In this episode for The Pivot podcast, we welcome our guest Teresa Walsh!
Teresa leads the FS-ISAC’s Global Intelligence Office (GIO) to protect the financial sector against cyber threats by delivering actionable strategic, operational, and tactical intelligence products. Based in the United Kingdom, she oversees FS-ISAC’s global member sharing operations and a team of regional intelligence officers and analysts who monitor emerging threats. Teresa began her career as a civilian intelligence analyst with the US Naval Criminal Investigative Service (NCIS) and holds a master’s in political science with a focus on international relations from the University of Missouri-Columbia.
In this episode of The Pivot, Teresa provides insights into the intelligence world, the differences between traditional intelligence and cyber intelligence, the psychology behind the analysts, and more!
The Pivot: Your New OSINT and Infosec Podcast 🔗︎
Brought to you by Maltego, The Pivot is your OSINT and infosec podcast that dives deep into topics pivoting from information security to the criminal underground. Through The Pivot episodes, we aim to share insightful information for beginners and seasoned investigators alike, shedding light on all things OSINT and infosec from an insider’s perspective.
Each episode features one or two of Maltego’s own Subject Matter Experts as the host and an external expert, researcher, or industry leader invited to share their projects, stories, experiences, and advice.
Where to Listen to The Pivot? 🔗︎
The Pivot podcast is available on Spotify, Apple Podcast, Google Podcast, and the Maltego YouTube channel. Each episode is 45 to 60 minutes long and is released on the 15th of every month. Stay tuned with us for more updates!
Tell us a bit about yourself and your work! 🔗︎
Teresa: I head up the intelligence team for FS-ISAC. For people who don’t know who we are, we’re a membership association with thousands of financial institutions being part of our membership. We work with them throughout the world and have people in Brazil, Australia, New Zealand, India, Canada, and all sorts of places.
My team has to keep up with the members, so every day is actually always very interesting. I wake up with messages from my team in Singapore and Australia telling me what’s going on, and then by the end of the day, I’m hearing from the Latin America crew or the US crew talking about what’s happening there.
I think in our world and in our industry, there’s always something going on. It’s never necessarily a dull moment, and it has been a very rewarding job. I’ve been here almost six years to this date. It’ll be my anniversary next month.
What is it like waking up to different parts of the world giving you little bits of information and insights as to what’s happening in and around these areas? 🔗︎
Teresa: On a personal level, I love it because I started out in political science and international relations. I was fascinated about the world and what’s going on around me, which was probably a little bit ironic, considering I was from a really small town in the Midwest of America.
I just really love to understand what was taking place around the world. Being able to wake up and hear from maybe our regional director in Japan or from an analyst in Australia, or talk about the membership in Malaysia or Thailand is just really fascinating to me.
Now with the pandemic, we’re in a remote kind of flexible lifestyle, aren’t we? I’ve always been a bit like that. My mind has always wandered back and forth between work and home life, so it actually works well with me to be able to say: Oh, I need to get a few things done as soon as I wake up, and then focus on personal life, and later get back into the work scheme. The ebb and flow actually works very nice for me.
Talking about your world, what is it like being in the intelligence world? 🔗︎
Teresa: It probably sounds a little bit sexier than it actually is, and I think Hollywood is to be blamed for that. We’re not always in front of 20 screens, stopping attacks as they happen and things like that. It is in some ways very mundane and regular. Waking up, you’re looking at what’s going on, reading a lot of reports, interacting with people, finding out more information, and then analyzing as well as assessing what’s going on.
One of the challenges I always have in the intelligence profession is trying to make sure people understand that cyber intelligence is not just about IP addresses and URLs. It actually is going back to that old-fashioned way of thinking about intelligence analysis. You’re trying to drive decision making and help your decision makers make the best choice possible, whether it’s to invest in a new technology or tighten controls in a certain way. It all goes back, at the end of the day, to that primary purpose, not just for grabbing IOCs and shoving them through your sim.
What is the biggest challenge for getting the traditional SOC team to think differently about the intelligence and use it versus jamming millions of IPs into a tip? 🔗︎
Teresa: I think you need to sit down and decide what you actually want from threat intelligence. What I hear a lot from executives is they’ve read about threat intelligence, heard from a peer that they have a CTI team, things like that, and so they just assume we need one. Without understanding exactly what it is, they decided to just create one. To them, it is about the IOCs. The KPI of assessing the success of your intelligence program is how many IOCs you push through your tip or your sim.
