How Katie Nickels helped transform how we talk about cyber defense

Nickels possesses "superpowers" when it comes to explaining complex subjects in cybersecurity, according to members of the security community.

Katie Nickels

Katie Nickels is one of the cybersecurity community's most respected leaders and communicators.

Photo: Courtesy of Katie Nickels

It was early 2019, and Sherrod DeGrippo knew she had a problem. Customers were asking for her company, cybersecurity vendor Proofpoint, to show how its products lined up with MITRE ATT&CK, a popular framework that describes the stages of a typical cyberattack. But attempts to do so weren't going smoothly.

That's when DeGrippo had a thought: "I'm just going to call Katie."

She didn't know Katie Nickels well. But Nickels, then the threat intelligence lead for MITRE ATT&CK, had earned a reputation for making the complex framework understandable and usable. And over the next six months, that's exactly what she did for DeGrippo over a series of five Zoom meetings, during which she helped DeGrippo rethink Proofpoint’s entire approach to implementing ATT&CK.

"It was huge for us," said DeGrippo, Proofpoint’s vice president for threat research and detection. “If you can say, 'Katie said … ,' that's all you need."

Nickels, who is now director of intelligence at managed detection and response vendor Red Canary, is one of the cybersecurity community's most respected leaders and communicators. Customers trust the reports produced by Nickels’ team to make decisions about their own security posture in a world where threats are growing both in numbers and sophistication.

Not only is she an expert in the tradecraft of cyberthreat intelligence, but Nickels is also proficient at "synthesizing complex and ambiguous topics in such a way that somebody can really pick it up and run with it," said Robert Lee, co-founder and CEO of industrial cybersecurity vendor Dragos.

Having that combination of abilities — expert, communicator and educator — is a rarity in cybersecurity, and "I can't think of any higher compliment to pay somebody" than that, Lee said.

Still, Nickels wouldn’t want anyone to think that she knows it all at this point, or is “untouchable.”

“Over my career, I've just learned and listened to people and connected with people,” she told Protocol. “I continue to be driven by trying to share with others. But like everyone else in this community, I'm still learning.”

Ultimately, getting involved in the information security community, Nickels said, is “about connecting with people. And anyone can do that, regardless of where they are in their career, regardless of the number of Twitter followers they have.”

A nontraditional path

Nickels didn't set out to enter the cybersecurity field.

After graduating from Smith College with a bachelor's degree in American studies, Nickels initially hoped to become a journalist. Instead, she became a corporate investigations researcher and then, in 2009, joined the Department of Defense.

She did so in part at the encouragement of her now-husband, Drew Nickels, a member of the intelligence community, who suggested that her interest in research might make her a fit for an intelligence analysis role.

It just so happened that the threats Nickels was tasked with analyzing were cyberthreats. "I was fortunate enough that someone gave me a chance," she said.

After leaving the DoD in 2011 and working as a cyberthreat analyst at Raytheon and then ManTech, Nickels joined MITRE, a not-for-profit organization that provides federally funded R&D, in April 2015. She joined the organization in the runup to the public release of ATT&CK, which was a "right place, right time" situation, Nickels said.

At its most basic level, MITRE ATT&CK is a set of offensive tactics and techniques known to be commonly used by adversaries. Initially created in 2013 as an internal project at MITRE, ATT&CK was first publicly released in mid-2015 without much promotion or fanfare, according to Adam Pennington, who is the current head of ATT&CK and was involved with the project since its early days. "We had no idea if anyone was going to use this," he said.

But ATT&CK caught on. In large part, that's because it gave the cyber defense profession something that had been sorely lacking: a universal language.

ATT&CK offers a "defined lexicon and ways to communicate," said Dragos' Lee. "Prior to having MITRE ATT&CK, everyone was kind of inventing their own language."

Jen Burns, Blake Strom, Katie Nickels, Adam Pennington and Jamie Williams. The core MITRE ATT&CK team members at RSA 2019. From left: Jen Burns, Blake Strom, Katie Nickels, Adam Pennington and Jamie Williams.Photo: Courtesy of Katie Nickels

Cybersecurity vendors have embraced the ATT&CK lexicon to demonstrate how their products align to real-world threats. For instance, because the framework identifies the stages of a typical attack using a common language, a vendor can say "we're experts at shutting down stages three to seven" and security chiefs will immediately know what the vendor means, said Joel Fulton, CEO of cybersecurity vendor Lucidum.

