The Importance of Adversarial Focus

April 23, 2018 • Amanda McKeon

Our guest today is Greg Reith. Greg began his career with U.S. Army Special Forces with a specialty in operations and intelligence. His experience includes counterintelligence, analysis, and collection at both tactical and strategic levels. At the end of his career in the military, he transitioned into information technology and was an information systems security officer. Most recently, Greg led the T-Mobile threat intelligence team as a senior security engineer and developed the T-Mobile threat intelligence strategy.

We’ll learn about his career, get his thoughts on leadership and assembling teams, and how he’s learned to integrate threat intelligence into his work. He’ll also describe a technique called “adversarial focus.” We’ll learn what that is and why it’s important to understand.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and thanks for joining us for episode 53 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire. Our guest today is Greg Reith. Greg began his career with the U.S. Army special forces with a specialty in operations and intelligence. Greg’s experience includes counterintelligence, analysis, and collection at both tactical and strategic levels. At the end of his career in the military, he transitioned into information technology and was an information systems security officer.

Most recently, Greg led the T-Mobile threat intelligence team as a senior security engineer for threat intelligence and developed the T-Mobile threat intelligence strategy. We’ll learn about his career, get his thoughts on leadership and assembling teams, and how he’s learned to integrate threat intelligence into his work.

He’ll also describe a technique he calls “adversarial focus.” We’ll learn what that is and why it’s important to understand. Stay with us.

Greg Reith:

My intelligence experience starts back … I was in the service, so I spent 21 years as a special forces operator and my specialty was intelligence and operations. I’ve been through the basic course, intermediate course, and then some advanced intelligence training. I did collection, I did analysis, I did tactical and strategic. And after that, I was a director of security for a company called Winfirst. It was about a billion-dollar startup, and they took fiber to the curb back in 2000. After that, I had a software company for a period of time, and after that, I did mostly consulting work. I did consulting work for AT&T, Microsoft, and some other big companies. And that was focused around risk assessment, penetration testing, security architecture, threat assessment — things of that nature. Eventually, I ended up at T-Mobile. I was there for a period of time, and now, I’m primarily just consulting and training.

Dave Bittner:

Can you describe for us, working with T-Mobile, for such a large communications company — how does a company like that approach threat intelligence?

Greg Reith:

When I went into the role, they didn’t have a program, so I basically developed the program and matured it as best I could over time. I think one of the big things about doing intelligence into some of the bigger companies is, you have to have someone that’s got practical experience at doing it and has had the right kind of training. There’s a lot of stuff on the internet that’s not correct, and it really takes someone that’s got that capability to build that kind of a program. T-Mobile did put some money to it. We did have a small team. It kind of really depends on what your organization’s goals are. Some people don’t want to know what the threats are and how they might impact you, and some do.

Intelligence is expensive. It’s very resource intensive, it’s time intensive. It is not a real-time capability. It’s over time, and a lot of vendors are really selling you information as opposed to intelligence, and you’re trying to develop intelligence. So there’s a lot of confusion in the market, in general, and it kind of takes someone to be able to bring all that together and define what it is you really need to do and the best approach to go about doing it.

They gave me a lot of leeway in terms of setting up the initial capability. And like I said, depending on goals, objectives, and things of that nature, the ultimate goal of an intelligence team is to be able to develop warning intelligence and reduce strategic and technical surprise. It’s not really to support a response team, and it’s not really to support a team specifically with focus. It’s its own entity. It supports multiple teams, and I think sometimes organizations get a little bit confused about that in some cases. But it was a good experience and I’m glad I did it.

Dave Bittner:

Can you describe for us — how did you promote the value of threat intelligence to the people you worked for? You said it was expensive, so how do you make the case that it’s worthwhile?

Greg Reith:

In order to make the case, you have to … It’s a lot different than working for an agency or the military, or someone where they understand it, and they have budgets for it, and they have dedicated collections teams, and so on. So, because it is expensive, if you’re going to do it correctly, you have to be able to quantify what you’re going to get out of it at the end. Unfortunately, intelligence is one of those things that does take time. It’s not something where you can always have intelligence every week that’s literally making significant difference in terms of ROI and things like that.

