After spending 22 years in the U.S. Air Force building the branch’s cyber presence worldwide and reshaping its cyber curriculum, Lance Taylor now applies his background to the private sector. From lessons he’s learned along the way to the best tools for the job, Lance tells us how companies can improve their intel.
MATT ASHBURN: Welcome to NeedleStack, the podcast for professional online research. I'm your host, Matt Ashburn, and personally I prefer intelligence that's handcrafted and locally sourced.
JEFF PHILLIPS: And I'm Jeff Phillips, tech industry veteran and curious to a fault. Today we're continuing our series covering security operation centers and cyber threat intelligence, and we're excited to have a special guest. Today we're joined by Lance Taylor, and Lance is the manager of intelligence and threat management at CLEAR. Any of you that travel have seen CLEAR as you're going through security at airports. Lance is a 22-year Air Force veteran with a career in intelligence and cyber at the NSA and the Air Intelligence Agency. Let's see, Lance, you served as a Korean translator for the U-2 reconnaissance mission. You earned a commission as a Cyber Officer and built out the Air Force's cyber presence throughout the world. You were also tasked in an elite group to revamp the Cyber Officer program and shift the curriculum's focus towards a future in cyber warfare. And my understanding is this is the curriculum that's in use today. Lance, welcome to the show.
LANCE TAYLOR: Thank you for having me. I appreciate it.
JEFF PHILLIPS: Why don't we start with that last one? Tell me a little bit about that curriculum. What was it like when you were in that program and how did the change take shape?
LANCE TAYLOR: When I first started in the program, it was very much geared towards a support role for not only the war fighter, the pilots, and the Air Force mission, but also for everyday business as the Air Force moved further into cyber developments. Everything was geared towards support and focused on land mobile radios, air traffic control systems, and your conventional support network for the squadron. And so, as time went on and the various services, Air Force, Army, Navy, Marines, they all started to move towards cyber warfare as an effective way to accomplish our mission. And so, the Air Force decided, "You know what? It's time for us to revamp our curriculum, move away from a support focus and more towards an offensive and defensive mission as it pertains to cyber."
MATT ASHBURN: That's really interesting. In your career, given all that you've done, what have been some of the lessons that you've learned along the way to make intelligence-focused research better, easier, more efficient?
LANCE TAYLOR: Well, one of the things that I've learned is that regardless of what industry you work in, regardless of the size of your organization, one thing that you always have to keep in mind is, is my program scalable? Can it match the growth of my organization? Or in your particular industry, if your customer base is growing exponentially, you have to be able to protect that. And so, I love automation, I try to automate as much as possible and make my deliverables more scalable, and the support that I give to my internal teams, I want to make sure that's also scalable. And also I want it to be agile, and automation helps me do that, so I guess I would say, one thing that's really helped me, something that I've picked up over the years that I've been doing this, is that automation is integral to rapid dissemination and getting the right information to the right people at the right time.
MATT ASHBURN: Yeah, I would agree that the efficiency and scalability are really important factors, right, of an intelligence team. Has your use of, or your opinion of, tools and exterior services changed at all over the years?
LANCE TAYLOR: It really has. You know, before I joined the private sector - and I spent all of my time in the public sector, pretty much my whole adult life - as I joined the private sector, even though you might have various intel, premium intel providers, they all focus on different areas. They all have different perspectives on intelligence, and they all have different things about them that I really enjoy. So I've learned that there are a lot of differences between providers that may focus all on the same thing, but they all have different contributions. That has really helped me, as an analyst, to be able to have not only multiple sources confirming the same things, but also having different perspectives on the same things that they have confirmed. I really enjoy engaging with those teams individually and asking a little bit more about it and how they approached a particular conclusion, and things that we could do better, you know, when they give us advice on how to make my program better or things that I ask as far as best practices, what are some of the things that your other customers are doing? Is there something that we're not thinking about that we should be doing? I'm always in learning mode, and it really helps to have all of those different perspectives available.
JEFF PHILLIPS: One thing, in some of our earlier, previous discussions, Lance, it seemed like you were an advocate of making an investigator out of everyone, even if it's not in your job description. I know you love information, but can you talk about how that's benefited you in your career and made for better intelligence products, if you consider everyone an investigator?
