Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Freddy Murre (00:00):
Basically, everyone just do whatever they feel like and then call it intelligence.
Rachael Tyrell (00:05):
Hello and welcome to Episode 18, Season 1, of your Cyber Threat Intelligence Podcast. Whether you're a seasoned CTI expert, a cybersecurity professional or simply curious about the digital battlefield, our expert guests and hosts will break down complex topics into actionable insights. On this episode of Season 1, our host, Pedro Kertzman, will chat with Freddy Murre, who is an intelligence professional
(00:26):
with more than 13 years of practical intelligence experience from both military and private sector. He is a prolific speaker on topics like intelligence methodology and tradecraft, CTI, how the CTI community can benefit from using intelligence tradecraft, and how AI may change how we do intelligence and CTI. Freddy holds a BA in marketing, one MA in Counterterrorism and one MA in Intelligence. He is currently doing his PhD, where he is researching the
(00:48):
intersection of intelligence tradecraft, CTI and AI. Over to you, Pedro.
Pedro Kertzman (00:56):
Freddy, thank you so much for coming to the show.
Freddy Murre (00:59):
It's great to have you here, yeah finally, we've been trying for a couple of months now to sync our calendars, so it's great to be here.
Pedro Kertzman (01:07):
That's right. That's right. Would you mind, you know, doing a little introduction to the audience how your CTI journey started?
Sure.
Freddy Murre (01:14):
So my name is Freddy, obviously Freddy Murre. Anyone who knows me on LinkedIn will probably see me speaking a lot about intelligence and stuff, but sort of um. So I work at an organization called Nordic Financial CERT. It's a non-profit. That's sort of my day job. That's 50% of my time and the other 50% I work at the university and doing a PhD and the research is actually how can
(01:38):
we apply intelligence methodology, intelligence tradecraft, into cyber threat intelligence? So a lot of people sort of forget that the CTI cyber threat intelligence actually has a huge intelligence component to it. So that's what I'm researching, trying to figure out how to do it. And also AI how will AI change how we do intelligence today?
(02:00):
I.e., then, how will intelligence and AI together help us do intelligence better in CTI? So that's sort of the I wouldn't call it a threesome in Norwegian it makes more sense, but it's sort of the three parts of the research.
Pedro Kertzman (02:17):
Fair enough, and so you were talking about the super important aspect intelligence within CTI and any experience around how international institutions usually leverage CTI or European institutions leverage CTI? Any insights around that?
Freddy Murre (02:37):
Yeah, so a lot of the things we do is collaborating with various national but also international organizations. So since I work in a nonprofit, then we actually cover five countries in Northern Europe and through that, we also are members in different ISACs like FS-ISAC, FI-ISAC, we are
(03:02):
collaborating with law enforcement in Europol there's a lot of things going on but also with various other sector and other sector CERTs and other NCCs across Northern Europe. So we connect with and collaborate with a lot of different organizations, both on the government side, but also the private sector and when we work on CTI and perhaps I should
(03:26):
go back a little bit and talk a little bit more on what we do and what I do, so we can connect the two. So I spent I don't know 17 years or so in the armed forces and almost eight or nine of those with intelligence, and when I got out of the military intelligence side, I started
(03:50):
working at NFCERT actually almost oh, what is that? In 2018, six, seven years ago and everyone was sort of I usually say they were talking the talk, but they weren't walking the walk. They were talking about intelligence, about requirements, about stakeholder, about intelligence requirements, et cetera. You know we got to do this, we have to do a collection, we have
(04:10):
to have planning, and I was like, hey, this is. You know, I was pleasantly surprised about the lingo, about the talk, but the thing is that that was just it. It was the lingo. They were not using the intelligence methodology in a good way. Those few that were doing it were writing blog posts and telling others how to do it, and I was like, no, that's not how
(04:31):
you do the intelligence side. Basically, what I see is a lot of the CTI teams, but also vendors, are doing cyber threat information, not cyber threat intelligence. You know so. So, um, although a lot of these reports are pushing data, they're pushing information the sort of the, the metadata, if
(04:53):
you will, about data. So that, combined to me at least, is information. So when you have a list of IP addresses with no other information about the dates or last seen, the IP addresses connected to certain campaigns or certain time periods, and then they switch to this IP, why did they do that?
(05:14):
What is the consequence of doing this? What are your assessments based on what you're seeing? All of those things are missing in the vendor space and that is sort of in air quotes. We say that it's inherited by the CTI teams. Right, this is sort of the way to do things. So when we look at the different teams, when they work,
(05:38):
a lot of them are using the tools that the vendors are giving them. But the problems with the tools is, you get the panel and this is a list of all the indicators, but what are the indicators? That is relevant to me, with my technology, with my issues, with my requirements.
(05:58):
There aren't any, or very, very few, vendors who are actually thinking about you as a paying customer, adapting their air quotes again, intelligence to you and your needs. Too often we see that you get this package, as I said a moment ago. Here's a list of indicators.
(06:20):
These are bad go hunt. It has a value in itself, but why am I spending time on this if I don't have the technology? Why am I getting this alert if I don't have this technology? Or why am I getting this alert if I don't have on-premise? I have cloud. This is an on-prem vulnerability.
(06:42):
It's irrelevant to me. But then again you have managers and CISOs and everyone reading the news. They're screaming in your ear. You have to have something to communicate to them, of course, but that's the huge gap usually we see is vendors coming with a lot of information and claiming this is malicious to everyone,
(07:03):
where actually it's not malicious to you because you don't have the technology, or you are secure in a different way because of the technology stack and the defensive posture you've set up. So that's one side of it, the vendor space. The other space is, to me at least, is the teams, or other teams. When I say teams, I say that a little playfully, because CTI
(07:28):
teams usually is the one guy or one person who has been given the title, given the role of being CTI. Hey, you worked here now for three years. Seems like you love this. Hey, what do you think about being the CTI guy? And you go. No sure you know that sounds fun, but that person has no
(07:48):
background in cyber threat intelligence. That person might be really good at incident response or really good at detection engineering, but maybe not as good in cyber threat intelligence. So what usually happens is that those people will fall back to whatever they know, which is the technical part.
