Tidal is excited to welcome Scott Small as our new Director of Cyber Threat Intelligence (CTI)! Scott will be generating reports and other content around threat intelligence and activity in the wild. He’ll also be hanging out in the Tidal Community Slack, which is available to registered users of the Tidal Community Edition, to help the community use the Tidal platform most effectively.
Read on to learn more about Scott, including his favorite MITRE ATT&CK® technique!
How did you get into working with cyber threat intelligence?
My whole career so far has been in the intelligence field, but only the most recent part has dealt with cyber threats. My first role actually focused on watching for and analyzing physical threats to commercial shipping and supply chains. But each of my jobs has involved lots of internet research, often at large scale, so there was a slow but steady progression toward looking at threats that played out online, and then to analyzing threats like nation-state and financially-motivated hackers and their techniques. Searching for articles on international news sites led to building skills for researching other parts of the internet like social media and the “dark web,” which led to learning about different types of bad actors, and then how they actually carry out malicious activity in cyberspace, and, over time, down to the level of the types of programs or raw code they use during attacks.
A fairly unique aspect of my career is that I’ve worked entirely in the private sector. This is becoming more common (especially with the growth of CTI), but when I started working, most professionals with “intelligence analyst” titles had typically spent at least some time with governments or militaries. I’ve had the chance to perform security & intelligence analysis work from most angles of the industry: helping defend a large enterprise, supporting many others at a managed service provider and as a consultant, and helping build security tools with multiple product vendors.
My views on intelligence are heavily shaped by my job experiences, especially my time as an analyst. I remember multiple times when I devoted a lot of time to a research project on an issue that I felt was interesting and important, but it was overlooked because the “so what” of the research wasn’t clear enough to the consumer. As a consultant, I saw similar issues play out at scale. Even in some cases where security leaders committed sizable budget and resources to intelligence, they weren’t always (or even often) making real use out of all the effort and money put into its production. It’s clear that resource waste is never good for an organization’s bottom line, but it also contributes to the less-visible problem of discouraging and burning out analysts (the same can be said for many security roles). Analysts can use more support to help them frame their products in terms of real-world impact, but organizations also need a lot of further education on how intelligence can and should be effectively put to use.
What do you wish more people understood about CTI?
CTI is far less about the “cyber threat” part of the phrase than it is about “intelligence”. The key value a CTI analyst brings to an organization centers around their intelligence skillset specifically: the ability to think critically and to apply that mindset to the massive volume of threats reported during a given year, month, or even week. Security teams must take a structured approach to processing and making sense of this stream of incoming information and determining relevance, and these skillsets are core to the intelligence discipline.
The cyber-specific aspects of CTI (often labeled as “hard” or “technical” knowledge) truly can be taught, potentially even while on the job. (Of course, current analysts trying to break into CTI should be receptive to learning about a new field, although successful intel professionals typically have a curious mindset anyway.) The most important ability an intelligence (including CTI) analyst should possess is communication skills. Furthermore, it isn’t discussed often, but a key piece of communication skill is persuasion. It may seem counterintuitive, since objectivity is (and always must be) an essential principle of intelligence analysis. But with the never-ending stream of threat reporting in the modern age, intelligence teams must be persuasive and show how their expert analysis of a threat should drive what a security program prioritizes, as opposed to simply the next latest vulnerability or nation-state hacking report bubbling up through social media.
A few other intelligence skills aren’t often discussed but are critical to building successful analysts and teams. Just behind communication skills, creativity is key to intelligence success. It unlocks new lanes for research and analysis when existing leads have dried up, and it contributes to successful analyst persuasion. Finally, empathy and diversity of views (informed by diversity of upbringing and experiences) are also essential. These aren’t emphasized enough, especially as much of the security industry continues relying on legacy military terminology and other “macho” themes, but these traits are essential to generating balanced and more accurate analysis and must be part of an intelligence program for it to be truly successful.
What advice would you give to an organization working to implement threat-informed defense using CTI?
As I transitioned into the cybersecurity field, threat-informed defense was a security approach (I’d even argue a mindset) that immediately resonated with me, less because of my background in intelligence, but because of my first role, which focused on physical risks. It was usually straightforward to understand how a port or trucking company could tune their security measures in response to the latest smuggling attempts, thefts, or attacks they faced on the ground, so I already had the mindset (rapid security tweaks in line with real current threats) – it just needed to be applied over a new set of terminology and technology specific to the cyber realm.