So, you kind of have to be able to develop some low-hanging fruit in the form of some enhanced information as you’re developing intelligence. And then, over time, as you present intelligence and it’s meaningful, then it gives them the benefit of having some forewarning about things that are happening. Either within the industry or at the organizational level, and so on. There’s a lot of shifting that goes on over time and you have to continually take that into account. What you’ve got to be able to do is, you have to be able to define a program that’s going to be cost effective to some extent, but is going to provide some actionable capability. Having said that, actionable capability can be kind of, in some cases, more difficult to develop because sometimes you do have some hard timelines, and intelligence can be fairly difficult to develop.

It’s about having a well-rounded program and having the capacity to augment staff — and you need to through a third party — that has the capability of pulling intelligence and doing analysis when you need that kind of help. But then, having the right kind of tools in place that allow you to do data collection analysis, and then, being able to present that to decision makers. Ultimately, you should be presenting intelligence for decision makers to use to make decisions with.

I had to develop a strategy, and a strategy that was an all-encompassing strategy. It did cost a bit of money. T-Mobile did end up hiring some staff specifically for developing intelligence. Basically, I had to show them that, well, this is what it can do and this is what you’re going to get out of it, and so on.

Dave Bittner:

So they recognized the value in it. I’m curious — what, from your experience in the military, were you able to bring to the private sector? Were there specific things that you felt benefited your ability to act there?

Greg Reith:

Oh yeah. It gave me an understanding of what intelligence was in the first place. It’s a lot different than what a lot of people think it is because a lot of people just haven’t really been exposed to it significantly in the past. I learned about the intelligence cycles, I learned about collection. I did collection, I did analysis. It takes probably 10 years to really develop a decent analyst. That’s because there’s a lot of mindset and bias issues that they have to be able to address. And first, before you can do that, you’ve got to be able to identify the fact that they even exist.

And then you start going into becoming an intuitional expert, which takes a lot of time. It’s not something that happens overnight. You have to have a lot of practical application of doing it to be able to be effective at it. You can use other techniques like structured analysis, which help you reduce mindset and things of that nature. And then you can use some sense making techniques for the more wicked problems, but all in all, you have to have the background. The background has to exist if you’re going to be very effective at doing it. And you have to have a practical application if you’re going to get to a point to where you can produce intelligence with some decent amount of accuracy.

Dave Bittner:

You just used a term, “intuitional expert.” Can you describe to me what that means and how it benefits?

Greg Reith:

Intuitional analysis is what a lot of the more experienced intelligence analysts will rely on. And then, sometimes, they will employ structural analysis techniques, and so on, but everybody has intuition. There are two types of intuitional awareness; there’s expert domain based, and then there’s heuristic. In order for someone to be an expert domain-based analyst, they have to have a lot of deep-level knowledge into a particular area that they’re doing analysis in. If I look at some indicators, for example, or look at some signposts, then I can kind of determine what they are.

Intuitional awareness and intuitional assessment works very, very well from an expert perspective, provided that what you’re looking at fits within the left and right boundaries of your domain of expertise. Heuristics is really about using intuition and using a set of rules that you can apply to a particular scenario or situation where it fits the rule, and then you can make an intuitional assessment as to the validity of what you’re seeing based on how it fits into that rule. That’s primarily what you’ll come across from an intuition perspective when you’re developing intelligence.

Dave Bittner:

We often talk about machine learning and artificial intelligence and how that can supplement the work that an analyst does, but that it really is up to an analyst. And I guess, the machine-learning tools don’t have the capability yet to have that sense that, “This just doesn’t feel right.”

Greg Reith:

Yeah, intelligence requires a person to make a judgment, and is in some cases an analytic leap, relative to an analysis. And yeah, machines aren’t quite to the same level that humans are at this point, but the other thing is, you have to have the right platform. So when you look at an attack, for example, most of the tools today are primarily point in time, and a lot of statistic attacks happen over time. You have to be able to correlate what’s already happened to what’s happening in the now to be able to develop trending and be able to forecast things. You have to have a platform that gives you the capability of link relating data on ingestion. And then you can apply machine learning on top of that to really develop some meaningful intelligence. Just applying machine learning to a single scope domain of information doesn’t give you the capability to take into account the other aspects that might have impact to that particular analysis.

