Mental Health and Burnout in CTI

Shinigami
May 27, 2022

In honor of mental health awareness month and because it is such an important topic in the cyber threat intelligence (CTI) field, I’ve decided to write a short blog post on the topic. In it, I’ll outline some of the cultural realities and provide some emotional intelligence (EIQ) resources towards the end. Disclaimer: you may cringe at certain points when reading this because the content resonates with you, because it is a behavior currently descriptive of you or an experience you have exhibited in the past. Please know that self-awareness is the first step towards helping take responsive actions and make proactive changes.

Yo Dawg, I heard you like Threat Intelligence so I put some intel out on threats to you

Being a cyber threat intelligence analyst is probably one of the coolest jobs that exists. The work we do has demonstrable impact in helping safeguard organizations or protect national security from nation-states and cyber crime programs alike. We get to support investigations, draw trend lines from our data set, hunt for related cyber artifacts, write detections, and synthesize our findings into actionable intelligence that empowers stakeholders to make informed decisions. In a way, we are a hybrid between Sherlock Holmes, Q from James Bond, and a modern day Henry Kissinger. Yet, with great power comes great responsibility and also the propensity to push ourselves beyond the point of exhaustion into a state of burnout and even chronic stress. Let’s unpack some of the common behaviors and related drivers.

Individuals who gravitate towards the CTI discipline tend to be high performers that are intellectually curious and mission driven. These individuals are willing to make sacrifices in order to achieve mission outcomes by working long hours over sizeable stints of time. This is driven by their passion, their understanding of the time-sensitive nature of the work, and the “hero syndrome” that results in knowing that timeliness matters in having a tangible impact/mission outcome. Regrettably, this drive sometimes comes at the expense of our mental or physical health or relationships with others like family life and marriage.

I have most often seen this occur in times of crisis. Let me give two recent examples:

1) On the vendor side, when Russia’s “special military operation” in Ukraine began on 24 February, those of us in vendor space had enough experience and data points to understand it was going to be a long and windy road for us ahead. Senior analysts across vendor space, especially those who came from a government background as CTI analysts, understood the implications: the quicker we start identifying intrusion activity, the quicker we can push signatures to security controls and share information to help support collective defense to rebuff the effects of Russia’s cyber program. Concurrently, the strategic analysts started considering the requests for information coming in about collateral damage, spillover effects, escalation in targeting calculus, and deployment of previously unseen capabilities and against whom. The idea of blended kinetic-cyber operations or the use of cyber operations in support of military objectives is something not often considered outside of government spaces. During this time, I saw several highly capable analyst friends of mine working 12–16 hour days 6 days a week or more for several weeks, reverse engineering malware, analyzing telemetry data, generating hypotheses to explain or attribute behaviors, and pushing insights to the customers and the broader community. Seeing your peers pushing themselves to work the long hours then acts as an indirect cultural driver whereby you feel guilty for not doing the same or don’t want to look bad in the eyes of your boss.

2) For organizations, news of the Log4J vulnerability exploitation caused several teams to take an all-hands-on-deck approach to work across teams to create representative risk assessments. The first issue most organizations encountered was identifying exactly what Log4J was and getting smart on it. In a lot of ways, the same thing happened with the APT29 SolarWinds operation — most CTI analysts had no idea that SolarWinds was an asset inventory system and fewer could identify if it was used as part of the organization’s technology stack. What made Log4J radically different was just how deeply integrated it was into several products, so it required more than writing a quick regex. Chatter on the SANS advisory board email distribution was quite telling that this wasn’t just a CTI problem, but after a week or so, members of the info sec community were sharing ways to perform discovery in the environment, with some more rigorous than others. For those who worked this issue, you have my utmost respect knowing you likely worked very long days over the course of a week or more.

There’s an edge case worth addressing here, too, on the topic of burnout that I have also found with our highly talented CTI community: it is easy for us to use work — something we are good at — as an excuse not to deal with other life situations. If we work more, show results and high performance, then we can feel accomplished while downplaying or outright ignoring other issues in our lives. I have personally found myself doing this a lot more, especially since the COVID-19 pandemic started. The intrinsic need here is safety, comfort, and the need for validation.

