Welcome to Defender Spotlight! In this blog series, we interview cybersecurity defenders of all varieties about their experience working in security operations.
Editor's Note: When we originally approached Rebekah for the Defender Spotlight series, Komand and Rapid7 had not yet discussed acquisition. Some time after the interview, it became clear that Komand would be joining the Rapid7 family. The timing of the DS interview with Rebekah was purely coincidental, but a delight nonetheless. :-)
In our newest edition we're featuring Rebekah Brown from Rapid7. Rebekah is not your traditional incident responder; she has a long history in cyber threat intelligence, and brings that knowledge with her to every incident she investigates.
When we spoke with her, she talked in-depth about how threat intelligence can inform and improve the incident response lifecycle. She practices these concepts in her day-to-day life as a defender, and she’s even co-authored a book on this very topic called Intelligence-Driven Incident Response.
Tell me a bit about yourself, and your background?
I am the threat intelligence lead at Rapid7. I’m responsible for many things: from supporting our many different products to making sure we’re properly capturing and educating on threat aspects. So for example, things like vulnerabilities or incident detection and response.
I also work with our MSSP services and incident response services — that’s really the foundation of where our incident information comes from. With that info, I help our services teams figure out how to detect attackers and how to properly respond, even if attackers are changing. The goal is to also, hopefully, detect future activity faster.
As far as my background, I kind of stumbled into information security. I started out as a Chinese translator in the Marine Corp. Turns out, we had some issues with hacking and the networks at the Department of Defense. So they asked me to bring my intelligence approach to help solve this problem.
It was a lot of fun; I enjoyed it much more than I thought I would! I come from a family of engineers — my dad is a hardware and software engineer, so I knew many of these things. But I had never thought about applying them with an intelligence-focused approach. I really loved it.
From there, I just kind of kept running with it.
That's really neat. Was Rapid7 your first full-time infosec job?
No, actually. So after I left active-duty military, I became the cybersecurity program manager for Orange County, California, for their DHS fusion center. That was the first time I worked outside of the intelligence community. I worked with many local folks — like businesses, state and government organizations, police and fire departments — to help them understand why they needed to worry about cybersecurity in the first place.
Many of them didn’t have security programs going, so their IT guy doubled as their security guy. It was a really cool experience to help people figure out how to approach having a more secure network and workforce. And of course, as many of us know, state and local organizations don’t have a lot of money, so we were doing this with limited resources, time, and budget.
This was a pivotal moment for me, because I realized how important it was to understand the exact threats you’re facing, especially at that level. This is true no matter if you’re government, or a private business. The threats that the federal government and the private sector face are very different, so we needed to approach them different.
I learned a ton about how to customize programs to an organization’s threat landscape: from a response perspective and from a “where do we even start” perspective.
I headed back to Portland, Oregon — where I’m from — after Orange County. After that, I left Orange County — not because I don’t like California, but us Pacific Northwesterners don’t deal well with too much sunshine.
When I moved back to Portland, Oregon, I worked for Nike to help them stand up their cyber threat intelligence team, which was a lot of fun. I got to move from that “state and local, no support and no budget” place to a Fortune 500 company with ALL the budget.
On that note, moving from a resource-constrained organization to an organization where the sky's the limit, can you talk a bit about what that difference of scale was like?
So I gave a talk at 44CON last year that was a culmination of all these experiences. The talk was called “The Frugal Girl’s Guide to Threat Intelligence”. It was about how to decide what you really need, and how to make the most of what’s available to you. I actually learned this not from the “resource-constrained” world, but from the “all you can eat” world.
Because it’s so easy to say, “I’ll have this, I’ll have that, I’ll have one of EVERYTHING.” But I realized that this can make your job harder. It can make your job harder to understand what you’re dealing with, and how to apply these tools in a way that will truly help your program. It will just overwhelm everyone. So I like to take this approach:
- Build your threat profile
- Understand what you need to focus on
- Look for tools that will help you meet your goals and fill gaps
I like starting with open source. Free feeds and tools help you really understand how you and the team will operate without investing too much budget. You start understanding what’s important to you from a data source perspective, from a workflow perspective. You’ll learn things like “This is great, it will work for us, but it doesn’t scale” or “This is great, but we’re missing these features”.
