Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Aaron Roberts (00:00):
And that's how the corporate credentials are breached.
Rachael Tyrell (00:04):
Hello and welcome to Episode 6, Season 1 of your Cyber Threat Intelligence podcast. Whether you're a seasoned CTI expert, a cybersecurity professional, or simply curious about the digital battlefield, our expert guests and host will break down complex topics into actionable insights. On this episode of Season 1, our host, Pedro Kertzman, will chat with Aaron Roberts. Aaron is a cyber threat intelligence expert specialized in open source intelligence with experience across the UK public and private sectors, the military, and a founding member of the UK OSINT community. Aaron, thanks so much for coming to the show. It's great to have you here.
Aaron Roberts (00:50):
Thanks so much, Pedro. It's great to be here.
Pedro Kertzman (01:00):
Awesome. And I usually start asking the guests about their journey to CTI. Would you mind walking us through that, please?
Aaron Roberts (01:08):
Yeah. So back in the land before, I'd say, ubiquitous internet, I'd always been interested in like computers and stuff growing up, mostly because of video games, probably like a lot of CTI analysts. And then as I was growing up, trying to figure out what to do with my life, I decided that I wanted to be a football coach, which is not very cyber, is not very intelligence analyst, is very far removed from that. I guess there was some data analysis involved, but like very different world.

So I went to university and started studying about sports and coaching and thinking this is a good route to go down and there's like a good career in something I'm interested in down the road, until you find out, particularly in the UK and probably in most developed nations where like football is a big deal, or soccer which you might call it in the US, it turns out it's more who you know rather than what you could learn like through like a formal degree. And I think that's something where a lot of people probably make this realisation as they're growing up, and an idea of I've got a degree in this thing, so therefore I can now be a person over here doing this subject, is very, very different from like perceptions versus reality.

So whilst through university, I was not really enjoying the course. It wasn't really what I'd anticipated it being anyway. And it eventually came down to a point where I'd seen a local government department had advertised like for vacancies, and I always assumed like, and growing up watched a lot of 24 and, you know, bad quality action movies and thinking I could do that, I want to be a spy, let's don't do that. And I'm thinking out of curiosity, how far could I get in this process, thinking I would, you know, probably not even get paper sifted to an interview, let alone anything else. But long story short is I somehow managed to talk myself into a job. And so I was working in the civil service in the UK initially as an IT support analyst. So, you know, eventually like level one support, answering phone calls, diagnosing problems and either, you know, using like known fixes or trying to work the issue out and then either subsequently resolving the problem or passing it on to like deeper technical support.

And that gave me a really good foundational knowledge around like, you know, like operating systems and computers and, you know, to a lesser extent, I would say networking, because most of the network issues you just have to pass on because you either don't have the right access to tools or you just, you know, you don't have that level of knowledge to be able to resolve them.

And from there, I sort of came to the end of that post and was looking for the next move. And then I transitioned into like more of a cybersecurity role, which was less technical in terms of like resolving issues and understanding like day to day what was happening in different situations. But it put me in a much more customer facing role. So I would interface with different government departments, private sector as well, and understand and anticipate the questions they would be asking about things. A lot of that would come down from like essentially like government guidance or things in the news. So if that's like, you know, new vulnerabilities or, you know, a rampant form of malware. And, you know, we're talking back in like 2012. So the biggest things really were like, you know, banking Trojans and things like that at the time, GameOver Zeus and stuff like that.

So that role was really interesting to me because I got to be sort of sit in the middle between a relatively senior but non-technical audience, which were mostly like the people I'd considered to be customers, versus the technical goblins behind me, where I'd be going to like kind of get the real answers from them to understand the issues and then taking like the technical aspects of what they had to say and then trying to put it into language that the others could understand. And then from there, I did that for a couple years and then the opportunity to pivot into a different team where to focus on open source intelligence. And I think that's really where like my sort of cyber journey really, I would say, really kicked on.

So I got to use a combination of all those skills. So, you know, relationship management, interfacing with different partners, internationally and like nationally, bit of like project management and stuff. So over long-term pieces of work, but also working across like such a broad range of different subject areas. So effectively learning how to do what nowadays is called OSINT. And that would be, you know, could be, we could be talking about individuals. We might be talking about, you know, infrastructure, might be specific websites or it might be, you know, certain platforms, and sort of understand, try and A, figure out what information can we find out about them? How do we turn that into like a useful intelligence product for the end customer?

