Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Kees Pouw (00:00):
I had that wow moment. Oh my God, this is going to quite disrupt the industry and everybody should be looking at that.
Rachael Tyrell (00:07):
Hello and welcome to Episode 10, Season 1 of your Cyber Threat Intelligence Podcast. Whether you're a seasoned CTI expert, a cybersecurity professional or simply curious about the digital battlefield, our expert guests and host will break down complex topics into actionable insights. On this episode of season one, our host, Pedro Kertzman, will chat with Kees Pouw, who has over 20 years of experience in
(00:30):
helping organizations excel in the areas of cybersecurity, risk management and architecture. He was the co-founder and managing partner of iSecurity, a leading North American cybersecurity firm developing custom-built solutions for many customers. Currently, as the CISO of one of the largest brokerage firms in Canada, he brings distinct insights into the cyber threat landscape and the steps that the organization can take to build
(00:52):
world-class cyber resilience. Over to you, Pedro.
Pedro Kertzman (00:58):
Kees, thank you so much for coming to the show. I'm really happy to have you here.
Kees Pouw (01:02):
Well, thank you, it's exciting to be here and to be talking about cyber threat intelligence. I think it's a topic that, frankly, drives a lot of interest and excitement. Even when I need to talk to my executives, I can see that a lot of things related to cyber can be very boring to them. But when you start talking about cyber threat intelligence,
(01:23):
they get excited, even though I think sometimes it's a little bit, uh, not clear what it is. It's a bit of a mystic thing around it. So I'm happy to be here and clarify some of that, and what it can do for you and what it cannot, and, uh, what are the things that are available? Right, awesome.
Right, awesome.
Pedro Kertzman (01:42):
Yeah, I cannot agree more. I think the topic is super hot nowadays, especially when we start seeing the boundaries or blurred lines between intelligence in general, geopolitical stuff, how it translates into the cyber universe and back and forth and all that. So probably that's why they get so excited when they start
(02:04):
hearing the cyber consequences of some geopolitical decision or something like that. Again, thanks for coming to the show and, given your experience, I think it would be valuable for the listeners if you could bring, for example, what's the main value for an organization
(02:25):
to build a CTI program? Any thoughts around that?
Kees Pouw (02:30):
Very good question, right, to start off: why should we have a cyber threat intelligence program? And, speaking from the perspective of a CISO, right, my current role in a mid-sized organization where we have to be very smart about where we apply our resources and what's going to bring good outcomes, right, for a security program.
(02:51):
So I like to step back and think about The Art of War. In essence, I love those concepts. It's amazing to me that they are thousands of years old and apply to what we're trying to do, including in cyber. And I'd like to start with the statement from Sun Tzu about if
(03:11):
you know yourself and you know your enemy, you're going to win all battles. If you just know yourself, you don't know your enemy, you're going to win half of the battles. And the other way around: if you know about your enemies, you don't know yourself, it's also half. If you don't know yourself and your enemy, you're really in bad luck, right, you're going to lose most of the battles, and
(03:32):
the cyber threat intelligence is that half. It's knowing about your enemy, it's knowing what are their intent, what are their motivation, what are their capabilities, what techniques they use. And, again, knowing that, I think you're going to be able to much better apply your resources when you're building your capabilities and, frankly, while it may sound very easy
(03:55):
to know yourself, organizations are very complex, right? So you don't have, like you don't, I don't step into this job and I get a list of all the applications that I have, everything that's externally exposed and what are all the data flows, everything documented. It's really not like that. So this is why getting to know your enemies and also having a
(04:19):
view of your enemies on your infrastructure and how they can attack you, it becomes so, so important.
Pedro Kertzman (04:26):
And I think another quote that also resonates with me, but maybe it will be like a follow-up on this one, after you know yourself and you know your enemy, it was kind of clear the quote-unquote value from a CTI perspective of that quote: the best wars are won even before they start. So if you properly know you and your enemy, you won't actually
(04:50):
have a war. They probably won't try to, then translate it to CTI, they won't probably even try to go to your environment because, just the way you're prepared for any particular tactics or methods they use to try to breach your environment, they will go there and just that's gonna beat you hard.
(05:12):
So they go elsewhere, yeah, so going back.
Kees Pouw (05:15):
The other one is, uh, to know your enemy, you have to become your enemy. So then that's a nice one. Yeah, that's another good one where cyber threat intelligence can provide you a lot of value. And I think what you're mentioning as well is that if you win a battle when you don't even have the battle, right,
(05:38):
your enemy understands your capabilities, you know themselves, and they don't even try. And that's kind of the ultimate goal. It's not to have a war at all because the enemy is going to go elsewhere, and I think this is very valid in the cyberspace because there's a lot of crimes of opportunity. 100%, and continue
(05:58):
with that. I can give specific examples where having good cyber threat intelligence helps us focus our program. In my previous days, when I was running a lot of incident response, dealing with a lot of ransomware, we know that LockBit goes after the VMware, the ESXi host, and they go there and then
(06:22):
they encrypt the entire territory of VMs, which is a very effective technique for them because it overwhelms. So when I start my new job, that's the first thing I'm going to look at. Ok, let's protect the ESXi host because that's a place they're going to go after, right, like if they breach my initial layers. That really informs the decisions that you have to make
(06:42):
in terms of where to put your scarce resources to highly effective protection. Excellent. An example that I'm seeing now: we're seeing a lot of increased attacks with fake CAPTCHA. We've learned that from some feeds and it's a lot of living off the land and, for those who are not familiar with it, it's
(07:03):
using less malware but using the tools available. Let's call it dual use, where, um, it's difficult because it could be an administrator or an engineer or a developer using these tools but, in fact, could be hackers using, like, PowerShell being one good example.
(07:23):
So, in knowing that, our training program, the simulations we do, are focused on that particular one as opposed to being too broad and generic, again, using resources in the most effective way because they're limited, even the time of individuals where they're going to pay attention to your training program. The more you know, again, right, about
(07:43):
your enemy, you're going to be deploying these resources and, as you mentioned, in this case, if we are well trained about these attacks and the users behave well, we're even not going to have any war, right, or any battle, because it's won before it was fought.
(08:03):
I think that's actually the quote. The battles are won before they're fought, right.
Pedro Kertzman (08:08):
Yeah, because you are well prepared for it. That's a great point. You mentioned a few times that equation, especially for mid-sized organizations: budget, resources, best usage of those resources, so on and so forth. When it comes to a CTI program, any particular domains that you
(08:33):
would focus on with that resource constraint in mind? What would be the most valuable ones to have in place or invest in?
Kees Pouw (08:42):
Very good question. So, in accepting the importance of a program, I think the next question would be: what is it? What would characterize a cyber threat intelligence program? Before we answer which ones to start with, I think it's worth spending some time clarifying. What does it mean? What are the functionalities we expect to have from a cyber
(09:04):
threat intelligence program or platform? I think the first thing that comes to mind, at least to me, anyway. Like again, I'm speaking this from more a management perspective than a technician or a very deep domain expert. It's about threat intelligence feeds. So I think this all started with, okay, so if people, threat actors, are attacking, what are the IPs
(09:31):
, what kind of domains they're using, and if there's malware, a lot of it was related to malware, what kind of hashes that we can go and find in the environment. This is kind of quite static type of information. Frankly, it's a whack-a-mole and the industry has moved away from it, where we look more at behaviors, in knowing the
(09:52):
techniques. So it's kind of the more advanced.
Rachael Tyrell (09:55):
So, but that's how it starts: threat intelligence feeds.
Kees Pouw (09:57):
Then the other domain. It's about the dark web. To demystify this: it is people using servers using anonymization techniques, like what we call Tor nodes, where you cannot really trace a box. So it started with the intent of privacy, but it allows the creation of these sites where people can anonymously, fully
(10:20):
anonymously or extremely difficult to trace them, where they can just create forums and exchange information, and you can monitor for credentials. That's kind of the classical one, right, like what kind of databases from previous breaches where dumps of credentials are exposed or threat actors are exchanging information.