(08:08):
It is how can I figure out the IP address? On this thing I read about in the blog post of this vendor. They're really focusing on that part rather than saying
(08:28):
these IOCs are irrelevant to us, because and then focus on what really matters figuring out which threat actors are actually trying to breach you, which threat actors are actually posing a threat to you. So if a vendor comes out with a report about activities in Southeast Asia and you have no activities there, you have no satellite offices there, you have no vendors there, why
(08:50):
should you spend time on it? And I'm using this analogy because we've seen it so many times. Also, when Ukraine and when Russia invaded Ukraine, there was a lot of reporting going on about tanks, about soldiers, about you know when will someone do this or do that in the
(09:11):
military space. And here you are, as a CTI person, informing your CISO about how many tanks have been moved and you know what is the operational status of this battalion. And I'm like, holy moly, this is so strange, right? This is not what cyber threat intelligence people should be
(09:31):
working on. There's a counter argument to that, of course, when the boss comes in and say, hey, I'm a little worried about this conflict. What can you tell me about it? Sometimes, you should, of course, provide information and provide support. Intelligence is about decision support, reducing uncertainty,
(09:56):
providing the knowledge but also the assessment of stuff that is uncertain. That's sort of our job. So when they come in and ask about stuff they care about, yes, we should listen to and adapt to what they need, within reason. Usually that's what I say. So if it's too far away from what we are supposed to do, we
(10:18):
should not give a pushback but at least sort of say, hey, we can tell you about the cyber elements, we can tell you about the campaigns and activities and how that has affected, you know or could affect us and our security posture and our sort of detection capabilities. That makes complete sense. But then starting to talk about you know, battalions and
(10:42):
training level and how many tanks and planes and aircraft in general, it's sort of getting into the sphere of. That's something that perhaps someone else should be doing. And I saw a post the other day. A guy was using the analogy of the boss comes in and asks a
(11:02):
question and he adds you know, maybe this is a little outside of what you do. And then the reply from the CTI guy was no, listen, you have a Ferrari and if you want to take it out for a spin, you take it out for a spin. You know you can drive it anywhere you want. My counter argument is well, yes, you can drive a Ferrari on the Autobahn and have fun, or you can drive it on a small dirt
(11:25):
road with holes everywhere. That's going to be a poor journey for everyone. The car is going to be destroyed, right. So it is fit for purpose for certain elements, for certain roads and for certain sort of speeds and atmosphere, but not for everything, right? So, yes, you can drive around and do what you want with it,
(11:47):
but it's going to be good for one thing and bad for another. So I think a lot of the CTI teams, they should focus on what they're doing. They should be able to support the SOC, the incident responders that's their core function in most of the cases we see and hear about but also verify with your key stakeholders what else
(12:08):
is it that they want you to do? If they want you to support on risk assessments not the risk assessment per se, but information into their risk assessment well, that's something different than giving them all the IOCs. They don't care about the IOCs, they care about the. So what, when you have seen these things, these reports from
(12:29):
these vendors, how can that affect us if our detection is not good enough or if our defensive posture has these certain holes of vulnerabilities? That's where you really have to be able to communicate what the vulnerabilities mean for the business, what the threat actor
(12:51):
and their motivation and their skill levels, what that means for us and our detection and defensive posture. And if that's challenged, how could that, if they were to be able to bypass? Let's say, a ransom incident happens or someone steals all our data and it's a lot of intellectual property, what
(13:12):
would that look like and how can we then detect and respond on it? How long will it take and what will it cost, et cetera, et cetera. Right, so now we're getting into more of what the business cares about rather than what we care about. And I guess too often we see CTI people writing blogs and reports for other CTI people.
(13:33):
So for one level it works right. I see something that is really relevant to everyone who does CTI, or at least some people who are in the same have the same issues that I have. So it makes sense for me to write to them. But, again, those are not all the readers, not all the
(13:54):
consumers of intelligence. Usually we say there's three levels. We have clients, customers and consumers. Consumers is anyone who might be interested, who will read and consume your reporting. Customers are people who come in every once in a while and sort of buy in air quotes intelligence from you.
(14:15):
You don't have an ongoing agreement with them. They come in every once in a while and want something from you. Clients, on the other hand, are the ones that you are delivering to continuously and it's the reason for you existing. So if you work with CTI, those are your key clients and the challenge here is that for one type of topic or question, you
(14:39):
might have a set of key clients and some customers that you have delivered to, but for a different topic, that changes. And understanding and being able to engage with the different stakeholders at different levels and understanding what their needs are that's a huge, huge thing where a lot of the teams I see misunderstand and sort of come
(15:05):
running with again. What I said initially when I started this rant was that you know they fall back to the level of their skills rather than you know, excelling and doing something completely different, which never happens. You know, to be fair, that was a long rant. Hopefully.
Pedro Kertzman (15:23):
No, that was awesome, I appreciate it. You touched on a very good point. I would say the industry in general is set in a way that the vendors do a one directional IOC information to customers you mentioned. They don't understand the reality of the customers, they
(15:44):
don't know if it makes sense for their environments and their operations, and all that, I think, because technically, everything is sitting on a TAXII server that is created to shoot information one way, so they feed that to the customers. Here you go, do something with it, and then the brainstorming
(16:07):
part is what, if kind of this is the core problem, and instead we should be using more like a you name it like a bi-directional API. So we first yeah, we do send some information, or vendors, or the vendors send information to the customers, then the
(16:28):
customers will react to it hey, this makes sense, this doesn't. And then the vendors, based on that information that they will receive back, they can fine tune the initial, and then we would be closer-ish a little bit to actual intelligence not there yet, because we still need somebody with a lot of proper
(16:52):
context on the customer side, but at least it's not just dumping information on somebody. But what do you think about that?
