Cyber Legends: Inside The Mind of a Threat Analyst
How research, analysis, and communication turn signals into insight
- Beyond detection, research analysis and communication play a huge role in turning threat intelligence into industry reports.
- Breaking out of the data bubble and staying informed makes a world of difference for defenders as threats evolve fast.
- Brigid O Gorman shares what it takes to translate adversary activity into actionable intelligence defenders can actually use.
How do you explain a complex landscape in a way that genuinely helps people make better decisions? That question sits right at the center of the work Brigid O Gorman, Senior Intelligence Analyst, does every day. When people hear Threat Hunter, they often imagine a lone defender deep in code, tracking the world’s most sophisticated attacks. While that image isn’t entirely wrong, it only captures one side of these multi-faceted operatives.
In our last Cyber Legends instalment, we spoke with one of the web’s toughest defenders, Tyler Anderson, about network security and the common techniques attackers use to exploit trust. This time, we return to the Symantec and Carbon Black Threat Hunter Team to focus on the connective tissue behind effective threat hunting: the research and communications work that transforms intelligence into impact.
I sat down with Brigid to shed light on the engineers, analysts, and communications specialists working together to expose bad actors. From the evolution of communications in threat hunting to some of her most memorable moments on the team, Brigid reflects on how her role has changed—and why curiosity, context, and collaboration will always matter.
A role of many hats
How did you first get into threat intelligence?
I started out as an information developer—writing and editing content from engineering teams. As the team got smaller, I became more involved in researching the threat landscape itself, which pushed me toward a more nuanced understanding of the threats facing defenders, customers, and the public in general.
What does your work as a Senior Threat Intelligence Analyst usually look like?
On a day-to-day basis we send our Threat Landscape Bulletin, a newsletter that gets sent internally and to customers.
“We distill the biggest news stories of the day to keep customers and their employees informed on what’s happening.”
We work closely with the Threat Hunting and Research Team (THRT), and use the research and information they provide to build out content like blogs, whitepapers, presentations, and alerts for our customers.
How intelligence becomes action
What does the research-to-publication process look like?
It varies. Often one of the threat researchers will spot some suspicious or malicious activity during an investigation that we think should be highlighted to customers or the public in general, often prompting a customer alert or blog. Some of our content, particularly our whitepapers, is driven by broader activity and themes on the cyber threat landscape that we then actively investigate, such as AI, for example, or ransomware.
How do you decide what’s worth turning into a blog or report?
It’s really about whether it’s useful—something that customers are going to get value from—or if it helps explain something that maybe they wouldn’t otherwise understand. It’s also about keeping customers and people in general informed, so they know what cyber threats they need to be aware of.
What’s one thing about your job that would surprise people?
Probably that there's a lot of collaboration. I work together with engineers, analysts, researchers—people who have all kinds of skillsets—to produce our threat intelligence content. It might seem simple and straightforward, but there are often a lot of different skills that come into play to make that content.
The threats that shape us all
How have the threats or trends you’re tracking changed since you first started at Symantec?
The biggest change is probably the extent to which attackers are now using living-off-the-land (LOTL) tools and legitimate software in attacks. In ransomware attacks, for example, often the only malware on the machine is the ransomware when it is deployed—the rest of the attack chain is often LOTL and legitimate tools. Years ago, the focus was a lot more on tracking malware and stopping it, but now merely stopping malware isn’t enough.
How we track this kind of activity has changed. We’re using technologies like Adaptive Protection and Incident Prediction to track behavior on the machine, looking for any suspicious behavior that can point to a tool being abused.
“On the ransomware landscape, we’ve also seen a big shift to extortion-only attacks, with actors like SnakeFly who used to distribute the Clop ransomware, and new operators like Scattered Spider and ShinyHunters. These actors aren’t actually deploying ransomware on machines anymore, but are focusing purely on data theft in an attempt to extort a ransom from victims.”
They often rely on social engineering attacks to gain initial access to victim networks, tricking people into giving them access by pretending to be someone they’re not. I think the advancements in security software have also played a part in pushing attackers towards data-theft-only attacks, as a lot of ransomware attacks are now being stopped before the ransomware is deployed.
Working out of Dublin, you’re at the crossroads of European cybersecurity. Are there any unique regional threats or trends you’ve noticed?
Well, one thing is how Europe is more impacted by threats emanating from Russia. This came into focus when there was an attack on Viasat satellites right at the start of the invasion of Ukraine in 2022. The intention was presumably to disrupt internet activity in Ukraine, but it actually ended up having a bigger domino effect, impacting internet connections in France, Germany, and multiple countries in the EU.
“I think there’s more anxiety in Europe about potential overspill from Russian cyber activity that might be aimed at Ukraine or other Eastern European countries Russia has an interest in.”
More recently, drone activity around European airports has also heightened anxieties and been linked by many to Russia, though it of course denies having any involvement in this activity.
What’s one memorable moment from your time on the Threat Hunter team?
It was during COVID, in 2020. A Russian attack group, Evil Corp, carried out a major campaign in which they deployed the WastedLocker ransomware, in an attempt to target dozens of U.S. organizations. Symantec spotted and blocked this attack before the ransomware could be deployed. At least 31 customer organizations were impacted by this attack, with the true number of potential victims likely to have been much higher than that. This activity was spotted at the time thanks to an alert sent by our Targeted Attack Cloud Analytics, which leverages advanced machine learning to spot patterns of activity associated with targeted attacks. This prompted further investigation by our team, which allowed them to discover and stop these attacks. This activity got a lot of media coverage, and a lot of positive coverage for our team.
We all have a part to play
The most effective intelligence programs don’t operate in isolation. They combine their efforts in research, analysis, and communication to ensure insights don’t stay buried in dashboards or reports, but reach the hands of the people who need them most.
At Symantec and Carbon Black, threat intelligence is a collective effort. Behind every alert, report, podcast, or blog is a shared goal: helping defenders stay informed so they can confidently face any obstacle thrown their way. Attackers may continue to reuse and refine their techniques, but we’re responding in force with solutions organizations of every size can rely on to respond faster and smarter—with up to 100% confidence.
See how Symantec Security Complete (SES-C) uses Incident Prediction and AI-driven analytics to help defenders anticipate an attacker’s next five likely moves and disrupt the attack chain before they can pivot.