RSAC 365 Virtual Summit
January 27, 2021, Online
These Aren't the Threats You're Looking For: How Our APT Focus Ruins CTI

About the talk

When someone thinks of cyber threat intelligence, they often think of one thing: advanced persistent threats (APTs). In this talk, Katie will explain why too much focus on APTs has misled our community about the value cyber threat intelligence brings. She will also share how CTI can improve cybersecurity decision-making in a way that extends far beyond APTs.

About speaker

Katie Nickels
Director of Intelligence at Red Canary

Katie Nickels is the Director of Intelligence for Red Canary as well as a SANS Certified Instructor for FOR578: Cyber Threat Intelligence. She has worked on cyberthreat intelligence (CTI) and network defense for over a decade, including in her previous role as the Threat Intelligence Lead for MITRE ATT&CK. Nickels hails from a liberal arts background with degrees from Smith College and Georgetown University. She has shared her expertise via presentations, webcasts, tweets, and blog posts, including through her personal blog, Katie’s Five Cents. Nickels has also served as a co-chair of the SANS CTI Summit and FIRST CTI Symposium. She is a recipient of the President's Award from the Women's Society of Cyberjutsu and serves as the Program Manager for the Cyberjutsu Girls Academy.


Hello everyone. Thank you so much for joining me today. My name is Katie Nickels and I work for Red Canary. Today I'll be talking to you about advanced persistent threats, APTs, and specifically how I think our focus on APTs in the cyber threat intelligence and cybersecurity community has kind of ruined CTI. I know it's a bold statement, but hopefully at the end of this you'll understand why I say that, and we'll go away with some lessons learned about how we can try to focus on the right things to produce the best actual outcomes from cyber threat intelligence.

A bit about my background: as I said, I'm the Director of Intelligence at a company called Red Canary. If you're not familiar, we do managed detection and response. You might also know of us from our open source projects, like Atomic Red Team, that are a lot of fun. For me and my team, it's kind of my dream job: I get to look at a whole bunch of data about what adversaries are doing, and then try to take that data and information and produce actionable intelligence that helps us protect our customers and protect the entire community. So tracking threats is what I love. I also teach for the SANS Institute, unsurprisingly their cyber threat intelligence course. And relevant to this talk, my background: I've been in this community for over a decade now. I started out as a civilian in the US Department of Defense focusing on cyber threat intelligence. That's what I love, but I don't always work, I promise. When I am not working, I like to work out on my back deck. I do CrossFit at home. I also bake, so those two things balance each other very nicely. And I'm pretty active on Twitter, so you can find me at @likethecoins. Don't overthink it; it's based on my last name, my Twitter handle.

Cyber threat intelligence: that's my passion. That's what I love. So think for a moment (you can type it in chat if you want): when you think of the term cyber threat intelligence, CTI, what do you think of? I'll give you a moment to think about that. Most people have a few different responses, but one of the most common ones is that people think of state-sponsored threats, advanced persistent threats, like China, Iran, Russia, or North Korea, or, depending on where you are in the world, the United States or Five Eyes countries. Intelligence is a pretty big field, but I'm going to guess that at least one of you wrote APTs, because I primed you with the title of my talk, or something that you thought of as related to state-sponsored threats. That's what so many people think of when they think of CTI.

What is cyber threat intelligence, actually? There are a few different definitions, but I love this one from my friend Sergio Caltagirone. It talks about a few key points with cyber threat intelligence. First off, it's actionable. If something isn't actionable, it's not intelligence. It's about adversaries and their activities.

And the last part of this, decision-making, is so key. The outcome is that actionable knowledge should enable defenders and decision-makers to make decisions. Whether it's on what techniques you should cover or where in your network you should prioritize, that's what cyber threat intelligence is all about: enabling defenders to make decisions. You will notice, even though maybe APTs were one of the first things you thought of when I mentioned CTI, nowhere in this definition, or necessarily any definition I've seen, are APTs mentioned. It's a part of CTI, but it is not the key point of CTI.