When you start looking at problems in general, you can have tame problems and wicked problems which are either simple or complex. And the complex problems normally span multiple domains. So if you’re not analyzing data across multiple domains and you don’t understand things like adversarial focus, then you’re missing out on a big part of the data you need to accurately be able to do an assessment. It doesn’t matter if you’re using machine learning or not — if you’re not using the right data, then the analysis that you do, at the end of the day, is not going to be as accurate as it could be.

Dave Bittner:

What about human-to-human collaboration? You’ve got a team of analysts, and one of you has expertise in a certain area and another one has expertise in another area. How do you foster that sort of communication to say to your colleague, “Hey, I’ve got a funny feeling about this. What do you think?”

Greg Reith:

When I was at T-Mobile, I did some training. I trained a team and I trained some other business units in threat intelligence. One of the things that I’d tell them is, you have to have multiple eyes on a problem to give you a better analysis. And that’s absolutely true, and it goes back to the mindset bias issues that every human being has. When you have 10 analysts and you’re working a complex problem, if all 10 of you agree on something, then something’s off. There should be — because of your mindsets and bias — a difference of opinion. If everybody is involved in a problem and you come to the same solution, then you have to start looking at groupthink as being part of the problem.

When you’re approaching other business units, other people, and so on, you should set up some kind of formal structure where you can do an assessment, or you can input data or take data back from another entity, another person, and so on, as part of the analysis process. You’re going to have disagreements. That’s part of what it is, but it gives you a better understanding from other perspectives about that particular problem and the analysis that you’re doing.

When you have the capacity to include other people in the analysis, it’s a good thing. It gives you more perspective. It can often bring other things to the table that you might have missed, and that might be based on your mindset and biases that you have as an analyst. In fact, in some cases, you should take someone from another unit that has no knowledge as to what you’re analyzing and see what they think, because oftentimes, they’ll have other perspectives. That’s one of the problems, is a lot of the intelligence teams and organizations are really too small to really be able to effectively analyze more complex problems.

Dave Bittner:

Yeah, that’s interesting, I suppose the process is as important as the outcome sometimes.

Greg Reith:

Sure, yeah.

Dave Bittner:

One of the things we wanted to focus on today was something you describe as, “adversarial focus.” Can you fill us in on what that’s all about?

Greg Reith:

Sure. Basically, adversarial focus is who’s targeting you. People don’t just wake up and say, “Well, today…” Well, maybe some people do, but for the most part, your more sophisticated attackers are very focused in targeting. So when you start looking at threats in general, you have lower-tiered threats, which I call one to two tier, which basically includes your script kiddies, your single developers that are acting as low-move attackers, simple criminal attacks, disgruntled employees, disgruntled customers — things of that nature. Their targeting is all across the board and they have the capacity to attack a known vulnerability, so your automated processes should be able to deal with your lower-tier attackers.

Your tiers three and four move into more organization, and their focus is on generating revenue. They do their own targeting, they pick their targets. The tier-four groups are larger organized crime groups that can be very, very sophisticated, but they go through a targeting process to determine who they’re going to add focus to.

And then your tier fives and six, which is your nation-state sponsors, nation-state attackers. They get tasked to collect, they get tasked to support things like five-year plans, national strategies, and things of that nature, so their focus is much more defined. But adversarial focus is all about understanding who has focused on you as an organization, and each organization is going to have some level of adversarial focus.

Dave Bittner:

So how do you come up with that list of who’s targeting you, and then how do you rank the people on that list?

Greg Reith:

So you have to understand what you do as an organization. You have to understand your lines of business, your critical functions, what your roadmap is, and then you can start to figure out who might have interest in those different aspects. Then you can start to do the research to develop who has focus in those particular areas. Tools like intelligence tools that give capabilities for scraping the open web and dark web are pretty critical, at that point, in pulling some of this information in. They can give you historical context, they can give you some trend capability. Using that, you can start to develop some adversarial focus from an early-warning perspective.

An example would be, every five years, China does a five-year plan. When you go back, historically, and look at the attacks that they’ve done, you can correlate those to five-year plan requirements. So they’re filling their national strategy requirements through attacking networks and APSoft and things of that nature.

There are different ways that you can determine focus from different groups. A lot of the data exists — you just have to know where to go to look for it.

Dave Bittner:

Is there a danger of your team getting distracted by bright, shiny objects?