(10:43):
You've got to think threat actors are supply chains. Some people are just finding compromised credentials and selling them. Others are taking those credentials and executing ransomware. So it's a lot of exchange between them. So monitoring those sites to understand if your organization has any credentials, confidential information, or if
(11:03):
there's any chatter or conversation about attacking the information. It could be people that, sometimes people have been breached and they don't even know, if they go there and find out that a lot of information has been taken. Then there is what we call digital risk protection. It's just monitoring lookalike domains, people trying to fake
(11:24):
their organization, for example, to do account takeovers or trick people into going there and providing their credentials, thinking they are the organization and then subsequently using that. And, the last element of that, external
(11:45):
assets and vulnerabilities associated with that. But from the perspective of an attacker, right, a threat actor, not what you know internally, but what an attacker can see in terms of gathering intelligence and information about your organization. So, basically, what can attackers see about the environment? What are the URLs, what are the domains? Do they have any vulnerability associated with that?
(12:08):
So to summarize, we're talking about threat intelligence feeds. We're talking about monitoring the dark web or any previous incident leaked information. We're talking about digital risk protections, like people faking to be you. And then attack surface, meaning how do they see your
(12:28):
organization, your domains and what vulnerabilities are associated with that? So that's a kind of high level. What are the domains? So to go back to your question, where to start, I would start with the elements of the threat intelligence feed and the attack surface management, because they are a very natural extension of your security operations center.
(12:50):
I'm assuming any mid-sized organization would have one, even the small ones these days. If they cannot have it internally, they will have a third party which is monitoring their internal network, the logs, and looking for malicious activities in the environment. So that's kind of the internal part of things. So think of the cyber threat intelligence now monitoring the
(13:12):
external side of things. Right now you want to expand that monitoring of the internal assets. Where are the logs? Are there any abnormal behaviors there? And you want to say, okay, let's start monitoring on the outside things that are relevant to my inside, my assets. So again, the threat intelligence feeding into inside
(13:32):
. Do I see any activity related to this malicious IP, URLs or any hashes, and what are those assets that are exposed on the internet, what they look like, what attackers would see. Those are the two areas, right. Now, going into things like the dark web monitoring and digital risk protection, my suggestion
(13:54):
would be, if you're just starting, to get engaged with a third party which could provide you a simple report, or do a demo with one of the commercial tools. The vendors will be very happy to do a proof of value, right, yeah, to show it to you. In fact, sometimes you even get these emails, right. Oh, I found all these things on the dark web.
(14:16):
Please have a look. Right, because they want to kind of scare you and show off the things that you may not know that's going on about potential leakage of information, and same related to the digital risk protection. You do a demo with those and then see what the value is. Right. As I said, I would expand.
(14:37):
The natural thing is, expand some of the functions of your security monitoring system. Assign somebody, full time or partially, to start looking into these domains and see what the value is, and they will have different. Depends on your business as well. If you are offering a lot of digital services, right, like if you have a customer portal, for example, and a large number of
(14:59):
people using that portal, digital risk protection is something you want to look into. Otherwise, you're going to potentially, like, for example, as we are a financial institution, this prevents fraud. I can't word. It's mainly used for fraud. There's a big element of financial motivation, talking
(15:20):
about knowing your enemy, right, there's a lot of element of financial motivation and the threat actors really trying to monetize against you. So I think that gives you kind of a, kind of summarizes it. And your SIEM, your SOC, with the threat intelligence and attack surface management, because they're very important things to do anyway.
(15:40):
And then the dark web, digital risk protection, and even if, when we look, those are things you may want to start with a third party and then, if you like, you buy the platform. Then you need to train and get somebody to dedicate more time to it. Perfect, and I love the way you put it, the supply chain
(16:01):
on the threat actor side, the working together in different areas of expertise to kind of leverage each other's knowledge when it comes to an attack plan or something like that.
Pedro Kertzman (16:14):
They don't try anymore to know every single area within the cybersecurity space. They're just super specialized on, like, credential stealing or ransomware or web application exploits, and you name it. So they're kind of a, and they also, you know, get together on this sort of a supply chain, as you mentioned, to try to go
(16:38):
after their targets. That's a really nice way to put it.
Kees Pouw (16:42):
Yeah, they're trading, right. So, as people in the real world realize, I'm good in something and then I specialize on that something and then I start trading, right, like I got these credentials, then the other one is really good at creating, like software development, so they would do a ransomware platform, where somebody can just use that
(17:04):
for the sake of doing the encryption and the negotiation and whatnot, while people specialize in getting that initial access to begin with, which provides you an opportunity. If credentials of access to an environment exist and somebody is offering it, and if we infiltrate that, we would be
(17:25):
able to prevent that. That's another aspect of it where you can prevent a situation from happening. Again, to your point earlier, you would prevent, you win the battle even before, you're killing that aspect of the kill chain, right. Yeah, now maybe it's a good point for us to talk about what are the challenges. We're speaking about all of
(17:46):
these great capabilities and the benefits, but, as everything else, uh, it has its disadvantages and challenges, right, and the first thing that comes to mind, if we think about what we're talking about, like the internal and external and cyber threat intelligence being focused on the external, you can imagine the volume of information that you're talking
(18:09):
about. That's right, all the forums that exist, the ones that you know of, the ones that you don't know of yet. So we're really talking about a huge amount of information that needs to be processed, validated to be meaningful, and the amount of false positives that you can get. So I gave the example earlier of somebody saying, oh, I found
(18:29):
a bunch of these credentials in the dark web, and you now have to go and validate: are these valid or not? Or is this documentation really mine or not? Is it really confidential? So you can spend a lot of time dealing with false positives, and I have a term that I use with my team, like it's chasing ghosts. Right, you're really chasing a ghost.
(18:50):
It's not relevant, because the information, the intelligence, it has to be relevant, it has to be timely and it has to be impactful to something you do, and quite often it's not. It's still information. It may be a list of people that are not with you anymore,
(19:11):
accounts are not active, and if you're talking about thousands of them, you're going to have to reconcile that information and sometimes you spend a lot of time and it does not really yield anything. So it has an element of hit and miss that I believe is a drawback of it. And if you have to focus, like you just think about, like the internal,
(19:34):
the internal information about the internal, your SOC, is something you know, it's there, you control, while the information out there, it's something that's somewhat outside of your control. So you have to balance that, right, that you have to have the ability to quickly filter through that, and it
(19:54):
goes back to having, developing some skill set, where a good integration with the internal team and also having a good handle about your assets information, which is a good thing to have anyway and you need it for internal protection. The other challenge would be cost. So if you move into a commercial platform, they're not cheap, they're expensive and the cost can add up. Now the
(20:18):
platform, the cost of an analyst, and if you're not using that actionable, impactful kind of intelligence, you may not be getting the full return on investment, right. So that's the kind of challenge and the pitfall that I see.
Pedro Kertzman (20:35):
Awesome. Now that, let's say, we know the recommendations of the three or some of the main domains to have on a CTI program, some of the drawbacks, let's say the company is growing, they are thinking about, ok, so maybe it's time to really start a CTI program. Where is, like, ground zero kind of thing? Would you recommend,
(20:58):
yeah, start your CTI program from your experience by doing this part of the equation and building from that kind of thing. Any thoughts around that?
Kees Pouw (21:11):
Sure, I think there are two kind of different approaches you can take, right. So, more in the line that I suggested and that I frankly like more, is to expand an existing capability. So it would start with your security operations center team
(21:32):
and expand those functionalities into attack surface management. As I said, the threat feeds, and grow from there, right, awesome. I think that's a kind of organic growth. Or you could, um, just go to the market and acquire a cyber intelligence team, right, you just say, okay, I'm going to
(21:55):
get somebody who has experience on this and then bring a person and then they start building a team that's highly specialized. So it's a question of budget. Very rarely in my career I say, okay, oh, now we have a couple million dollars to start this program, but it does happen, right. If that's the case, that's kind of a different approach where you can then build the program with that
(22:18):
intent of building a sophisticated cyber threat intelligence, as opposed to growing what you have. The other aspect of it is what are the skill sets, like, who are we going to assign to this function? And, as I said, most likely somebody from SOC that can be expanded to the role. It could be as well somebody from an offensive team that can
(22:41):
go there. I think the minimal knowledge that somebody has to have is to have a good understanding of threats, understanding of, even, I'll take a step back, right, like having a good understanding of networking, how the attacks work, some understanding of coding, application, a very structured mind in terms of doing
(23:02):
investigations and looking at things from an evidence perspective. It's very helpful, some past experience in dealing with incidents. That's why I kind of say SOC, a very analytical role that you can connect the dots and sift through the information and make the right conclusions. As I said, you can get information overload. I find some people are not really good at this because they
(23:24):
start going crazy, they start speculating, they don't follow the evidence, the bias.
Pedro Kertzman (23:30):
And they go nuts.
Kees Pouw (23:31):
They start making stories in their head.
