Anomali Threat Day: Building the Texas A&M University System Threat Intelligence Program, Presented by Texas A&M University

After you have watched this Webinar, please feel free to contact us with any questions you may have at general@anomali.com.
Transcript
- I'm really excited to have Cody from Texas A&M.
He'll be talking about the challenges associated with developing a threat intelligence program there at Texas A&M.
Cody, let's just start.
Can you introduce yourself? Tell us a little bit about yourself.
- Yeah, hey, Austin.
My name is Cody Autry.
I am the threat intelligence analyst for the Texas A&M system.
Just for those of you in the audience that don't know, A&M is an umbrella system.
We have 11 universities and 8 state agencies.
I work at the security operation center in the system office.
- Perfect.
Thank you for that and welcome to the Threat Day.
So let's just start out-- really like your program.
Can you tell us a little bit about how Texas A&M has built out the threat intelligence program there? - Yeah.
Yeah, my background is not information technology.
I came over from a demolitions guy in the army.
I worked with State Department doing some fun stuff over there in the sandbox for nearly five years but nothing information technology related.
So when I started conversations with A&M about working a threat intelligence program, I started reading up on NIST.
So I follow all the NIST framework for developing the threat intelligence program.
And then, Austin, you remember Dan.
Dan got me hooked up with you guys.
So then I started going through the Anomali playbook.
It's the threat Intel-- the threat intelligence analyst playbook that you all have published.
It's a great, great resource.
So I started following that.
I started a systematic collection and analysis and dissemination of any information that pertains to cyber threat intelligence and then, to the extent of even physical threat intelligence or security intelligence.
So I kind of went with what I knew in a security intelligence program but also turned that into cyber threat intelligence.
- Great, thank you.
So how has Texas A&M collaborated or communicated with other universities or stakeholders? How are you doing that? - So like I mentioned, we have 11 other universities and eight state agencies that all fall within the umbrella.
Historically, every university and state agency was not all a part of that system umbrella at one time.
So everybody has their own infrastructure.
Everybody has their own security infrastructure.
And part of that was trying to just bring everybody in and show them the ROI, that return on investment on having a SOC monitor their traffic.
And then, even further, was the cyber threat intelligence program.
So communication, reaching out, lots of conversations, lots of showing good use cases and other case studies on cyber threat intelligence and really utilizing some of that playbook to offer our services.
And our members-- you have schools like Tarleton and Stephenville that have maybe two people on their security team.
And that is a lot at-- I think they're at like nearly 18,000 students there at Tarleton.
And two people on their cybersecurity team is not enough.
So that's where we really try to help our smaller stakeholders engage and communicate with each other and then communicate back to the SOC, and we can help provide some coverage at no cost, by the way.
Yeah, if we ask for things, we're not going to have them pay for it.
We're going to take care of it.
- That's excellent.
So you all kind of serve as a central hub for this.
So the challenges that you're talking about there around a lot of the agencies or the smaller schools having only a couple of people-- the disparate and the divided environments that sounds like challenges, not just school space but pretty much across the board.
What would you say that-- what are the similarities you see there? What other challenges are you seeing? - Communication is a big one.
That's probably the biggest challenge: trying to find communication and collaboration within the state agencies and the various universities, right? Like I said, everybody had their own security teams before.
So everybody had their own way of doing things.
When a big branch comes in-- when the umbrella comes over, we're not trying to overshadow them because they have that independence to make their own decisions and buy their own products.
But at the same time, we want to ensure that system policies are in place, and we're going to help them increase their security overall.
With Anomali, I got every system member-- I had to go out and find a point of contact, which was very painful.
- I remember this one.
- Trying to find somebody that would talk to me from each stakeholder.
And then I said, OK, now-- and it might be the ISO.
Here I am just a new guy in threat intelligence and information technology or cybersecurity, really.
And I'm-- who is this guy emailing me saying, hey, I want to talk to you about threat intelligence.