This idea of APTs: you've almost certainly heard it here at this conference. What is this term? Where did it come from? A few years ago I started getting serious about this myself. All the time in blog posts and media reports: APT, APT. Where does it come from? I started digging a little bit, and luckily in the fall, Colonel, or Dr., Greg Rattray came out with this tweet, which Richard Bejtlich, another respected member of our community, had alluded to before. Colonel Rattray came out and said, it was me, I coined the term back in 2007. And like any good intel analyst, now, I trust him; he's a doctor, he's a colonel, a respected person in this community. But I asked around, asking people who were around the Air Force at that time, and they all said, yeah, that seems right, that jibes with us. And you've got the link at the bottom of the slide that will be available to you; you can go check it out and hear him talk about the advent of this term and why it started to be used.

And really, the way it was used initially was that the Air Force and the DoD needed to talk to private sector companies in the defense industrial base about some targeting from Chinese groups, suspected state-sponsored groups, and they needed a term to communicate about those adversaries. So that's where, based on multiple sources that I found and think are reliable, this term APT comes from: the need to communicate about state-sponsored adversaries.

What we've seen is that over the years this term has grown and continued to be used. Initially it was just in DoD circles, then in the defense industrial base, and then in the broader public as well. 2007 was the early creation of that term. In 2009, there was a really interesting operation known as Operation Aurora, or Operation Shady RAT. That was significant in the progression of this term because this was one of the first times the general public became aware of state-sponsored threats. I have on the slide a Vanity Fair article titled "Enter the Cyber-dragon". This was a series of suspected Chinese state-sponsored intrusions and the use of the term APT. Around the same operation, the New York Times actually had a piece in which they discussed the "newfangled" advanced persistent threats, which was kind of funny, but it tells us that in this 2007 to 2009 time frame, this term APT was relatively new, at least to the general public.

Another key date in the evolution of the term APT came in 2013, when Mandiant released their famous report on APT1, a Chinese state-sponsored group. This is a really key moment in the entire cyber threat intelligence community, in my opinion. It's an excellent report from Mandiant, one you should still go back and read. And this is important, of course, because the group was named APT1. Mandiant chose, for their group naming (there are many ways to name groups, which I don't have time to talk about today), that for any state-sponsored actors and groups they use the designation APT. APT1 is a fairly well-known report in the community, and since 2013, as I'm sure you're aware, this term APT just keeps being used. The challenge with it is that its origin is mostly to refer to Chinese state-sponsored threats, but it's come to be a little more broadly used than that, and a little more complex.

Think about the term itself. That's how "advanced persistent threat" was initially used, but if you look at the term at face value: advanced. What does advanced mean? There are different levels of advanced, right? Do you have to be really stealthy to be advanced? Does the tool have to be custom-created to be advanced? So "advanced" is a tough word. And then what about persistent? How persistent? If you have kids, right, those kids are probably persistent. Does an APT have to bother you every two minutes to be persistent? Every day? Every month? Do they have to target you? Should they be targeting you specifically, or your industry, or anyone, to be persistent? So these are some of the challenges with this term advanced persistent threat, which was created for a specific purpose but then over the years has kind of taken on a life of its own. And so, while this is a term that we use in the community, I'd suggest that, as much as you can, you think about whether there's a more specific term that you can use. Generally, though, I've found that the term APT in the community means state-sponsored, and that's how I'll be using it through this presentation.

We've talked about the origin of the term APT and some of the problems with it. Now let's talk a little bit about why, over the past decade plus, this term, as well as the overall concept of APTs and state-sponsored actors, has caught on. Why is it one of the first things you think of when I mention cyber threat intelligence?

The first one: fear, uncertainty, and doubt. Think of the hacker in a hoodie, or this image, which for any Harry Potter fans might make you think of Dementors. This kind of imagery is so common in our community, this idea that we should fear adversaries, we should be uncertain, we should doubt our defenses. And that's fair. I respect adversaries. I think we need to treat them appropriately. But to me, spreading fear without any solutions or actions is something that we need to get away from in this community. I think that this spreading of FUD, as I call it, fear, uncertainty, and doubt, has been one of the reasons why APTs have caught on as such a hot topic in this community. Because people are scared, and rightly so; we should have a level of respect, and fear perhaps, for our adversaries, of getting compromised by them. But again, being scared without taking action isn't useful. So many of us are guilty of this, right? In our conversations, on social media, in reporting and blog posts. I'd encourage us all to think very carefully about it: are we ever spreading fear, uncertainty, and doubt without giving actions or solutions? I think that's one of the reasons why APTs have caught on so much over the past decade plus.