Greg Reith:

Oh sure, there is, yeah. And that’s a problem too, especially with smaller teams. When I was doing training, I would tell people that, from a timing perspective, you have technical intelligence, you have operational intelligence, and you have strategic intelligence. So within your tactical component, you have two pieces. You have current ops, and you have future ops. Current ops is usually zero to 24 hours — it’s what’s happening right now. And then future ops is anywhere from 24 hours to five days. Operational would be five days on, out to a quarter, and then your strategic goes beyond that.

But it gives you the capability of having a person fill a role, either at the tactical level, and so on, and focus specifically on that. So when something does occur, and I pluck some intelligence from the current perspective, I can hand that off to, or I give access to, somebody who’s working future ops, and they can integrate that into what they’ve been working on in the short term. And further, that adds more context relative to some of what they see. When you’re doing something like that, you’re maintaining your capability of having a current capability, but you’re also maintaining the capability of having a future capability in the short term. And then your more senior people would be working some of the more operational or strategic aspects to develop new indicators, relative to what people doing tactical collection analysis have already done. You can implement that capability, but it does take a bigger team in order to cover that kind of a timeline.

Dave Bittner:

In terms of your advice for someone who’s thinking about spinning up a threat intelligence team, or finding someone to provide that sort of information for them, do you have any guidance for the best way to approach it?

Greg Reith:

Do a lot of research, find someone who’s done intelligence, and have a conversation with them. As an example, a lot of people will go out to the internet, do some research, and will come across intelligence cycles. The current cycle that most people use revolves around planning and requirements, collection, processing, exploitation analysis, and then, dissemination. The problem is, that model is a very linear model that has to fit a very lateral problem. So, it’s more difficult to operationalize when you’re in a commercial entity because you have limited resources. You have things like budget, reduced staff, and you don’t have the capability to task for collections. It’s harder to implement that sort of a cycle, but you’re not going to know that until you talk to someone who’s actually done it. I would say, do the research, and then talk to someone who’s done intelligence and has experience in intelligence to help you set up a plan.

Dave Bittner:

How do you make it so that it’s okay for people to be comfortable with uncertainty?

Greg Reith:

That’s difficult. The thing is, you’re always going to have intelligence failures. It’s a part of the process. In today’s workplace, people want 100 percent. They want you to be right, and they want you to be right all the time, but that’s not a realistic goal. You’re going to have some failures. The goal is to be accurate and have more successes than you have failures, and to have more significant successes.

A part of the training has to deal with that mindset to where I always need to be right, and I need to get away from being 100 percent. In the intelligence world, once you get to about 70 percent, that’s about when you need to start taking action, because if you’re waiting for an extra 10, 15, 20 percent, you’re going to miss your window of opportunity to actually put a control in place to deal with something that’s coming down the road. It’s hard sometimes to get people to think that way because they want to be right. It’s not wrong to want to be right, but the reality is, you’re always going to be wrong at some point.

Have a candid conversation about capability and about what you’re going to get, because intelligence deals with levels of confidence, as opposed to, “This is right 100 percent,” or “It’s wrong 100 percent.” There’s a little bit of gray. And a lot of people don’t like the gray part.

So, whoever is your team lead has to be comfortable with working with a lot of the gray part. He has to mentor or guide the other people to be able to accept the fact that you’re not always going to be right, and that’s not bad — that’s human nature. Training them and giving them techniques is going to make them more effective and more accurate when they do their analysis. They have to get away from going with the flow. Their analysis might be 100 percent opposite of what everyone else is saying.

When you look at some of the attacks that happened in the past, over the past year, the initial set of information, in a lot of cases, is not correct. But everybody wants to be at the very front of reporting, so you see a lot of information that’s not necessarily accurate, that kind of firms up over time. So when you’re doing an initial assessment, you have to caveat that with, “this is what our current intelligence is telling us, but we see these things that might be of interest that could alter the assessment,” and you have to do the assessment over time. If you’re just trying to focus on a point in time, then you’re potentially missing a lot of data that could change the analysis and the accuracy of the analysis itself.

Dave Bittner:

You have to have the ability to let go of the assumptions that you have previously made that may have been wrong.

Greg Reith:

That’s exactly true, yeah. That’s exactly correct.

Dave Bittner:

Our thanks to Greg Reith for joining us.

If you enjoyed this podcast, we hope you’ll take the time to rate it and leave a review on iTunes. It really does help people find the show.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.