So sometimes that was an ISO.
Sometimes it was other security analysts, and I had to go out and talk to them.
And this was all during COVID.
So that was also another challenge there: everything had to be over email and Zoom.
There was no face to face.
Now there was a couple of times where-- I'm a very face to face person.
I showed up on some doorsteps knocking on the doors, like, hey, I want to talk to you.
So I was very persistent.
- For you, yeah.
I do remember those conversations and challenges faced there.
How would you say-- I mean, around distributing the intelligence, how has that gone for you? Being able to share them? No secret here, Texas A&M is using Anomali.
But what have you all done specifically to share that intelligence with other organizations? - So I went out and started to create-- this was one of those challenges, right? So I said, OK, we'll use Anomali.
We'll use the TAXII sharing, or we'll use our ability to create threat models or import intelligence.
And we'll be able to get that to our stakeholders.
So I'd go in every once in a while.
I do like a user audit, and I'd look and see which universities-- who was logging in and actually using the Anomali threat stream after I provisioned an account, after I trained them on it.
And I'd go in and see that some of them haven't used it since the day that we did training on it.
Oh, man.
OK, so I need to reach back out to them.
That means they're not getting the information that I'm trying to disseminate.
All right, I've hit a roadblock.
What do I do? So Nick McCarty and I got together and Dominic DerTatevasion, the director of the SOC.
We all got together and said, OK, let's figure out this.
What can we do? So we created an additional email distribution.
We created intel@SOC.tamu.edu.
So OK, now we have this email distribution list, and I included all the ISOs on it.
I put security analysts on it because at the end of the day, it's the security analyst that's going to be taking those actionable items and doing something with them.
So then I started pushing threat intelligence from Anomali, wrapping it up in that intel@SOC email address and distributing it out.
And since then, I've seen a lot more buy in into threat stream.
I've seen a lot more users.
I've had a couple other stakeholders actually come to me and say, hey, my coworker has this.
Can you get me an account? Can you provision me one? Absolutely, let's get started.
- That's great.
That's exactly the story you like to hear.
So in the way of security practice, how have you or how have you seen the other agencies and schools incorporate CTI into the security practices? What is the value of doing that? - So as I mentioned-- say again? - What is the value of doing that? CODY AUTRY: That value? - Yeah.
- So like I said, some of these teams are extremely small, and they're hurting.
Prairie View A&M, they suffered from a ransomware attack back in February, I believe.
February, March, it was during winter-geddon here in Texas.
So they suffered a massive ransomware attack, PYSA ransomware group.
So for those of you on the call, PYSA targets higher education very heavily.
They're constantly going out and targeting higher education.
So where's the value in CTI? Right there.
Now we have adversary monitoring capabilities.
That's part of Anomali, the threat stream, the intelligence initiatives.
So that becomes part of our intelligence requirements that we create, we refine, and we help with those partners, with our stakeholders continually and just develop those intelligence requirements.
So the value is hopefully we won't suffer another ransomware attack again.
We've been able to do very well since then.
We've reached out to multiple stakeholders-- it's a shame that it takes an incident to get people to buy in.
But you know, that's-- I can't remember who said it.
I think it was Churchill said, never let a good incident go to waste.
So sometimes you just have to capitalize on that.
- That's great.
How would you say-- how has it bled into your strategic practices around security in general? - So at that strategic level, the C-suite, our executives, that's really where that return on investment needs to show.
They like to see numbers.
Everybody knows that.
And they like to create policy, or develop policy.
So working with Anomali and Flashpoint-- Flashpoint's another partner that we use-- we've been able to reach out, create rules, or create threat feeds, or keyword alerts in Flashpoint and rules in Anomali Threat Stream.
And we were able to actually monitor and discover that there was a bunch of credentials that were getting breached and compromised-- is the correct term, actually.
So these credentials were getting compromised.
And with higher education, the lifespan on those usernames and passwords is fairly long because in higher education the students will use the same edu account for walmart.com because they get a discount.