Freddy Murre (17:03):
The interesting side there is that in the cloud space I've seen some of the things that some vendors are doing and there's one I'm not going to name names but they have a really interesting threat intelligence module where every night they scan the network and scan sort of the system it's
(17:23):
connected to and just updates its list and inventory of systems and versions and you know whatever the technology they find, and then they merge it with what are all the vulnerabilities that is existing out there that is known, and then actually warning the client when they say, hey, this
(17:43):
vulnerability, you have this technology and you need to do something because of the configuration we've seen, you're actually vulnerable here. That's really, really valuable and that's what the cyber threat intel vendors should be doing of the technology stack of their customers so they can actually support and actually provide
(18:07):
value rather than just pushing through the panel. You know these are the seven reports we produced last week. You know, great, but they had no benefit for me whatsoever because we didn't have the technology stack or, you know, they didn't affect us in any way, necessarily in the way that at least we should care about.
(18:28):
So I see that, um, that there's some growing up to do, I guess, in that space. But then it creates another problem, right? Do a bank or any organization for that matter want to give that type of access to an external vendor?
(18:49):
A lot of the time, no, but in the cloud space they say yes. So there is some interesting discussions there, right? So if in the cloud space, cloud customers say, yes, you can scan everything in our cloud system so you can have that information and provide us value, if they say yes to that, but
(19:11):
you can't scan our physical network in our own building, why is that? What is stopping them from saying yes there? Because there's shadow IT, you know there's poor access management. You know certain, uh, people have way too much access. People have quit and still accounts are valid or active.
(19:32):
There's so many bad things going on that having a vendor coming in and sort of telling you to fix all these things because you have forgotten, or the admin who had that control quit two months ago or two years ago and the only person who knew was that person, right, so there's so many things that
(19:53):
could be fixed here. I'm not saying that is the fix, I'm just saying that would be a huge part of fixing at least a lot of the oh, I'm to be a little fresh and say stupid mistakes. You know simple things. Where, and again in air quotes, an advanced attack end air quote was just basically, you had forgotten to remove an
(20:16):
access, you know, and someone had an easy password. That is not an advanced attack and you see that all the time. When you have all these headlines and also vendors screaming advanced attack and when you look at what actually happened, you're like, oh, okay, okay, you know. So there is doom and gloom, sometimes by the marketing
(20:37):
department of certain vendors and ambulance chasing by a lot of vendors and saying if only you were using our technology, this would not have happened. I'm like, holy moly, yeah, so, but I digressed a little bit. Going back to the cloud part, I think there's a lot of exciting things happening there where at least some of the vendors I've
(20:58):
seen, as I said initially, that they're using the ability to scan every night and they update through all known vulnerabilities. When I saw that, I'm like, yes, now we're moving closer to at least providing value. Now, going out of cloud space again, is that some vendors, as I said initially, they're using the intel function.
(21:20):
They're saying, hey, what do you care about? Do you care about droppers? Do you care about these certain malwares? Do you care about fraud? Do you care about underground? Do you care about group X, group Y, what do you care about? In which regions, in which languages, et cetera, et cetera. That gives a set of intelligence requirements so you can
(21:42):
actually tell the vendor through the portal, or at least tell the portal, I mean, what you care about and filter out a lot of the noise. So you can say, whenever they pop up a report about this specific or from this specific forum that pushes a lot of credit card information or pushes certain malware or pushes,
(22:03):
let's say, selling access, and if ever that triggers something on my trigger list or have these IPs or these domains, I would like to get an alert. So there is a way. But of all the vendors at least I've tested throughout the last seven years only a few, a handful, actually have that
(22:24):
capability where you can say these are the things I care about in your reporting, these are, the rest is noise, I don't want it, right. So, and that's actually not what we're getting somewhere right, but at the same time, I can then get a lot of reporting from one of these forums or from this certain malware, but it
(22:46):
was used in a way or, you know, outside the campaign didn't hit our sector, for instance. So there is some massaging to do and, you know, checking and balancing the triggers you have, etc. So there's a lot of work to do on both sides, but there is some, at least vendors that are doing um, there are certain
(23:08):
vendors that is doing this the right way, uh, but uh, not too many.
Pedro Kertzman (23:14):
Yeah, no, but that's good to know. If customers can provide the requirements or the things that will matter most for them instead of just receiving any generic type of information, if the information is actually more relevant to them, I think it's a really nice thing to do. It just expedites the real intelligence at the end of the line.
(23:34):
When it comes to intelligence, right, the different types of intelligence, the strategic, operational, tactical, the technical part. When it comes to CTI, any thoughts around those differences, best practices, anything around that?
Freddy Murre (23:43):
Well, of course, I have a lot to say and, but we have, unfortunately, we don't have a lot of time, so I'll keep it short. Um, so, my main job and I'm going to connect it into how I do cyber threat intelligence in my job at NFCERT.
(24:06):
So I work at the operational level. So the order of things that I, or at least that we use, is that we have at the top we have strategic, then we have operational, then we have tactical and then we have technical. That's sort of the four levels that we work with. I'm not a tactical or technical intelligence analyst. I understand the results of malware analysis or log analysis
(24:30):
or the things that the technical people do. I also understand the results of what the guys are doing in incident response, but I don't do it. I can't do it. So I work at the operational level and basically what I do is I translate the needs from the strategic level from the CISO, the chief risk officer, the chief operational officer.