And invariably a lot of that was, you know, sensitive work, but geared around how can we leverage data from the internet to inform other decisions. And a lot of that work involved like looking at different, you know, groups and different organizations. Some of it involved, you know, what we now call like APTs and things like that, and that could be anything from like infrastructure that they had used in cyber attacks versus, you know, potentially like individuals that are suspected of being in those groups. So at the time, I think the term cyber threat intelligence hadn't really been like coined as such. It was effectively just a new type of information that was pretty much derived from open source information. So even OSINT as a term was probably maybe not even like common lexicon, to say.
Pedro Kertzman (07:39):
Interesting.
Aaron Roberts (07:41):
And then after doing that for a few years, I made a decision to leave the government and move to the private sector. So that was like a big decision. But I think it was only with hindsight it was only really a big decision to move, because the market, like the CTI space, was pretty, pretty new then and pretty misunderstood, I think. You could go from one company to the next and they would have very, very different ideas about what CTI is and what CTI analysts do and how they should work. And I think that's probably still true today to some degree.

But that sort of decision there was when I started looking at what opportunities actually exist outside of this public sector bubble. And the UK market is definitely significantly smaller than the US. And I'm also sure about other like Western nations, but I think the UK is definitely like, always seems like we're lagging behind in terms of like the number of opportunities, the breadth of the roles or the necessary demand for certain specialisms, which is always a frustration, and part of the reason why we formed like the UK OSINT community as well last year. But to bring us back to your initial question about CTI.

So I made that decision to move to the private sector, and when I was looking at roles, I was looking for anything that sort of mentioned like open source intelligence, research, like investigations. And yeah, invariably like you'd see roles looking for like cyber analysts and cyber intelligence, or it would be like SOC analysts, but you're really good at Google. Because the market was pretty immature then, I think. So I ended up working for a company called EclecticIQ, which are a Dutch threat intelligence firm that have their own platform, threat intelligence platform. And I joined what was called at the time the EclecticIQ Fusion Center. So our role as intelligence analysts was to collate information from all the different sources that we could ingest and turn that into like structured intelligence using STIX, STIX 1 at the time, okay, and effectively turning that into useful intelligence that you could then send to a customer, and then they would be able to sort of understand like the whole picture of things from all the different vendors they subscribe to.
Pedro Kertzman (10:29):
Like, you're enriching the information that you got in the first place.
Aaron Roberts (10:33):
Yeah, so it was a combination of, like, you might do your own research on something, whether it's, like, you know, an incident that's occurred, or you might just be researching, like, certain types of infrastructure or a certain actor. Or you might be going, right, okay, well, what do, like, let's say CrowdStrike say about this actor? What do Mandiant say about this actor? And then what other sources do we have? You might pull from something like AlienVault or URLhaus and you correlate this information together and enrich it and pivot from those different bits of information to then provide a report and say, well, this is what each vendor has to say about this. This is our assessment on this. And then it's up to you as a customer what you want to do with that information.

And I feel that was a really, it was a different way of approaching the situation from my experience, but it was also, I think, really, really useful because, A, it was a great exposure to different cyber vendors, like, and seeing, like, how they provide information, how they report on things, insights into, like, their visibility, and also from a different range of customers as well. You can sort of see, like, try and figure out what their priorities were and the things they cared about, and also just, you know, like, how much money they had as well, a little bit. I think that was a really interesting baptism of fire, a little bit, into what CTI is in real life. And I think the vendor space is always interesting because unless you've been in that environment as a defender or blue team or part of a cybersecurity function, you wouldn't necessarily understand what the customer wants. And I think this always comes down to that thing where not having a priority list of intelligence requirements, it is one of the fundamental things you should do as a threat intelligence team, regardless of the organization, because you need to understand the people that read your reports, what they want to be reading about.
Pedro Kertzman (12:41):
Yeah.
Aaron Roberts (12:42):
And I think especially at that time, I think you would occasionally get a bit guilty of researching something that we thought was cool. We'd be like, oh, have you seen that? APT28 did this. Oh, it's great. What about that? Oh, it's amazing. And then invariably, we'd be like, yeah, but we read about that on Bleeping Computer already, so why do we care? It looks pretty in your little graph, and the visuals are nice, but invariably, it hasn't really helped us further our security any further.

So I think after doing that for, I think it was about 18 months I worked there. That's where I moved to a telco in the UK and sort of went in with the idea of like, you know, critical national infrastructure, very interesting environment, getting attacked on a daily basis. And sort of like, sort of having this exposure to real like, tete-a-tete cyber operations, like attack, defend, attack, defend. And whilst that didn't really work out for me, to be honest, I was only there for about six months. I think it just ended up with, they basically bought into a platform that needed a lot of management and a lot of oversight. And unfortunately, just the way it worked was, you know, like our support team was like on one part of the world. The vendor was on the west coast of the US. We're in the middle and we're just like trying to get either somebody on a call or trying to understand something. And it was just so very difficult. And it sort of went into this space where like you're kind of doing like project management and IT support without any of the right tools to really enable that.
Unknown (14:34):
So
Aaron Roberts (14:34):
I ended up like talking to a friend who was hiring, and he talked me around over a beer, which is probably quite easy to do, in all honesty. He was like, come work with me, come work with me. I was like, come on, let's have a chat. But then, so I moved from Vodafone to Sky, which is predominantly a television media broadcasting company. But they also do, like, they also run their own broadband service. They run landline telephones. They have a mobile network operator as well. Um, which is a very like interesting environment. So they have everything from like content piracy, user account fraud. Um, you know, the fact that they're a big company as well with, you know, lots of money going into like things like sports rights. So they're a very clear target for like ransomware groups and stuff like that. Very interesting environment. Um, really exciting place to work as well, because there was always like stuff happening, which, like whilst not directly part of your job, like just seeing like, oh, the company's just done this, or we've announced this and we've got this thing going on. And then you're like, just walking around like the office, you know, you see people like from the TV, just like having their lunch and stuff. It's very like weird in a lot of ways, but that was a really interesting setup as well. Cause the CTI team was kind of new.

So I sort of went in as the principal threat intelligence analyst at that point. So that was enabled. So I worked directly with the head of threat intelligence to kind of mold and shape where the team was heading. So while she did all the boring admin stuff, I got to look at the technical bits and try and figure out how we could make the best use of our budget and what tools we probably need to enable us to get the right answers. And that was really fun because I got to work across so many different subject areas, which as a traditional CTI analyst, you might not think about. So things like fraud, content piracy, and being able to sort of embellish and enable those teams by effectively making really good use of open source intelligence. So looking at piracy on forums and then being able to bring that extra knowledge of, okay, well, if you have these bits of information about this person that's selling accounts, we can do these bits of research to potentially find out who they are. And I think some of that was really, really well received. And it sort of helped the piracy team sort of kick on a little bit as well. And enabling those relationships and sharing tradecraft, and occasionally we'd do little workshops where this is how we do this. And they're able to sort of take that away as well and use that information. So I think that's always been really interesting. And then by that point, being in a fairly senior role in terms of the threat intelligence team, also being able to do that mentoring piece with newer analysts. And that was great. We'd get a lot of interns and apprentices.
Pedro Kertzman (17:52):
Okay.
Aaron Roberts (17:53):
trying to figure out what they may want to do with the rest of their career
Pedro Kertzman (17:57):
Nice.
Aaron Roberts (17:58):
or at least, you know, at least in the shorter term, what they'd like to do once they finished all their placements, and been able to sort of like give them those skills and that understanding and sort of help shape them and help them grow from like what is the computer, not quite that bad, but like if you go like what is Google, to now an OSINT ninja, was always really, really rewarding.
Pedro Kertzman (18:21):
Nice. So,
Aaron Roberts (18:24):
yeah, it was a really long way into how I end up in CTI.
Pedro Kertzman (18:29):
And I think it's fair to say that you have a fair amount of exposure to both paid intel, but also into OSINT tools and frameworks and mindset.
Unknown (18:45):
Yeah.
Pedro Kertzman (18:46):
How would you describe like the main differences between OSINT and traditional paid intel, for example?
Aaron Roberts (18:54):
Yeah, sure. That's a really good question. And yeah, so I guess over the last two, last like seven or eight years, having worked across quite a few different teams and in different roles and functions as well. So when I left Sky, ended up being a CTI team lead at a tech startup in the UK, and that was a very different area of focus. And I think it was kind of, I'd already sort of done that intelligence requirements piece I mentioned earlier whilst working at Sky and trying to figure out actually what does the business really care about. Because if we're spending time writing reports that we think are interesting and nobody reads them or takes no value out of it, then we're just wasting our time. At least this way, if they tell us. You know, weirdly, when I did that the first time, ransomware wasn't that important on the list. People were like, oh yeah, I guess it's interesting. But it was like, there was other things that they seemed to really want more information on, which took us by surprise. And I think even today I'd be like, no, ransomware's number one. Like, come on. Calm yourself down.

