If you don't want your dentist operating on your leg, NeedleStack guest A.J. Nash asks, why are you putting incident response in charge of intel?
Many companies are seeing the value in building out a dedicated intel team of their own. But when it comes to where to place that new team, they can make a mistake detrimental to the success of the new venture and organization as a whole.
SOC and intel are different skills. They are related, but not the same, yet many companies tend to put incident response specialists on intel teams and bury the function within the SOC or other security organizations. In a recent conversation on NeedleStack with A.J. Nash — an accomplished author, speaker and VP of Intelligence at ZeroFox — he discussed how to build a successful and effective intel team by avoiding some of the most common mistakes.
A.J. Nash has over two decades of experience in intelligence collection and analysis. He has found his way to cybersecurity through a successful linguistics and intelligence career in the U.S. Air Force, which led to him exploring his passions for analytics, team building, writing, communications, public speaking and leadership — in both government and private sectors.
Creating intelligence as a service
Surprisingly, some organizations who embark on the journey of creating an intelligence program don’t have a firm grasp on the fundamentals of intel building, such as what the intelligence cycle looks like, who the stakeholders are, what the requirements are or what their collection goals might be. To make matters worse, they often pick a team leader who has no real-world experience in intel. It’s like asking a trusted dentist to perform surgery on your legs, Nash suggests. A great specialist in incident response is not necessarily a great person to lead the intel organization. It’s not that plenty of people can’t successfully transition into intel leadership from other security roles, but without relevant experience and understanding of intelligence protocols, practices, standards and processes, it’s difficult to put together a successful and effective intelligence operation. As Nash points out in his Cybersecurity Magazine article, there are fundamental differences between the fields of cybersecurity and intelligence — with one primarily focusing on indicators of compromise (IOCs), signatures and response actions, while the other serves as the means of countering threats and driving enterprise-wide improvements.
“I don't want my dentist operating on my legs and I don't want the guy or gal who's amazing in incident response to lead my intel team. They're just different. They're associated but different. You can cross-train them. I'm sure that dentists can learn how to be a medical doctor, and I'm sure the incident responder can certainly learn how to be an intel professional. I've seen it done. But to just plug something in and think they're going to be successful is probably a mistake. I see that an awful lot.” — A.J. Nash, on NeedleStack's S1E21 | Information is not intelligence
A.J. is a strong advocate for establishing the role of the CINO — Chief Intelligence Officer — to serve alongside the CIO, CFO and CISO. This approach has proven successful with the establishment of the role of Director of National Intelligence (DNI) in the U.S. government — a single role in charge of the broader intelligence community, reporting directly to the President. Nash argues that adding a senior expert on intelligence in private sector corporations will add an influential voice to the boardroom, helping organizations focus on security policies that go beyond threat response and mitigation.
Unfortunately, many companies today continue to place the intel function under SOC or some other type of defensive cyber operations, putting them in a position where they serve the needs of the specific domain they have been assigned to, rather than being on equal footing. Organizations that elevate the intelligence function and make intel leadership report directly to the CEO tend to fare much better in advancing the tradecraft, establishing enterprise-wide intelligence standards and aligning business needs with intelligence requirements.
“This is essentially taking the government system of why they launched the DNI, the Director of National Intelligence, and applying that to the private sector. Eventually the government decided, we need a single person who is over all the intelligence community and that person reports to the President, and then everybody else fits underneath. And that's the same concept here. Here is you need somebody who can have that single visibility of everything, apply it at the executive level to the CEO and to the board to make holistic decisions. It's also going to business intelligence, a lot of other pieces, and then you have subordinate groups that support all these different areas. Intelligence is a service. It is not a product. So it's a service. It's about communication. It's about understanding relationships. It's about intelligence requirements and delivering solutions that solve people's problems. But I'm a big believer that the higher organizations elevate this. Again, assuming they've put the right person in that position, the more value they're going to get out of it.”
Setting up an intelligence team is a sizable investment for any organization. Between the technologies required to support intel operations and the cost of finding, hiring and retaining the right people, expenses can easily run into millions of dollars. Building a team that has the right leadership and position within the company can help businesses get the most out of their investment, make holistic security decisions, increase efficiencies and set themselves up for future success. Ultimately, threat intelligence is not a product – it’s a service that a dedicated group of specialists provides to an entire organization. The goal of an intel team is to help the company as a whole solve business problems, and they achieve it through communication, building relationships and creating policies and standards to help reduce risk.
Diversity over unicorns
When building an intel team, Nash cautions company leadership against trying to find “unicorns” — exceptional employees who possess strong skill sets in anything and everything from traversing the dark web, to data collection, malware analysis, open-source intelligence and C-level presentations. Those people may exist, but it’s much more realistic and practical to assemble a team where individual players have their unique skill sets and work within the broader group to deliver results. Successful intel teams are composed of sub-groups that focus on specific tasks, such as collections, analytics or reporting. And even within these sub-groups, there’s further specialization, with some individuals focused on human intelligence, for example, while others gather technical intel. Human intelligence specialists are skilled in navigating the dark web, perhaps they know how to blend in with the crowd on the darknet forums and chats, have the right tools to safely visit suspicious sites and directly engage with the adversaries using sock puppets and such. Technical collection specialists add their perspective with detailed malware analysis and IOC research.