The next reason relates to cognitive biases. This is a topic that I love, because any intelligence analyst has to be aware of these cognitive biases, how our brains trick us. One of these biases is probability bias. Has anyone played roulette, or been to Vegas, or ever gambled? Think of that moment before the roulette wheel starts spinning. Even if you've read a book about the odds of roulette in Vegas, and you know your odds are terrible, you still want to believe, right? As humans, we want to believe we're going to win. We are bad at estimating probabilities. That's the idea of probability bias, and this plays in with APTs as well.

We are inherently not great at figuring out, okay, how common are APTs really, in our environment, in our industry, in this community? That's because of the various cognitive biases we have, right, including that fear, uncertainty, and doubt. If you read a story about an advanced persistent threat, a state-sponsored adversary that's really advanced, using these techniques, you're going to get scared, and your brain might start to overestimate how likely it is that threat will affect you. So another key reason why APTs, I think, are so persistent in our brains, to use that word, is the idea of probability bias, and that as humans we are not good at estimating likelihood.

The next reason: I think of Spy vs. Spy, a sneaky person in the bushes with a fedora. Let's be honest, espionage is kind of sexy. It's kind of exciting to think that we're going to catch people spying. And especially for me, or anyone from a counterintelligence or intelligence background, you feel like this is the stuff that we have to care about, the espionage. As an analyst, day to day, if you have a choice between reading a blog post about a foreign intelligence service and reading about the latest crimeware, a blog post on espionage might be a little more alluring. It might be a little more exciting to you. So I think this is another one where we as a community just have to be honest: some of us just kind of think espionage is sexy and cool and a little bit alluring. That's another reason why I think APTs have caught on.

The last reason is one that not too many people talk about: the idea of where cyber threat intelligence, this field, was created and how it's migrated. This is where I get to go back to my background. I started in this field at the US Department of Defense. You can bet that for the US government, cyber espionage is a key thing we need to worry about. Is it Russia? Is it China coming after us? That is really important. Advanced persistent threats: that's the origin of the term, in the Air Force, by Colonel Rattray. It's important to focus on state-sponsored threats in the government. What's happened over the years is that I, like many others, moved on in my career. I decided to come to the private sector, which is fun and has new challenges. Many other people from government and military did the same. For example, many of you might know Kevin Mandia of Mandiant. He was previously in the Air Force, if you check out his bio. A lot of the people who you think of as cyber threat intelligence foundational minds in this field, in this industry, folks like Sergio Caltagirone, who wrote the Diamond Model paper: a lot of these people were in the US government and military. Why this matters when I'm talking about APTs is that as I and others have migrated from government to the private sector, whether it was Kevin creating Mandiant or other folks like Dmitri Alperovitch creating their own companies, like CrowdStrike, we've taken our thoughts and our biases from the public sector, from the government, to the private sector. And I think that has actually contributed to why the cybersecurity community overall feels like advanced persistent threats, state-sponsored threats, are so important: because a lot of that thinking and the foundations of CTI, many of those are in government sectors.

So we've talked about what APT is, what that term is, where it came from, and why I think it's so pervasive. But so what? Why does that even matter? Why is that harmful? It's the point of my talk title, but how is this harming us in CTI? If our brains are so focused on advanced persistent threats, we can get distracted. We can overlook other threats that might be more pressing to our environments. On some teams, analysts will be divided out: you work on Russia, you work on China, you work on North Korea, you work on crimeware. Well, what if crimeware is the most prevalent threat in an organization? There's only one analyst allocated to it, but three to other state-sponsored threats. That misallocation of resources can be a really challenging piece to deal with, especially for leadership. And this is one of the reasons why we have to really be careful and think about whether maybe we're focusing a little too much on the side of APTs.

The other thing that happens, and many analysts can probably speak to this, I know it's happened to me: you're working on an investigation, an intrusion, you're deep into it, and then something comes out about an advanced persistent threat, a new blog post from someone, a tweet, and your time gets distracted. Maybe that new information is the most important thing to worry about, but maybe what you were already working on was more important. So this idea that maybe APTs aren't always the most important threat is important for us to remember.

Let's take a look at some actual evidence. As I mentioned, our cognitive biases make us think, okay, because of this fear, uncertainty, and doubt, we feel like maybe APTs are really prevalent. What does some data tell us, realizing that no data is perfect? This is a top 10 list from my team at Red Canary. Basically, we go through the telemetry we bring in through our customers and our partners, and we try to figure out, okay, what threats do we see? We've wrapped up all of those, and for 2020, here are the top 10 threats that we saw. We'll be releasing much more about these threats in our upcoming Threat Detection Report, so keep an eye out for that.

