April 1, 2025 • 32 mins
Navigating the world of threat intelligence feeds requires a critical eye and regular evaluation. Security analyst and educator Pedro Barros takes us through his journey from SOC analyst to threat intelligence professional, explaining why CTI should function as a pillar supporting all cybersecurity operations.
Pedro highlights a persistent problem in threat intelligence practice: the proliferation of "combo lists" - recycled data from old breaches presented as new threats. "If you're going to give me some intelligence, do some more work on it," he challenges feed providers, stressing the need for context that makes alerts truly actionable. Without proper evaluation, these feeds create false alarms that waste precious security resources.
The conversation delves into practical evaluation strategies for threat intelligence sources. Rather than simply accumulating feeds, Pedro recommends quarterly assessments focused on accuracy, timeliness, and relevance. This process should incorporate feedback from SOC analysts, detection engineers, and vulnerability management teams to ensure intelligence serves its purpose across the organization.
For aspiring CTI professionals, Pedro emphasizes understanding adjacent security disciplines as foundational knowledge. He recommends "Visual Threat Intelligence" by Thomas Roccia as essential reading, describing it as so engaging he "started reading it one day and finished it the same day." He also highlights the need for more academic programs to include dedicated threat intelligence courses as the field continues to mature.
Visit Pedro's blog at pemblabs.net to follow his work, including his upcoming analysis of a sophisticated phishing campaign using targeted delivery methods and Telegram bots. Connect with our community on the Cyber Threat Intelligence Podcast LinkedIn group to continue the conversation about building intelligence capabilities that actually matter.
Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure!
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Pedro Barros (00:00):
Especially if you're using free threat feeds,
it's easy to just start stockingthem up.
Rachael Tyrell (00:05):
Hello and welcome to episode number three,
season one, of your CyberThreat Intelligence podcast.
Whether you're a seasoned CTIexpert, a cybersecurity
professional or simply curiousabout the digital battlefield,
our expert guests and hosts willbreak down complex topics into
actionable insights.
On this episode of season one,our host, Pedro Kurtzman, will
(00:26):
chat with Pedro Barros, who is acertified cybersecurity analyst
with years of experience inthreat intelligence detection,
engineering and incidentmanagement.
He works as a security analystand also teaches at Houston
Community College, where heintegrates hands-on labs and
real-world case studies toprepare future professionals
(00:46):
Over to you, Pedro.
Pedro Kertzman (00:53):
Pedro, thank you so much for coming to the show.
It's great to have you here.
Yeah, thanks for having me.
I'm very excited, Awesome, andI usually start asking the
guests their journey, how theygot to know cyber threat
intelligence, what path they hadto you know, all the way to
bring them to their current role.
(01:15):
Can you explore a little bit onthat please?
Pedro Barros (01:17):
Yeah, so I started in the SOC as a junior SOC
analyst as many would and thenfrom there, of course, now I
work as a mid-tier SOC analyst.
At first, training intelligencewas kind of a daunting role for
me, but the more time I spent inthe field I started noticing
(01:39):
that I'm much more excited tokind of like a research type of
work related to cybersecurity.
I love incident responding.
I've been doing that forbasically all my career on
cybersecurity.
But I feel like threatintelligence is the one that
touches, like all other areasand I think that's my philosophy
(02:01):
as well when I approach threatintelligence is that I feel like
threat intelligence should uh,it's one of those pillars that
should support your cybersecurity operations, plans and
goals for either your sock or,if you are an mss, msb right,
because you get to find out,okay, what's important for me,
what, what is it that I shouldbe looking for, why I should
(02:23):
look for that, and how I can getthose information and fit into
different roles such asdetection, engineering,
different roles like incidentresponse or forensics, how you
can kind of come and fit intothat.
We're talking about even redteaming and purple teaming.
So I think a well-seated threatintelligence role should be
(02:45):
able to fit into many, manydifferent areas of the
organization yeah, you touchedon, uh, for me, a very important
point.
Pedro Kertzman (02:53):
You mentioned pillar right, and, uh, for me, I
I could not agree more, uh, andI also see threat intelligence
as a guidance, right.
So, yeah, what uh kind offirewall?
Uh, if you will strategy yourconfiguration, you're going to
use nobody better than yourthreat intel peer area, if you
(03:17):
have one in your company to totell you, hey, because you name
it, our industry, the firewallsbrands we use, so on and so
forth.
So, because of the intel I have, you should start with these
ones.
Yeah, so we have always so manystuff to do on our, you know,
busy days.
Yeah, why not having that uhpriority list?
(03:39):
Yeah, coming from our peoplethat are deep into the weeds to
understand the mindset of youradversaries, right, exactly,
yeah, that's awesome.
And so you mentioned your pathto the cyber threat intelligence
role, and would you have anyrecommendations for people also
(04:00):
looking at moving or startingtheir career into CTI?
Pedro Barros (04:06):
Yes, so, like Playa said, cti, it should touch
basically every other area ofcybersecurity, and I think you
can thrive more in this role ifyou understand the fundamentals
of incident responding,forensics, detection,
(04:27):
engineering, vulnerabilitymanagement, identity access
management, iam.
And if you get thosefundamentals, I think you will
better fit into the role ofthird intelligence, fit into the
role of threat intelligence.
Like I said, you are supposedto basically kind of like, come
and make sure you are helpingthe team, being better and
(04:50):
focusing on the things thatmatter for the company, whether
this vulnerability managementand many of these roles.
In fact, they already kind ofdo some kind of a threat
intelligence as well.
Vulnerability management theyalso wanna make sure.
Okay, should we really beconcerned about this
vulnerability right now?
Is this something that is beingexploited in the wild?
(05:10):
Right, so you would either havethem kind of performing a
little bits of this role.
Right, you talk about detectionengineering.
They want to be interested aswell.
Okay, is this detectionsomething that we really need?
Like, depending on yourenvironment, whether it's
windows, what type of systemthat you're using, does it
really matter to us?
(05:30):
So if you have understanding ofthose different roles uh, kind
of like the fundamentals, Ithink it will be much, much
easier for you to transitioninto intelligence and be able to
, you know, bridge that gap thatexists between those different
roles excellent.
Pedro Kertzman (05:47):
Thank you very insightful, um, and and you know
you mentioned your role rightcan you explain a little bit
more about your role, the someof the things you do, uh, on
your current role yes, so Icurrently uh.
Pedro Barros (06:02):
My main responsibility, like and I say
that this is basically what Iwas hired for uh is incident
responding, right, but I work.
I work in a uh corpse corpse,uh corp sock, which means
basically it's not an mss, msp,right, it's a managed service,
security service provider.
So I have certainresponsibility.
