You're Doing it Wrong
I should be building something useful right now. Instead I am obsessing over the toxicity flowing around a keynote at a conference six hours away. I agree with most of the original author's sentiment, but this one line really got to me.

A screenshot of an unattributed social media post that reads, "Talks about every threat intel bros favorite topic — imposing cost!!!!!!!!!!! — and working with FBI to bring consequences to criminals" The post is timestamped April 29, 2025 at 1:51 PM.
Can we please stop labeling everyone as bros? Threat intel is not an NFT.

For some reason the dismissive labeling in this post cut deeper than usual. It probably has something to do with the fact that I'm a 40-year-old, bearded white guy and Marine vet who just quit my job at the FBI because of what the current administration is doing to our country and asking of the federal workforce. I've also been missing out on a lot of the cybersecurity jobs that I've been interviewing for, where topics like "imposing cost" have come up.

My imposter syndrome has been telling me I haven't closed the deal in an interview yet because after 13 years as a threat intelligence analyst at the FBI, I'm somehow still not good enough to cut it in the private sector, but now I'm wondering if this type of false equivalence is more to blame.

To be clear, I strongly believe the current administration is destroying everything I've spent the last 20 years of my adult life fighting for. This is why I left government and won't be going back anytime soon. I also believe foreign adversaries who attack our hospitals, elections, and critical infrastructure should pay a steep price in order to deter future generations of criminals, terrorists, and dictators from choosing the same path.

These two positions are not mutually exclusive, and to falsely associate the latter with some sort of far-right ideology does far worse than just hurt me individually. It's holding back an entire industry that should be dedicated to reining in a threat forecast to exceed $10 trillion annually this year with losses trending upward year over year.

By contrast, a 2002 study published by the Federal Reserve Bank of New York in Economic Policy Review estimated the total cost of the 9/11 attacks on the World Trade Center at roughly $60 billion when adjusted for inflation.

A Little Background...

This would probably be a good time for me to introduce myself, and share why it hurts so much to get lumped in with the likes of the current cabinet. As already mentioned, I do look the part after all. I grew up in rural Oklahoma and spent most of my summers wandering the countryside barefoot doing very rural things – and I loved it! That's an obvious exaggeration, but you get the picture. I was 'country.'

Those were 'simpler times,' but times that I wouldn't soon go back to. For anyone who's ever attempted to revisit an earlier phase of their life and realized that fondly remembered utopia doesn't exist anymore (and probably never did), you know what I mean. We tend to cling to the good memories and look past the bad, but it's our collective experience that makes us who we are now and in the future.

When I think back, I don't just remember four-wheel drives and Friday night lights. Yes. I played sports. Yes. I enjoyed hunting, fishing, and working on old cars. To summarize my formative years in the context of a movie that probably didn't age well, I basically grew up on the set of Varsity Blues. But, I was never Mox, Tweeder, or Billy Bob. I never quite fit in with that crowd despite being firmly embedded in it.

Back then it was the usual high school bullying that drove me away; the constant attempts of insecure young men to establish dominance over each other one way or another was too much. So, what did I do? In January 2005, one semester shy of completing my associate's degree in criminal justice (and having to figure out what I'd do next), I dropped out of my local community college and enlisted as an infantry Marine in the United States Marine Corps. That would show them! It also got me out of there.

I was never a model Marine. I caught pneumonia during boot camp, which caused me to graduate a cycle behind schedule. I was always pushing the top end of an acceptable weight, but I kept my body fat down and eventually managed a first-class PFT. That didn't mean I was weak, though. The band of misfits I ended up joining in 1st Tank Battalion didn't tolerate the weak. In fact, I highly doubt some of them were fans of the term 'tolerance' at all. The military between 2005 and 2009 should have been a big blinking red light for what was to come for our country.

I'll never forget the day my first platoon sergeant walked in to admonish the platoon because of an attempt by some to change the platoon crest to a Totenkopf (an emblem a few of them had proudly tattooed on their bodies). That was the day I learned the importance of investigating the symbology of imagery. Up until that point, I just thought they were assholes. I had never met a Nazi before, and in retrospect still didn't fully grasp the severity of the situation until years later when I also realized another platoon sergeant I had worked for was an early advocate for the Three Percenters and had clearly tried to recruit some of his junior Marines into the cause.

Needless to say, parts of my Marine Corps experience didn't differ significantly from being on the high school football team. The name calling persisted. The most significant difference was probably simply that I'd gotten better at defending myself. I'll never forget my first deployment to Iraq in late 2005 when my Totenkopf-tattooed squad leader decided to escalate to physical violence against me in front of our entire squad. In true Nazi-style, he overestimated his ability and ended up embarrassed and immobilized by a chokehold in front of all of his Nazi buddies. That same "leader" later ended up being stripped of his rank and dishonorably discharged after a court-martial for hazing another Marine. In the intelligence field we would have called that an indicator.

