watch floor, doing indications and warning analysis in support of the senior Cyber Command leadership. I got to work on a joint Cyber Command and NSA project that I can't talk too much about. And then, my last portion of time at the floor, I was on one of the Cyber National Mission Force teams.

Dave Bittner:

I see. Now, when you were growing up, was this something that was an interest of yours? When you joined the Navy, is this an area you knew you wanted to pursue?

Michael Rea:

No, actually. I mean, I grew up with computers. I think my first one I got was an H5 with a Mac 7100, or something like that. Coincidentally enough, I haven't touched a Mac since middle school. But no, I never really thought about intelligence as a field or even, more specifically, the whole computer IT field. I accidentally fell into intelligence proper before I joined the military. I was studying Chinese studies in California, and I had originally joined the military with the intent on being a linguist, but we all know how military recruitment goes, and they never took me to take the DLAB. Then, my time to start processing into the service came up, and it's like, "Well, you can do intel." I was like, "That sounds great. What's that?" And they were like, "I don't know." I was like, "Okay, I'll do it." And then, that's just kind of how I started my intelligence career from there.

Dave Bittner:

Let's talk about threat intelligence and the role that it plays for the work that you've done, and what you're doing today.

Michael Rea:

I think it's really interesting to see the private sector intelligence discipline arise in the last few years. And I know there has been some portion of that in the more physical security space, personnel security, and things like that. But since around 2012, 2013, the cyber focus, intelligence discipline outside of government has been something pretty interesting to watch.

Still, I don't think it's necessarily understood by a lot of people who are starting to integrate those sorts of capabilities in their environment, but I think in the right organization, and with the right buy-in with those senior leadership roles within those companies, I think threat intelligence, at large, can help reduce risk to the organization, help inform decision makers to make the best decisions possible with the information provided, and help put a more human face behind those who are trying to break into your network.

Dave Bittner:

One of the points that you make is that it's important to have formal intelligence requirement management when approaching threat intelligence. Can you take us through the rationale there?

Michael Rea:

Much like any sort of concerted effort, you want to have clear guidelines about what you're trying to achieve established at the onset. That way, we know what the goalposts are. You have some sort of tangible agreement between what you're supposed to be doing with your intelligence customers. In that way, it helps set expectations on the onset, so both parties understand what they're producing and what they're receiving. That way, there's no miscommunication or misplaced expectations on the hands of the intelligence professionals doing the day-to-day work.

And then, through that sort of requirements process, it helps those senior leadership personnel, or those other organizations that you're working with, gain a sense of ownership with the intelligence process. I find that those organizations who are more or less separated — logically and physically — from their intelligence functions see it as a more abstract concept, one that they don't necessarily see the immediate relevance to the organization.

Sometimes organizations will say, "Hey, that company over there has a threat intelligence team. I must have one now." And then, we all know how corporations like to go buy things, or people, in order to start getting a capability to help get ahead of their competitors. But without that sort of clear, planning vision setting on the onset, you can not only stymie the good work that the people you bring on do, but also, not necessarily get the return on investment that you're looking to achieve out of integrating threat intelligence into your organization.

Dave Bittner:

What would your advice be for someone if they're thinking about spinning up a threat intelligence team? What are your tips on how to go about doing that?

Michael Rea:

Largely, I would say, identify the use cases for intelligence that you think will be the easiest to integrate, the easiest to align personnel resources to, and the ones that are achievable with internal data sets and tools, at the onset. I wouldn't worry too much about trying to get the most expensive, awesome threat intel tool, but to try to find the right people. And that can come from a variety of different backgrounds, be it the more technical focus from your traditional network security arenas, or more toward soft skills, or those who have traditional, all-source intelligence backgrounds that can help paint that bigger picture, from a risk profile perspective. And to start small. Don't try and do everything at once. Establish clear goalposts, and have a more gradual crawl, walk, run sort of sequence, and not try and throw the kitchen sink at it at the onset.

Dave Bittner:

Throughout cybersecurity, we're seeing the market get more and more crowded. Do you have any advice for people for how to break through the noise and know the right questions to ask to make sure that they're getting the services and products that are legit?

Michael Rea:

Yeah. I think, at least from a threat intelligence discipline perspective, I think we're starting to make headway, trying to separate the fact that indicators of compromise aren't intelligence in and of itself. I know for the last, maybe, three to four years, that was one of the biggest hurdles and misconceptions about what threat intel is and what it looks like. And I think with the shift away from specifically relying on IOCs writ large, and almost at the exclusion of more traditional intelligence products, I think that kind of helps change the narrative of what intelligence can look like, and that it isn't just something that you can plug into a machine and it makes fancy alerts in a SIEM somewhere.