LANCE TAYLOR: Absolutely. One of the deadly sins that I think we can have as a threat intelligence analyst is a myopic view, or a biased view, about a particular topic, or about a particular attack or tactic, technique, and procedure. And so, by evangelizing, as I put it, about threat intelligence and trying to involve some of my incident responders and my threat hunters in threat intelligence, I feel that I can gain a better perspective and a more holistic perspective by incorporating their thoughts. And also, I become a better supporter of their programs when they tell me, "Here's how we're using the intelligence you're giving me, and here's something that we really lack. If you have any input on this that we could benefit from, it only makes my program better because I'm able to serve my internal stakeholders that much better." That's internally. Externally, if I can involve more folks who are just graduating some of these cyber boot camps and graduating university, or who are just now entering into cyber security, they are incredibly smart. They grew up with the Information Age, they grew up with devices, things that I didn't grow up with. They have a different way of thinking, and then they can solve things a lot differently, and a lot faster in some cases. If I can get more of them into the industry, I think they will be the thought leaders of the future and say, "Here's where we need to go if we're going to stay ahead of some of these threats." Because I can tell you, on the dark web, a lot of these actors are incredibly innovative and they figure out a way. You can have the best defense in the world, but they can figure out a way around that very quickly and very creatively. I think if we're going to stay ahead of that, we need to have some of these new folks coming into the industry with their mindsets and their way of solving for some of these issues.
MATT ASHBURN: Lance, I really like your idea there of including multiple teams, especially from cyber defense, in the intelligence cycle as consumers, or maybe even those people driving some of the requirements for the intelligence collection and analysis. I want to circle back, if we could, on something you mentioned about the need to confirm intelligence hypotheses or different perspectives. What's the role of attribution in that and what's the value of that? There are different opinions on that, I'd like to get your thoughts on what the value is that you see of attribution when it comes to cyber incidents.
LANCE TAYLOR: I think there are some very strong opinions about that, about attribution and the value of that. I think that there are folks who feel that it's just too easy to pretend that you're someone else, and it's easy to make it seem like it's coming from someone else or another country, if you will. There are people who say attribution is of no value, but then there are people in the camp that I'm in, which is that may be true, but there are also other ways that you could potentially validate your hypothesis when it comes to attribution, because you can look at some of the TTPs that are being exhibited by this threat actor. If those TTPs match up with who you think it might be or who you're attributing this attack to, then I think that is a little bit helpful for you to at least form the direction of your investigation. Then if you confirm that that's not the case, you just go back as you normally would and reevaluate your hypothesis. I think one more thing about attribution as far as the value goes is if you can, at least with reasonable certainty, determine who a threat actor might be, you can at least have a general idea of what their motivation might be. If you're familiar with what their motivation might be, then you know what to defend and how to defend against it. I do think that there's some value to it, but I can recognize the merit of both sides of the argument.
JEFF PHILLIPS: Yeah, and I guess it depends on the person's role too, right? If you're the president of a company, let's say, or maybe the CFO of a company, and you've just lost millions of dollars because of a cyber compromise, you probably don't care too much if it's China or Russia, Iran, or some ransomware gang or something, right? But from the cyber defense perspective, it's many times helpful to know what to look for and the other tactics and techniques that they may be using on the network. As you pointed out, too, the motivation can be very valuable to cyber defense as well.
LANCE TAYLOR: Right, and I will add to that that at least according to recent reports, there is an increasing overlap between e-crime and nation-state actors. Even if you've only narrowed it down to nation-state, or narrowed it down to e-crime, that doesn't necessarily mean that it's limited to that realm. A lot of these nation-state actors are moonlighting in their off hours as e-crime actors, and using their skills to further their own interests, monetary interests, after hours. I think attribution is probably going to become less and less relevant as we see more of this overlap, but at least for now, at least it gives you a direction to head with your hypothesis and either confirm or refute your own hypothesis.
MATT ASHBURN: That makes a lot of sense, Lance. Obviously right now you're in the camp that attribution has value. You also said to bring others into the fold, other members of the team, to help establish your hypothesis, so I wanted to reverse that a little bit. Those are things that you think people should do. Is there something that you think folks individually or as a whole, threat intelligence teams, should stop doing that tends to be something that you see going on in the threat intelligence world, maybe they should stop doing certain things going forward?
LANCE TAYLOR: I mentioned earlier that it is, I think, one of the deadly sins to have a myopic view of threat intelligence and saying, "Well, all I need to do for my organization is ingest some indicators and watch out for e-crime." If you take that myopic view, you are excluding the possibility that you might be compromised by a nation-state actor and you may not be necessarily aware of the interest that a nation-state actor might have in your organization. If you're a financial organization or a hospitality organization, that might be of interest to a nation-state actor who is tracking dissidents, or tracking people of interest for their espionage program, something like that. I think people, if they have a myopic view and are limiting what they're doing with their threat intelligence for their organization based on that myopic view, that's definitely something that they should stop doing and have more of a holistic view. Being aware of not only what's happening on the dark web, but also geopolitical events, what's being discussed on social media. On Twitter there are a lot of incredibly helpful cyber security feeds, and they will list some of the most recent malware attacks, and malware that's never been seen before. I think that is a better thing to do for your program and for your organization, is having that holistic view. The other one, which I alluded to briefly, is thinking that just ingesting indicators is enough, and that that counts as threat intelligence. That's nothing more than data. If you really want to do threat intelligence for your organization, you have to figure out how to synthesize that data into actionable defenses and actionable steps for other teams within your organization.
