How Katie Nickels helped transform how we talk about cyber defense

Nickels possesses "superpowers" when it comes to explaining complex subjects in cybersecurity, according to members of the security community.

Katie Nickels is one of the cybersecurity community's most respected leaders and communicators.

Photo: Courtesy of Katie Nickels

It was early 2019, and Sherrod DeGrippo knew she had a problem. Customers were asking for her company, cybersecurity vendor Proofpoint, to show how its products lined up with MITRE ATT&CK, a popular framework that describes the stages of a typical cyberattack. But attempts to do so weren't going smoothly.

That's when DeGrippo had a thought: "I'm just going to call Katie."

She didn't know Katie Nickels well. But Nickels, then the threat intelligence lead for MITRE ATT&CK, had earned a reputation for making the complex framework understandable and usable. And over the next six months, that's exactly what she did for DeGrippo over a series of five Zoom meetings, during which she helped DeGrippo rethink Proofpoint’s entire approach to implementing ATT&CK.

"It was huge for us," said DeGrippo, Proofpoint's vice president for threat research and detection. "If you can say, 'Katie said …,' that's all you need."

Nickels, who is now director of intelligence at managed detection and response vendor Red Canary, is one of the cybersecurity community's most respected leaders and communicators. Customers trust the reports produced by Nickels’ team to make decisions about their own security posture in a world where threats are growing both in numbers and sophistication.

Not only is she an expert in the tradecraft of cyberthreat intelligence, but Nickels is also proficient at "synthesizing complex and ambiguous topics in such a way that somebody can really pick it up and run with it," said Robert Lee, co-founder and CEO of industrial cybersecurity vendor Dragos.

Having that combination of abilities — expert, communicator and educator — is a rarity in cybersecurity, and "I can't think of any higher compliment to pay somebody" than that, Lee said.

Still, Nickels wouldn’t want anyone to think that she knows it all at this point, or is “untouchable.”

“Over my career, I've just learned and listened to people and connected with people,” she told Protocol. “I continue to be driven by trying to share with others. But like everyone else in this community, I'm still learning.”

Ultimately, getting involved in the information security community, Nickels said, is “about connecting with people. And anyone can do that, regardless of where they are in their career, regardless of the number of Twitter followers they have.”

A nontraditional path

Nickels didn't set out to enter the cybersecurity field.

After graduating from Smith College with a bachelor's degree in American studies, Nickels initially hoped to become a journalist. Instead, she became a corporate investigations researcher and then, in 2009, joined the Department of Defense.

She did so in part at the encouragement of her now-husband, Drew Nickels, a member of the intelligence community, who suggested that her interest in research might make her a fit for an intelligence analysis role.

It just so happened that the threats Nickels was tasked with analyzing were cyberthreats. "I was fortunate enough that someone gave me a chance," she said.

After leaving the DoD in 2011 and working as a cyberthreat analyst at Raytheon and then ManTech, Nickels joined MITRE, a not-for-profit organization that provides federally funded R&D, in April 2015. She joined the organization in the runup to the public release of ATT&CK, which was a "right place, right time" situation, Nickels said.

At its most basic level, MITRE ATT&CK is a set of offensive tactics and techniques known to be commonly used by adversaries. Initially created in 2013 as an internal project at MITRE, ATT&CK was first publicly released in mid-2015 without much promotion or fanfare, according to Adam Pennington, who is the current head of ATT&CK and has been involved with the project since its early days. "We had no idea if anyone was going to use this," he said.

But ATT&CK caught on. In large part, that's because it gave the cyber defense profession something that had been sorely lacking: a universal language.

ATT&CK offers a "defined lexicon and ways to communicate," said Dragos' Lee. "Prior to having MITRE ATT&CK, everyone was kind of inventing their own language."

The core MITRE ATT&CK team members at RSA 2019. From left: Jen Burns, Blake Strom, Katie Nickels, Adam Pennington and Jamie Williams. Photo: Courtesy of Katie Nickels

Cybersecurity vendors have embraced the ATT&CK lexicon to demonstrate how their products align to real-world threats. For instance, because the framework identifies the stages of a typical attack using a common language, a vendor can say "we're experts at shutting down stages three to seven" and security chiefs will immediately know what the vendor means, said Joel Fulton, CEO of cybersecurity vendor Lucidum.

Meanwhile, many security leaders are fans of ATT&CK because it gives them a clearer way to describe their security strategy internally, Fulton said. Prior to ATT&CK, most chief information security officers pitched their strategies like a salesperson, relying on charisma and large helpings of fear, uncertainty and doubt to convince their fellow executives and board of directors to follow their lead, he said. With the arrival of ATT&CK, CISOs now have a concrete way to explain their strategy, Fulton said.

The communicator

From the get-go, Nickels had a major impact on shaping how ATT&CK describes threat groups and the software tools they use, MITRE's Pennington said.

"ATT&CK had started doing that even before Katie joined, but we hadn't published it yet. And frankly, it wasn't very good. It was sort of all over the place," he said.

Nickels "came in and cleaned it up, did some incredible analysis on it and built up our practices and our standards," Pennington said.

She would go on to take charge of ATT&CK's blog and Twitter account; she eventually became the group's go-to public speaker, starting in 2018 with a talk at the BSides Las Vegas event, according to Pennington. A year later, Nickels was speaking in front of thousands at the Black Hat cybersecurity conference. Her Twitter following grew steadily.

Nickels “definitely had an impact on getting ATT&CK out there for the world,” Pennington said.

Even though Nickels wasn’t one of the creators of ATT&CK, "everyone associates MITRE ATT&CK with her [because] she's that good," Lee said. "She had such an oversized impact that she has become, to some people, the face of it."

The role came with its own set of pressures, however. The growing popularity of ATT&CK meant that threat researchers were continually submitting new techniques that they hoped would be added. And that often meant rejecting submitted techniques, particularly those that were theoretical, Nickels said.

Saying "no" to unfit submissions was "an important role," she said. "But it's a tough one."

Eventually, though, ATT&CK reached a point where it had become a bit unwieldy, particularly in how attacker techniques were organized.

The number of documented techniques used by attackers against enterprise IT environments had ballooned to 266 by October 2019. For months, lead ATT&CK creator Blake Strom, Nickels and Pennington debated what to do.

On one hand, the large number of enterprise techniques was proving a challenge for security teams when it came to learning, prioritizing and communicating about the techniques, Nickels said. But Nickels and the other leaders of the ATT&CK team knew that outsized changes would be painful for security teams, which would have to do significant additional work to account for the changes in the framework.

Ultimately, the team decided to restructure ATT&CK by creating a new category, "sub-techniques," that would appear underneath the broader technique categories.

"We knew that for the long-term good of this framework, it was a necessary decision," Nickels said.
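To make concrete what the sub-technique split means for a security team's bookkeeping, here is an added example (not code from the page, from MITRE or from Red Canary). It models a few parent techniques with sub-techniques beneath them, using a small constructed sample that follows ATT&CK's public ID scheme (parent `T1059`, sub-technique `T1059.001`; check any real ID against the current matrix before relying on it), and rolls a team's detection-to-ID mapping up to the parent level. The detection names and the mapping are constructed for illustration. The example shows the two things a team had to do after the restructure: identify which sub-techniques a detection actually covers, and flag legacy mappings that point only at a parent technique and therefore no longer say which sub-techniques are covered.

```python
"""Roll detection coverage up the ATT&CK technique / sub-technique hierarchy.

Constructed example. The matrix below is a small sample in the public
ATT&CK ID format (parent T1059, sub-technique T1059.001); verify IDs
against the current matrix before using them in real coverage reports.
"""
from dataclasses import dataclass, field


@dataclass
class Technique:
    tid: str                                   # parent technique ID, e.g. "T1059"
    name: str
    tactic: str
    subs: dict = field(default_factory=dict)   # sub-technique ID -> name


# Constructed sample of the enterprise matrix after the sub-technique split.
MATRIX = {
    "T1059": Technique("T1059", "Command and Scripting Interpreter", "Execution",
                       {"T1059.001": "PowerShell",
                        "T1059.003": "Windows Command Shell"}),
    "T1566": Technique("T1566", "Phishing", "Initial Access",
                       {"T1566.001": "Spearphishing Attachment",
                        "T1566.002": "Spearphishing Link"}),
    "T1003": Technique("T1003", "OS Credential Dumping", "Credential Access",
                       {"T1003.001": "LSASS Memory",
                        "T1003.002": "Security Account Manager"}),
}

# Constructed detection inventory: detection name -> ATT&CK IDs it is mapped to.
# The last entry keeps a pre-split, parent-only mapping to show how it is flagged.
DETECTIONS = {
    "encoded_powershell_cmdline": ["T1059.001"],
    "office_spawns_shell": ["T1059.003", "T1566.001"],
    "lsass_handle_from_unsigned_proc": ["T1003.001"],
    "generic_script_alert (pre-split mapping)": ["T1059"],
}


def parent_of(tid):
    """'T1059.001' -> 'T1059'; a bare technique ID is its own parent."""
    return tid.split(".")[0]


def is_known(tid):
    """True if tid is a parent technique or sub-technique present in MATRIX."""
    parent = parent_of(tid)
    if parent not in MATRIX:
        return False
    return tid == parent or tid in MATRIX[parent].subs


def roll_up(detection_map):
    """Return, per parent technique: which sub-techniques have at least one
    detection, how many sub-techniques exist, and which detections are still
    mapped only to the parent (a legacy claim that names no sub-technique)."""
    report = {tid: {"covered": set(), "total": len(t.subs), "legacy_claims": []}
              for tid, t in MATRIX.items()}
    for name, ids in detection_map.items():
        for tid in ids:
            if not is_known(tid):
                raise KeyError(f"{name}: {tid} is not in the matrix")
            parent = parent_of(tid)
            if tid == parent:
                report[parent]["legacy_claims"].append(name)
            else:
                report[parent]["covered"].add(tid)
    for entry in report.values():
        entry["covered"] = sorted(entry["covered"])
    return report


def gaps(report):
    """Sub-techniques with no detection at all, keyed by parent technique."""
    return {tid: sorted(set(MATRIX[tid].subs) - set(entry["covered"]))
            for tid, entry in report.items()}


if __name__ == "__main__":
    rep = roll_up(DETECTIONS)
    for tid, entry in rep.items():
        t = MATRIX[tid]
        print(f"{tid} {t.name} ({t.tactic}): "
              f"{len(entry['covered'])}/{entry['total']} sub-techniques covered, "
              f"gaps={gaps(rep)[tid]}, legacy_claims={entry['legacy_claims']}")
```

The roll-up treats a parent-only mapping as a claim to re-examine rather than as coverage: after the split, "we detect T1059" says nothing about whether PowerShell and the Windows command shell are both covered, which is exactly the remapping work the article says teams had to absorb.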

The irony is that what Nickels did next gave her a firsthand view of the effects of the decision.

Doing their own thing

In early 2020, Nickels departed MITRE to join Red Canary, one of the pioneers in the growing field of managed detection and response. Founded in 2013, the company uses technology for ingesting and analyzing massive amounts of threat data, along with human threat intelligence, to manage security on behalf of customers. The approach has proven to be an increasingly popular option amid the shortage of talent in the market.

Nickels came aboard to steer the human threat intelligence side of things at Red Canary. The decision to leave MITRE was a difficult one, she wrote on Medium shortly after making the switch. But while ATT&CK was great at curating attacker techniques that had been observed, the chance to do the observing herself, using the raw data, was appealing.

"I wanted to hands-on be seeing what adversaries are doing," Nickels said.

While growing the Red Canary threat intelligence team from four to 11, she said her focus at the company — like it was at MITRE — has been on making threat intelligence useful. And as part of that, "we try to not accept what everyone else is doing in threat intelligence as the best thing," she said.

For instance, Nickels said she doesn't start with the assumption that the actions of the nation-state threat actors, such as China or Russia, are a priority for customers. Instead, "we look at what we're actually seeing in environments," she said.

That's led to unique discoveries, such as a cluster of attacker activity that the team dubbed "Raspberry Robin," which involves a worm typically delivered through a USB drive. "When you don't just look at the shiny objects — the state-sponsored threats or the things everyone's talking about — you start to see things that are interesting," Nickels said.

To take a different approach like this, however, it's ideal to create a team with a mix of different backgrounds and skills. And like Nickels herself, several of those involved with Red Canary's threat intelligence reports do not come from traditional computer science or cybersecurity backgrounds.

For instance, in a previous life, Red Canary principal intelligence analyst Lauren Podber worked as a dancer for six years, including for the New Jersey Devils. Nickels, Podber said, is "really open-minded about [threat] analysis and about how different people can work together — and how to bring those strengths together."

And while he preceded Nickels at Red Canary, principal security specialist Brian Donohue was formerly a journalist for Threatpost. The philosophy behind Red Canary's threat intelligence reports, Donohue said, is that "we need to make things that everyone is able to comprehend, [including] the people who are actually doing these jobs" on corporate cybersecurity teams.

As part of doing that, Nickels is uncompromising when it comes to ensuring that the threat-intelligence reports Red Canary releases meet this bar, he said.

"There's a tendency in this industry for editors to be like, 'I don't fully understand the technical aspects of this. But I'm sure it makes sense,'" Donohue said. "But one thing that Katie has been very good about is never believing that."

Instead, Nickels pushes the analysts and writers to make sure that every Red Canary report fully makes sense and is understandable to security teams, he said. While writing the vendor's 2021 report, for instance, there needed to be substantial last-minute revising based on Nickels' feedback, Donohue said.

"At the time, I was like, 'This is incredibly annoying feedback,'" he said. "But the most annoying thing about it was that I knew [Nickels] was right."


Ryan Kovar has known Nickels for the past decade, since before she joined MITRE. From the beginning, Kovar said, Nickels' communication abilities and self-confidence convinced him that "she was going to be someone who lit the world on fire a bit."

"One of Katie's superpowers is her ability to communicate with empathy," said Kovar, distinguished security strategist at Splunk, who teamed with Nickels for the Black Hat talk in 2019.

Beyond MITRE ATT&CK and her work at Red Canary, Nickels has stood out from many of her security community peers by publishing a series of posts that have "democratized some of the insider secrets of threat intelligence,” Kovar said.

In particular, her Medium posts on how to get started in cyberthreat intelligence and her two-part "self-study plan" for learning the trade — the second part of which went live in August — have been widely read and shared.

"She's been very open about some of the things that either people [in the field] don't want to talk about, or they don't realize is not common knowledge," Kovar said.

That's provided a tremendous amount of exposure on these topics for those who are interested in or new to the industry, often revealing the fact that "this isn't actually as hard as maybe you think it is," he said.

Nickels has also served as an instructor at the SANS Institute, a well-known provider of cybersecurity training and certifications, teaching the organization's course on cyberthreat intelligence since 2019.

Selena Larson, who previously covered cybersecurity for CNN, and is now a senior threat intelligence analyst at Proofpoint, said Nickels had a major influence on her as she switched to the field of cybersecurity. And Larson said she's far from alone in that.

"You'd be hard-pressed to find anyone in cyberthreat intelligence that hasn't learned from Katie Nickels," Larson said.