Rachael Tyrell (23:33):
And then you say what?
Kees Pouw (23:34):
evidence do you have? Or is it an insider threat? Okay, but there's no evidence of an insider threat here. People, the human brain, is very interesting. Right, like you, we have good large language models. Right, like you have these blanks and try to fill the blank. Right, it doesn't have the information. Start making up information, start hallucinating to a degree, that's right. This is kind of, uh, the way,
(23:56):
the way I see it. And then I like to pair a lot the cyber threat intelligence team with the offensive team, because they should be sharing a lot of information. Right now we talk about more sophisticated: it's about knowing the techniques, the methods. It's moving beyond that initial baseline of looking at static information and doing search on the
(24:18):
environment. It's about, okay, what are the techniques that are exploitable and which ones we have to worry about and which ones are being actively used, and are they relevant to our environment, and putting the focus on fixing those, right?
(24:38):
Again. So, is it relevant? We see it out there that threat actors are using it a lot. We know that this applies to us, so let's go and fix it, right.
Pedro Kertzman (24:51):
That's awesome. That's super insightful. Thank you, okay. I think that's a good understanding for people. You know, best practices, how to create your own CTI program, and one thing that, uh, it might like pepper in into, uh, many different aspects of our previous conversation, and it's probably the acronym of the moment kind of thing: how do you
(25:15):
see agentic AI improving or changing, or how do you see agentic AI within the CTI or cybersecurity context? What is your perspective on it?
Kees Pouw (25:30):
Yeah, I'm glad you brought that up. Overall, I believe AI, agentic AI in particular, it's going to disrupt our industry. I think it's disrupting many industries, and maybe I'll start from what my view was when we first got to know about
(25:53):
ChatGPT. That was that wild moment. First, of course, you're so amazed by what it can do. I look at this movie, uh, called Hidden Figures. It's a bunch of, uh, Black women, right, that were working for NASA and they were calculators, uh, and you know it was difficult
(26:14):
for them and difficult for them to show their value in a kind of male-dominated industry. But the core of the story was that we had a profession called a calculator, which is what these ladies were really doing, and they basically did the calculations, right, like they
(26:35):
came with, they want to calculate the trajectory, whatever that is. And then they went to do all this math. And then they brought the IBM computer, forgot the name of the model, but that was the first one. So the leader of that group, she was so smart, said we got to learn this thing because this is going to replace us. Bottom line
(26:56):
. You don't have a profession called a calculator anymore, right, because the computer does the calculation. So when ChatGPT came and said, okay, now this thing can write better than I can write, right, especially English being my second language. So now the thing can code better than many people. So now you see how it can transform and even change the
(27:16):
professions that exist. We don't have calculators in the profession anymore. And now people may be worried about copywriters and even developers, right, they may not be professions. But when it comes to cyber, one thing that I was really not thinking of the potential is because of hallucination, right, I said, oh
, this thing can just make it up.
(27:37):
We need something that is precise. Is this a threat? Not a threat. But agentic AI changed that. Now we're pairing a large language model where they can make calls to functions. Look at this large amount of data. I think this is going to be super helpful for cyber threat
(27:59):
intelligence, because you're going to be able to create agents that can be doing specific tasks. We have ways of eliminating by querying your own information, validating and making API calls, so that AI can orchestrate this and really do what it is really good at without hallucinating
(28:20):
and automating the task. So I'll give you one particular example, right, something that I'm experiencing with my team. So we talked about attack surface management, and it's a very simple example because I wanted people to visualize this. We have a URL that is exposed externally or, let's put it in a different way, we find a bunch of vulnerabilities that our
(28:44):
endpoints report. Some can be executed. Now the question is, okay, are these exposed externally or not? And if you happen to have a load balancer, what is exposed externally has, like, a virtual IP that maps to a bunch of the internal IPs, and that's the report that we get, so then
(29:04):
somebody has to go and get that information from the device and do a mapping. Okay, we have these vulnerabilities. Are they linked to this virtual IP, meaning they're exposed externally?
Rachael Tyrell (29:14):
Right, that's a very simple thing.