But also, know what specific intelligence questions you're looking to get answered. Not everyone will have the same benefit from collection from the underground cybercriminal markets. Depending on what sorts of technologies you have in your organization, specific vulnerability intelligence vendors may or may not be of particular use to you. Nation-state groups may not always be what you are most worried about, and that’s what keeps you up at night. So, just being able to set reasonable expectations about what your organization's threat profile looks like can help drive what sorts of tools, capabilities, and data sources that you need. Try to not get caught up with the marketing and PR hype of a lot of the vendors out there, and just focus on your specific use cases and start driving acquisition efforts toward those.

Dave Bittner:

We often speak about this idea of turning information into intelligence, and the human factor that goes along with that. Do you have any thoughts on that combination of being able to use automation to manage the fire hose of information that comes in, but then, combining that with the intuition that only humans have, so far?

Michael Rea:

Right. I think it's definitely a balancing act that I think we, as a community, need to take a hard and fast look at. I think with the drive toward a lot of security automation and orchestration, the intentions are well placed there, but I don't think relying too much on that sort of automation … I think machine learning and the AI bubble sort of plays into that, but ultimately, at the end of the day, intelligence isn't something that can be done by a machine.

At best, it's something that will help wrangle the data in a way that's useful for an analyst to sit down, take a look at, and start deriving their conclusions based on something that's been sort of pre-processed or pre-collated, and sort of analyzed at a first-level layer from a machine perspective. But ultimately, it's a human-driven process, and from there we, as analysts, can help derive those sort of analytic conclusions and help provide policy, or operational recommendations, to the stakeholders at the end of the day.

Dave Bittner:

Can you contrast the sorts of threat intelligence that you used in your government positions with what you see today and make use of in the private sector?

Michael Rea:

I mean, I think the difference between the public and private sector threat intel space is the audience in which you're trying to engage with, and the extent of the decisions you're trying to influence. In government, you have the potential to influence national and international policy, whereas, if you're in the private sector, you're only looking at a more micro-organizational level, even if that organization operates with a global footprint.

I think, ultimately, it's just about the level of impact that you'll have with the conclusions that you derive from your analysis, and what you're recommending to the specific customers of intelligence. At the national level, that could change the outcome of national or international events, whereas, in the private sector, it's a lot more narrowly focused. And even if it's a global company, you're only going to be affecting what's best internally, or help drive some small changes, potentially, in the way that the organization does business, so to speak.

It's just a different approach and mentality for what sorts of recommendations and action items you're trying to give those customers. At the end of the day, that sort of makes a difference. The process of doing the collection and analysis is more or less the same — the government just has a lot more legal leeway to get all the fun, different types of data that they can.

Dave Bittner:

I see. You know, you mentioned earlier, companies at the high level maybe not having a complete understanding of threat intelligence, and how it helps them manage their risk, and so forth. What do you think it's going to take to bridge that gap, to translate that information, so that people in the boardroom get what threat intelligence people are up to?

Michael Rea:

Yeah, so, I think it's an interesting question, and it's one that I think about quite a bit. But I think it takes a concerted effort from both the intelligence team within the organization, to have the organizational visibility, to have a more clear and direct communication line with that senior-level leadership, and to engage them in the process to where we're not getting wrapped up in the jargon of the discipline, but translating it to more business-palpable terms, something that you don't have to spend two to three hours explaining. You just switch the language that you're using, and then be able to connect and build a bridge with your customers. And I think it's also imperative that those intel teams help manage the fear and uncertainty of doubt about the risk profile that the company has.

Dave Bittner:

Do you find that there are some common misunderstandings about threat intelligence that you wish you could help people understand better?

Michael Rea:

Yeah. I think one of the biggest misconceptions that persists within the private threat intel discipline is that other technical skills within digital forensics and incident response, such as malware analysis, or host and network forensics, are intelligence analysis skills in and of themselves. I think that while a lot of the public reporting on malware, actor camps, and things like that focus on that technical detail, they paint a misconception that those are intelligence analysis skills, so people who possess those are automatically able to do intelligence work.

I think that's a bad misconception for a variety of reasons. One, I think, is that it sort of diminishes the more strategic and more soft analysis of the threat. I think that there's a perception that intelligence reporting that isn't technical isn't of use, and I think that just comes from a misunderstanding of what true intelligence analysis looks like. What are the analytic processes and rigor that goes through that production cycle? That, I think, a lot of organizations and people are still struggling to figure out how to take action on. Something that isn't, "Hey, block this hash," or, "Blacklist this IP," or something like that. I think helping to bridge that broad-level misconception about what threat intelligence is will go a long way in helping organizations understand and reduce their risk profiles, and then help stop the bad guys.

Dave Bittner:

Our thanks to Michael Rea from McAfee for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Produce Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.