That, of course, of that of aswell, security engineering,
(06:23):
detection engineering and uh,basically reaching out to
different uh stakeholders at thecompanies see what's bad things
that we are finding and kind oflike help them uh understand
why this is bad and where weshould move.
Like, let's say, we found a uh aserver that is supposed to,
that is being uh that's hostinga service that perhaps is
(06:44):
vulnerable or that istransmitting data in clear text.
We want to make sure, hey, canwe work on this so that we close
this port and start using thisport, because this port can
provide more security, and kindof walk with them as well, like
okay, through the step ofimplementations and testing
until things are good.
Besides that, of course, someresponsibilities of course, were
(07:08):
being added in a sense.
Like something came up, youknow how to do it, you start
doing it, right, that'sbasically as well.
Like kind of like how I gotinto my responsibilities doing
threat intelligence for mycurrent position as well.
Pedro Kertzman (07:23):
Awesome and any like uh experiences.
Recent experiences you hadworking with the threat intel
feeds, for example.
Uh good, bad ugly.
You know any advice around that.
Pedro Barros (07:36):
Yes, um, I have a big hic when it comes to uh
combo list, right, because and Iand I like to say that combo
list is like, uh, powerpuffgirls.
There is a guy, uh, theprofessor, basically created
pop-up girls and the way thatstarts the show is basically him
making the potion, right, itgoes sugar, butter and
(07:59):
everything nice, and then heputs a chemical x and it
explodes.
The powerpuff girls come toexistence.
I feel like combo list is justlike you know, someone put out
there going okay, I got thisemails, I got this PII and I got
this hashes and for passwordhashes, and then it just bring
(08:19):
like all from from any other,from every other breach that has
happened, like in the past, andthat's what combo list is.
And when you have a thread feedthat is literally looking into
that very heavily, right,whatever new combo list that
comes from that comes up, guesswhat they're gonna feed onto
that data into their system.
(08:40):
And they start learning hey, wefound a bunch of uh emails,
we're gonna be found the 100emails from your, from your uh
company on this combo list.
And then when you startinvestigating that combo listen,
you start finding a way this isthese things are from breach
that happened five years ago,right, seven years ago.
There is, of course there isthe is the fear of any like
(09:04):
password reuse.
But when you look into a breachthat has happened five years
ago, most of the time you havemoved on from that right, at
least if you are implementinggood password policies.
So that's kind of like my badexperience with some of the
threat fears that you might findout there.
They just start generatingalerts and it creates creates
(09:25):
sudden panic that is not there,right.
And then of course, you havethose good ones where you
actually find like complete, uh,what I call complete threading
threat intelligence, where theyare not just feeding onto those
data by just looking at theiremails or password hashes.
Right, if the data has moreinformation in there that can
(09:45):
identify where that, where thatbridge occur, they will look
into those and they will let youknow.
Uh, here's, here's when we thinkthis bridge happened.
We think this is coming fromthe brief that was reported
perhaps two years ago, becausethe data sets look similar to
this.
You know they find some common,uh commonality into those data
sets and make their ownassumptions based on that.
Um, I think that is more wellequipped so that you, you have
(10:09):
an idea, okay, whether this isgoing to be actionable or not.
Right, instead of just having alarge style, just you know,
because someone can just grabanother list of uh emails and
password from a previous bridge,combine them and then post it
on some kind of a web doc, webforum and of course, your, your
feeders are gonna take it andthen just generate more alerts.
(10:31):
So that's why I'm like I'm I'mI'm very like, much against like
combo lists and just usingemail and password to create
alerts.
Yeah, if you're gonna give mesome intelligence.
You know, do some more work onit and then send it, and then
I'll see if no.
Yeah, it's good.
Pedro Kertzman (10:47):
No, that makes sense and so you mentioned what
I would understand is like yougotta be that you know three
characteristics of a good CTItimely, relevant.
People are like just creating abig Feed, but it's actually
(11:10):
almost like a repository ofhistorical.
It's, yeah, breaches positivesand noise that it's not super
timely to to action upon uh,yeah, and and that's that's like
very like the.
Pedro Barros (11:21):
You know the basics of threat intelligence,
right, if it is the dataaccurate, is it, is it timely?
Is it relevant to you?
So I think those questionsshould, you know, still be
applied.
And one thing that I feel like,uh, we don't talk match as well
is uh, it is like uh threatfeeds evaluation right, you got
(11:42):
this, you're receiving, you'reusing this product using uh the.
You know their, their threatintelligence feed.
Um, how often do you evaluatewhether how much false positive
has generated, how much the datathat it has uh alerts that it
has generated is relevant to youor not, and how timely that is
right?
So I think those are somethings that we need to.
(12:03):
You guys kind of talk aboutmore when it comes to
intelligence so that weevaluating it and if we are
doing that and making thoseconversation as well with those
30 intelligence feed providers,I think they will also start
looking tomorrow.
You know what we should reallystart.
You know looking more into ourproducts, see how we can better
(12:23):
our product, what our customersare saying about what we feed
them.
Pedro Kertzman (12:29):
Yeah, no, that's awesome.
I love this like a win-win.
Yeah, so you're mentioningabout evaluating right the
threat feeds or the threat intelyou're receiving.
Can you expand a little bitmore on that please?
Sure.
Pedro Barros (12:42):
Yes.
So I think we should startevaluating more.
You know the value of itself,like of the trade feeds that we
have, and I think that should besomething that either is done
quarterly or every six months,or you know, I guess, how
comfortable you decide to be,maybe once a year, but I think
(13:03):
quarterly or every six monthswould be a better place to be
that.
Uh, once a year, but I thinkquarterly or every six months
would be a better place to bethere, and that's it.
So you, being in the thirdintel intelligence analyst on
the receiving end and you'refeeding intelligence as well to
others, you're creating aworkflow that will trigger alert
for, for the sock, right, forthe, for your, for your analyst.
(13:23):
Look into the scene, right, youanalyze the, the thread by you
yourself looking into analyst.
Look into the scene, right, youanalyze the, the thread by you
yourself looking into the datathat is coming.
Right, you know, as a thirdfeed, by looking at yourself, uh
, the data that is coming, butalso by taking input from the
team that you're serving insideyour company.
Right, how does the?
How does the the the sock feelslike?
(13:44):
How does uh, how do theanalysts feel like when those
alerts are coming.
Are they complete?
Are they?
Do they have to do a lot morework to to understand why this
is an alert, why this matters?
Right, if you're creating aalert base of that you also, you
know it would be a good idea,so to kind of provide, like,
(14:06):
certain things that they shouldbe looking for.
If that is missing, you know,talk with them.