Meanwhile, many security leaders are fans of ATT&CK because it gives them a clearer way to describe their security strategy internally, Fulton said. Prior to ATT&CK, most chief information security officers pitched their strategies like a salesperson, relying on charisma and large helpings of fear, uncertainty and doubt to convince their fellow executives and board of directors to follow their lead, he said. With the arrival of ATT&CK, CISOs now have a concrete way to explain their strategy, Fulton said.

The communicator

From the get-go, Nickels had a major impact on shaping how ATT&CK describes threat groups and the software tools they use, MITRE's Pennington said.

"ATT&CK had started doing that even before Katie joined, but we hadn't published it yet. And frankly, it wasn't very good. It was sort of all over the place," he said.

Nickels "came in and cleaned it up, did some incredible analysis on it and built up our practices and our standards," Pennington said.

She would go on to take charge of ATT&CK's blog and Twitter account; she eventually became the group's go-to public speaker, starting in 2018 with a talk at the BSides Las Vegas event, according to Pennington. A year later, Nickels was speaking in front of thousands at the Black Hat cybersecurity conference. Her Twitter following grew steadily.

Nickels “definitely had an impact on getting ATT&CK out there for the world,” Pennington said.

Even though Nickels wasn’t one of the creators of ATT&CK, "everyone associates MITRE ATT&CK with her [because] she's that good," Lee said. "She had such an oversized impact that she has become, to some people, the face of it."

The role came with its own set of pressures, however. The growing popularity of ATT&CK meant that threat researchers were continually submitting new techniques that they hoped would be added. And that often meant rejecting submitted techniques, particularly those that were theoretical, Nickels said.

Saying "no" to unfit submissions was "an important role," she said. "But it's a tough one."

Eventually though, ATT&CK still reached a point where it had become a bit unwieldy, particularly when it came to how attacker techniques were organized.

The number of documented techniques used by attackers against enterprise IT environments had ballooned to 266 by October 2019. For months, lead ATT&CK creator Blake Strom, Nickels and Pennington debated what to do.

On one hand, the large number of enterprise techniques was proving a challenge for security teams when it came to learning, prioritizing and communicating about the techniques, Nickels said. But Nickels and the other leaders of the ATT&CK team knew that outsized changes would be painful for security teams, which would have to do significant additional work to account for the changes in the framework.

Ultimately, the team decided to restructure ATT&CK by creating a new category, "sub-techniques," that would appear underneath the broader technique categories.

"We knew that for the long-term good of this framework, it was a necessary decision," Nickels said.

The irony is that what Nickels did next gave her a firsthand view of the effects of the decision.

Doing their own thing

In early 2020, Nickels departed MITRE to join Red Canary, one of the pioneers in the growing field of managed detection and response. Founded in 2013, the company uses technology for ingesting and analyzing massive amounts of threat data, along with human threat intelligence, to manage security on behalf of customers. The approach has proven to be an increasingly popular option amid the shortage of talent in the market.

Nickels came aboard to steer the human threat intelligence side of things at Red Canary. The decision to leave MITRE was a difficult one, she wrote on Medium shortly after making the switch. But while ATT&CK was great at curating attacker techniques that had been observed, the chance to do the observing herself, using the raw data, was appealing.

"I wanted to hands-on be seeing what adversaries are doing," Nickels said.

While growing the Red Canary threat intelligence team from four to 11, she said her focus at the company — like it was at MITRE — has been on making threat intelligence useful. And as part of that, "we try to not accept what everyone else is doing in threat intelligence as the best thing," she said.

You'd be hard-pressed to find anyone in cyberthreat intelligence that hasn't learned from Katie Nickels.

For instance, Nickels said she doesn't start with the assumption that the actions of the nation-state threat actors, such as China or Russia, are a priority for customers. Instead, "we look at what we're actually seeing in environments," she said.

