Information is not intelligence

[music plays]

AJ NASH

They’re related skills, but they’re not the same. I don’t want my dentist operating on my legs and I don’t want, you know, the guy or gal who’s amazing in incident response to lead my intel team. They’re just different. They’re associated but different. You can cross-train them. I’m sure that a dentist can learn how to be a medical doctor, and I’m sure the incident responder can certainly learn how to be an intel professional. I’ve seen it done. But to just plug something in and think they’re going to be successful is probably a mistake, and I see that an awful lot.

[music plays]

MATT ASHBURN

Welcome to NeedleStack, the podcast for professional online research. I’m your host, Matt Ashburn, and flip-flops are the only things that prevent me from using SOCs.

JEFF PHILLIPS

I’m Jeff Phillips, tech industry veteran and curious to a fault. Today we continue our series on security operations centers, or SOCs, and cyber threat intelligence, also known as CTI, which brings us to our special guest. Today, we’re joined by AJ Nash. AJ is the Vice President of Intelligence at ZeroFox, so we’re super excited to have him here. AJ has a background of nearly 20 years of service in the US Intelligence Community, focusing on counterterrorism, tracking war criminals, disrupting human trafficking, and also reporting on threats in cyberspace. And that last bit is where we’re going to focus on today. AJ Nash, welcome to the show.

AJ NASH

Hey, thanks for having me. Really appreciate the opportunity. I didn’t know I was going to be assaulted by Matt’s sense of humor right off the bat, but we’ll try to move on from that. Yes, no, I appreciate it. Thanks for having me. I’m looking forward to a good conversation today, guys.

JEFF PHILLIPS

Yeah, absolutely.

MATT ASHBURN

The NeedleStack sandals are actually available for sale on our website, authentic8.com/needlestack.

AJ NASH

I’m going to take a pass on those, but thanks.

JEFF PHILLIPS

Excellent idea for the sandals.

AJ NASH

I assume I get them as a gift, right? For participating.

JEFF PHILLIPS

AJ, you followed what seems like a fairly common path in threat intelligence, albeit you have some very unique experiences. And what I mean by that, is really that you transitioned from conducting threat intelligence in the government space into the private sector. Maybe can we start off by you talking about what that journey looked like for you and how you came to focus on cyber intelligence?

AJ NASH

Yeah, absolutely. It’s funny you mentioned having an interesting journey. I don’t know anybody who has a normal story, right? I don’t know many people who have that linear like, “I just planned it out. As a kid, I was going to do this, this, this.” I tend to be suspicious of those people. But yes, my story is nothing like that. I frittered around for a bit. Joined the Air Force in my early 20s. I was going to be a police officer – that was the plan – and I was going to go to law school. Then through a series of tests, they said, “No, you should be in intelligence. You should be a linguist,” and all these things. So they stroked my rather large ego as a young man and so I went and did that. And so, I was originally a cryptologic linguist. Not a good one. Anybody who ever went through class with me or saw me try to be a linguist knows I wasn’t a good one. But I did go through the coursework and graduated and eventually made it to Fort Meade, Maryland, and we had an active war going on, which I was supporting, but we had plenty of linguists who were a lot better than I was. And we needed an intel analyst, actually. So I ended up working the analysis shop, which really fit my skill set a bit better, but put me in a really good position because I understood the language, I understood the culture, but now I was supporting active missions, collecting on that with intelligence support. So that started me down the path of intelligence analysis. I did that in the Air Force for about nine and a half years and then I was medically retired. I went into defense contracting and continued to do intelligence work. Originally counter-IED work, some counterterrorism stuff. The way I ended up in cyber is yet another mistake. Nothing in my life was planned. So, I had a great job, but it was a long commute. I was trying to get a job closer to home and there was an opportunity to interview with a large contractor and I did. About 10 minutes into the interview, I stopped the interview and said, “I think I’m in the wrong room. It’s a big company, there could be other interviews.” All we were talking about was math and operations research and computer science and things I didn’t know anything about, really comparatively. I said, “I might be in the wrong room.” But it turns out I wasn’t. They were looking for people like me. We had a team with brilliant minds already, they had all the mathematicians and operations researchers they needed, and they were developing this new concept of how to do analysis, how to apply intelligence analysis to cyber environment, how we have to change a little bit from the physical world, and what they needed was intel analysts who could apply the intelligence tradecraft we had and also say, “Hey, will this work? Will people use it?” So that’s how I ended up in cyber. Completely by accident. That program was originally known as Cyber Intelligence Preparation of the Battlespace, which became Cyber Intelligence Preparation for the Environment because the SecDef didn’t want cyber to be considered a battlespace. And most people know it now as kill chain. It was a predecessor of kill chain. So by pure luck, I ended up on a great place, on a great contract, on a hard-hitting place where we were building a new concept of how to do intel analysis of cyberspace. I helped write the book on the subject and taught some classes. So that’s how I ended up in cyber. And from there, I’ve just stayed and I had a couple of different defense contracts along the way. And then the transition to the private sector, yet another unplanned event. Like most people who spent a lot of time in the government space, a lot of us wanted to transition. But if you’ve been doing the work we did for 15, 20 years, you start to think that your value really comes down to your badge and your clearance and your degree and your experience, maybe. And a friend of mine convinced me to create an account on LinkedIn, I had no social media. Of course, LinkedIn was compromised. It was announced the next day. It was prior to my joining, thankfully.