Take a look here at this third column: are any of these threats exclusive to state-sponsored actors, or APTs? And the answer for each of these threats (you see we have one group, mostly malware families) is no. None of these top 10 threats my team tracks are only used by state-sponsored adversaries. Of course, some of them, take Cobalt Strike: we know that's a tool that state-sponsored adversaries have used, criminally focused adversaries have used, a lot of different adversaries have used. But a key takeaway that I got from looking at this data set of our top 10 threats is that if APTs were the most important thing, I would expect to see at least one or two state-sponsored groups up there, maybe some of the malware that we know is custom to state-sponsored groups. But based on our data set, what we're seeing is that a lot of it is the run-of-the-mill crimeware-type stuff, or tools and malware that are used by many different adversaries, like Cobalt Strike or Mimikatz.

Of course, it's important to remember all data has limitations. My team doesn't try to attribute to state-sponsored threats. We don't try to attribute to countries. So okay, maybe our data set is limited; we have a different focus. So let's compare to what other people see. None of us have all the data, so in this community we need to really combine our efforts and our visibility.

So take this diagram from CrowdStrike OverWatch. They were kind enough to share this and give me permission to use it. And of course, CrowdStrike does quite a bit of attribution to state-sponsored threats. This diagram breaks down three main categories, and these are interactive intrusions where they were able to say they were fairly confident that they were malicious. The eCrime category you see up here in the light gray, and in this last quarter of 2020, it looks like roughly half of the intrusions they investigated were eCrime. This dark gray here is for unknown or unattributed intrusions that they had high confidence were malicious but just weren't able to attribute with high confidence, which is a topic for another day; attribution is hard. But then you see down here in red, these are the targeted intrusions that they were able to associate and attribute. And so what this tells us, and again, no data set is perfect, is that for the fourth quarter of 2020, for the CrowdStrike OverWatch team, the bulk of the intrusions that they saw were either attributed to eCrime or unattributed, and that's in a group that works to identify state-sponsored threats day to day. No data set is perfect, but as we piece together these data sets, we're starting to get a clearer picture that perhaps state-sponsored threats are not the most prevalent thing that a lot of organizations are seeing.

Another source: Verizon released a Cyber-Espionage Report, and they tracked what they call breach patterns. Taking a look here: web applications, miscellaneous errors, crimeware are pretty prevalent. If you compare, crimeware was 10% of breach patterns versus cyber-espionage at 3%. Now, this isn't saying, well, we know crimeware is always more prevalent than cyber-espionage. There are challenges, because espionage should be a little more stealthy. But we would expect to see that maybe this would be a little higher, or at least we can say 10% of what we saw was crimeware and 31% of it involved web applications, so those things matter too. Again, it's imperfect; as analysts, we have to interpret and assess what it means. But taken holistically, my team, the CrowdStrike OverWatch team, what Verizon has compiled: the data in totality is telling me that perhaps state-sponsored threats are not the most common thing that most teams see.

If we shouldn't focus just on state-sponsored threats, well, what should we care about? The first one, I mentioned it: boring old crimeware. "Ugh, another report on Emotet, it's back again" is a very common saying for analysts. And I think that in late 2020, analysts started to come around to the idea that maybe we need to take a look at boring old crimeware. So, for example, the family known as Bazar, Bazar loader and Bazar backdoor: my team saw very directly what happens when a user opens an attachment with Bazar. We saw some discovery, some trust discovery, and then we saw the adversaries dropping Cobalt Strike. And based on cyber threat intelligence from other intrusions we've seen and others have seen, we knew that we had to move quickly as they moved laterally through this network, because otherwise, almost certainly, ransomware was going to follow. So a lot of people maybe want to overlook, you know, Qbot, Emotet, Bazar: it's just crimeware, it's not sexy state-sponsored stuff. But boring old crimeware is incredibly important to watch out for, because we call them ransomware precursors. And a lot of this boring old crimeware, if it doesn't deliver ransomware, will often deliver some other second-stage payload that steals data. So don't overlook the boring old crimeware.

