“Which threat actor should I care about today?” That was a question from my client for a few months that sort of plagued my team. The CISO always engaged in the briefing material our team presented, and he seemed to enjoy our discussions about various threat actors, but we always came back to questions about racking and stacking groups. It was an interesting challenge and I am lucky to have been a part of an awesome team that worked together to develop the first iteration of the Threat Box model.

From that initial framework, I modified the category definitions and…

Here’s my GIANT head, drawn by this amazing artist: https://twitter.com/XLarimeX

Whether you are disseminating threat indicators internally to other teams or participating in information sharing programs within the community, context is a critical component of actionable intelligence. When analysts say, “Indicators aren’t Intelligence”, they are often referring to the contextless sharing of Observables that is too common within the Cyber Threat Intelligence (CTI) community. I believe that indicators can provide serious intelligence value, but it is up to the source analysts to provide that worth in the form of context.

Administrative note: In this article, I will capitalize key words to indicate field names and to stress the difference in…

Her name was Raider and she was the best platoon mascot

Be Positive Change. Imagine a workforce full of passionate men and women that care about the outcome of each and every day of work. Imagine what happens when you and I show up every day ready to push forward towards positive change. This isn’t groundbreaking, this isn’t radical, and this isn’t idealistic. A big part of that positive change is understanding accountability and leadership. Teams that are being led effectively and held accountable can literally change the world. Imagine what happens in your office if leaders start stepping up?

The Army taught me a lot of great things about…

One of the best ways to ensure that you have an amazing career that is filled with challenges, enjoyment, and growth, is to consistently work to improve yourself and your surroundings. Early in my Army career, I was taught that it is important to “improve your foxhole every day.” This simply means to find small ways to better yourself and your surroundings every day. With that in mind, I put together a talk for BSidesNoVA 2020 and presented it in our Career Village. The talk wasn’t recorded so I went ahead and recorded a session at home. …

It would be really awesome to map out the most common techniques used by threat actors and prioritize those for detection, right? It would also be really awesome to know what our defense-in-depth capability looks like for the enterprise compared against threat actor techniques. Woah, slam those together and you start to get a picture of true threat-informed defense. I actually proposed something exactly like this in my SANS Research Paper, “ATT&CKing Threat Management: A Structured Methodology for Cyber Threat Analysis”. Academic papers aren’t the funnest things to read, so here’s the TL;DR version.

Activity Heat Map Overlaid onto Notional Inc.’s Defense-in-Depth Map (zoomed section for clarity)

Here are the top techniques found…

So you just read my last article (Developing Team Documentation that Matters), and you’re thinking “cool story bro, but I bet the documentation is outdated in a few months.” And in most organizations, you’re probably right. But in this article, I will discuss a few options to keep your documentation squared away, your material written in “one voice,” and your analysts on the same page going forward. It’s time to talk about team training.

Every team has unbelievable newcomer training, right? Okay, probably not. I promise that building an effective in-house training program is an easy lift once you have…

Heeyooo! You have reached the personal blog of Andy Piazza. TURN BACK NOW! I am the Chief Evangelist of phia, LLC and a Cyber Threat Analyst supporting clients throughout the National Capital Region and beyond. I wear a few other hats for the company, but that’s not why you’re here. (See disclaimer footnote about views being my own)

I decided to take on the challenge of writing about professional matters a few years ago on LinkedIn. Since then, I have seen a decline in written article sharing on LinkedIn in favor of video content. That fact, coupled with feedback that…

My lessons learned and recommendations from developing process documentation, work instructions, and training material for awesome teams.

Admin note before we get started: I’m an analyst and will use analyst throughout this article. Feel free to replace the word with “doer” if “analyst” doesn’t describe what your team does.

Let’s talk about building process documentation, training material, and work instructions. Generally, there are two camps of thinking here: 1) documentation is a useless checkbox requirement or 2) here is a 100-page dissertation on this process that is full of really big words but doesn’t actually say what your people do…

My lessons learned and recommendations from multiple threat feed and Threat Intelligence Platform (TIP) assessments. PART II

A lot of organizations are rushing out to get Threat Intelligence Platforms (TIPs) for their analysts, and rightfully so. The commercial market has done well on selling us the idea that a “TIP” is the solution to enhancing and improving our analytical capabilities. However, organizations that buy into this mantra without first taking the time to define well thought-out requirements may see analysts reviewing and researching the same information in separate silos-of-excellence while seeing no real improvement in program efficiency. In fact, a…

My lessons learned and recommendations from multiple threat feed and Threat Intelligence Platform (TIP) assessments.

There are a few different approaches that I have seen organizations take when it comes to consuming threat intelligence. Teams that have been in the threat intel space for a long time probably started with informal sharing distros (We don’t talk about fight club!) with unorganized TXT files serving as their community standard. These teams likely evolved their sharing efforts into using CSVs, maybe even with some basic structure, before moving on to helping build out projects like STIX, openIOC, etc. …

Andy Piazza

I enjoy writing, mentoring, and sharing knowledge. Read my full bio in my whoami article https://medium.com/@andy.c.piazza/whoami-a5410956fffb