From there, you can start transitioning to commercial tools to help fill the gaps and needs. Otherwise, you can get overwhelmed. There is no shortage of good tools and resources, specifically for threat intel, but you can’t get them all and assume it will help make your workflow more efficient.
Many products are are building in concepts like machine learning to help make workflows more efficient. What are your thoughts on that?
When we hear about concepts like machine learning, we hear it as a security buzzword. But I’ve seen it done right, and there are really cool ways to use it when we can apply our own understanding of what good and bad activity look like.
You can then use machine learning to start pulling out the patterns that a human analyst may not have seen on their own. But then they can analyze that data and say, “Aha! I see why this is not normal” or “No computer, learn better. That’s just a user doing something new for the first time.”
I am also super lucky at Rapid7, I have an awesome data science team. They always correct me when I say machine learning. They’ll say, “supervised learning, Rebekah. It’s supervised learning.”
You can use technologies like automation to be better and faster at sensing patterns, but you still need a person in there inputting, dictating, and tweaking algorithms.
We talk about how easy it is to get bad data into threat intelligence feeds. We just had this most recent DHS report on North Korean DDoS. They have common Windows binaries listed as IoCs, and it’s so easy to get bad data. If we just feed that into machines, and it makes decisions based off our bad data, then we’re just causing more problems down the road.
We have to get a lot better at our own data sources before we start trusting computers to make those decisions for us.
Let's talk about training and the cybersecurity talent shortage. Do you think there’s a way around this?
I'm a co-author and instructor for the SANS threat intelligence course, Forensics 578. My co-authors are Robert Lee and Jake Williams, whom are both great incident responders.
As an instructor, I disagree that it’s difficult to find capable people. I’ve seen people come from every background, from every walk of life — former FBI agents, CS students out of school, you name it. When you start walking through the process, you walk students through how to approach an incident, how to use intelligence to augment the process, and how to use incident response information to build and generate intelligence for the future.
It resonates. People from different backgrounds also bring new approaches to the table. It does rely on on-the-job training. Training provides a foundation; it provides people with the concepts. But application of the principles is necessary.
Many organizations want senior talent, but in order to become senior, you need someone to take a chance on you. Can you talk about that a bit?
I love teaching and mentoring. When I was in Orange County, DHS gave me 3 of their cybersecurity interns. One intern ended up taking over my job when I left, and another just messaged me to tell me she was accepted into Boston University’s Masters of Computer Science program.
This is a girl who studied counterterrorism, but she found her way into cybersecurity. She found people that would answer questions, point her at some good resources, and she’ll be one of those senior people soon. Yeah, it’ll take her a few more years to get there, but she’s on her way.
There are so many capable people out there, with so much potential. We don’t live in a world where working with computers is an isolated demographic. We say a lot of terrible things about users, but we’re coming into a world where everyone grows up using computers. They have to understand how they work. We’ll start seeing many different levels of experience, but a lot more knowledge than we’re used to.
We’ll probably continue saying we have that talent shortage because of the seniority issue, but there’s so much potential out there. These people are passionate and smart. They get it.
Do you have any last pieces of advice to give?
Ask questions. This is the intelligence-analyst in me. When you start to pull in data sources and do analysis, you always run into new things that you don’t understand. I’ve never had a problem raising my hand and asking questions. I believe this is one of the reasons I’ve been successful; not just in the information security field, but with intelligence work in general.
You have to ask questions. One of the downsides of our community is that we’re afraid to ask questions, afraid to appear like we don’t know everything. We’re used to the RTFM answer, but I think we’re also thankfully getting away from that.
There are so many people out there willing to mentor and explain things. One thing I tell my students is this: for that 1 jerk that is rude about your question, you’ll find 10 more people that are happy to answer and explore the question with you. Then you can give back and answer that question for the next person that asks it.
So be curious, and don’t be afraid to be curious.
What a treasure trove of knowledge and wisdom from Rebekah! If you enjoyed learning about her and the work she does, you can follow her on Twitter. We’re also releasing a separate interview with her on the topic of Intelligence-Driven Incident Response. Stay tuned for that soon!
If you enjoyed this interview, you can check out other inspirational thoughts from fellow defenders: