These days, Nick Bradley is policing the world of cyberthreats in his role as practice lead of the IBM X-Force Incident Response and Intelligence Services (IRIS) Threat Analysis Group — but that wasn’t always the plan.

Nick comes from a multigenerational military family — his daughters are currently about to enter the service. Growing up in “middle of nowhere Florida,” there weren’t many options for Nick; he could either follow his family into the military or go to work at the local federal prison as a correctional officer. He pursued the best of both worlds by entering active duty with the Army military police, working his way to sergeant and switching to Reserves so he could study and become an officer, all the while maintaining a private hobby building computers and gaming.

One day, Nick came into work at the dispatch desk to find the computer switched off; it had a virus, the desk sergeant said, and they needed to wait for IT to come and fix it tomorrow.

“So I cleaned it up because I knew how to,” remembers Nick. “And it was something simple, too — it wasn’t some bleeding edge virus, it was one that had been out there forever. Back then, people had viruses on machines all the time. So I cleaned that up and went to work, didn’t think anything more of it.

“Then the next morning when all of the brass came in, I got called into the sergeant major’s office, and he wanted to know how I knew how to fix that computer.”

Changing Careers Under Orders

Nick’s personal tech interests ended up causing a major turn in his career. The brass told him he had a new job as a system administrator in the provost marshal’s office, and the rest is history.

“The thing was, in my mind, I still wanted to be military police, and so I was just doing this because that’s what they ordered me to do,” he says. “I even got accepted into the SWAT, or what the Army calls the SRT, and I did that on weekends so I could still be a cop.”

Nick later went to the Army Reserve and joined the Army R.O.T.C. program with the goal of becoming a commissioned officer. During that time, he also picked up some contract IT work to help pay the bills. Ultimately, it was this part-time job that led to a full-time career with Internet Security Systems — later acquired by IBM — and Nick decided not to commission back into active duty.

“It was an extremely hard decision because I love the military, but I realized I was going to be able to make a difference in this field that I never even knew existed, and that I was going to be able to provide a better life for my wife and kids.”

These days, Nick is still patrolling and protecting — he’s just a bit more desk-bound than he was while on active duty. Running the threat analysis group inside X-Force IRIS means Nick is in charge of the team that scours the net for signs of threats, turning it all into actionable intelligence not just for IBM clients, but for the world at large.

Quick to point out their role within a larger team — and that a lot of other groups contribute to the threat analysis — Nick explains how he and his X-Force IRIS colleagues identify issues. Using proprietary tools, the team scrapes the internet for text featuring keywords and information they find important: security patches being released, vulnerabilities exposed, breach disclosures and other info. They also have other groups within IBM they use as trusted sources, such as the incident response side of X-Force IRIS and IBM Trusteer, as well as external companies including Cisco Talos, Palo Alto Networks, Trend Micro and others.

Actionable Security Intelligence Beats the Bad Guys

“Our primary goal is to parse through all that noise and sort out what is hot versus what is just hype,” Nick says, explaining that the important information is made available through the team’s daily newsletter and through X-Force Exchange Collections.

“We don’t just want to be the person running around screaming ‘the sky is falling’ — we want to be the one telling you here’s where you go so you don’t get hurt. So we are always trying to share not just the intel, but also some form of action that can be taken, or actionable intelligence. That ranges from mitigation recommendations to actual indicators of compromise, what’s called IoC, and those can usually be directly loaded into protection platforms or into SIEMs.”

After nearly two decades watching threats and developing mitigations, Nick says the biggest thing that’s changed in cybersecurity is that the world now (finally!) takes it seriously. It used to be difficult to get a company to spend money on security; once they started seeing competitors suffer financial and reputational damage, though, that all changed.

But if the good news is that everyone has become more security-savvy, the flip side is that the “bad guys are getting more sophisticated as well,” Nick says. Plus, there’s now a “trickle-down” effect where high-level threat actors and advanced persistent threat (APT) groups release their tools onto the web, and lesser groups then access them to wreak their own havoc.

“One thing I think has significantly changed is the idea of hacking for infamy and glory,” says Nick. “For the longest time it was about compromising somebody and defacing their website — ‘you’ve been hacked, haha.’ It still happens, but that’s not the focus anymore. The focus now is espionage; it’s about money, sabotage, political agendas.”

All that must be hard for a guy from a law enforcement background. Nick says it was difficult at first to get used to mitigating, defending and protecting instead of directly going after the bad guys.

“That is a stark difference,” he says, “but I still think you make a better impact with protecting and defending than you would trying to go after individuals. We leave that to the FBI.”