That's led to unique discoveries, such as a cluster of attacker activity that the team dubbed "Raspberry Robin," which involves a worm typically delivered through a USB drive. "When you don't just look at the shiny objects — the state-sponsored threats or the things everyone's talking about — you start to see things that are interesting," Nickels said.

To take a different approach like this, however, it's ideal to create a team with a mix of different backgrounds and skills. And like Nickels herself, several of those involved with Red Canary's threat intelligence reports do not come from traditional computer science or cybersecurity backgrounds.

For instance, in a previous life, Red Canary principal intelligence analyst Lauren Podber worked as a dancer for six years, including for the New Jersey Devils. Nickels, Podber said, is "really open-minded about [threat] analysis and about how different people can work together — and how to bring those strengths together."

And while he preceded Nickels at Red Canary, principal security specialist Brian Donohue was formerly a journalist for Threatpost. The philosophy behind Red Canary's threat intelligence reports, Donohue said, is that "we need to make things that everyone is able to comprehend, [including] the people who are actually doing these jobs" on corporate cybersecurity teams.

As part of doing that, Nickels is uncompromising when it comes to ensuring that the threat-intelligence reports Red Canary releases meet this bar, he said.

"There's a tendency in this industry for editors to be like, 'I don't fully understand the technical aspects of this. But I'm sure it makes sense,'" Donohue said. "But one thing that Katie has been very good about is never believing that."

Instead, Nickels pushes the analysts and writers to make sure that every Red Canary report fully makes sense and is understandable to security teams, he said. While writing the vendor's 2021 report, for instance, there needed to be substantial last-minute revising based on Nickels' feedback, Donohue said.

"At the time, I was like, 'This is incredibly annoying feedback,'" he said. "But the most annoying thing about it was that I knew [Nickels] was right."


Ryan Kovar has known Nickels for the past decade, prior to her joining MITRE. But from the beginning, Kovar said Nickels' communication abilities and self-confidence convinced him that "she was going to be someone who lit the world on fire a bit."

"One of Katie's superpowers is her ability to communicate with empathy," said Kovar, distinguished security strategist at Splunk, who teamed with Nickels for the Black Hat talk in 2019.

Beyond MITRE ATT&CK and her work at Red Canary, Nickels has stood out from many of her security community peers by publishing a series of posts that have "democratized some of the insider secrets of threat intelligence,” Kovar said.

In particular, her Medium posts on how to get started in cyberthreat intelligence and her two-part "self-study plan" for learning the trade — the second part of which went live in August — have been widely read and shared.

"She's been very open about some of the things that either people [in the field] don't want to talk about, or they don't realize is not common knowledge," Kovar said.

That's provided a tremendous amount of exposure on these topics for those who are interested in or new to the industry, often revealing the fact that "this isn't actually as hard as maybe you think it is," he said.

Nickels has also served as an instructor at the SANS Institute, a well-known provider of cybersecurity training and certifications, teaching the organization's course on cyberthreat intelligence since 2019.

Selena Larson, who previously covered cybersecurity for CNN, and is now a senior threat intelligence analyst at Proofpoint, said Nickels had a major influence on her as she switched to the field of cybersecurity. And Larson said she's far from alone in that.

"You'd be hard-pressed to find anyone in cyberthreat intelligence that hasn't learned from Katie Nickels," Larson said.

A 'Soho house for techies': VCs place a bet on community

Contrary is the latest venture firm to experiment with building community spaces instead of offices.

Contrary NYC is meant to re-create being part of a members-only club where engineers and entrepreneurs can hang out together, have a space to work, and host events for people in tech.

Photo: Courtesy of Contrary

In the pre-pandemic times, Contrary’s network of venture scouts, founders, and top technologists reflected the magnetic pull Silicon Valley had on the tech industry. About 80% were based in the Bay Area, with a smattering living elsewhere. Today, when Contrary asked where people in its network were living, the split had changed with 40% in the Bay Area and another 40% living in or planning to move to New York.

It’s totally bifurcated now, said Contrary’s founder Eric Tarczynski.

Keep Reading Show less
Biz Carson

Biz Carson ( @bizcarson) is a San Francisco-based reporter at Protocol, covering Silicon Valley with a focus on startups and venture capital. Previously, she reported for Forbes and was co-editor of Forbes Next Billion-Dollar Startups list. Before that, she worked for Business Insider, Gigaom, and Wired and started her career as a newspaper designer for Gannett.