My time in the Marine Corps wasn't all bad. I also served with some of the most selfless and dedicated professionals I've ever met. I learned the difference between good leaders and bad, and later became a platoon sergeant myself. The Marine Corps solidified the importance of a variety of leadership traits in me, and most importantly set me on a path dedicated to protecting the American people and upholding the Constitution of the United States. Let's get back on track.

"Imposing Cost" Matters

As an infantry Marine, I was also taught that terrorism is defined as

"the calculated use of violence or threat of violence to inculcate fear, intended to coerce or to intimidate governments or societies in the pursuit of goals that are generally political, religious or ideological."

The important takeaway in this context being the use of threats, fear, and coercion against society in pursuit of political goals. Sound familiar? After joining the FBI, I learned 18 USC 2331 defined 'international terrorism' as activities that—

(A) involve violent acts or acts dangerous to human life that are a violation of the criminal laws of the United States or of any State, or that would be a criminal violation if committed within the jurisdiction of the United States or of any State;
(B) appear to be intended—
(i) to intimidate or coerce a civilian population;
(ii) to influence the policy of a government by intimidation or coercion; or
(iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping; and
(C) occur primarily outside the territorial jurisdiction of the United States, or transcend national boundaries in terms of the means by which they are accomplished, the persons they appear intended to intimidate or coerce, or the locale in which their perpetrators operate or seek asylum;

See where I'm going with this? When I look at the cybersecurity landscape and foreign adversaries are attacking critical infrastructure and lobbing veiled threats of violent confrontation against the US and its allies, it doesn't look all that different than terrorism to me. Now, I know what you're thinking.

No. I am not advocating for designating a bunch of APTs or their benefactors as foreign terrorist organizations, nor am I suggesting we start launching drone strikes in China or invading North Korea. I am suggesting there are some of us in the field who have spent the last two decades creatively imposing costs on amorphous threat actors and made quite a substantial dent in a couple of terrorist organizations' abilities to effectively operate online. I'm also suggesting there are some lessons to be learned from these successes that translate very well to cyber defense.

Beyond Defensive Frameworks

For example, everybody in tech seems to love a good framework. Personally, I think the trend has turned into a way for managers to provide checklists to their staff, and it's getting a little out of hand. Nonetheless, take the MITRE Engage framework as an example.

When I said MITRE you probably thought ATT&CK, right? Don't get me wrong. MITRE ATT&CK is a vital knowledge base, but the name is deceiving. ATT&CK is a shield to Engage's spear. If you're not mapping ATT&CK techniques to adversary vulnerabilities and engagement opportunities, then you haven't really progressed since the bad old days of 'patch and fix.'

I know, I know. Offense is scary. Lawyers get more involved than they already are, and it requires a level of creativity that is quite literally outside of the boxy perimeter of defensive operators' usual comfort zone. On the extreme conservative side, some companies go as far as telling CTI analysts to limit their research to summarizing academic papers and YouTube videos. If this sounds like your company, please stop. You're only hurting yourself (and your investors).

Take celebrity streamer Kitboga's recent successes leveraging AI voice clones and scam baiting fraudulent call centers as a positive example. With little more than a garage startup, he's been preventing entire call centers from reaching actual victims. It's a textbook adversary engagement strategy at a bargain basement price. Imagine what a billion-dollar company building and staffing MDR services for Fortune 100s could do if they put their mind to it. SOCs, threat hunting, and incident response are still extremely important, but the industry focus is on the wrong side of the chart. Then again, it's probably a lot harder to quantify the value of defending against attacks that never happened.

Hire Software Engineers

While I'm airing grievances, I'd also like to touch on the importance of hiring professional software developers and engineers in cybersecurity organizations. No, I'm not talking about security engineers who can code. I'm talking about software developers who often need to be reminded about security fundamentals, but consistently churn out code more elegant than Jackie O herself.

I see far too many organizations shrinking their talent pool in hopes of finding the one unicorn who can quote from all the new frameworks, reverse all the malware, build and run the detection platforms, and then create and deliver sales content at conferences and online. These are all different jobs. I'm convinced the substitution of security engineers and analysts who can code for actual software developers is why all of the largest security failures in recent memory initiated with vulnerabilities in security products themselves.

Yes, as an analyst I often like to moonlight as a DevOps engineer. I even do a little hacking from time to time. That doesn't mean you get to cut out the developers. Like it or not, you need people focused on user experience and software design patterns if you want products that companies can deploy correctly.

Moving on...

Ugggghhhhhh... Ick.. Yuck! There. Now that I got that out of my system... I know that's a lot, and it might not land well with some. I'm still a work in progress, and sometimes I say too much, but I hope we can stop getting tangled up in unproductive side quests and focus on the real tasks at hand. I'm going to get back to building my death star.

What I should have been working on today is currently more of a life raft. For those curious I'm trying to compile a cheap and replicable system (er, framework?) for security research while navigating my current independent status. I'm also working on documenting my internal threat modeling process to articulate how I approach the challenge of operational security and managed attribution when researching organizations and infrastructure that would rather not be researched. It's nothing fancy for now, but you can follow along and even try parts out for yourself on my new GitHub page.