(24:52):
Those are the people I usually communicate with, or even managers who are outside of cyber and up. They don't necessarily understand or know as much about the things they shouldn't. In the old days, a CISO was sort of the technical whiz in the
(25:13):
business. He or she knew a lot of the things. But more and more a CISO is now like do more than just be in the technical part. They do a lot of other stuff as well. Sometimes we get people like me who don't know all the technical parts, and that's fine. But my job, as I said, is to translate the results of an incident or a report into what does this mean for the business,
(25:36):
right? So I work on a nonprofit. We have around 240 almost financial institutions across five countries with complete different cultures, different rules and laws. There's so many different things that I have to take into account. But what I've seen is the personas the CISO, the chief
(25:56):
risk officer and other roles like that have more or less the same needs, more or less. So I can communicate well with them and try to translate, as I said in air quotes, what is going on, what this means to the sector, because I represent the finance sector, not individual
(26:16):
organizations. They have to turn around and take the information I give them sorry, the intelligence and actually apply and use it in a way that makes sense for them in their context, in their organization. So they come to me with different types of questions. I tell them what I can and cannot do and, given the time
(26:37):
and resources that we have, that's a good part of being the role I have. We call it intelligence engagement. Right, the stakeholder comes to me with requirements. I go through the process of figuring out what exactly is they need and want. By which time? Can we do that at the expected level and quality with the resources and time we have?
(26:58):
Yes or no? Is it within or without what I'm expected to do in terms of the mandate and the reason for me being? And then having a good discussion and explaining to them. You know, yes, we can do these things, but on Friday at noon I can give you this, but on Friday next week you can get 80% of what you asked for, and in another week I can give you 100%
(27:21):
of what you asked for because you know we don't have enough people or technology or resources available. Oh, I want you to do it anyway. Well, yes, but then I have to have this company come in and give me these consultants. This is going to cost you that. Oh, no, no, you're fine, I can wait for two weeks. So, having that discussion of what I want and what I need.
(27:42):
So that's sort of the one part of the intel cycle. That's sort of the intelligence requirements and stuff comes in there and that's what I work a lot with talking with these stakeholders and figuring out exactly what they want. Then turn around and talk to the internal team at the end of the circle five people there who do incident response and
(28:04):
supporting the members. So whenever there's cases they communicate with, solve and help and work together with the different teams across all the five nations so I can translate the needs into something and they can then start working and collecting and doing their analysis at the technical tactical level,
(28:25):
all the way from indicators all the way up to.
You know, this group is operating in this way, using these malwares, with these droppers and these command and control networks, and they were usually publishing and traveling or active in these communities, etc. Which means because I've started challenging them well,
(28:46):
what does that mean? I know, but I want them to articulate. What does it mean that this actor is operating in this way in terms of the natural or typical detection capabilities in the finance sector? Will they be able to detect how? Those are the things that we need to communicate to their
(29:06):
peers, to the other CTI and other incident responders, across all the members. I have to translate this into the so what of? Well, what does that mean to the finance sector? Are we actually, are we threatened by how much? Know? What threat level should we set? What does that mean in terms of what should you then start
(29:28):
doing in terms of planning for and preparing for something that might happen to us in two years or two months, or two weeks? So my job, as I said, is translating needs from the strategic level and communicate with the tactical technical level. They do their thing and magic. They send that back to me and translate again back into
(29:49):
business speak. That's sort of what I do. Now there's this discussion, right, I think, Rob M Lee, for instance, and they say he and this other guy they say a CTI person should be able to do strategic, operational, tactical technical. There is no only strategic or only tactical CTI people.
(30:09):
Well, I beg to differ. Most people I communicate with are tactical, technical CTI people. There's very few like me. I am not a tactical technical person. I'm actually paid not to be a tactical technical person. I'm paid to be a strategic operational person. That's my role, my focus. Do I do all of the things?
(30:31):
Well, sort of. Maybe 80% of my time is strategic and 20% I support. You know, with information and what we call basic intelligence, to incident responders and to the SOC and to other CTI people about certain threat actors and their behavior etc. But a lot of the people who do technical do not do what I do.
(30:54):
I talk outside of their nearest peers and from the communities they came from. If we change the whole that we need to do everything, rather than saying that, I think we should be able to at least identify. When someone asks us a question on strategic intelligence, we
(31:17):
should be able to identify it and then work on it or at least hand it over to someone who are more capable of doing it. If that's an internal resource or if that's a vendor or a consultancy, I don't care. But you, we should be able to service that to our stakeholders if they want it and if it's within the mandate. Why do we
(31:40):
exist? So if they want me to communicate CTI sorry, a tactical technical CTI, or intelligence, if you will to other technical CTI people, then that's my role, then I shouldn't care too much about the strategic side right, but we should be able to at least do that initial. Why do we exist?
(32:01):
Now we're into the stakeholder engagement part again. Why do we exist? What are they expecting us to do? And do they even know that we could do more? Do they know and understand how to utilize and use us? And now we can bring in the Ferrari example again. Yes, we are the Ferrari in the garage. They can take us out for a spin and really demonstrate.
(32:24):
We can then demonstrate our value. But if we do that on a dirt road rather than on the Autobahn, then they're going to have a miserable time. We're going to have a miserable time and they're not going to trust us again. But if we can get them to use their Ferrari responsibly you know, don't drive too fast, don't crash, use common sense
(32:45):
then we can actually have a successful ride in a very expensive but also very high performance vehicle. I'm bragging a little bit what we can do in CTI now, of course, but I think we in CTI we can do a lot more than we do today, and especially with AI coming in, and that's a really
(33:09):
interesting and challenging thing that we can discuss further down the line of this conversation.
Pedro Kertzman (33:15):
That's awesome. You touched briefly on a few aspects that I think are related to methodology. Would you mind if we drill down a little bit and talk about, let's say, the good and bad methodology around CTI?
Freddy Murre (33:28):
Of course.
I mean we can spend a lot oftime about the bad, but let's
focus a little bit about thegood.
So in intelligence and in theintelligence communities across
the world, there are standards.
Some are written down and someare actually published.
So in the United States theyhave what's called ICD-203.