Sponsored Content

Great products are built on strong patents

Experts say robust intellectual property protection is essential to ensure the long-term R&D required to innovate and maintain America's technology leadership.

Every great tech product that you rely on each day, from the smartphone in your pocket to your music streaming service and navigational system in the car, shares one important thing: part of its innovative design is protected by intellectual property (IP) laws.

From 5G to artificial intelligence, IP protection offers a powerful incentive for researchers to create ground-breaking products, and governmental leaders say its protection is an essential part of maintaining US technology leadership. To quote Secretary of Commerce Gina Raimondo: "intellectual property protection is vital for American innovation and entrepreneurship.”

Keep Reading Show less
James Daly
James Daly has a deep knowledge of creating brand voice identity, including understanding various audiences and targeting messaging accordingly. He enjoys commissioning, editing, writing, and business development, particularly in launching new ventures and building passionate audiences. Daly has led teams large and small to multiple awards and quantifiable success through a strategy built on teamwork, passion, fact-checking, intelligence, analytics, and audience growth while meeting budget goals and production deadlines in fast-paced environments. Daly is the Editorial Director of 2030 Media and a contributor at Wired.

Binance CEO wrestles with the 'Chinese company' label

Changpeng "CZ" Zhao, who leads crypto’s largest marketplace, is pushing back on attempts to link Binance to Beijing.

Despite Binance having to abandon its country of origin shortly after its founding, critics have portrayed the exchange as a tool of the Chinese government.

Photo: Akio Kon/Bloomberg via Getty Images

In crypto, he is known simply as CZ, head of one of the industry’s most dominant players.

It took only five years for Binance CEO and co-founder Changpeng Zhao to build his company, which launched in 2017, into the world’s biggest crypto exchange, with 90 million customers and roughly $76 billion in daily trading volume, outpacing the U.S. crypto powerhouse Coinbase.

Keep Reading Show less
Benjamin Pimentel

Benjamin Pimentel ( @benpimentel) covers crypto and fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at bpimentel@protocol.com or via Google Voice at (925) 307-9342.


How I decided to leave the US and pursue a tech career in Europe

Melissa Di Donato moved to Europe to broaden her technology experience with a different market perspective. She planned to stay two years. Seventeen years later, she remains in London as CEO of Suse.

“It was a hard go for me in the beginning. I was entering inside of a company that had been very traditional in a sense.”

Photo: Suse

Click banner image for more How I decided seriesA native New Yorker, Melissa Di Donato made a life-changing decision back in 2005 when she packed up for Europe to further her career in technology. Then with IBM, she made London her new home base.

Today, Di Donato is CEO of Germany’s Suse, now a 30-year-old, open-source enterprise software company that specializes in Linux operating systems, container management, storage, and edge computing. As the company’s first female leader, she has led Suse through the coronavirus pandemic, a 2021 IPO on the Frankfurt Stock Exchange, and the acquisitions of Kubernetes management startup Rancher Labs and container security company NeuVector.

Keep Reading Show less
Donna Goodison

Donna Goodison (@dgoodison) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.


UiPath had a rocky few years. Rob Enslin wants to turn it around.

Protocol caught up with Enslin, named earlier this year as UiPath’s co-CEO, to discuss why he left Google Cloud, the untapped potential of robotic-process automation, and how he plans to lead alongside founder Daniel Dines.

Rob Enslin, UiPath's co-CEO, chats with Protocol about the company's future.

Photo: UiPath

UiPath has had a shaky history.

The company, which helps companies automate business processes, went public in 2021 at a valuation of more than $30 billion, but now the company’s market capitalization is only around $7 billion. To add insult to injury, UiPath laid off 5% of its staff in June and then lowered its full-year guidance for fiscal year 2023 just months later, tanking its stock by 15%.

Keep Reading Show less
Aisha Counts

Aisha Counts (@aishacounts) is a reporter at Protocol covering enterprise software. Formerly, she was a management consultant for EY. She's based in Los Angeles and can be reached at acounts@protocol.com.

Latest Stories