Okay, what do you think youwanna see when that alert comes,
on that single plain pane ofglass that you're basically kind
of looking at the alert?
What matters more to you andhave you seen this on the alerts
when they pop up, or is thissomething that you have to
(14:27):
search more?
You go into the detectionengineering team, get the
feedback from them.
Is this valuable?
Let's say, perhaps you'rebringing some kind of YARA rules
that you find this isinteresting, and then you want
perhaps your team to kind oflike work and find a way to
(14:49):
transfer that into their sametechnology or whatever
technology that they are using.
And even from a vulnerabilitymanagement standpoint, right,
how are they getting informedmore about those vulnerabilities
that they are trying to patchand mitigate, right?
Do you provide some kind ofmore insight?
Did you help them make theirdecisions easier when it comes
(15:11):
to that.
So there is the the one sidewhere you have to actually kind
of like, go and look into thedata that you're receiving, um,
see perhaps what's missing there, what's good, and if you're
distilling that information toother other roles or departments
in your company, get thefeedback from them as well, ask
them whether that data isvaluable or it's just something
(15:33):
that you know.
Perhaps they see, oh, there'sone more, came in right.
Pedro Kertzman (15:38):
So I think, uh, look into evaluation in in that
way will be a great way toapproach it yeah, just listening
to what you're saying, it feelsthat we might benefit from
having, for example, like anevaluation matrix for for feeds,
data feeds, I don't know maybeparameters like completeness of
the information or you name it,timeliness, so on and so forth
(16:02):
to actually help judge, filter,what is the best feeds.
I have, the most important ones, the ones that are actually
making my analysts spend moretime to actually come up or make
sense of that, not as completeor accurate information.
Maybe it could be somethingthat I don't know.
Pedro Barros (16:21):
Maybe somebody will build something like that
in the future to to help theindustry in general yeah, that's
a good idea, because I neverthought about, you know, even
just creating a matrix, but itwould be interesting to look
into that and see if you knowsomething could be, uh, could be
created so that people can havesomething to use as a reference
when evaluating data feeds yeah, funny enough, a few months ago
(16:45):
I was putting together apresentation for, like college
students, so I was doing apresentation on a college here
and, uh, you know, talking aboutthe industry, tell them a
little bit about the historyaround threat intelligence.
Pedro Kertzman (16:59):
And actually I realized that most of the
security vendors, the bigvendors that we know out there
you name it, firewall vendors,endpoint security vendors out
there they always had some sortof internal cyber threat
intelligence practice and theyused to use that to pump, to be
(17:20):
able to have like a good, let'ssay, off-the-shelf products to
pump that information into their, again, firewalls, endpoints
and so on.
But they never realized that atsome point and that probably
happened, I don't know, betweenanywhere between five and ten
years we started seeing somemore focused, uh, boutique ish
(17:40):
players, um, you name itscraping dark web and then
creating feeds out of it or, youknow, collecting whatever other
type of telemetry or intel andcreating packages specifically
to sell cyber threatintelligence.
And then those, let's say, bigplayers that had that internal
(18:08):
knowledge but never thought thatcould actually be like a
product and another subset ofthe industry, if you will.
Uh, they were like, oh wow,wait up, let's, we can do this.
We have this knowledgeinternally.
So now all those big playersdecided to also create their
threat intel offerings and youknow the market is, as you know,
right now clogged with so manyofferings feeds all over the
(18:30):
place, right so it's hard tojudge and what's the best one
for me.
Pedro Barros (18:35):
So you got to put a lot of work to to to make
sense of what's the actualinformation that you need yeah,
if you, especially if you'reusing free thread feeds, it's
easy to just starting stackingthem up, right, if you're not
really looking much into why youwanna collect that specific
(18:57):
data.
Oh, just another one.
Oh yeah, you know this happened, but we missed from those,
let's say, 15 data feeds that wealready have.
We didn't get that information,but there's this one that we
saw that provided thatinformation.
You know what?
Let's add that to the list.
It just starts piling up, pilingup, and sometimes it becomes
(19:19):
like in the question, of course,even, of course, the data
ingestion into the SIMs.
Right, how much are you gonnakeep pulling?
And just if you're notevaluating as well, you gotta
deal with storage as well whenit comes to many SIMs, not just
ingestion, how much data youbring in, but also how much
(19:39):
you're saving for how longyou're keeping those data as
well.
So it can become, in a sense,just expensive for nothing.
And one other thing as well nowthat you mentioned when you were
starting up, is that I feellike threat intelligence.
I think the way that we areright now, even in schools and
(20:02):
colleges, it should become likea class of their own.
I think at this point thereshould have been like a.
You know there are many morecolleges and universities that
are creating cybersecuritycurriculum, but most of the time
you won't see any courserelated to threat intelligence.
And I just start wondering why.
Why that is?
(20:22):
I think we are at a time wherewe it's something that we think
is important and that it hasmatured enough to that point
where we should have somethingrelated to that.
Pedro Kertzman (20:32):
Yeah, I could not agree more.
That's why I reach out tocolleges and other institutions
that have cybersecurity programsto see if they have already
anything related to CTI.
If not, if they're interestedto listen to anybody talking
about that topic with theirstudents, just to create more
awareness around this importantpart of the industry, which kind
(20:52):
of reminds me of a topic aswell.
We do have a fair amount ofopen source, slash free CTI
feeds out there, but sometimesthe quality, like you mentioned
right you could, because wedon't have like a huge amount of
people behind that feed makingsure you know timely, the
(21:14):
information is relevant, so onand so forth.
Uh, the flip side of it will bethe analysts or the teams
relying on that informationhaving to, you know, work a lot
more just to make make relyingon that information, having to
you know work a lot more just tomake sense of that information
popping into their systems.
(21:34):
Yeah, no, that's awesome and youknow I heard you recently spoke
on another Cyber ThreatIntelligence Conference.
Can you just mention a littlebit?
How was it?
Some good insights from it.
Pedro Barros (21:52):
Yes, this was actually my first speaking of
engagement opportunity ever.
There is actually one morecoming up.
It won't be necessarily oncyber threat intelligence, but
it was super good.
I remember coming into thenight at the hotel and just
seeing some, some guys uh,hanging on the lobby.
I was like you know what, letme go introduce myself to those
(22:14):
people.
And I went and introducedmyself.
Guess what?
There?
Some of them were actuallypeople who were at the board and
the ones who decided which youknow which talks they're gonna,
they're gonna accept and whichones they're not.
So they were very excited formy talk and that kind of
encouraged me.
I had a lot of stress beingtheir first time speaker, but it
(22:36):
was really just amazing.
The only thing that happened andit's nothing to do with the
conference I discovered that Iam, I guess I'm very sensible to
lights, so those stage light atthe end of my talk.