“But as far as the kind of skill sets you look for, that can be pretty diverse too. I mean, certainly I'm biased towards somebody with an intel background to run the intel team, at least to build it. I shouldn't run it, but just to build the team. But I've seen people be successful with lots of backgrounds. Obviously, the easy ones are the intel background, the heavy computer science background, the technical background was with reverse engineering, et cetera. But I've seen journalists who are really successful in this space. There is no single background that can make you successful in this space. Again, aptitude and attitude. But I do believe on the leadership side, as you build, I highly recommend starting with somebody with some significant intel background and preferably if you're in a private sector and you're going to hire them. They've already had another private sector job. Let somebody else deal with the pain of transition from the government space. There's always some, if possible, if somebody else absorbed that and that person learned. Things are different in the private sector than the government. Some places, meetings consistently start ten minutes late. That's just how life works, how business goes, things like that, right? If you can build your own person, I would say to hire somebody who cut their teeth someplace else and learn a little bit about cultural shift.”
Then, there are people who can take all this information and put it together, see how the pieces fit to apply tradecraft and analytics, draw conclusions, prepare executive communications and draft recommendations. It’s essential that all these sub-groups work together, frequently communicating and validating each other’s assumptions. It’s much more effective to build a team of specialists, where each person brings to the table their specific talents, rather than look for a handful of “unicorns” who can do everything on their own.
Although most intel specialists come from computer science or engineering fields, some of the most successful and creative intel teams are composed of diverse employees with previous experience in a variety of technical and non-technical fields and even seemingly unrelated disciplines like journalism, art or music. For leadership roles, though, Nash recommends bringing in someone with a strong intel background, and experience in both government and private sectors. This is where it’s important to have a trained medical doctor leading the surgical team, not a dentist, no matter how much you trust them!
Attitude + aptitude
When it comes to team building, Nash places a premium on a combination of aptitude and attitude, striving to put together a group that works well together, rather than assembling a collection of “brilliant jerks.” To him, having a person of average intelligence and skill who is passionate about their work and is a fantastic team player trumps hiring an A-plus level genius who has a bad attitude.
And then there's the process — the all-important glue that holds everything together. Successful intel organizations follow well-defined procedures from the launch of the project, through collections, research, drafting, communication and review. A.J. Nash likens intel processes to patching cracks between drywall panels — a clear and transparent set of rules where everyone understands the information flow and their role helps smooth interactions between team members.
“I caution people against trying to find unicorns. I've worked with a couple of folks who can go all the way from the far end of the Dark Web, you know, all the way through malware analysis and the technical analysis and open source and all sorts and right. Finished products that can go to the executives. They are so few and far between, though, more often than not, you're going to end up with a mix. We have organizations that are set up with, say, a collections organization versus an analysis and reporting organization. And then even with those, you may have subsets. Collections may have human intelligence versus technical intelligence. Human intelligence probably goes to Dark Web, maybe directly integrates or directly associates themselves with adversaries using sock puppets. Not to be confused with Matt's issues with socks, but you got that and then you got a technical collection, right, bringing in the IOCs and all the technical components, right? And then folks who can actually take those pieces and build the puzzle. Again, there are people who do both sides, but more often than not, your heavy technical folks, they're not a huge fan of writing and prose. Most of them write bullets if they write anything, those are my code. But they'll write some bullets, they'll throw it over, and I hear you do something with it. On the other side, you'll have the people who build the puzzles mostly give enough pieces to the right person. They can build a puzzle, tell the story, put it in prose, make sense of it, draw conclusions, apply analytic tradecraft, and then have enough technical knowledge to go back and talk to the tech expert and say, hey, can you double check this? Make sure I captured everything correctly? Did I get the data flow right? Do I understand what you gave me? So most organizations are successful, tend to work in that fashion. We don't try to have 20 people who can all do the same thing. You say, let's get the people who are specialized and focus on the things they do better. To me, the things that matter most really are aptitude and attitude. You do have to be able to work well together. Brilliant jerks are absolutely useless in organizations.”
How to get started
For organizations looking for recommendations on how to get started with putting together guidelines for intel tradecraft, A.J. recommends the Intelligence Community Directives (ICDs) — a collection of free resources that cover topics from policies to standards, requirements and analytics best practices. Here are a few examples of the most relevant ICDs:
- ICD 203: Analytic Standards
- ICD 206: Sourcing Requirements for Disseminated Analytic Products
- ICD 208: Maximizing the Utility of Analytic Products
- SANS FOR578: Cyber Threat Intelligence Training
See how Silo for Research is designed to help intel teams enhance threat data through secure, anonymous online investigations.