Kees Pouw (29:16):
The analysts can do it and you can do that programmatically as well. But with AI, what we are doing is that now we can just ask the question. I have these IPs, go to the load balancer, and we have this thing called Model Context Protocol, which is MCP, which even means
(29:38):
we don't really need to understand how the interface is. It's just natural language. Say, go, and the large language model then is able to really understand the API, go get that information and, with the instructions and the prompt that you provided, it can easily map that.
(29:58):
It's a very simple thing. It's something a human can do. But you need somebody who needs to understand the syntax, somebody who needs to understand the device and how to get that information, to do that dynamically. Now we can have an agent that does that, very simple, using common tools that are available now. So this is a reality. Now you can extrapolate this to all the things we talked about you can do. We're doing an agent where now we get a vulnerability, we want
(30:22):
to go to specific forums in the dark web. Are threat actors actually using this as we speak? And then, if it does, add a higher criteria to it. And if it does, do we have it internally? And if it does, does it have? So you can create all these workflows that we can do with
(30:44):
AI. Again, it's something that experts can do, something that you can do programmatically, but you can do much faster with AI and you can do it in a way that you can augment your staff. You can do it in a way that it's easy to program, so you don't have to write so many lines of code.
(31:05):
You don't have to worry about, if the API changes now, a little field change here, the whole structure of the program breaks, right. So to me, the long and short answer is yes, I think it's going to disrupt. The potential is huge that a lot of these tasks and that
(31:28):
information overload that I'm mentioning can be done through agents, and that's so much more cost effective than having a bunch of experts. Of course, we're still at the very beginning of this. I have questions about the cost, because if you have this huge amount of information and you have to pass that information to the large language model, or tokens, that's how, tokens for
(31:50):
simplicity would be like a word. So if you're passing a lot of that information, it can have a huge cost. So we can think, to draw a parallel, is cloud, right? When cloud came and everybody, initially, they were just moving, lift and shift, from their data centers to the cloud. But then you have the cloud native solutions, and now in AI
(32:12):
they call it AI first. So basically you develop things with agents using a large language model. You don't do it in a traditional computing way, as I mentioned, right, at attack surface. You can do that very programmatically using the techniques, coding techniques, but you can do it as the example I provided. But now you may start spending so much money with it, same thing
(32:32):
with the cloud, that you may have to de-AI what you did because you can't afford paying these large language models. And then there's a whole discussion. I don't want to get into a tangent. You see, I get quite excited about this because it took me a while to see the potential, I have to admit. But when I saw the first agents and the concept of MCP, that I
(32:54):
had that wow moment. Oh my God, this is going to quite disrupt the industry and everybody should be looking at that. As I said, there's many challenges. We're just testing this, so how accurate we can get, but I'm pretty confident. Especially when we're talking about more junior to intermediate staff, I think it can do as good a job as those and then pass along to the more senior people.
(33:17):
So quite a lot of automation is going to happen in this field. It's very information rich, and I was even thinking about, could you train a model with it? May be very expensive, right, but you could potentially train the model with all the information that exists in the dark web, because the models that we have today are trained with, obviously not with, the dark web information.
(33:38):
But then there's the other side of it, right. Maybe the attackers are going to do that. Thankfully, this is quite expensive to train a model, we're talking about millions of dollars, but a very sophisticated attacker or companies that are specialized in this, they could be doing that as well. So it could be feeding and retraining and you just be asking this information, uh, using natural language, and
(33:59):
everything that we talked about here about leakages could just be a provider.
Pedro Kertzman (34:03):
That's a potential scenario. That's awesome, and thanks for putting it in such an easy way to understand. I appreciate that. I agree, the, um, I think also with LLMs or even agents now, like typewriters back in the day. Now the computers come in, you don't need, whenever you type
(34:25):
like a mistake, you don't need to rip off a paper, start from the get-go, so you just hit delete and then you start from there. So it just expedites, gives more scale to your work. Like you mentioned, CTI specifically, we handle a massive amount of data. Humans are not meant to handle, like, the
(34:46):
amount of data computers can do. But then agents and LLMs, they can do that. So, working hand in hand, I think it's going to be at scale. It's going to be the benefits of it. I 100% agree. It's going to be really interesting to see in the future. It's happening, but even more so we're going to have a better grasp in the short term.
Kees Pouw (35:07):
I would say, yeah,
you're right, I think it's
already here, but we're just starting to explore, to reap
all the... Maybe
I'll just comment on another element of the challenge. AI can
be quite difficult to understand and have traceability of why it
does so.