It caused me an immenseheadache.
Oh no, yeah, but overall theconference was amazing.
(22:58):
It was a great experience.
I would recommend to people, to, you know, join conferences and
go, listen to other people andyou know, if you have, if you
have something that you want totalk about, you know, submit
your call for paper and see ifit's gonna it's gonna be
accepted or not yeah, honestly,that's for me, probably one of
my favorite parts within theindustry, especially in the cti.
Pedro Kertzman (23:19):
Overall in cyber security, we see that, but
especially on cti, the amount ofcollaboration.
Right, because we know, andacross so many, you name it
literature, we have forums,blogs, you name it we always
hear about even though I'm goingto name an industry, it could
(23:41):
be so many others, even banks.
In theory, from a sales andmarketing perspective, they're
competitors, but when it comesto operations, especially
cybersecurity and cyber threatintelligence, forget this
competitor mindset andcollaborate.
(24:02):
If we don't do that, we'realways going to be outnumbered
because frat actors do that.
Right, yeah, they do that youknow and they are yeah, no, go
ahead.
Pedro Barros (24:15):
Yeah, and they are .
They are well motivated, um, todo that, right.
Yeah, um, sometimes they're.
It's just, I guess, the promiseof a great financial gain from
whatever they're going to do, orif they're already even being
paid right, talking about umadvanced, persistent threat, if
they're already being paid by,perhaps, the government or
something like that, so they'rewell motivated to continue to
(24:35):
share exactly, exactly.
Pedro Kertzman (24:36):
That's why we need to really get together to
to flip the table, you know, getahead of these guys, otherwise
it's always going to be this uhnightmare that sometimes we we
see, uh, oh, that's in talkingabout, you know, collaboration
and uh, studying and referencesand stuff any, you know, blogs
(24:57):
or books or references that youuse to update your knowledge.
Pedro Barros (25:08):
Yes, one of my favorite books so far when it
comes to threat intelligence isVisual Threat Intelligence by
Thomas Rossia I hope I'm notbutchering his name.
It's great.
It touches the fundamentals sowell and the graphics in it it
just uh.
The book in itself, it lookslike a comic, but the graphics
(25:28):
in it just helps you understandthose concepts uh much better.
Um, I, I think I read that book.
I started reading it like onone day and I finished it one
day because it was that it wasthat good.
It was just that good.
I was just like you know, I wasnot getting tired, I was
excited.
The more pages I flip is justso good, so much fundamentals in
(25:51):
there and it provides so muchresources on how to do things
and where to find them as well.
So that's that.
That's my main one to go.
Now there is one that I find itvery interesting as well.
I think in the sense it'sfuturistic because it talks a
lot about AI.
It's by Justin Hutchins theLanguage of Deception
(26:11):
Weaponizing Next Generation AI.
It's so good.
Pedro Kertzman (26:15):
It touches many aspects of threat intelligence
that think it will be awonderful grade okay, that's
awesome and, um, you know, it'sstill about you know reading
materials and, uh, upgradingyour knowledge per se.
What about your knowledge?
Is there?
(26:35):
You have any ways.
You, you know, share articles,write stuff, or, or you or you
know conferences, you talk.
If people want to learn morefrom you, uh, is there any where
they should go?
Pedro Barros (26:47):
Yes, um, I have a blog of mine is called
pemblabsnet Uh, that's P, e, m,b, uh, labs, l, a, b, s
pemblabsnet.
That's where I share myarticles and I'm actually going
to post something soon that Ithink is going to be very
interesting read as well.
But an infrastructure that Iwas able to track down and and
(27:12):
you know, it got me to do thatquestion of also kind of ethics
on reporting, when you shouldreport something when you find
it as well.
So I ended up finding thismalicious infrastructure that
ended up becoming a big campaign.
But, yeah, before reporting it,I decided okay, let me spend
(27:34):
some more days into this, reallydig into it.
Do a lot of OCint as well intothat.
I ended up finding more.
It started from GitHub, wentinto certain pages.
Do some do a lot of?
Uh, all scenes as well intothat?
Um, they ended up finding more.
Uh, they started from from.
He started from github, wentinto certain pages.
It went into one fishing pagesto about five fishing pages and
we're talking about it was.
(27:54):
He did something veryinteresting that I thought he
was just like oh, why is hedoing this?
Is that it was so targeted thatit will only get you to is that
it was so targeted that it willonly get you to those phishing
page landing page if you arepart of that email list that it
wanted to target.
So you wouldn't get to thatlanding page if you were not
part of it.
So it was just interesting.
(28:15):
And one other infrastructureended up leading to one of these
Telegram bots, so I was veryexcited about that.
Did a lot of hosting on thoseTelegram bots that I haven't
done before in the past, so itwas just fascinating.
So I'll be sharing there on myblog.
That's again pamblabsnet.
That's where I normally writemy stuff.
(28:36):
So far I don't have muchwritten, but there are already
some posts in there and I'm veryhopeful that I'll finish
writing this one and probably beup by the weekend.
Awesome, yeah awesome.
Pedro Kertzman (28:47):
Thanks for sharing that.
Yeah and and uh.
One, one question I'd like toask.
Uh, all our guests from youknow all the knowledge you
acquired throughout your career,especially on the CTI area.
Is there anything that you knowtoday that you wish you knew on
(29:09):
the very beginning, when youstarted on the CTI industry?
Pedro Barros (29:15):
Yes, I would say so.
The way I look into CTI, right,touching into different roles,
one that I like most is, youknow, when I get to do malware
analysis or reverse engineering,and if one thing I regret is to
(29:38):
kind of skip a lot of datastructures and system
engineerings, right, I feel likeif I had spent more time
getting understandingfundamentals of that, it would
be what I make my work as, whenI'm analyzing a malware, much
more easier I understanding thesystem calls and those, those
functions that you already havethere and in Windows or Linux,
(30:02):
how they are borrowed fromdifferent libraries to use them
to basically perform thoseactions that they're looking for
.
I feel like if I spend moretime and I'm going to be
spending some more time duringthis year reading a lot more
into system engineering andunderstanding the file structure
(30:23):
as well.
So those are some of thosethings that I look back.
I was like man, I wish I couldhave spent more time into that.
Pedro Kertzman (30:29):
Awesome.
So I guess it's also some goodrecommendations on next steps
for people looking for topicsthat will help them to be a
better threat intelligence unit,and so on.
Yeah, pedro, thank you so muchfor coming to the show.
I really appreciate all theinsights and I hope I'll see you
(30:50):
around.
Pedro Barros (30:51):
Yeah for sure, we both speak Portuguese.
We just learned that, so that'sawesome.