(33:49):
So Intelligence CommunityDirective 203.
That's about doing high qualityintelligence.
If you follow those standardsand there's more than 203,
there's quite a few of themactually but that's a good
starting point for most CTIteams and for anyone who wants
to do intelligence, to startwith those figuring out what it
(34:11):
is that you can do with yourresources and your sort of time
available today and start addinga little here, adding a little
there.
That's sort of my biggest tip.
Why am I saying it?
Well, I spend a lot of time onconferences.
I spend a lot of time readingblogs and being active on
LinkedIn and communicating witha lot of CTI people and what I
(34:34):
see is that there is a lack ofstandards in CTI in terms of the
intelligence side.
Cti in terms of theintelligence side.
There are a lack of standardsin how we communicate, how we
structure reports.
There's a lack of how we usewords and how we use assessments
, how we apply intelligence,tradecraft, ie structure,
(34:58):
analytical techniques, et cetera.
There's a big, huge mess, apile of poop where basically
everyone just do whatever theyfeel like and then call it
intelligence, and nothingfrustrates me more than people
who claim to be writingintelligence were actually
(35:18):
basically as I said initiallytoday basically just pushing
data or, at best, information.
So trying to get a standard inhas been really difficult.
Now, since I started at Nordic Financial CERT, there's been a change, of course. I remember my first conference was the SANS CTI Summit in
(35:42):
Virginia in 2019, January 2019, only months after I started, and what sort of struck me was that there was a lot of fluff, a lot of buzzwords, a lot of lingo, but there was not, as I said earlier today, there wasn't anything to back it up, right?
(36:02):
There were no standards. Everyone was just doing their own thing. And we're still there. But they're slowly beginning to understand that, hey, every report should have a BLUF, a bottom line up front. Why should I care about this report? Every report should have an introduction, sort of introducing the problem, introducing sort of why this is
(36:24):
important to discuss. Maybe not to everyone, or I mean not to you specifically, but in general, but the BLUF is to you. Then, going down, you know, what is the reported information, what are the facts, what is it that we know and what is it that we don't know? And be clear which is which. If you add any types of assessments, we've seen more and
(36:45):
more actors trying to use what we call WEPs, words of estimative probability: highly likely or likely or even chance, etc. It's starting to be tested but not used in a very good way, and also a lot of the reporting usually has maybe a BLUF, you know,
(37:06):
introduction, these are the facts, and then done. There's no conclusion, there's no assessment that says, you know, based on what we're seeing, we assess that it's likely that, you know, this threat actor will pose, you know, that type of threat, high level, medium, because, and here's the reasoning, these are all the assumptions we had and
(37:27):
this is how we covered these assumptions. These are the sources we used and this is a source summary statement. Basically, do we trust the sources? You know, what's the quality of the sources and information? Do we have multiple independent sources confirming the information? All of those things. Right, because, to be honest, too often a lot of these
(37:50):
reports and blogs are "trust me, bro, you know, I know because I did it." I'm like, yes, but where is the referencing? And that's sort of another thing. That's become a little bit better, but in 2019 I struggled to find references. Why should I trust you? Because you are this big vendor? Are you nuts?
(38:11):
I'm never going to trust anyone unless I can verify the information. In intelligence, we use the term "you can trust, but you verify" every single time, because people will try to deceive, people will try to manipulate. People will try to do a marketing gimmick rather than actually coming with the truth and showing and demonstrating, being transparent with your work.
(38:35):
There was this incident earlier this year. Again, I'm not going to mention the company, but a company had an issue. A cybersecurity company came out and said, hey, these are the things we've seen, and sort of pointed in a certain direction with no references. Just trust us, bro. And a lot of the people in the community said, hey, listen, this
(38:59):
is interesting, but you have to demonstrate to us and show what you are basing this on, because we can't see it. The victim is denying that this has even happened and, you know, you're showing us this sort of, in air quotes, proof, but we can't actually backtrack that information, we can't dissect it, we don't know where you got it from.
(39:20):
And then they wrote another blog post trying to defend it and describing the process as if you're trying to describe how to do intelligence rather than actually describing what they did. So, again, they created a big mess and they created more noise than actually reducing uncertainty and reducing friction, right? So these are typical examples. Not typical,
(39:43):
it happens less now, but it was more, you know, in 2018 when I started. So it is interesting to see that there has been a lot of changes. So, methodology-wise, there's more. When I go to the FIRST CTI Summits in Berlin, they have
(40:04):
been in Berlin for many years now. I think they're going to change next year. But more and more, same with the SANS CTI Summit, more and more of the talks are about intelligence methodology, how to do it. This is what I did, this is how we did something, these are the results we had, and there's more and more of it. And a lot of these summits also have a day of workshops.
(40:27):
So at the FIRST CTI Summit, they have a day of workshops the day before, and I've been teaching how to do intelligence requirement management to a full house for the last four years, and basically what it is is: identify your key stakeholders, identify what they want, translate that into some
(40:47):
products that you can deliver. Go back to the stakeholder, ask, are these the things you want? They say yes or nay. No, I mean. And then you adjust and fix it, and then you're set with a certain set of products at a certain set of times, the key questions that they want. You start producing and then come back to them and say, hey, for the last six months we've been doing these things for you. What have you used them for?
(41:08):
The answer usually: oh, they were great. No, no, no, sir, you misunderstand. What decisions did you make based on the intelligence that we gave you? Ah, now you're getting into the core value of your actual deliverables. If you can't articulate, and they can't articulate, the decisions
(41:29):
they made, the benefits that you supposedly gave them, then you are in a dark space whenever they want to cut money. Right, when they want to fire someone, or, let's say, they want to reduce their cost, they're going to fire someone. If they don't think that you deliver value, they're going to fire your ass. So your biggest job is to ensure that those who are
(41:53):
sitting on top of that pile of money, whenever they want to cut something or reduce something, they should think, oh no, the CTI guy or CTI woman, they are actually golden to my work, I don't want to lose them, right? That's a cunning way, if you will, of thinking of how you can ensure that your job is safe.