That’s not the right way to think about intelligence. There’s nothing wrong with IOCs because they are the building blocks. I have kids, so I always use a Lego analogy. If you think of Legos, even the biggest Lego picture in the world starts with one little itty-bitty block. You have to have those types of tactical level blocks and should still look into IOCs. It’s just not the only thing about cyber intelligence that you need.
Intelligence should be a part of your business, such as how you make your business and how to make it more resilient? I think that’s where the gap is. The initial mindset at the very beginning when you say we need a cyber intelligence program is to sit down and actually understand what you need and what the base requirement is.
Your risk management program should drive your intelligence requirements, and then your intelligence analysis should go back into your risk management program to help you be more resilient and understand the risk better. However, I think that is probably a mindset gap that hasn’t really been addressed too much yet.
How much of this intelligence is derived or propagated from open source intelligence? 🔗︎
Teresa: I would say a lot of it. In the intelligence world, you often hear analysts talk about multiple sources—multi-source intelligence—and that’s how you stay away from a single source. If you’re just looking at one source, you’re not collecting pieces of intelligence. Instead, you’re listening to somebody else tell a story and believing whatever it is.
Having multiple sources is a way to cross reference and confirm or deny what might be going on. You want to use a variety of sources, whether they’re closed sources from somebody who just had an attack with a sample of the malware used or an open source where its companies might have blogs and podcasts, talking about different types of threats and understandings of those threats.
If you want to go more to the strategic route, you also need to be aware of everything else around you and understand your industry. Because how can you protect your industry if you don’t understand how it works? There is also a level of not just the cyber tools that you need to be aware of, but keeping up with your industry and understand what the bad guys are going to look at, what they are going to go after, and what they are reading about in terms of money movements and databases with attractive bits of information.
In the finance world, I have to learn now about digital currencies. Not just cryptocurrencies, but the legitimate stable coins. The central bank digital currencies that are starting to give rise today. We have to understand that as cyber professionals because we need to be able to protect it down the road.
Do you have any specific tools that you use to gather all this intel or do you have other people doing that for you? 🔗︎
Teresa: A little bit of everything. We do have our own sets of tools. We make use of open source tools, paid subscriptions, and things like that. For our side as a membership organization, we also have a plethora of tools that our own members use. Since we are talking about thousands of members, that’s a huge crowdsourcing potential if you will, looking at a particular type of malware, a particular attack vector, and a particular pattern in an approach of a network intrusion.
I didn’t start out in this type of role, and thus I had to learn all these technical approaches and techniques an analyst uses. I became highly reliant on learning from others and understanding what they were doing and what tools they were using—.trying to crowdsource that information for my benefit at my bank where I was working at. I’ve also carried that over to FS-ISAC.
Use the resources you have around you. Use your peers, use each other, and crowdsource that information. It’s not just you working on your own skillsets and your own knowledge but collaborating and being stronger for it.
For anyone getting into the intelligence world, what are the three most important things in terms of advice that you would give them? 🔗︎
Teresa: First of all, I would say you’re never too old. I think everybody always approaches that question from a young student’s perspective trying to look at a career field. Nevertheless, I was definitely somebody who got into cyber after university. You’re never too old to make a change, so don’t give up on that thought. I know a lot of people in their forties and fifties even have made that leap into cyber. Consequently, I would say just because you’re not a student in your twenties and with the whole world in front of you doesn’t mean that it’s not a possibility.
Second is to find somebody to talk to. Some of the things like these podcasts. I think they’re brilliant because you are teaching people at large how to get into the fields and how to really kind of pursue those types of careers as well. I would say use resources as much as possible, whether that’s on the internet or people. You can get the things that people will never tell you and learn from them as much as possible.
Be open to possibilities as well. Sometimes people get maybe too pigeonholed in one idea or another about what they want to do. I got into this role by accident if I think about it as I never would’ve thought I would be here doing this type of job. Sometimes happy accidents do lead us down great path, so you do have to be open and flexible. If you’re somebody who says, “Nope, I have a plan.” I’m going to check the box and get to that plan. That’s okay too. I would say be open to the possibility along that path, and you’re going to find something else that interests you. Maybe it is penetration testing, threat hunting, or going along the business route and saying you want to make business decisions with cybersecurity in mind. All those things are an open field to you, so make sure you’re looking.
There’s More! Listen to Our Full Interview with Teresa! 🔗︎
If you find the snippets of the interview interesting, don’t miss the full interview!
Listen to our full interview with Teresa to learn more about:
- Which industry Teresa considers to be evolving faster against cyber risks than others
- Her suggestions on how to approach an intelligence program with a risk management mindset
- How she perceives the uncertainty in the intelligence world and the psychology behind an intel analyst
And much more!