I'm very glad to have met youand have this opportunity to be
here with you.
It was really good.
Pedro Kertzman (31:02):
Same name, same industry, same mother language.
Oh my goodness, nobody's goingto ever beat that one.
Thanks again.
Rachael Tyrell (31:11):
And that's a wrap.
Thanks for tuning in.
If you found this episodevaluable, don't forget to
subscribe, share and leave areview.
Got thoughts or questions?
Connect with us on our LinkedIngroup Cyber Threat Intelligence
Podcast.
We'd love to hear from you Ifyou know anyone with CTI
expertise that would like to beinterviewed in the show.
Just let us know.
Until next time,
Especially if you're using free threat feeds,
it's easy to just start stockingthem up.
Rachael Tyrell (00:05):
Hello and welcome to episode number three,
season one, of your CyberThreat Intelligence podcast.
Whether you're a seasoned CTIexpert, a cybersecurity
professional or simply curiousabout the digital battlefield,
our expert guests and hosts willbreak down complex topics into
actionable insights.
On this episode of season one,our host, Pedro Kurtzman, will
(00:26):
chat with Pedro Barros, who is acertified cybersecurity analyst
with years of experience inthreat intelligence detection,
engineering and incidentmanagement.
He works as a security analystand also teaches at Houston
Community College, where heintegrates hands-on labs and
real-world case studies toprepare future professionals
(00:46):
Over to you, Pedro.
Pedro Kertzman (00:53):
Pedro, thank you so much for coming to the show.
It's great to have you here.
Yeah, thanks for having me.
I'm very excited, Awesome, andI usually start asking the
guests their journey, how theygot to know cyber threat
intelligence, what path they hadto you know, all the way to
bring them to their current role.
(01:15):
Can you explore a little bit onthat please?
Pedro Barros (01:17):
Yeah, so I started in the SOC as a junior SOC
analyst as many would and thenfrom there, of course, now I
work as a mid-tier SOC analyst.
At first, training intelligencewas kind of a daunting role for
me, but the more time I spent inthe field I started noticing
(01:39):
that I'm much more excited tokind of like a research type of
work related to cybersecurity.
I love incident responding.
I've been doing that forbasically all my career on
cybersecurity.
But I feel like threatintelligence is the one that
touches, like all other areasand I think that's my philosophy
(02:01):
as well when I approach threatintelligence is that I feel like
threat intelligence should uh,it's one of those pillars that
should support your cybersecurity operations, plans and
goals for either your sock or,if you are an mss, msb right,
because you get to find out,okay, what's important for me,
what, what is it that I shouldbe looking for, why I should
(02:23):
look for that, and how I can getthose information and fit into
different roles such asdetection, engineering,
different roles like incidentresponse or forensics, how you
can kind of come and fit intothat.
We're talking about even redteaming and purple teaming.
So I think a well-seated threatintelligence role should be
(02:45):
able to fit into many, manydifferent areas of the
organization yeah, you touchedon, uh, for me, a very important
point.
Pedro Kertzman (02:53):
You mentioned pillar right, and, uh, for me, I
I could not agree more, uh, andI also see threat intelligence
as a guidance, right.
So, yeah, what uh kind offirewall?
Uh, if you will strategy yourconfiguration, you're going to
use nobody better than yourthreat intel peer area, if you
(03:17):
have one in your company to totell you, hey, because you name
it, our industry, the firewallsbrands we use, so on and so
forth.
So, because of the intel I have, you should start with these
ones.
Yeah, so we have always so manystuff to do on our, you know,
busy days.
Yeah, why not having that uhpriority list?
(03:39):
Yeah, coming from our peoplethat are deep into the weeds to
understand the mindset of youradversaries, right, exactly,
yeah, that's awesome.
And so you mentioned your pathto the cyber threat intelligence
role, and would you have anyrecommendations for people also
(04:00):
looking at moving or startingtheir career into CTI?
Pedro Barros (04:06):
Yes, so, like Playa said, cti, it should touch
basically every other area ofcybersecurity, and I think you
can thrive more in this role ifyou understand the fundamentals
of incident responding,forensics, detection,
(04:27):
engineering, vulnerabilitymanagement, identity access
management, iam.
And if you get thosefundamentals, I think you will
better fit into the role ofthird intelligence, fit into the
role of threat intelligence.
Like I said, you are supposedto basically kind of like, come
and make sure you are helpingthe team, being better and
(04:50):
focusing on the things thatmatter for the company, whether
this vulnerability managementand many of these roles.
In fact, they already kind ofdo some kind of a threat
intelligence as well.
Vulnerability management theyalso wanna make sure.
Okay, should we really beconcerned about this
vulnerability right now?
Is this something that is beingexploited in the wild?
(05:10):
Right, so you would either havethem kind of performing a
little bits of this role.
Right, you talk about detectionengineering.
They want to be interested aswell.
Okay, is this detectionsomething that we really need?
Like, depending on yourenvironment, whether it's
windows, what type of systemthat you're using, does it
really matter to us?
(05:30):
So if you have understanding ofthose different roles uh, kind
of like the fundamentals, Ithink it will be much, much
easier for you to transitioninto intelligence and be able to
, you know, bridge that gap thatexists between those different
roles excellent.
Pedro Kertzman (05:47):
Thank you very insightful, um, and and you know
you mentioned your role rightcan you explain a little bit
more about your role, the someof the things you do, uh, on
your current role yes, so Icurrently uh.
Pedro Barros (06:02):
My main responsibility, like and I say
that this is basically what Iwas hired for uh is incident
responding, right, but I work.
I work in a uh corpse corpse,uh corp sock, which means
basically it's not an mss, msp,right, it's a managed service,
security service provider.
So I have certainresponsibility.
That, of course, of that of aswell, security engineering,
(06:23):
detection engineering and uh,basically reaching out to
different uh stakeholders at thecompanies see what's bad things
that we are finding and kind oflike help them uh understand
why this is bad and where weshould move.
Like, let's say, we found a uh aserver that is supposed to,
that is being uh that's hostinga service that perhaps is
(06:44):
vulnerable or that istransmitting data in clear text.
We want to make sure, hey, canwe work on this so that we close
this port and start using thisport, because this port can
provide more security, and kindof walk with them as well, like
okay, through the step ofimplementations and testing
until things are good.
Besides that, of course, someresponsibilities of course, were
(07:08):
being added in a sense.
Like something came up, youknow how to do it, you start
doing it, right, that'sbasically as well.
Like kind of like how I gotinto my responsibilities doing
threat intelligence for mycurrent position as well.
Pedro Kertzman (07:23):
Awesome and any like uh experiences.
Recent experiences you hadworking with the threat intel
feeds, for example.