Next one, and I was leading up to it, because as I said, Bazar ultimately we've seen lead to Ryuk ransomware. We have seen a huge rise in ransomware over 2020, and I do not expect that to change in 2021. This is from my friend Allan Liska, who pieces together public reporting on ransomware attacks. This one shows state and local governments, and you see a pretty steady increase, just based on public reporting, of ransomware against these governments. But sources all over are seeing the same thing; my team has as well. Ransomware is here to stay. And that's one of those threats that, if you find yourself getting completely distracted by state-sponsored threats, you might overlook. You've got to take ransomware seriously.

Ransomware is a pressing threat. But what about this threat: business email compromise? Take a look at these figures. This was for 2019, but I don't expect the FBI's numbers in 2020 will be any different. So, one dollar sign for ransomware, right: 8.9 million dollars of loss was reported to the FBI in 2019. Business email compromise caused 1.7 billion, B, billion, in losses in 2019. That is a lot more. My friend actually double-checked that I had these numbers right. Business email compromise is where an adversary might email someone and try to trick them into wiring money. My CEO might say, "Katie, I need money, I'm overseas, wire money." And this is a threat that as cybersecurity professionals we cannot afford to overlook, right? We can't just get distracted by just APTs; the losses here are huge. And I think with BEC, the challenge is that it's a cybersecurity challenge and also a process challenge, but this is a threat that we cannot afford to overlook as a community.

What I often hear from people as we talk about APTs is this idea that, well, advanced is that first word, so they must use really advanced techniques. Take a look, and let's kind of unfurl this a little bit in this section, using my former team's MITRE ATT&CK framework. MITRE ATT&CK is, of course, a framework of different adversary behaviors. What I've done here is use the ATT&CK Navigator, an open source tool, to create what's called a layer, this matrix here. I just went through, and based on information that MITRE has mapped, I said, let me select the APT groups, groups that are suspected to be state-sponsored or known to be motivated by espionage. So I went through and I just selected those groups, a lot of the APTs from FireEye and others, and I said, let's color the techniques that they use red. Next, I went through and said, groups like FIN7, financially motivated, criminally motivated groups: let me select those groups and color the techniques that they use blue. You can probably guess what comes next: red plus blue equals purple. So in purple, what we have in this matrix are the techniques that we've seen used by both state-sponsored APT actors and financially or criminally motivated actors. Of course, this is a limited approach, a limited methodology. It's not everything that every group has ever done, but it's based on the evidence that we have. You can see there are a lot of purple techniques. What that says, and this is consistent with what my team sees day to day, is that there's a lot of use by adversaries of encoded PowerShell. It doesn't matter if they're state-sponsored or criminally sponsored, they use encoded PowerShell. A lot of these techniques are used by adversaries regardless of motivation. That's another kind of myth I wanted to bust around APTs. There are some techniques that are particularly advanced and exclusive to state-sponsored actors, but a lot of what adversaries are doing, lots of adversaries are doing, regardless of their motivation.

Just an example of that, in fact: over the summer, the Australian government came out and talked about a series of intrusions they called the Copy-Paste Compromises. Right here in the snippet from their report, you can see they called it the Copy-Paste Compromises because the adversaries used tools copied almost identically from open source. Think back to that point I made earlier on what advanced is. Is copying from open-source tools really advanced? Maybe, maybe not, but this is a sophisticated state-based actor. So you can start to see an example of what I said: advanced persistent threats don't always have to use advanced tools, and a lot of adversaries are using the same kind of tooling and techniques, such as those behind these Copy-Paste Compromises.

What's the point here? What does this tell us? As I said, there's significant overlap between techniques and tools that are used by APT and non-APT groups. Of course, there are a couple of very sophisticated techniques (I won't use the word advanced), very sophisticated techniques or custom-built tools to evade defenses, but honestly, those are less common. Maybe it's because we just don't see them, but based on the information that I talked about earlier, right, the common threats we're seeing, it's a lot of the common techniques and tools that are used by lots of different adversaries.

That's the bad news, right? APTs: for a lot of the reasons we talked through, we focus on them quite a bit as a community, and that can harm us by taking our focus away from the threats that really matter. Well, how do you make sure you focus on the right threats? Good news: there is hope. So let's talk through that as we start to wrap up our discussion. Thinking about this problem of focusing too much on APTs, you might ask me, where is this problem, Katie? Where is it in the intelligence cycle? If you're not familiar, this is just the cycle that intelligence goes through: planning and direction, collection, analysis, dissemination, et cetera. In my opinion, the focus on APTs comes in this planning and direction phase. It's kind of what we talked about, right? Those reports that we read, the fear, uncertainty, and doubt, our cognitive biases. And so if we can start to plan for our cyber threat intelligence better, that's going to help us hedge against this problem of focusing too much on APTs.