That's another thing, having to understand why it gave
(35:29):
this answer, so that we... and now we have layers upon layers of
not understanding how it works.
Right, like you could have a generator, through tools
like Cursor, that then generates, like, your MCP, that
interface that I talked about, that people don't know how it
was coded because it wasn't a human, and now we have the LLMs
make these decisions that we don't have a full understanding of.
(35:51):
Why, to a degree, right, why it does so.
It's even areas of research, a lot of research now, because we
can create this, call it a monster, and now we're trying to
understand exactly how the monster is.
It's so complex, the way the neural networks and
what we call parameters, billions of them, and trying to
understand why it has given an answer A and B, fully
(36:16):
understanding.
That is something that we're trying to grasp at this point.
So a lot of very exciting, from my point of view, because I
myself like disruption.
It brings so much opportunity.
It's dangerous too.
You can be left behind, but it brings a lot of green field for
people to explore.
Pedro Kertzman (36:33):
Yeah, no, that's
a great point. Any, especially
if it's open source, like tools that you see, or maybe
methodologies that you see that are useful for CTI teams to
handle all that information or variety of
sources and all that?
Kees Pouw (36:57):
I can give some hints
here and, to be honest, I have
my notes here, which I don't have to hide, because this is
what I talk to my analysts about.
I think I'll start saying there's tons of tools, right,
like there's tons of open source tools available there, things
like Feedly, which is like a newsfeed aggregator.
We have hundreds of sources.
(37:18):
We have blogs, like Kevin Beaumont as an example, open
intelligence platforms like Google Dorks, there are many more
examples, and then VirusTotal, urlscan, AbuseIPDB, the list
goes on and on, and we have as well CTI sharing communities
(37:39):
like AlienVault, OpenCTI.
There's the MISP project, right, which stands for Malware
Information Sharing Platform, databases like MalwareBazaar,
URLhaus, and some basic tools that people need to learn how to use,
right, the DNS and passive tools such as whois and nslookup, and,
(37:59):
as I mentioned, they're important so that you understand
how DNS and the networks work.
Yeah, so this is quite a lot.
SANS has a conference as well, which is awesome, the Cyber
Intelligence Summit.
I think it happens every year and a half or so, with amazing
speakers and a lot of introductory and free courses
(38:22):
available for folks.
I think maybe we can.
I don't know how we put the podcast, but we maybe can put
some links associated with it.
We can go and have a look, but there's lots of resources, right,
and anyone using something like Gemini or ChatGPT to ask what
(38:45):
the sources are, you're going to get tons of it.
There's no lack of available materials there.
You may just get stuck with the challenge of where to start and
not get overwhelmed, right, by the number of platforms that exist.
So Shodan actually, it's one tool that I like.
It's kind of paid but it's not that expensive, in the attack
(39:10):
surface.
So you want to start learning about what exists about the
environment.
It's a very good place to start and I would go as well, do some
demos.
As I mentioned, some of the commercial tools available, you
know, I'm not making any or endorsing any tool, but you know,
(39:32):
e.g., Recorded Future, Cyberint, they will happily go and allow
you to check and validate their platforms.
People would learn a lot, right, just by going through there and
get a sense of what are the things that they provide you.
Pedro Kertzman (39:44):
Yeah, no, that's
awesome.
Thanks for mentioning that and yeah, absolutely, we can put
some links on the description of the episode.
I appreciate it again, Kees.
So you mentioned quite a lot and we can see the
variety of knowledge you're bringing related to CTI and
not specifically like consuming the information on threat
(40:06):
reports and, let's say, more dedicated sources like this.
Do you have any recommendations where to go as a learning
source from an overall CTI standpoint, like frameworks, new
practices, things that would not be on the threat report, for
(40:27):
example, but you know, about CTI in general?
Any places or people to follow, or blogs, conferences, name it,
conferences, like you said, SANS CTI, I think it was a few
months ago.
Any other sources to learn CTI?
Kees Pouw (40:46):
Yeah, I think beyond
that, I mean, SANS is a very
good one.
It's just to reiterate.
Right, I think ArcX has some free courses as well, but I want
to go back to the very basics.
So if you really want to start on this, I think you should
really understand the MITRE ATT&CK and the cyber kill chain
(41:08):
and even prior to that.