JEFF PHILLIPS

Haha, okay.

AJ NASH

But that led to somebody reaching out to me and led to some recruitment and led to a transition to the private sector. Then from there, I’ve just continued. The goal has been to bring the knowledge of the government space into the private sector to try to build intelligence-driven security. That’s been the journey since. I’ve been in the private sector now for about six years. Love most minutes of it. Work with incredible people, especially now. But in general, I have been very, very lucky in my career. This is where I am now. It’s a zigzag path. Certainly wasn’t planned. The guy who was going to be a cop and a lawyer ended up being in cybersecurity a long time down the road.

MATT ASHBURN

AJ, with your experience, and as you said, you’ve written the book on the topic, what are some of the recurring themes that you’ve seen throughout the years that keep coming back to you and your experience? What are some of those lessons that you think everybody needs to know?

AJ NASH

Yeah. In terms of cybersecurity in general, or cyber intelligence, or all the above?

MATT ASHBURN

I think all of the above, yeah.

AJ NASH

Sure. Yeah. I mean, I think a couple of things I’ve learned, which are good and bad, I suppose, when I moved into the private sector, I recognized very quickly that what people in the intelligence community who are transitioning out, what we take for granted as common knowledge, is not. You come into an organization and say, “Okay. Great. We’re going to build this intelligence organization. Let’s talk about intelligence requirements.” People look at you like I give a third head. It seemed common and basic, but it’s not, as it turns out.

MATT ASHBURN

Yeah.

AJ NASH

So to help people understand what the intelligence cycle is, what planning and direction is, how to understand who your stakeholders are, and what your intelligence requirements are, and why that should drive your collections is fundamental knowledge. That was a learning experience for me. When I first moved into the private sector, I really thought, “I’m going to do this for a couple of years and then there I go. I don’t want to know what I’m going to do the rest of my career, because everybody’s got to figure this stuff out.” Well, it’s a really, really big world is everything you learn. Maturity takes a long time in large enterprises and now I feel like I have a lot of job security for a long time to help folks do this because there’s a lot of growth to be had around the world. But yeah, those basic pieces I thought were important, and I was surprised to find out that people didn’t know them. Working through that has been interesting and a good journey to have. I guess the other piece is organizations that decide they want to go into intelligence a lot of times have a misunderstanding of what that means. I was surprised to learn how often organizations go from, “We don’t have intel. Okay. We’re going to build intel team.” Then they immediately put somebody in charge of that team who has not got any intel background. It makes sense now. I’ve been doing this a while, and I get it, but it doesn’t make sense at the same time, because it means people don’t understand that this is a different career field. This is not something that is just plug and play. To me, it would be like if you have a fantastic dentist that you think is great, and you trust them, and they’re brilliant, they’re good at their work, and you go, “Man, I need leg surgery. Let me see if my dentist will do it for me.” They’re related skills, but they’re not the same. I don’t want my dentist operating on my legs and I don’t want, you know, the guy or gal who’s amazing in incident response to lead my intel team. They’re just different. They’re associated but different. You can cross-train them. I’m sure that dentists can learn how to be a medical doctor, and I’m sure the incident responder can certainly learn how to be an intel professional. I’ve seen it done. But to just plug something in and think they’re going to be successful is probably a mistake. I see that an awful lot.