But sort of taking that intel requirements work and fleshing that out, then running into a completely different role in a tech startup and working in an interesting space. They have a quantum encryption solution, which is an interesting space with a very interesting and varied set of potential threat actors. And that was using, collectively, probably quite a different range of tools as well, because the company was kind of small and budgets were restricted. We had to be really selective about what tools we would make use of to sort of enable that work. And invariably the thing we wanted to know most about as a company was effectively like what's being said about the company online, and how can we sort of monitor that, and how do we leverage that information to help us understand where potential risks lie or potential threats. So it was really interesting. And you start using social listening tools, which usually you'd use in a marketing context, right? Because I want to know about what people are saying about our brand. How's our current campaign doing? Do people like us? But using that with an intelligence angle is now something that I actually offer through my own company. I was like, this is actually a really interesting way of doing brand monitoring. And I think it's something that you probably should be doing as a company when you're looking at threat intelligence.

So with that in mind and having a fairly small budget for tools, so we couldn't go in and buy threat feeds for six figures. The money wasn't there. I think in total, our budget was definitely way under $100,000, significantly smaller. Um, but we had certain databases and accesses that we needed. So we talked to Moody's, who have the Bureau van Dijk business data set. Uh, that was one of the things we ended up buying access to, which is a phenomenal resource. Like, um, it was certainly not cheap, and I think for an individual researcher it's way out of budget, but when you compare it to trying to find information about companies and ultimately who owns them and things like that, it was a phenomenal resource to have access to. We also leveraged Maltego Enterprise, as it was then. That was really powerful as well, because not only do you have access to a phenomenal link analysis tool, but data allowances that came with that as well. So you can enable investigations and have access to some of these premium data sets without having to interact really with the vendor and like pay them X many thousands of dollars a month for a year to get access to some of that data, which, when the number of inquiries and sort of bits of research we were doing, it was just, yeah, you couldn't justify that expense. It was like, actually these 10 lookups a month for our use case here is actually sufficient, which is quite an interesting place to be. Compared to being in those environments where, oh yeah, this client has bought everything. If there's a vendor, they bought them. And then it's like you're inundated with data, versus now we're doing very tailored and bespoke reports that are very laser focused around particular topics or particular threats. So that was really interesting.

And with that, you come to sort of rely on a lot of the open source tools and techniques that you can leverage from any number of GitHub repositories where somebody has a tool that you can make use of. A lot of the stuff I would use now, whilst I probably have a commercial solution for a lot of them, but there was tools like Holehe, which would take an email address and then find account associations that were linked to that email address. But now you have tools like OSINT Industries, Epieos, Predicta Search, Castrick Clues. There's a bunch now where you can do those same things. And the tools, because they're commercialized, and they've taken what effectively was that idea, put it on steroids, and now it's not only a case of I can say, oh, this email address has a Google account. It's now, I can see that these are the details for that Google account
Unknown (25:04):
or,
Aaron Roberts (25:05):
you know, a LinkedIn account and Strava and whatever stuff. So when you're doing like people focused research, that can be super powerful. And one of the things I do a lot of is person of interest investigations. So those tools are really, really helpful for that. But they come back to the paid, paid versus like, I guess, OSINT tools, the trade-off is always about the legwork that you have to do, right? So whilst some of the tools that you can leverage will have like a Maltego transform, so you can still use like your commercial tools, and then you might have access to Maltego and you can bring in that open source solution and you can still sort of use that data together. Most of them don't. So invariably it's always the case, the trade-off is, right, I can bring this data in, but it's either going to be messy or it's going to be up to you as an analyst to identify what's useful in there, what aids your investigation or helps you answer the intelligence requirement, versus I've just got all the data and here it is.
Pedro Kertzman (26:17):
I
Aaron Roberts (26:18):
think the trade-off you get there, obviously, with, I'd say, something like CrowdStrike, for example, they might do an investigation based off some, either an incident response they'd done or one of our analyst teams has done like open source research on. But when you get that report and you get the associated data, it's already been curated for you, right? So it's like, ta-da, here's what happened. Here's the analysis. This is what we think. Here's all the supporting information that you can then take and you can do your own research and verify or pivot from. And that's, you know, a huge time-saving, especially in like in a high paced environment where you might have like a team that, yeah, anytime you see about a ransomware attack, we get like an incident response report or something, like, just send it. And that's, you know, that's you as an analyst and don't have to do all that research. So I think the trade-off really is the time, but at the same time, I think you can also learn a lot from the tools.