(42:15):
How can you ensure, through that, that your stakeholders are happy? I.e. you understand who they are. You want to tailor your intelligence or products to their needs. I.e. they're going to work on certain projects. They need support on certain questions. Your products should be able to support them on that so they can make decisions. Understanding the methodology of intelligence is actually really,
(42:39):
really important. It isn't more important than doing the technical part, but it's equally important, because it's three words: cyber threat intelligence, not just CT or cyber threat. It's cyber threat intelligence, and that's where a lot of people make mistakes. But again, if your core value, what you're expected to do, is
(43:02):
to support the SOC or support the incident responders, then by all means do it, but at the same time, at least ensure that you understand the needs of your other stakeholders, and if they have needs, try to service them a little bit as well, so you can ensure that whenever there are discussions, you are on
(43:23):
their favorable side and not their negative side. Does that make sense?
Pedro Kertzman (43:27):
That doesn't make sense in English at all, I realize, but, you know, the plus side rather than the minus side. Absolutely, no, absolutely, and I agree with you. Even if you feel more comfortable just serving the SOC or incident response teams, CTI in general can do more. And like you mentioned, serve upstream better, the leadership,
(43:48):
with decision-making support. I think that's the key thing and I like the way you put it. If you don't validate that they're actually offering value for decision-making, at some point you might get a surprise that might not be as pleasant, you know, when cost-cut decisions come into place.
Freddy Murre (44:08):
But I realize that, you know, it might seem that I'm only talking about higher-ups, but my point is cyber threat intelligence is supposed to support decision makers. If you make a decision whether or not an IP is bad, if you make a decision whether or not an email is bad, if you make a decision whether or not you have a certain vulnerability that you need to
(44:30):
plug because this active campaign is trying to utilize that vulnerability, that's a decision. That is what we're supporting. We're supporting our peers, those who work in different parts, let's say the SOC, or their first line, second line defense, or if they're detection engineers or if they're threat
(44:50):
hunters. We support them. It's not just about the CISO, it's about decision makers. A decision has to be made and part of your mandate is to support a certain group of people. Who are those? That's what I'm arguing. I realized that throughout the conversation I was focusing a
(45:12):
lot on my job, but that's the example I use. The key job is to identify your stakeholders based on the role you have and why you exist, and then you have to figure out, well, what type of decisions are they going to make, and then support them with that to reduce uncertainty, et cetera, et cetera. So I guess that's a better clarification of that.
Pedro Kertzman (45:33):
Yeah, absolutely, and I think a very good example of what you're saying: the decision making in general, not necessarily, you know, the CISO or person A or B, and sometimes that might change depending on the scenario that the CTI person might be seeing. I think the most recent all-over-the-news example that I
(45:53):
think should be part of CTI conversations to decision makers is including now HR folks in the conversation with the whole North Korea... How can I? Yeah, suddenly we get a completely... yeah.
Freddy Murre (46:07):
So we get a completely different audience that we have to communicate with. They have no clue of what we're doing, right? Yeah. Or we have to talk to a purchasing department because they're going to purchase technology that is either under some sort of law that you can't do, or selling that technology, or importing this, or that you have to sort of have what we
(46:30):
usually say is the grown-up voice. We have to sort of talk to our peers and communicate in the way that they understand. To say, hey, but all of these audiences differ depending on the situation, and we have to be able to communicate that. Absolutely. Now, one thing I talked about was, you know, CTI people usually have many hats. So I engage with stakeholders, I engage with, you know, incident
(46:57):
responders. I do a lot of collection on my own. I do a lot of analysis. I also do a lot of presentation, right? So in all of this I've covered basically the entire intelligence cycle, or the intelligence production or intelligence, you know, process, if you will, and that's sort of the theory behind it. If you will, you will always need some sort
(47:21):
of requirement. So someone has some sort of requirement because they're going to make a decision. That's the core element. That's what we do in the direction phase, sort of the starting point of intelligence. Now a lot of people say, well, I don't agree, because when I saw that thing I thought that was interesting, so I sent it and they liked it.
(47:44):
Yes, because you know that that's interesting. I.e. someone has a requirement. It's not that that person has to tell you about it, but through your job you know and understand that, hey, this is a threat, someone needs to know about it. That's the requirement that you're giving, right? So it doesn't necessarily go from A then to B. It can actually be from B to A. And that's an important part about the Intel cycle that a lot
(48:07):
of people say, well, you have to do A, then B, then C, then D, etc. No, you don't. But usually we say that there is some sort of requirement. That is the starting point. You don't do a collection just for the sake of collecting. You collect on that vulnerability because it is relevant to you.
(48:27):
I.e. there's a requirement. So these are the things that we're usually wrestling with when we talk about the Intel cycle, but I'll go into the cycle now.
So the first part is direction. Direction is understanding your stakeholders and the environment you're working in and your mandate, i.e. why do you exist and what are you supposed to deliver on? And they come with a list of questions, and there might be
(48:51):
multiple stakeholders. Some are important, your key stakeholders, and some are less, and then some are like, meh, those are the consumers, we can write stuff, but they can't tell us what to do. The client, customer, consumer level I talked about before. So once we understand who is asking for what, then we can
(49:12):
start figuring out, well, what is it that they want from us? Well, do they want the report? How often? Maybe weekly? They want it to contain certain things. All of these things have to tie back to a decision. If it's like, oh, I would like an overview of recent ransom events, why? Well, I want to know why.
(49:33):
Well, I want to know because I'm doing this thing. Why? You ask the whys until you get into the core of why they want it. Oh, I'm going to make that decision. Bingo, that's what you're delivering on. If it's only about "I'm curious", you smile. Then you go on Feedly or another vendor, create a template and automate the heck out of it.
(49:55):
Don't waste hours on this every week. Create an automation, get it out there and check every six months and verify that they're happy. If they're not reading it, try turning it off or delaying it for a few days. See what happens. If nobody cries, nobody uses it, right? Don't waste time on stuff you don't have to work on.
(50:17):
So, as I said, direction, direction. Who wants what? Next is, what is it that I want, why, when, at what time, at what quality, et cetera. Once you know who and what they want, then how are you going to deliver it? Right? Once you understand this, you can then start looking into, well, what do I have to do to be able to deliver that product?
(50:39):
Do I have to do some sort of analysis? Do I have to write something? Do I have to write the blog? Do I have to write the report? Do I have to do a presentation? What should it contain? That's your production part, where you're... how are you going to create this thing that you're going to give to them that they can use for the decision. Now, for those of you who are familiar with the Intel cycle, you
(50:59):
realize I'm going backwards. I went from direction then to dissemination. Now I'm talking about analysis. I haven't started collecting yet, right? So once I know who's asking for what and when, how they are wanting it, the dissemination, what do I need to do to be able to generate that intelligence and what type of analysis I need
(51:21):
to do? That's analysis and processing. Then I have to figure out, well, what do I have access to, what data do I have, what are my gaps in the data and gaps in my collection? What do I need to do to buy or build or gain access to either vendors or sources to get that data? And then you go back to your stakeholder and say, hey, you
(51:43):
asked me these things, this is what I'm going to do. But because of lack of access or too short a time or high demand on quality, I can only do these things or those things. Or, you still want it? Well, that's going to cost you X, Y, Z. Oh, you're fine anyway. Cool, then we're going to do it. That's usually what we say.
(52:04):
The four steps in the regular terms are: you do direction, then, once you know that, you start collecting because you want to fill your gaps, then you do your analysis and processing (analysis, I mean), and then you produce, and then you do dissemination, then you do feedback. Usually that's the order, but to be able to do it, you go backwards, you go counterclockwise to do that, and
(52:27):
that's what we call the intelligence engagement. We engage with the stakeholder to figure out their needs, and then we discuss internally what we can do, and then go back to them and tell them what we can deliver to them at what time, and then we execute, going the right way of the Intel cycle. That's the four steps of the Intel cycle.
Pedro Kertzman (52:47):
No, I love that. Yeah, I thought it would just be a natural follow-up from the previous topic. That's awesome, and you also mentioned a few times back then AI, right? How do you see AI changing the CTI landscape?
Freddy Murre (53:02):
This is interesting, right? First, we have to clarify a few things. AI is a big term. Most people, when we say AI today, actually mean LLMs, large language models, ChatGPT and other competitors of them. That's what most people think of when we talk about AI.
(53:23):
I think AI, automation, machine learning, it's a huge, huge positive thing for anyone who does intelligence and protecting organizations: cyber threat intelligence, incident responders, defenders of all levels, right? AI is a big thing.
(53:45):
We have been using AI for the last 10, 15 years with machine learning and automation. Some would argue that automation isn't AI per se, but it's part of the machine learning part, I would say. But at least machine learning, we've been doing that for the last 10, 15 years. So we are already slowly adopting AI into CTI or into
(54:10):
cybersecurity, if you will. We've been doing that for a long time already. Now, going into the other part, LLMs, that's a doozy because there are so many misconceptions of what an LLM is. An LLM is essentially just a text generation tool, and I want
(54:32):
to emphasize the tool. LLMs are tools, not the end product. A lot of people think that, oh, we are AI, the value of what we do is AI. No, you don't. You use AI as a tool to deliver the value that you're delivering, right? So using LLMs to write reports or to summarize reports, or to
(54:58):
read a table of a lot of IP addresses and a lot of other things and use it in a creative way, are all good. However, an LLM is a text generator, as I just said, and its main purpose is to generate text based on your input and the
(55:18):
data it's been trained on. That's it. It will never know the difference between a finger, wrist and hand. It doesn't understand the concepts, and if you don't have fingers, it won't understand that you can grab something, right? It doesn't understand. If we're saying the LLM understands, we're actually
(55:38):
saying it's sentient, it's aware. And the same with, oh, the LLM lied. No, a lie is a conscious decision to actually deceive someone. That means it is sentient. It isn't. An LLM basically is generating text. It's also meant to build text that resembles human writing in
(56:03):
such a way that you will trust it, right? So that's what happens a lot. You see this summary of these three reports. You read it and go, holy smokes, this is good, and that's by design, right? It's generating the text based on the input. These are the texts. Now, when it adds stuff that's not part of the text, that's not
(56:27):
a bug, that's a feature.
It's supposed to generate words. If it removes stuff, again, you know, it just generates text. It doesn't know if a certain point was important or not. It will not know whether or not that malware is more important to you or to anyone rather than that malware.
(56:49):
It won't understand these things. And what I've seen, which is probably the worst, is when it combines things. Let's say the number of fraud incidents in one report and the percentages of fraud activities in another report: it suddenly combines those two into a new diagram
(57:11):
that, on the face of it, looks really good, but when you know the data and understand the data, you realize that, hey, this isn't right. The data was there. It didn't lie or hallucinate, it didn't forget. It actually combined data that was in the report, but in the wrong way. So these are the three things that you should see.
(57:33):
It either adds, it either forgets, or it combines things wrongly, and you never know when it happens, and that's the biggest issue right now with LLMs. A lot of vendors are saying, oh, we have AI this or AI that, or, you know, and I'm like, well, that's good, but how do you fix the adding, the combining and
(57:55):
the forgetting? Oh no, we have guardrails in place. But if you do, now that's my retort, if anyone has fixed that, you can be a gazillionaire, right? Because according to those who know, those who are actually
(58:17):
working with LLMs, they're saying that's not going to happen in a long, long time. What happens is they take all this information, the text, they train the LLM, they take out the LLM and that's a snapshot. And then they add guardrails, they add a lot of layers of information to guard, to keep the LLM on track in accordance with whatever purpose it's set up to be, right.