MATT ASHBURN

That’s a good point that you bring up there. Also the bit there about having intelligence requirements. Being from the intel community, we take that for granted. These foundational elements. Of course, you have to have intel requirements. That’s what drives the whole collection and production cycle. Can you talk a bit about the role of the Chief Intelligence Officer and your views on that? Where should threat intelligence be within an organization and how does it fit in?

AJ NASH

Yeah, thanks. I appreciate the plug. I did write a magazine article on that a year ago, and it’s made the rounds, have been republished a few times. The Chief Intelligence Officer, there’s an article out there on Google, it’s called Rise of the CINO, the C-I-N-O. US Cybersecurity Magazine published it originally. What I’ve seen in organizations generally is a cycle that says, “Okay. We don’t have intel at.” “All right. Great. We’re going to have intel.” They pick somebody in the room to have that job. But once we get past that, then they put it… They bury the intel team, almost always. It’s in the SOC someplace. It’s under defensive cyber operations, usually. Now, you’ve taken somebody who may or may not be properly aligned for the position to begin with and you’ve also buried them in a position where… Listen, wherever we are, wherever we work, you’re going to serve the needs of the person right above you. That’s just how life works. That’s how it works in the military, it’s how it works in the civilian world, it’s how it works in government. You serve the needs of the person above you, and then they serve the next one up, and that’s how the system works. If you bury your intel team in the SOC, under the Director of Defensive Operations, whatever it might be, whatever that person needs is what you’re going to be delivering. It really is limiting what value you’re going to get out of this. What I had proffered was, we need to elevate where we put intelligence. At a minimum, I think the intelligence team really… The intelligence leadership support to the CSO or the CSO. But ultimately, I believe needs to be reporting to the CEO. The org chart I had proffered was, essentially you have Chief Legal Officer and Chief Intelligence Officer are your consiglieres for the CEO, and then your other C-suites really handle the business operation. And so, the reason for that is to build an effective intelligence team, for a large enterprise, it’s going to be millions of dollars. There’s really no way around it, between the technologies and the accesses and the integrations and the people, it’s in the seven figures, for sure. But you can get just as much done, actually, get a lot more done and more value if you just elevate it. If you’re going to spend that money and you bury it in defensive cyber operations or bury it in the SOC, you’re only going to answer SOC needs. But with the people you’re going to hire and the technologies you’re going to have, the accesses you’ll have, if you elevate it up, you can also support insider threat. You can also support M&A. I talk a lot about how mergers and acquisitions really should be supported by an intelligence team. You can work with HR more. You can work with physical security. You can work with executive protection. There’s a lot of areas where intelligence can really support the large enterprise for the same investment. That’s something I’d proffered. There’s a whole paper on the subject. I’m a big believer in it. Gotten some traction a long way. I got some great feedback. Some academic institutions have talked to me a bit about it. A couple of large enterprises are considering the idea of really launching this. I can’t name names, of course. But yeah, I’m a big believer in it. Now, I will tell you, I didn’t invent this either. I don’t want to take too much credit. This is essentially taking the government system of why they launched the DNI, the Director of National Intelligence, and applying that to the private sector. Eventually, the government decided we need a single person who is overall the intelligence community, and that person reports to the President, and then everybody else fits in underneath. That’s the same concept here, is you need somebody who can have that single visibility of everything, apply it at the executive level to the CEO and to the board to make holistic decisions. It’s also going to be in the business intelligence, a lot of other pieces. Then you have subordinate groups that support all these different areas. Intelligence is a service. It is not a product. It’s a service. It’s about communication. It’s about understanding relationships. It’s about intelligence requirements and delivering solutions that solve people’s problems. But I’m a big believer that the higher organizations elevate this. Again, assuming they’ve put the right person in that position, the more value they’re going to get out of it.