But they'll use the same password as their net ID or their SSO.
Then walmart.com gets breached.
The credentials are compromised.
And then now, those credentials are being sold on an illicit marketplace somewhere.
So with those rules, we were able to bring in and say, hey, these threat actors are-- they're not only collecting the username, password, but they're also collecting browser history, the logs, and cookies, which if you read up on it, you can use those cookies to bypass multi-factor authentication.
So then we went back and readdressed the policy.
So policy said that you can do a 60 day remember me with multi-factor.
That is a long time.
So at that strategic level we addressed the policy.
We changed it to five days, which is a lot shorter than 60.
So changed that to five, and here we are today.
- Perfect.
So I've got one more question for you.
Actually, I've got two for you.
One is tell me about what Texas A&M-- I should say share with everyone what Texas A&M has done with your student body, how you're incorporating the next generation of cybersecurity experts into your program.
- OK.
So we have-- we're nearing 40 student workers right now.
Our student workers are our tier one security analysts.
These student workers come from mostly computer science backgrounds, but some of them are coming from either engineering or-- I have a couple of grad students, actually, that are just interested in getting some of those technical skill sets that they never learned before at the SOC.
So they can then go and work in an intelligence agency or something like that.
So we also have the defense cyber leader development program, DCLDP.
These programs are kind of a pipeline to address some of those skill sets that are needed in the workforce-- operations research analyst, network operators, the reverse engineering, vulnerability researchers, and any of the information operations, interrogators, things like that.
We help develop those student workers that we have.
We pay them well.
We get them into the program.
We train them.
We have a couple of summer internships for them, and then I bring some of the student workers into the cyber-threat intelligence program.
So for me, on my side of the house, ex-military, so I make them take the initiative to come to me.
I'm not going to go out there and recruit them.
I want you to come to me, and I want you to take initiative.
So for those students, I utilize Anomali University.
So that's kind of my first step to bringing them in.
I'm the only one here.
I don't have a lot of time to sit down and train 40 student workers.
So with using Anomali University, that's kind of like their-- let's get your books started.
That'll give them a week to do that.
And then I'll bring them into my office, and we'll get hands on training.
- That's excellent.
I love the program.
I think it's great.
I always love hearing more and more about it.
And actually, that plays perfectly into my next question.
You mentioned an article that you read that kind of got you ramped up on cyber threat intelligence.
Coming from the military background, not having had that experience, I will say your-- I've seen your capabilities and skills just grow exponentially over the last couple of years.
Kudos on that.
And what would you-- what are some resources that you would say, hey, here's some great resources for students or even for faculty in education that are not familiar with cyber threat intelligence or security in general? - All right, I'm going to throw this guy a plug because he's the first one that comes to mind-- Professor Messer on YouTube.
- Professor Messer.
- Yeah, YouTube University has been great for me.
AUSTIN: OK.
- I think I'm going to have a self-proclaimed PhD by the end of the year, maybe.
AUSTIN: That's great.
- Yeah, he's the first one that comes to mind, for sure.
There's also another program out there.
It's the FIRST, Improving Security Together.
It's first.org.
They have a good curriculum for cyber threat intelligence specifically.
Professor Messer is more on cybersecurity holistically.
But for cyber threat intelligence, first.org is a great resource.
And then of course, Anomali has a ton of great publications.
So obviously, if I need help, that's where I start is with the Anomali help button and getting in there and looking at the publications that y'all have first.
But outside of Anomali, for sure first.org and Professor Messer are my two go-tos.
- That's awesome.
What was the article that you referenced at the beginning again? - Let's see, was it the article in regards to multi-factor? - No, I believe it was CTI landscape.
- CTI Landscape? Oh, we'll come back to that.
- We'll find it.
It's on our website if anybody wants to go look for it, under Resources.
So OK.
Well, Cody, great conversation.
Thank you so much.