Uh good, bad ugly.
You know any advice around that.
Pedro Barros (07:36):
Yes, um, I have a big hic when it comes to uh
combo list, right, because and Iand I like to say that combo
list is like, uh, powerpuffgirls.
There is a guy, uh, theprofessor, basically created
pop-up girls and the way thatstarts the show is basically him
making the potion, right, itgoes sugar, butter and
(07:59):
everything nice, and then heputs a chemical x and it
explodes.
The powerpuff girls come toexistence.
I feel like combo list is justlike you know, someone put out
there going okay, I got thisemails, I got this PII and I got
this hashes and for passwordhashes, and then it just bring
(08:19):
like all from from any other,from every other breach that has
happened, like in the past, andthat's what combo list is.
And when you have a thread feedthat is literally looking into
that very heavily, right,whatever new combo list that
comes from that comes up, guesswhat they're gonna feed onto
that data into their system.
(08:40):
And they start learning hey, wefound a bunch of uh emails,
we're gonna be found the 100emails from your, from your uh
company on this combo list.
And then when you startinvestigating that combo listen,
you start finding a way this isthese things are from breach
that happened five years ago,right, seven years ago.
There is, of course there isthe is the fear of any like
(09:04):
password reuse.
But when you look into a breachthat has happened five years
ago, most of the time you havemoved on from that right, at
least if you are implementinggood password policies.
So that's kind of like my badexperience with some of the
threat fears that you might findout there.
They just start generatingalerts and it creates creates
(09:25):
sudden panic that is not there,right.
And then of course, you havethose good ones where you
actually find like complete, uh,what I call complete threading
threat intelligence, where theyare not just feeding onto those
data by just looking at theiremails or password hashes.
Right, if the data has moreinformation in there that can
(09:45):
identify where that, where thatbridge occur, they will look
into those and they will let youknow.
Uh, here's, here's when we thinkthis bridge happened.
We think this is coming fromthe brief that was reported
perhaps two years ago, becausethe data sets look similar to
this.
You know they find some common,uh commonality into those data
sets and make their ownassumptions based on that.
Um, I think that is more wellequipped so that you, you have
(10:09):
an idea, okay, whether this isgoing to be actionable or not.
Right, instead of just having alarge style, just you know,
because someone can just grabanother list of uh emails and
password from a previous bridge,combine them and then post it
on some kind of a web doc, webforum and of course, your, your
feeders are gonna take it andthen just generate more alerts.
(10:31):
So that's why I'm like I'm I'mI'm very like, much against like
combo lists and just usingemail and password to create
alerts.
Yeah, if you're gonna give mesome intelligence.
You know, do some more work onit and then send it, and then
I'll see if no.
Yeah, it's good.
Pedro Kertzman (10:47):
No, that makes sense and so you mentioned what
I would understand is like yougotta be that you know three
characteristics of a good CTItimely, relevant.
People are like just creating abig Feed, but it's actually
(11:10):
almost like a repository ofhistorical.
It's, yeah, breaches positivesand noise that it's not super
timely to to action upon uh,yeah, and and that's that's like
very like the.
Pedro Barros (11:21):
You know the basics of threat intelligence,
right, if it is the dataaccurate, is it, is it timely?
Is it relevant to you?
So I think those questionsshould, you know, still be
applied.
And one thing that I feel like,uh, we don't talk match as well
is uh, it is like uh threatfeeds evaluation right, you got
(11:42):
this, you're receiving, you'reusing this product using uh the.
You know their, their threatintelligence feed.
Um, how often do you evaluatewhether how much false positive
has generated, how much the datathat it has uh alerts that it
has generated is relevant to youor not, and how timely that is
right?
So I think those are somethings that we need to.
(12:03):
You guys kind of talk aboutmore when it comes to
intelligence so that weevaluating it and if we are
doing that and making thoseconversation as well with those
30 intelligence feed providers,I think they will also start
looking tomorrow.
You know what we should reallystart.
You know looking more into ourproducts, see how we can better
(12:23):
our product, what our customersare saying about what we feed
them.
Pedro Kertzman (12:29):
Yeah, no, that's awesome.
I love this like a win-win.
Yeah, so you're mentioningabout evaluating right the
threat feeds or the threat intelyou're receiving.
Can you expand a little bitmore on that please?
Sure.
Pedro Barros (12:42):
Yes.
So I think we should startevaluating more.
You know the value of itself,like of the trade feeds that we
have, and I think that should besomething that either is done
quarterly or every six months,or you know, I guess, how
comfortable you decide to be,maybe once a year, but I think
(13:03):
quarterly or every six monthswould be a better place to be
that.
Uh, once a year, but I thinkquarterly or every six months
would be a better place to bethere, and that's it.
So you, being in the thirdintel intelligence analyst on
the receiving end and you'refeeding intelligence as well to
others, you're creating aworkflow that will trigger alert
for, for the sock, right, forthe, for your, for your analyst.
(13:23):
Look into the scene, right, youanalyze the, the thread by you
yourself looking into analyst.
Look into the scene, right, youanalyze the, the thread by you
yourself looking into the datathat is coming.
Right, you know, as a thirdfeed, by looking at yourself, uh
, the data that is coming, butalso by taking input from the
team that you're serving insideyour company.
Right, how does the?
How does the the the sock feelslike?
(13:44):
How does uh, how do theanalysts feel like when those
alerts are coming.
Are they complete?
Are they?
Do they have to do a lot morework to to understand why this
is an alert, why this matters?
Right, if you're creating aalert base of that you also, you
know it would be a good idea,so to kind of provide, like,
(14:06):
certain things that they shouldbe looking for.
If that is missing, you know,talk with them.
Okay, what do you think youwanna see when that alert comes,
on that single plain pane ofglass that you're basically kind
of looking at the alert?
What matters more to you andhave you seen this on the alerts
when they pop up, or is thissomething that you have to
(14:27):
search more?
You go into the detectionengineering team, get the
feedback from them.
Is this valuable?
Let's say, perhaps you'rebringing some kind of YARA rules
that you find this isinteresting, and then you want
perhaps your team to kind oflike work and find a way to
(14:49):
transfer that into their sametechnology or whatever
technology that they are using.
And even from a vulnerabilitymanagement standpoint, right,
how are they getting informedmore about those vulnerabilities
that they are trying to patchand mitigate, right?
Do you provide some kind ofmore insight?
Did you help them make theirdecisions easier when it comes
(15:11):
to that.
So there is the the one sidewhere you have to actually kind
of like, go and look into thedata that you're receiving, um,
see perhaps what's missing there, what's good, and if you're
distilling that information toother other roles or departments
in your company, get thefeedback from them as well, ask
them whether that data isvaluable or it's just something
(15:33):
that you know.