JEFF PHILLIPS

AJ, if we keep on that, sort of that team organization and structure concept, and you mentioned the intelligence lifecycle, I’m curious what you look for in teams in terms of diversities of skill sets, or if someone can do it all? What I’m thinking about is there’s the person that’s going to go out and knows how to do the research, collection. That there’s someone that’s going to analyze that. It’s got to be put together and distributed. What are some of your thoughts? It might be someone that’s an expert on the dark web versus what’s publicly available. What’s your thoughts on those different skill set within an intelligence team?

AJ NASH

Yeah, it’s a great question. There’s no one way to build a team, obviously. I’ve seen it built in a lot of different ways. But I will say, I warn people or I caution people against trying to find unicorns. You might. I’ve worked with a couple of folks who can go all the way from the far end of the dark web all the way through malware analysis and the technical analysis and open source and all source and write finished products that can go to the executives. They are so few and far between, though. More often than not, you’re going to end up with a mix. We have organizations that are set up with, say, a collections organization versus an analysis and reporting organization. Then even with those, you may have subsets. Collections may have human intelligence versus technical intelligence. Human intelligence probably goes into the deep and dark web, maybe directly integrates or directly associates themselves with adversaries using sock puppets, not to be confused with Matt’s issues with SOCs. But you got that and then you got the technical collection. Bringing in the IOCs and all the technical components. Then folks who can actually take those pieces and build the puzzle. Again, there are people who do both sides. But more often than not, your heavy technical folks, they’re not a huge fan of writing in prose. Most of them write bullets if they write anything. Most of them write code. But they’ll write some bullets, they’ll throw it over and they’re like, “Here, you do something with it.” On the other side, you’ll have the people who build the puzzles. Listen, give enough pieces to the right person, they can build the puzzle, tell the story, put it in prose, make sense of it, draw conclusions, apply analytic tradecraft, and then have enough technical knowledge to go back and talk to the technical expert and say, “Hey, can you double-check this? Make sure I capture everything correctly. Did I get the data flows right? Do I understand what you gave me?” So most organizations that are successful tend to work in that fashion, where you don’t try to have 20 people who can all do the same thing. You say, “Hey, let’s get the people who are specialized and focus on things they do best.” To me, the things that matter most really are aptitude and attitude. You do have to be able to work well together. Brilliant jerks are absolutely useless to organizations. It’s not just a cliché, they’ll just kill a team. I’ll take a bunch of people who have B education or B intelligence and our A-plus people over that A-plus genius who’s a jerk. Like just one of them ruins a team. But in terms of the skills, right? Just being able to set those skills up so that people are able to go deep in the things they’re really good at and also really passionate about, and then be able to connect those dots and bring people together, which is where process comes in. Frankly, I’m a huge fan of processes. Being able to plug everything into a process is how it all works. You have collections, maybe you might launch an intel project. The project launches and you got a collector going out and doing their thing and you got researchers going out doing other things, and they’re pulling stuff together. Then there’s a drafting process and there’s an editing process might include peer review and senior review and there’s a technical review and management review, etc. The process will smooth out all those connections between folks. Sort of like when you put drywall up in a house. There’s some cracks, and then you smooth it out. You’ve got a process to it. So I think that’s, to me, the best way to do it. As far as the kind of skill sets you look for, that can be pretty diverse too. I mean, certainly, I’m biased towards somebody with an intel background to run the intel team, or at least to build that. I shouldn’t really say run it, but just to build the team. But I’ve seen people be successful with lots of backgrounds. Obviously, the easy ones are the intel background, the heavy computer science background, the technical backgrounds, the reverse engineering, etc. But I’ve seen journalists who are really successful in this space, musicians, artists. There is no single background that can make you successful in this space. Again, aptitude and attitude, but I do believe on the leadership side, as you build, I highly recommend starting with somebody with some significant intel background. Preferably if you’re in a private sector and you’re going to hire them they’ve already had another private sector job. Let somebody else deal with the pain of transition from the government space. There’s always some. If possible, if somebody else absorbed that and that person learned things are different in the private sector than the government, some places meetings consistently start 10 minutes late, it’s okay, and that’s just how life works, how business goes. Things like that. It’s good if you can build your own person, I would say to hire somebody who cut their teeth someplace else and learned a little bit about cultural shift.