While I clearly believe in the value of intelligence, organizations should implement a range of more “basic” security policies, procedures, and technologies before they consider setting up a dedicated CTI function. (For reference, see frameworks like the NIST Cybersecurity Framework and the CIS Controls, which are organized into implementation tiers based on maturity levels). But since threat-informed defense is much more of a mindset than a specific function or process, organizations can absolutely start taking advantage of it long before adding a dedicated intelligence team. Ideally, this mindset will be promoted among virtually everyone within the security program. I’m seeing so many more incident responders, detection engineers, threat hunters, and red teamers keeping tabs on current threat reporting and considering how those threats might affect their day-to-day work (consciously or subconsciously). This is a great step in the direction towards cultivating a “threat-informed” mindset – add a little more structure around this, and an organization can be on a path toward driving consistent, positive, impactful security changes. I’m so excited by this trend!
A final important note: remember that the expected outcomes of intelligence in the private sector are different than those in the public or military space. In order to justify themselves, private sector security & intelligence teams need to do more to demonstrate – ideally in terms that can be measured (quantified) – how they contribute to reducing organizational risk. For a government or military, “situational awareness” is often a goal for intelligence functions – they typically serve broad audiences that may benefit from a rollup of a large volume of the day’s news or events. However, it’s practically impossible for an enterprise to quantify how general situational awareness, without some corresponding action or change, contributes to improving security and reducing organizational risk, and therefore CTI teams are best suited by reframing their products in more specific, operational terms. An intel report that identifies a new technique used by a known adversary of interest and summarizes existing defenses in line with that technique (and recommendations for closing security gaps), is immensely more actionable and measurable than a daily threat report that is essentially just a summary of yesterday’s news without any organizational context.
Is there a particular threat group or technique you find most interesting?
Definitely – my “favorite” technique is Obfuscated Files or Information (defined as T1027 in the MITRE ATT&CK® knowledge base). In many ways, I think it helps keep the CTI industry employed.
T1027 is a great example of the Defense Evasion techniques, which describe the many ways that bad actors attempt to work around the often-complex security measures that we defenders have put in place. T1027 covers some of the most advanced methods that adversaries use to conceal their malicious activities, such as encoding dangerous files in ways that are difficult to recognize, “smuggling” malicious code, or removing evidence that they were in a network in the first place.
To me, this technique represents a trend that has existed for years but only seems to be increasing over time: adversary adaptation. Much like CTI analysts are dedicated to staying aware of the latest adversary activities, many threat groups keep tabs on the latest defensive countermeasures and take steps to adjust their activities accordingly. Modern-day cybersecurity is the epitome of a cat-and-mouse game, and I think it’s well worth acknowledging the extent of this trend – it truly speaks to the necessity of the CTI discipline.
What are you excited about at Tidal right now?
I’m extremely excited to be supporting this organization at this time. We have ambitious goals, but also the expertise, skill, belief, and drive to achieve them. During my career, I’ve been able to speak with many security teams and individual practitioners challenged with operationalizing threat intelligence, and I know there is a strong need and desire for resources and solutions to address this challenge. I’m excited for the time in the hopefully-not-distant future where “defense” becomes synonymous with “threat-informed defense”, and the Tidal team is motivated to help make that a reality.
I’m especially excited that, from the outset, Tidal has emphasized making so many of its resources widely available to the community. Personally, I’m a big advocate for openly available learning content, which fortunately can now be found throughout the cybersecurity community. Skills and knowledge I’ve gained through free, public resources online have opened opportunities and directly contributed to advancing my career, and I’m thrilled to help drive this type of content in line with Tidal’s mission of making threat-informed defense achievable. Speaking of, we have an amazing roadmap for Tidal’s Community Edition, so I encourage anyone reading to keep an eye out for a lot of upcoming content to be shared there, on our Community Slack, and elsewhere very soon!
Be on the lookout for technique sets and other curated content from Scott in the Tidal Community Edition! He’ll also be on the blog regularly with timely updates and in-depth analysis, and be on the lookout for fun, interactive opportunities soon! Subscribe to the blog so you never miss an update from Scott or the rest of the Tidal team.