Perhaps they see, oh, there'sone more, came in right.
Pedro Kertzman (15:38):
So I think, uh, look into evaluation in in that
way will be a great way toapproach it yeah, just listening
to what you're saying, it feelsthat we might benefit from
having, for example, like anevaluation matrix for for feeds,
data feeds, I don't know maybeparameters like completeness of
the information or you name it,timeliness, so on and so forth
(16:02):
to actually help judge, filter,what is the best feeds.
I have, the most important ones, the ones that are actually
making my analysts spend moretime to actually come up or make
sense of that, not as completeor accurate information.
Maybe it could be somethingthat I don't know.
Pedro Barros (16:21):
Maybe somebody will build something like that
in the future to to help theindustry in general yeah, that's
a good idea, because I neverthought about, you know, even
just creating a matrix, but itwould be interesting to look
into that and see if you knowsomething could be, uh, could be
created so that people can havesomething to use as a reference
when evaluating data feeds yeah, funny enough, a few months ago
(16:45):
I was putting together apresentation for, like college
students, so I was doing apresentation on a college here
and, uh, you know, talking aboutthe industry, tell them a
little bit about the historyaround threat intelligence.
Pedro Kertzman (16:59):
And actually I realized that most of the
security vendors, the bigvendors that we know out there
you name it, firewall vendors,endpoint security vendors out
there they always had some sortof internal cyber threat
intelligence practice and theyused to use that to pump, to be
(17:20):
able to have like a good, let'ssay, off-the-shelf products to
pump that information into their, again, firewalls, endpoints
and so on.
But they never realized that atsome point and that probably
happened, I don't know, betweenanywhere between five and ten
years we started seeing somemore focused, uh, boutique ish
(17:40):
players, um, you name itscraping dark web and then
creating feeds out of it or, youknow, collecting whatever other
type of telemetry or intel andcreating packages specifically
to sell cyber threatintelligence.
And then those, let's say, bigplayers that had that internal
(18:08):
knowledge but never thought thatcould actually be like a
product and another subset ofthe industry, if you will.
Uh, they were like, oh wow,wait up, let's, we can do this.
We have this knowledgeinternally.
So now all those big playersdecided to also create their
threat intel offerings and youknow the market is, as you know,
right now clogged with so manyofferings feeds all over the
(18:30):
place, right so it's hard tojudge and what's the best one
for me.
Pedro Barros (18:35):
So you got to put a lot of work to to to make
sense of what's the actualinformation that you need yeah,
if you, especially if you'reusing free thread feeds, it's
easy to just starting stackingthem up, right, if you're not
really looking much into why youwanna collect that specific
(18:57):
data.
Oh, just another one.
Oh yeah, you know this happened, but we missed from those,
let's say, 15 data feeds that wealready have.
We didn't get that information,but there's this one that we
saw that provided thatinformation.
You know what?
Let's add that to the list.
It just starts piling up, pilingup, and sometimes it becomes
(19:19):
like in the question, of course,even, of course, the data
ingestion into the SIMs.
Right, how much are you gonnakeep pulling?
And just if you're notevaluating as well, you gotta
deal with storage as well whenit comes to many SIMs, not just
ingestion, how much data youbring in, but also how much
(19:39):
you're saving for how longyou're keeping those data as
well.
So it can become, in a sense,just expensive for nothing.
And one other thing as well nowthat you mentioned when you were
starting up, is that I feellike threat intelligence.
I think the way that we areright now, even in schools and
(20:02):
colleges, it should become likea class of their own.
I think at this point thereshould have been like a.
You know there are many morecolleges and universities that
are creating cybersecuritycurriculum, but most of the time
you won't see any courserelated to threat intelligence.
And I just start wondering why.
Why that is?
(20:22):
I think we are at a time wherewe it's something that we think
is important and that it hasmatured enough to that point
where we should have somethingrelated to that.
Pedro Kertzman (20:32):
Yeah, I could not agree more.
That's why I reach out tocolleges and other institutions
that have cybersecurity programsto see if they have already
anything related to CTI.
If not, if they're interestedto listen to anybody talking
about that topic with theirstudents, just to create more
awareness around this importantpart of the industry, which kind
(20:52):
of reminds me of a topic aswell.
We do have a fair amount ofopen source, slash free CTI
feeds out there, but sometimesthe quality, like you mentioned
right you could, because wedon't have like a huge amount of
people behind that feed makingsure you know timely, the
(21:14):
information is relevant, so onand so forth.
Uh, the flip side of it will bethe analysts or the teams
relying on that informationhaving to, you know, work a lot
more just to make make relyingon that information, having to
you know work a lot more just tomake sense of that information
popping into their systems.
(21:34):
Yeah, no, that's awesome and youknow I heard you recently spoke
on another Cyber ThreatIntelligence Conference.
Can you just mention a littlebit?
How was it?
Some good insights from it.
Pedro Barros (21:52):
Yes, this was actually my first speaking of
engagement opportunity ever.
There is actually one morecoming up.
It won't be necessarily oncyber threat intelligence, but
it was super good.
I remember coming into thenight at the hotel and just
seeing some, some guys uh,hanging on the lobby.
I was like you know what, letme go introduce myself to those
(22:14):
people.
And I went and introducedmyself.
Guess what?
There?
Some of them were actuallypeople who were at the board and
the ones who decided which youknow which talks they're gonna,
they're gonna accept and whichones they're not.
So they were very excited formy talk and that kind of
encouraged me.
I had a lot of stress beingtheir first time speaker, but it
(22:36):
was really just amazing.
The only thing that happened andit's nothing to do with the
conference I discovered that Iam, I guess I'm very sensible to
lights, so those stage light atthe end of my talk.
It caused me an immenseheadache.
Oh no, yeah, but overall theconference was amazing.
(22:58):
It was a great experience.
I would recommend to people, to, you know, join conferences and
go, listen to other people andyou know, if you have, if you
have something that you want totalk about, you know, submit
your call for paper and see ifit's gonna it's gonna be
accepted or not yeah, honestly,that's for me, probably one of
my favorite parts within theindustry, especially in the cti.
Pedro Kertzman (23:19):
Overall in cyber security, we see that, but
especially on cti, the amount ofcollaboration.
Right, because we know, andacross so many, you name it
literature, we have forums,blogs, you name it we always
hear about even though I'm goingto name an industry, it could
(23:41):
be so many others, even banks.
In theory, from a sales andmarketing perspective, they're
competitors, but when it comesto operations, especially
cybersecurity and cyber threatintelligence, forget this
competitor mindset andcollaborate.
(24:02):
If we don't do that, we'realways going to be outnumbered
because frat actors do that.