MATT ASHBURN

That’s a great thing to keep in mind. Are there any other tools or resources that you’d like to plug or that you think people should be familiar with if they’re looking to learn more about cyber intel or intel in general?

AJ NASH

Well, yeah, sure. I mean, certainly, I’d start with ZeroFox, but I’ll come back to that one. I think the things that I plug the most, frankly, are free. Which is nice and useful. When we talk about intelligence, for those who don’t have the background, I highly recommend Googling Intelligence Community Directive, ICD. ICD 203, 206, and 208 are the ones I would recommend people read combined. They’re probably 10 pages, maybe. There’s hundreds of ICDs. But anyway, Intelligence Community Directives are how the Intelligence Community does intel work, and they’re unclassified, and they’re readily available. Those three documents alone will be really helpful. Frankly, we’ve made it easier at ZeroFox where we just finished an analytic tradecraft and standards paper that we’re publishing, which is essentially 203, 6, and 8. They’re well-sourced, brought into private sector. People can also just download that and save themselves the trouble of looking for it. If you really want to go deeper into how the government does things, join the Publication 2-0 also readily available. It’s the Bible of intelligence. To learn how intel is done in the government sense, those are really important. As far as tools and things of that nature, yes, I work for a great company. ZeroFox is fantastic. Certainly, our platform is great. If you’re interested in… If you have concerns with social media monitoring, brand protection, physical security, executive protection, deep and dark web… Our dark ops team is amazing. Finnish intelligence, IOC is really across the board. I’m a huge fan. I have to admit, I was a customer of ZeroFox, then I was a partner of ZeroFox, and now I work at ZeroFox. I’ve seen the company grow from very, very tiny to where we are today. A huge fan of the company. I think that’s probably as far as a product or service, that’s the one I would say to recommend, because I’m here, of course, but I happen to believe in it. I wouldn’t have joined the company otherwise. Anybody who knows me knows I’m not much of a show or a company man, usually. I’ve been with the company now for about nine months and, yeah, I’m just amazed by the talent.

JEFF PHILLIPS

Well, the key question though, AJ, is how’s the commute? Was the commute okay? I mean, that was one-

AJ NASH

I don’t have a commute.

JEFF PHILLIPS

You don’t have a commute?

AJ NASH

Yeah, I don’t know. It’s fantastic. Ideally, it’s funny. My transition even to ZeroFox was also unintended. Somebody reached out to me, we had a conversation. I actually thought we’re going to talk partnership at first. I didn’t realize that [inaudible 00:20:47] opportunity. As the conversation’s happening… So ZeroFox is headquartered in Baltimore. My home at the time was right by Fort Meade. Very local. As we’re having this discussion, I said, “I hate to tell you this, but if you’re looking for somebody local, I’m literally watching them move things out of my house as we’re talking.” They were loading the moving truck. I had sold my home. This was July 15. We were leaving. That was it. We were out there. Actually, it was July 13. We moved the 15th. But we were leaving. I said, “If I have to be local, there’s nothing I can do anymore. I’ve already sold the home. It’s closed. I’m living in somebody else’s house. My stuff’s on the way out the door.” And thankfully, the company is very remote-friendly and said, “No, no. We don’t care where you live.” I was like, “All right. Let’s keep talking.” It’s ironic that I moved to Minnesota and immediately… Well, soon after a couple of months later, secured a position in Baltimore. I do come back every month, every couple of months, which is nice so I get to see friends and have a good time but work with the company. But yeah, I don’t have a commute, thankfully.