Know Thyself

One of the most famous quotes in Sun Tzu’s “The Art of War” is “if you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” CTI is a marathon and not a sprint. In order to keep pace, we first and foremost need to know ourselves and our limitations and then work with management to ensure we are given the proper time and space to recharge our tanks of mental, emotional, and physical energy.

Beyond scheduling time off to remove yourself from the stressors of work, conventional guidance includes taking breaks, going to work out, establishing fixed cut-off points, or undertaking a restful hobby like listening to music. I also try to find and entertain levity when possible, whether that is thinking of a witty name for a paper you are working on like “She Doesn’t Even Go Here: The Role of Contractors in the Cyber Threat Landscape”, creating or using an appropriate, highly relevant meme in conversation, or developing an awesome project that will boost morale for the masses like Red Canary’s “Threat sounds vol. 2: The 2022 Threat Detection Report playlist”. I’m getting slightly preachy, so I’ll cut it off after offering these three additional suggestions:

1) You never know what someone is going through in their life or what type of day they are having, but offering words of encouragement about the rad work they are doing or how impressed you are with a project can have a huge impact on helping improve their mood, refill their energy level, and appreciate the work culture and one’s colleagues. Likewise, having a support network, checking in with your peers, and offering an ear to listen has the ability to go a long way. During the Ukraine invasion, for instance, one of my most talented colleagues, Gabby, started implementing a check-in with our Russia watchers crew. I won’t speak for James, Josh, or Ryan on this one, but I cannot express just how impactful it was, letting me introspect, take my temperature, and if needed vent or seek out advice. Gabby — you are my hero for so many reasons, but huge hat tip for that initiative.

2) Check in with your manager frequently, especially as work starts to heat up. While managers try to be proactive, it is sometimes hard for them to have a good pulse on where everyone is, especially if they have a lot of subordinates. Being explicit and proactive about where you are on the burnout scale allows the two of you to plan accordingly to get you time off, offload some of your work to other members of the team, and not put additional responsibilities on your plate for some time. Remember, people are any organization’s #1 asset and managers usually are trying to do right by you to retain talent, including managing burnout. I realize that last statement might not apply for US Government folk, where managers aren’t usually hired for their leadership qualities; instead they are promoted from within, usually trying to get their GS-15, SIS, or SES.

3) It is okay to seek professional help. During my time in the government, there was a stigma about going to see a therapist, psychologist, or psychiatrist, mostly because it could call into question your mental stability and adversely affect your ability to hold a security clearance, protect national secrets, yada yada yada. Even after I left the government, I felt that I could handle stress on my own and that seeing a therapist was admitting weakness or showing vulnerability. That thought process was stupid; be better than me. I’ve been seeing a therapist for a few months now and my only regret was not finding one sooner. She and I have been able to work through a lot of PTSD I have had festering for years. She has helped me understand myself better, my fears, my intrinsic drivers, and it has helped me calibrate my visceral response to various situations.

In case you are curious, my therapist introduced me to the EIQ assessment called Enneagram. It has been far more insightful than other EIQ assessments I have taken in the past, such as the Myers-Briggs, the Discovery Assessment Profile (DiSC), or even Insights Discovery. Insights Discovery was actually pretty useful for understanding your natural state responses versus how you respond when you are consciously focused. While you can pay for the Enneagram test, you can also just read the descriptions and see which one stands out to you. Each day, and sometimes several times during the day, I’ll take my pulse to determine where I think I am operating on the 9-point scale for my type (The Investigator). If I am operating anywhere outside of the “Healthy Levels” it is a flag that I need to be mindful and process more cautiously throughout the day lest I fall back onto some of the negative qualities outlined in it.

This, however, is not the only way to gauge burnout. If you find yourself dropping balls at work or in your home life, that might be a sign. The important thing I hope you take away from this blog posting is that we work in a highly stressful area, some of which is self-imposed. We are a strong, tight-knit community and to operate effectively requires we be our best selves. We can’t do that if we don’t take strides to take care of ourselves, so please be mindful of just how real burnout is and help each other as best we can to recognize and bounce back from it.

Shinigami

Strategist, cyber threat intelligence researcher, program builder, and advisor. SANS FOR578 instructor candidate.