Right, yeah, they do that youknow and they are yeah, no, go
ahead.
Pedro Barros (24:15):
Yeah, and they are .
They are well motivated, um, todo that, right.
Yeah, um, sometimes they're.
It's just, I guess, the promiseof a great financial gain from
whatever they're going to do, orif they're already even being
paid right, talking about umadvanced, persistent threat, if
they're already being paid by,perhaps, the government or
something like that, so they'rewell motivated to continue to
(24:35):
share exactly, exactly.
Pedro Kertzman (24:36):
That's why we need to really get together to
to flip the table, you know, getahead of these guys, otherwise
it's always going to be this uhnightmare that sometimes we we
see, uh, oh, that's in talkingabout, you know, collaboration
and uh, studying and referencesand stuff any, you know, blogs
(24:57):
or books or references that youuse to update your knowledge.
Pedro Barros (25:08):
Yes, one of my favorite books so far when it
comes to threat intelligence isVisual Threat Intelligence by
Thomas Rossia I hope I'm notbutchering his name.
It's great.
It touches the fundamentals sowell and the graphics in it it
just uh.
The book in itself, it lookslike a comic, but the graphics
(25:28):
in it just helps you understandthose concepts uh much better.
Um, I, I think I read that book.
I started reading it like onone day and I finished it one
day because it was that it wasthat good.
It was just that good.
I was just like you know, I wasnot getting tired, I was
excited.
The more pages I flip is justso good, so much fundamentals in
(25:51):
there and it provides so muchresources on how to do things
and where to find them as well.
So that's that.
That's my main one to go.
Now there is one that I find itvery interesting as well.
I think in the sense it'sfuturistic because it talks a
lot about AI.
It's by Justin Hutchins theLanguage of Deception
(26:11):
Weaponizing Next Generation AI.
It's so good.
Pedro Kertzman (26:15):
It touches many aspects of threat intelligence
that think it will be awonderful grade okay, that's
awesome and, um, you know, it'sstill about you know reading
materials and, uh, upgradingyour knowledge per se.
What about your knowledge?
Is there?
(26:35):
You have any ways.
You, you know, share articles,write stuff, or, or you or you
know conferences, you talk.
If people want to learn morefrom you, uh, is there any where
they should go?
Pedro Barros (26:47):
Yes, um, I have a blog of mine is called
pemblabsnet Uh, that's P, e, m,b, uh, labs, l, a, b, s
pemblabsnet.
That's where I share myarticles and I'm actually going
to post something soon that Ithink is going to be very
interesting read as well.
But an infrastructure that Iwas able to track down and and
(27:12):
you know, it got me to do thatquestion of also kind of ethics
on reporting, when you shouldreport something when you find
it as well.
So I ended up finding thismalicious infrastructure that
ended up becoming a big campaign.
But, yeah, before reporting it,I decided okay, let me spend
(27:34):
some more days into this, reallydig into it.
Do a lot of OCint as well intothat.
I ended up finding more.
It started from GitHub, wentinto certain pages.
Do some do a lot of?
Uh, all scenes as well intothat?
Um, they ended up finding more.
Uh, they started from from.
He started from github, wentinto certain pages.
It went into one fishing pagesto about five fishing pages and
we're talking about it was.
(27:54):
He did something veryinteresting that I thought he
was just like oh, why is hedoing this?
Is that it was so targeted thatit will only get you to is that
it was so targeted that it willonly get you to those phishing
page landing page if you arepart of that email list that it
wanted to target.
So you wouldn't get to thatlanding page if you were not
part of it.
So it was just interesting.
(28:15):
And one other infrastructureended up leading to one of these
Telegram bots, so I was veryexcited about that.
Did a lot of hosting on thoseTelegram bots that I haven't
done before in the past, so itwas just fascinating.
So I'll be sharing there on myblog.
That's again pamblabsnet.
That's where I normally writemy stuff.
(28:36):
So far I don't have muchwritten, but there are already
some posts in there and I'm veryhopeful that I'll finish
writing this one and probably beup by the weekend.
Awesome, yeah awesome.
Pedro Kertzman (28:47):
Thanks for sharing that.
Yeah and and uh.
One, one question I'd like toask.
Uh, all our guests from youknow all the knowledge you
acquired throughout your career,especially on the CTI area.
Is there anything that you knowtoday that you wish you knew on
(29:09):
the very beginning, when youstarted on the CTI industry?
Pedro Barros (29:15):
Yes, I would say so.
The way I look into CTI, right,touching into different roles,
one that I like most is, youknow, when I get to do malware
analysis or reverse engineering,and if one thing I regret is to
(29:38):
kind of skip a lot of datastructures and system
engineerings, right, I feel likeif I had spent more time
getting understandingfundamentals of that, it would
be what I make my work as, whenI'm analyzing a malware, much
more easier I understanding thesystem calls and those, those
functions that you already havethere and in Windows or Linux,
(30:02):
how they are borrowed fromdifferent libraries to use them
to basically perform thoseactions that they're looking for
.
I feel like if I spend moretime and I'm going to be
spending some more time duringthis year reading a lot more
into system engineering andunderstanding the file structure
(30:23):
as well.
So those are some of thosethings that I look back.
I was like man, I wish I couldhave spent more time into that.
Pedro Kertzman (30:29):
Awesome.
So I guess it's also some goodrecommendations on next steps
for people looking for topicsthat will help them to be a
better threat intelligence unit,and so on.
Yeah, pedro, thank you so muchfor coming to the show.
I really appreciate all theinsights and I hope I'll see you
(30:50):
around.
Pedro Barros (30:51):
Yeah for sure, we both speak Portuguese.
We just learned that, so that'sawesome.
I'm very glad to have met youand have this opportunity to be
here with you.
It was really good.
Pedro Kertzman (31:02):
Same name, same industry, same mother language.
Oh my goodness, nobody's goingto ever beat that one.
Thanks again.
Rachael Tyrell (31:11):
And that's a wrap.
Thanks for tuning in.
If you found this episodevaluable, don't forget to
subscribe, share and leave areview.
Got thoughts or questions?
Connect with us on our LinkedIngroup Cyber Threat Intelligence
Podcast.
We'd love to hear from you Ifyou know anyone with CTI
expertise that would like to beinterviewed in the show.
Just let us know.
Until next time,
Popular Podcasts
NFL Daily with Gregg Rosenthal
Gregg Rosenthal and a rotating crew of elite NFL Media co-hosts, including Patrick Claybon, Colleen Wolfe, Steve Wyche, Nick Shook and Jourdan Rodrigue of The Athletic get you caught up daily on all the NFL news and analysis you need to be smarter and funnier than your friends.
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com