JEFF PHILLIPS

There we go.

AJ NASH

I work from home and I travel a lot. But yeah, no commute. For those who still have to commute in the DC area, I’m sorry. I’ve been there. It’s not a treat.

MATT ASHBURN

There’s life outside of DC, I tell people that all the time. So get out. There’s a whole new world out there.

AJ NASH

Spent 22 years around there and it’s hard. Yeah. It’s very cold up here. But I spent 22 years there and I miss it. I’m glad, I’m thankful that I work for a company that is local and I get to come back out and see old friends and talk to government folks. I’m really thankful for the opportunity, but I’m also thankful not to have a commute for sure.

JEFF PHILLIPS

For sure. Well, AJ, I was thinking a little bit about our listeners out there and there’s different skill sets and they’re all in obviously in the world of conducting online research and investigations. If you have one piece of advice, something they can start doing, something they should stop doing related to threat intelligence, what would it be?

AJ NASH

Yeah. That’s a good question. Certainly, in terms of if it’s somebody who’s looking to get into the space or get better at it, I mean, the documents I mentioned, I highly recommend reading and getting familiar with them. If you have the resources and the time, assuming you don’t have an intel background, something like a SANS course FOR what is it? 5, 7, 8 is the CTI course, I believe. It’s really useful certification. It’s expensive. Talk to Rob Lee, see if you can get him to lower the price, but it’s a good course. It’s certainly worth taking. Beyond that, also, if you’re looking to get in the space or understand it better, networking is hugely important. This is not an industry that can’t be broken into. We have an endless supply of job openings. Again, aptitude and attitude are hugely important. Reach out to people. LinkedIn’s been a massive tool for a lot of folks. Don’t be shy. Most people I know in this industry that are worth working with will answer anybody and are happy to talk, are happy to help. It’s actually a pretty helping industry, especially in the intel side of things. They’ll be wary at first if some random person pings them so expect some questions. But most folks are happy to help, myself included. People ping me all the time. I’m happy to put some time in the calendar and see what I can do to help them or maybe connect them with somebody because you just never know who the right person is for the right fit someplace else. I think having that, it’s not even a matter of having guts or confidence or courage or anything like that. Do it even if you’re uncomfortable with it. But if it’s something you want to get into, there is space here. As far as protecting ourselves or things of that nature, recommendation’s there. Mostly it’s the basics. People still do a lousy job with the most basic things of cybersecurity. If your password is easy, you deserve to get cracked, frankly. Get a password manager. If you can’t remember tough passwords, neither can I, so get a password manager and run them through there.

MATT ASHBURN

That’s right. So many attacks that we see out there today, and so many of the compromises and data breaches occur because those basic things aren’t being done. So that’s great advice to keep in mind.

AJ NASH

Yeah. Any S3 bucket. Anything that’s ever been popped in an S3 bucket, right? It’s always the same story.

MATT ASHBURN

That’s right.

AJ NASH

Misconfigured S3 buckets, basic passwords. Executives are the worst. They’re the absolute worst when it comes to passwords and they’re just, I don’t know what it is, but it’s a challenge. They’re the absolute worst. Set really hard rules on your passwords.

MATT ASHBURN

That’s right. Well, AJ, thank you so much for joining us today. If you’re at home and you’d like to follow him on Twitter, you can. That’s AJNIntel on Twitter. If you like what you heard today, you can subscribe to our show wherever you get your podcasts. You can also watch episodes on YouTube and view transcripts and other episode info on our website at authentic8.com/needlestack. That’s authentic with the number 8.com/needlestack. Be sure to follow us also on Twitter @needlestack_pod on Twitter is our handle, and we’ll be back next week with more on SOC investigations and CTI analysis. We’ll see you then.