People should have good knowledge of networking and
should have a very solid foundation about that.
And then programming and understanding a minimum of hacking.
Like even myself, I don't really get into that depth, but
have an understanding.
Injection of code versus something that's more indirect
(41:30):
like a cross-site scripting.
What are the top attack techniques, the OWASP common ones?
I think those are very good because those are the techniques,
right, that adversaries use.
I think you need to get familiar, at least conceptually, in
order to have a good understanding, and I mentioned about the
MITRE, which is the attack phases, which is linked to the
(41:52):
kill chain.
Have a good understanding of that.
I think those are very foundational elements that
people should have before they start trying to consume all this
information specific to cyber threat intelligence.
And then I believe, if you want to become very specialized, now
we're talking about more advanced hacking techniques and
(42:17):
analyzing malware and understanding their behavior,
would be kind of the more advanced specialized fields,
right, that people can apply, and there's plenty of courses and
certifications that you can go to to get specialized, even
malware analysis and whatnot.
Pedro Kertzman (42:35):
Awesome, wow, super insightful. I really
appreciate it, Kees.
Any final thoughts, things that we didn't mention during the
previous topics?
Kees Pouw (42:47):
No, I think it's a
good segue into kind of wrapping
it up, right. I think it's just to summarize, in order to have
an effective and efficient as well,
like it's something that works, that
protects the organization, and it's something that you put your
efforts where you should be doing.
So it speaks about efficiency.
(43:09):
You need to have some elements of a cyber threat intelligence.
One thing that I did not mention is that we'll start with
that, but we did not elaborate much, is now the executives, even
the board of directors of organizations, they're expecting
somebody to have any cyber program, to have some element of
(43:29):
that, to speak about the threats that organizations are
facing, and they expect even to be provided with a report.
So it's very important. We touched upon as well what is the
balance and how to start expanding from your security
operations center into the attack surface, which kind of
(43:51):
have an overlap, and going beyond into what's completely
outside your perimeter, which is the dark web and also people
that are trying to fake you or go against your brand by faking
websites or lookalike domains.
And one point that we did not mention that I see a lot of
attacks now is like malvertising.
(44:12):
So even if they don't have a domain lookalike, they may be
paying, like, Google.
So when somebody googles the name of your
organization or your product, they get a malicious link
instead of going to your website.
Right, and it's about account takeover.
What some people don't know is, even if you have a multi-factor
(44:34):
authentication, or if you're sending, if you have a complete
man in the middle, you can actually bypass that because you
have someone that is just in between the attack, and
especially if you're using something like SMS or even an
authenticator, you completely hijack that session.
(44:54):
So you'll be able to take the session of the user and whatever
you're trying to do, right, like do a transaction on the
stuff and whatnot.
So those go into the second level of your maturity in your
program and, unless you have a lot of budget, I would start
that, expand from the internal and then go into those more
(45:17):
sophisticated.
And, lastly, you really have to be paying attention to AI and I
recommend, if you have the resource, not just be looking
for buying tools, but have the team understand, because if you
have one good resource, you're going to be able to augment.
I think this is a reality that's already there.
(45:37):
Overall, I think thanks for bringing this topic to the
forefront.
I hope we have helped folks look into this, demystify a
little bit and understand a little bit more about what works
and what doesn't, from our real perspective of running a
program, right, and having to deal with the challenges of which
(46:00):
functions to enhance, which ones that we're going to put the
efforts towards.
Pedro Kertzman (46:07):
That's
perfect, Kees.
I really appreciate it.
Super insightful conversation, especially for folks looking
from an executive level like yourself to build those programs
or enhance the CTI program.
It was great.
I really appreciate all the insights and I hope I'll see you
around.
Kees Pouw (46:27):
Yeah, no, thank you.
Appreciate the opportunity once more. Thank you.
Rachael Tyrell (46:33):
And that's a
wrap.
Thanks for tuning in.
If you found this episode valuable, don't forget to
subscribe, share and leave a review.
Got thoughts or questions?
Connect with us on our LinkedIn group, Cyber Threat Intelligence
Podcast.
We'd love to hear from you. If you know anyone with CTI
expertise that would like to be interviewed on the show,
just let us know.
Until next time, stay sharp and stay secure.
(46:54):
We'll see you next time.