As part of planning and direction, you have to form requirements. Any CTI team has problems that you want to solve or try to address with cyber threat intelligence, maybe questions you're trying to answer. A couple of examples: maybe you want to know, what assets in my organization are at the highest risk to be targeted by adversaries? Or maybe, what gaps do we have that might be exploited by adversaries using certain techniques? Because if you know the gaps, the defenders can then take that intelligence and fill them. So these requirements, trying to focus on what you actually need from your cyber threat intelligence, the questions you need to ask, are a great way to hedge against focusing just on APTs. Maybe you end up figuring out that you have visibility gaps an APT might exploit. Maybe you don't. But focusing on your requirements and your needs helps you make sure you focus on the right threats.

The other key thing we can do to help us focus on the right threats is called threat modeling. This is a concept that a lot of software creators use as well, but from an intelligence perspective, I think of threat modeling as just matching up us, our organization, our assets, with adversaries and threats, trying to figure out, okay, what do we have that an adversary might try to steal or compromise, and looking at the overlap between those two. That's how you get the threats that really matter to you. I've written about this; there's a link at the bottom if you're interested in threat modeling and an intelligence-based approach to it. That's a whole separate presentation, but simply stated, threat modeling is bringing together what you have that the adversaries care about and trying to think about the threats that might be most likely to affect your organization.

If you don't do threat modeling, here's what happens to a lot of organizations. You read media reports; we all do that. We read blog posts, right? Our leadership asks us about certain threats, and we have in our minds the things that cause fear, uncertainty, and doubt. And so those things become the focus. We think the adversaries that we need to worry about are whatever we're hearing about, whatever our mind tells us we need to focus on. And predictably, if that's what you rely on to figure out the threats you need to focus on, you're almost certainly going to say, we have to focus on APTs.

If you do threat modeling, though, you take time to think about what threats will really affect us. You look at what threats you have seen in the past for your organization or your industry. What's most likely to target you, based on what you've seen, what others have seen, or your knowledge of adversaries? What's most likely to impact you? When you start to think carefully and do threat modeling, that's going to result in you focusing on the threats that really matter. Maybe it's some that I talked about; for most organizations, it's almost certainly going to be ransomware. Maybe the threats that matter to your organization after you do this threat modeling include APTs, and if they do, awesome, that is fine. If it meets your requirements, you might want to focus on APTs. But what I've found for many organizations is that when they sit down and think honestly about the threats that matter to them, it ends up that a lot of those are not advanced persistent threats.

Wrapping up here with a couple of takeaways that I hope you leave this presentation with on your mind. We talked about that term APT. Colonel Rattray created it. It really evolved over time, and generally people use it to mean state-sponsored threats, but it can be problematic. And so I'd urge you to think about how you use that term. Are there other, more precise terms that you could use? Another key takeaway: I'm all about cyber threat intelligence being about informing decisions. Remember, CTI is not all about advanced persistent threats. The point is to inform better security decision-making. Next one: it can be really harmful to organizations if you focus too much on APTs. It can distract your time from threats that matter. But the good news is that by focusing especially on that planning and direction phase of the intelligence cycle, you can start to use things like requirements or doing threat modeling to make sure you focus on the right threats and have the best chance at being able to successfully defend your organization.

You've got some homework. I know it's easy to listen to a presentation; it's harder to action that. So here are action items. Today or this week, maybe just have an honest conversation with your team: how do we figure out what we choose to focus on, right? Or are we just thinking it's APTs? Do we have any kind of methodology? If you don't have a methodology, maybe next month start to build out some requirements, a basic requirements list, and build out some kind of a threat model. That's going to take time to do; it's not an easy task. So maybe a good goal within a year: start to prioritize the threats that matter based on your requirements and your threat model, which will be a never-ending journey, one you will have to face as a challenge for your organization.

And with that, thank you all so much for joining me. Shortly I'll be having a live Q&A. So if you have any questions for me, or you want to dive deeper on any topics, please feel free to join. We'll put that in the chat, and you can find it on the homepage as well. You're always welcome to reach out to me on Twitter at @likethecoins. And with that, thank you all so much. Have a great day.