So. And I think where I mentioned those like email, phone number lookup tools. I think before like the first like one was on GitHub, not many people would know like what the extent of how much of that you could do. There were definitely like within the OSINT community, there was definitely, you know, like tradecraft and knowledge sharing about, oh, you can do this on this account. You can do this on this account. But we're talking maybe three, four, five accounts or platforms that you knew this trick would work on. And you get a tool that gives you 30 plus and you're like, oh, this is actually a really viable technique that we should probably make better use of. And not only that, at least four or five years ago, you'd be able to potentially find other bits of information to do that. A lot of the platforms have now changed that with like privacy and security laws and stuff, but you could like put in a username and then sometimes you'd get the email address, or you can use the email address and you'd get the username or the phone number that was like associated with one of those accounts. And now you can still kind of do that. Um, invariably it's not very often that you get like from an email address directly to a full phone number, but you might get a partial number. And if you've already got another bit of information, that might help correlate something for you or not, or also, oh, that's an interesting thing that we didn't know about. So now we have to go and research that. So I think the power and the beauty of those open source tools is you get people that are creative or curious and they build something, share it with the community. And then people are able to take that and then develop it further and, you know, turn it into something which now is like an industry, right? There's a handful of these tools that exist. They all have pros and cons. And as analysts, we're blessed that we now have this choice as well of where we might go.
Pedro Kertzman (29:40):
Yeah. It feels like the... because the community is kind of actually doing the hands-on work, ends up seeing like a need or a necessity to have something to automate part of those manual processes, and then create something more rudimentary or something like that. And then if it gets popular, then probably a company or somebody with deep pockets will pick that and try to develop it into a more sophisticated paid platform. So it feels like the community aspect can actually bring the need first and then just release something because it's a day-to-day need for somebody or for a type of role. And from there, the industry might keep an eye on it to expand it to a paid platform, uh, intel platform or something.
Aaron Roberts (30:41):
that's, for sure. And likewise there's, um, like when you think you take like a Bleeping Computer report or something from The Record or ZDNet, if they still do cyber reports, um, but quite often like you find like researchers, particularly on like, I'd say, Twitter, but probably less nowadays, um, more of like Bluesky, maybe LinkedIn a little bit, but researchers taking like what you get in one of these reports that you'll read on one of the news sites, pivoting on some of that information and finding more information as well. And it's one of those things that, sure, a lot of people have their opinions on Twitter as a platform now versus what it was a couple of years ago, but you still have to rely on, you still have to use that platform because there's still a wealth of information being shared there that can be very, very useful in our, you know, intelligence context. And, you know, there are some guys out there do a lot of research around like command and control servers and things like that. And you can just like see like on a daily, almost daily basis when they post something like, oh, this is a good report. I've pivoted from here and here's a bunch more of like indicators that, you know, weren't in the report and probably haven't been like identified yet as malicious. And I think that... And there's a tool by a guy called MontySecurity called C2 Tracker, which is available on GitHub. It's a Python script, which effectively queries, I think, Shodan and Censys. But it's got almost the methodology for identifying the command and control servers. So every time you run the script, you can get a list of, effectively, indicators of attack that you can be pretty confident are linked to something malicious.
Speaker 01 (32:40):
Okay.
Aaron Roberts (32:41):
Because you've got this like curated search, which is high fidelity enough that you'd probably include it as suspect indicators. And you can get those, you can then ingest those into SIEM or your EDR or whatever. And you can be very proactive in blocking things before an attack occurs. Right. Which, bearing in mind, that's a tool you can download for free. And if you've got a Shodan API key, probably not so much Censys anymore because they've changed their license models, but if you've got a Shodan API key, and they often do the $5 sale once or twice a year, you can use this tool and have this information, which some vendors will charge you through the nose for, this indicator feed. And quite often you'll find that you're probably finding things that they're not including for one reason or another. So I think that's where the real power of open source intelligence can come in, because if you rely solely on a third party, you're beholden to what visibility they have and what data they have access to. And that's a dangerous ride, because when you think, you know, we're all human analysts, and depending on what we're doing on any given day, you get distracted for a moment and suddenly you forget to change a query to look at something else. You might get like a partial subset of data, or you might miss something, or data could be incorrect for one reason or another. But you'd have no way of knowing that if you're solely reliant on like one list.

So being able to leverage that information that we can get from, you know, whether it's like a Twitter post, whether it's from reading somebody's blog, whether it's from using tools like C2 Tracker, and, you know, you can review the code in there and you can sort of see what the logic is for the search queries and you can work backwards from that. Um, I'd give a shout out here to, there's a researcher called, I'm going to butcher his surname, uh, Michał Koczwara, I think he's a Polish guy, does a lot of really, really good research around adversary infrastructure. He has an online course, uh, for this and it's phenomenal. Like, walks you through like exactly how to like pivot and research these things using different tools and looking at it from different angles. Um, so I'd highly recommend anyone sort of checking out. Um, cause it's taught me a lot and I'd understood like the logic of how you would do this sort of research. But one of the things is always like, yeah, how can you know? It's always like, yeah, I can play around with the IP address and then look at different things, but maybe I'm just clicking and getting somewhere at random. But being able to work through structured examples that are, it's real life. Yeah, the downside is obviously infrastructure comes and goes. So sometimes you'll be working through all the exercises and the IPs don't exist exactly as you're supposed to be following it through. But then you can switch to a different tool which might have the historical data and you can still see the information.

I think if you can get your head around doing that kind of proactive OSINT research and investigation, which effectively is all it is, right? Because sure, you might need access to a platform, but most of the IoT internet search engines will allow you to have a free account, will allow you to search using their web interface. So maybe like the API access is prohibitively expensive or is not available, but you can still do this research, albeit manually. And I think if you can do that and then cross-reference that with the data you get from commercial providers, you have a really powerful level of knowledge. And then if you're doing that and you're blocking things before they can be used against you, I think that's like, that's almost like the gold standard for any, for intelligence team really, and where they want to be
Speaker 01 (37:08):
yeah
Aaron Roberts (37:09):
which can be
really difficult and also like
you can track these things overtime as well so you can sort of
see right oh last week it wasall red line steel it was like
the most prevalent thing we wereseeing whereas this week that's
dropped off and now it's thislike bit of malware and being
able to do that across like youknow Ransomware groups, APTs,
(37:32):
different stealer, malware.
Being able to identify thosetrends and things over time can
be really powerful.
You can then bring that into astrategic report if you do those
every six months or somethingor every year.
This is what we saw over thecourse of the year in terms of
trends and numbers.
So I think that's a reallypowerful addition as well into
your whole mindset and approach.
Pedro Kertzman (37:54):
Agreed.
And you mentioned something,double checking or
cross-referencing.
Do you think it's fair to saythat OSINT would be like a good
complement or filling some gapsof the traditional threat
intelligence from liketraditional or paid vendors?
Aaron Roberts (38:17):
Yeah, I think as a threat intelligence analyst, you have to understand, and I think in a lot of ways, how you can get the data, what the data means, and therefore how you can use it in an intelligence product. So I think fundamentally, the idea that OSINT and CTI are different fields is not really the case. There are parts of CTI which aren't OSINT because it relies on like a network sharing group, or it relies on, you know, other information or, yeah, like commercial vendors providing this information. But I think fundamentally what we're all doing is researching things that we're finding on the internet, which, you know, is almost to the letter the definition of what OSINT is, maybe. Like, and I think like touched heavily there around like adversary infrastructure, and but that's like the approach to that and the methodology for that isn't completely, almost the same as what you would do if you were researching where to buy like technology at a cheap price, or how to find, researching like an individual's online footprint. You know, like the approach, the methodologies and a lot of the techniques are going to be the same. Sure, the subject matter might be different and the platforms might be different, but you still need that sort of analytical approach, you still need to be curious, and you still need to have that