JEFF PHILLIPS: That's really interesting, Lance. I'm curious on the nation-state side. Some things you were saying to stop doing, I guess the reverse of that is to start looking more into the nation-state side of things, and also to start expanding beyond your feeds. Is that from your Air Force background? Or are you seeing in the private sector that focus beyond the e-crime into this potentially being nation-state when you may not have thought they'd have any interest in your organization? Is that starting to permeate through the private sector, do you think, or are we still early days there?
LANCE TAYLOR: It's probably a little bit of both. I think having a military background, I'm always thinking geopolitically and what effect that might have on whatever organization I happen to belong to at the time. Before it was the Air Force, now it's with CLEAR. But I do think that there is a growing threat from nation-state actors within the private sector. Although that doesn't exclude the public sector, obviously, they are interested just as much in our state secrets as they are with intellectual property and anything that will further their goals, whether they be economic or technological. I think that nation-state actors would not hesitate to try to integrate within the private sector. Also as we saw with SolarWinds, I think nation-state actors, or at least nation-state governments, are starting to see the growing value of supply chain attacks. Both public sector and private sector are using some of the same solutions. In this case it was SolarWinds, but a lot of the organizations use the same suppliers for two-factor authentication, for email, and for everyday productivity apps. It would not be a far stretch, I think, for nation-states, particularly Russia and China, to recognize the value of supply chain attacks and to increase those attacks, because you get more bang for your buck in a supply chain attack than you would, let's say, from just targeting the State Department directly, or Mom and Pop's cyber security firm. I think supply chain has sort of changed the game for all of us.
MATT ASHBURN: Yeah, that's an attack that many people have either discounted in the past or maybe just weren't aware of, I think, in the past, too. The awareness of that is giving a great deal of pause, I think, to many people to reconsider where they're buying from. That's a good point.
LANCE TAYLOR: Exactly.
MATT ASHBURN: I wanted to switch gears a little bit as we start to close out here. In terms of tools and services that are out there, are there any go-to tools or services that you'd recommend for folks to check out as they're looking to perform cyber threat intel?
LANCE TAYLOR: Absolutely. One of the things that I take advantage of a lot is Google dorking. I think there's a lot of information out there that is not exactly indexed, and if you want to find out a little bit more information about something, using Google dorks is very valuable. In that case, I might go to Exploit-DB and check out some of those tools. The OSINT framework is another favorite of mine, I'm sure your listeners are very familiar with that, but it gives you, I think, a really good total or holistic list of tooling available for OSINT practitioners. Then also, I don't know if a lot of people are aware of this, but several years ago Bellingcat released a publicly available Google Doc, or Google Sheets, that listed a lot of the sources they use for OSINT. I think they're some of the best in the business as far as OSINT research goes, and they can do some really amazing things. That is another favorite of mine. I go there frequently to look at that sheet. It's broken up in tabs based on what kind of information you're looking for. Then let's see, lastly is a GitHub repository called Awesome OSINT, a lot of really great tools there. I would say those are some of my favorites as far as tools go.
JEFF PHILLIPS: Lance, what could we start doing in the threat intelligence community?
LANCE TAYLOR: That's a great question, Jeff. I think that, among other things, collaborating regularly with fellow threat intelligence practitioners throughout the industry, as well as other teams - incident responders, malware analysts, and so on - I don't think that we share enough in this industry, and I know that everyone's trying to maintain the confidentiality of the goings-on within their organizations, but I think there is a way that we can share at least some of the telemetry we're seeing from threat actors and some of the tactics, techniques, and procedures that we're witnessing to help each other along. We're also not all at the same level. I think that if we're going to help each other grow, then sharing best practices the way we have been, but to a greater degree, with each other would help grow some of these threat intel analysts that we so, so badly need in the organization. Then lastly I would say, integrating threat intel into as many teams as possible internally within your organization. There are so many different areas, vulnerability management, risk, third-party risk, risk in governance, customer service. These are all different teams within your organization that could benefit from threat intelligence, either from breach notifications, to compromised credentials, to indicator enrichment for your incident responders. I'm a real big proponent of pushing threat intelligence throughout the organization to give them a better idea of what's going on in the threat landscape and how it might impact their particular team mission.
MATT ASHBURN: Well, Lance, thank you so much for joining us today. Ladies and gentlemen, thanks to our guest Lance Taylor, a very experienced cyber threat professional. If you liked what you heard today, you can subscribe to our show wherever you get your podcasts. You can also watch episodes of our show on YouTube and view transcripts and other episode info on our website at Authentic8.com/NeedleStack. That's authentic with the number 8.com/NeedleStack. Be sure to follow us as well on Twitter at @needlestack_pod. We'll be back next week with more on SOC investigations and CTI analysis. We'll see you then.