(58:39):
So you can have a medical LLM which will sort of try and help you with medical, or someone that does the legal stuff. But we have all seen examples in the media where cases in multiple countries have been thrown out, or actually won but then had to be sort of canceled afterwards, because there were
(59:03):
references to cases that were not real. There were a combination of legal terms and stuff that suddenly wasn't part of the documentation, or they forgot certain things, right? So there's been so many cases of this. So, going back to using LLMs for cyber threat intelligence: it is
(59:23):
really good, but you have to understand the limitations. You have to go back and verify. Trust, but verify, is the key aspect here.
Now I saw an interesting post on LinkedIn that asked, you know, if I gave you a report that was written by a human, how much would you
(59:51):
trust it? Okay, so people, you know, said this and that. Good, if I tell you that this report was written only by AI, how much would you trust it? Oh, that was a completely different story, right? People went, oh no, I don't know. People weren't trusting the pure AI product, which is interesting, right? That goes against what we're seeing. A lot of people trust the AI blindly, that's what I see, at
(01:00:11):
least. But when you ask them, here's a human product, here's an AI product, which one would you trust more? People will trust the human product more. But then some will say, well, you know, why are we keeping the AI to a higher standard than humans? Why? Why are we requiring an LLM,
(01:00:31):
I mean, to be more correct than a human? And I don't have the answer to that, but at the moment the LLMs are, you know, 30 to 60% correct in some cases and 80% correct in some cases. But, you know what? You never know when it happens. That to me is a problem, right, and if I'm going to generate a
(01:00:53):
report where I don't know when the LLM added, removed or combined stuff, I am not going to send it out, right? And also, going back to some of the things we said on tradecraft, you know, what are my assumptions? The AI doesn't have assumptions. That's a human trait. Well, what are my sources?
(01:01:13):
Well, the sources the LLM is using are usually blog posts and stuff, not the reports. If it uses the data set and report, it will still add stuff and you don't know when it adds, forgets or combines stuff. So the whole interesting part is, say, oh, I'm saving time. Well, are you? If you have to go in and reread everything and verify, you're
(01:01:37):
actually spending almost the same time you could have while just reading it the first time and then writing it.
Pedro Kertzman (01:01:43):
You were saying about... no, that's, that's great. And you were saying about the LinkedIn and blog posts, any other places that you use apart from quote-unquote traditional threat reports, any other places that are, like, your go-to places? You also mentioned conferences, or, you name it, books. Yeah, any
(01:02:05):
things you use to learn more about the CTI industry, I would say in general, rather than this, you know, threat actor campaign or something like that? Yeah.
Freddy Murre (01:02:15):
So, as I said, my focus isn't so much on the technical side, but in terms of conferences, I would certainly try and go to SANS CTI if you can afford it, and the same with, that's in the US, or the FIRST CTI conference, which is in Europe, usually in Germany.
(01:02:36):
Those are really good for CTI people. You know, CTI people on stage talking with the CTI community, and everyone there more or less are CTI people or CISOs or CROs, etc. So it's a really good crowd to be there and to network. Network the heck out of this. That's my biggest sort of tip.
(01:03:04):
In terms of books, I haven't found a lot of books that do CTI well because it's mostly technical and not so much on the analytical side or intelligence side. Some of them have some pages on it, but mostly it's more of the, you know, STIX and TAXII and MISP, and all of those things are more at the technical level and not so much on the analysis and the analytical level or intelligence level.
(01:03:25):
For that you have to go to the intelligence community. The best book money can buy, it's really expensive, but it's by Pherson and Heuer and it's called Structured Analytic Techniques for Intelligence Analysis by Pherson and Heuer. That's sort of what we call almost the Bible, if you will, in terms of the right information about intelligence, about
(01:03:49):
analysis and how to do it well. And there's a lot of books by Pherson that I would also recommend. But if you haven't seen or read the SAT book, the Structured Analytic book, that's where I would start, and then go online and look at blogs and other books, etc., to learn more about how to do analysis, how to do intelligence,
(01:04:10):
and add elements of that into what you do with cyber threat intelligence. I've also created a huge mind map. It's called the Intelligence Architecture Mind Map. I put it on GitHub and it's available for everyone. So we'll put the link, I guess, in the description. Absolutely. And I also teach intelligence. Sort of a short
(01:04:32):
plug for me: I teach structured analytic techniques. I do a lot of workshops, so just hit me up on LinkedIn and we can have a conversation.
Pedro Kertzman (01:04:42):
That's awesome. I appreciate it. Yeah, we're absolutely putting those links in the description of the episode. And any final thoughts for the listeners?
Freddy Murre (01:04:52):
No, I don't think so. Just go forth and do great things and work together with your peers and join communities, join sharing communities, and share your insights as much as you can, because we all need to help each other elevate the quality of our work, but also share our knowledge in terms of incidents and knowledge about
(01:05:16):
threat actors, etc. That's the best way for us to fight the increasing threat.
Pedro Kertzman (01:05:23):
Absolutely. I could not agree more. We have to share knowledge, because on the other side those guys are doing it. So we have to come together as an industry. That's for sure. Freddy, thank you so very much for all the insights. I really appreciate you coming to the show and I hope I'll see you around.
Freddy Murre (01:05:41):
Yeah, thank you for having me. I had a blast and I'm looking forward to seeing you in person.
Pedro Kertzman (01:05:46):
Absolutely. Thanks again, take care. Thank you, bye-bye.
Rachael Tyrell (01:05:53):
And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise who would like to be interviewed on the show, just let us know. Until next time, stay sharp and stay secure.
(01:06:15):
We'll be right back.