investigative mindset. And whilst looking at file hashes and like IPv6 addresses will like melt most people's eyes, like, which is fine, like, it's not that different from doing research on other types of data. And I think, depending on where your skills lie, I think there's so much you can do with some of that technical information to really enable investigations. And if you're really good at like image geolocation, like maybe that doesn't quite fit into like a CTI bucket until it does, where, you know, oh, this threat actor has uploaded a picture of something and this looks like this, and then what information could you find? So I think there's so much crossover in different, almost different disciplines. And yeah, so many, like everything that you consider to be like a huge difference, it's probably not really that significant. Like, all that really changes is like the subject matter, everything else more or less stays the same. If you're doing research into actors on the dark web, your tradecraft, your approach is going to be probably exactly the same as researching IP address and Shodan. And then thinking, right, well, what else can I find out here? I'm gonna query this source and see what information I can get. Or, all right, I'll go to this tool now and see what that information provides. Unless you're just clicking around wildly and hoping for the best and YOLOing to a known malicious server and seeing what happens to your work computer, don't do that. Largely, I think the methodology in your approach will always be the same, because we'll always have the operational security, OPSEC, in the back of our heads that, okay, we need to protect ourselves for this reason. I'm researching this and I know it's bad. I don't want the villain on the other end to understand that we're looking at them, because we don't want them to target us or we don't want them to know that we're aware of whatever they did. So I think all those approaches, they're always the same.
Pedro Kertzman (42:15):
Okay, awesome. And so you mentioned a lot about, you know, open source tools, paid tools as well, how they, you know, complement each other or can fill some of the gaps the other will have. And you also gave the example, you know, working with a low budget kind of approach. And I think... A lot of companies will have unique needs. You mentioned branding as well, monitoring. But do you think at any point we could have like one, two, or three must-have tools for any CTI or OSINT teams?
Aaron Roberts (43:00):
That's a really good question. Pick the top three.
Unknown (43:04):
Okay.
Pedro Kertzman (43:05):
World War I, you name it. It could be one. Again, I know every company will have different scenarios, but maybe one tool is like, regardless of the scenario, like you must have for everybody.
Aaron Roberts (43:20):
Yeah, so again, I know that this is in the process of change as well, but I think the one constant that I've always seen has been VirusTotal. That's always... for a CTI team, access to VirusTotal Intelligence is, it should be like a God-given right. This is the one thing we actually need. I don't know what that's gonna look like now, because it's in the process of, the licenses are changing and the model's changing. It's all going under like the Google Threat Intelligence banner. But that's always been one of those tools where it's like that, we fundamentally need this. In line with that as well, particularly for myself, I've always loved link analysis and the visualizations that enables. So either you need a tool like Maltego or i2 Analyst's Notebook, or you need a platform which will give you some of those visualizations. Because I think for me, being able to see those links between different data sources, particularly, and seeing how the information all pans out, I think it's such a powerful and useful visual aid as an investigator that it's almost sinful that you wouldn't have access to that, because putting everything in a spreadsheet
Speaker 01 (44:45):
doesn't
Aaron Roberts (44:45):
quite have the same impact, I find. At least for me. I know there's probably some geniuses out there that just love looking at file hashes in a spreadsheet, but that's unfortunately not me. And Maltego is one of those tools that, since I've been self-employed, it's been the first thing I've paid for access to. It's because it's just so powerful and it enables me to get to a point with an investigation where I know, A, if I'm looking at something like a scoping exercise, or if I'm looking at it, working through it step by step in an investigation, it gives me that full flow of things that I need to see. And then I can leverage all the data sources I have access to, to make sure I've got the whole picture to enable that investigation. And whether that's like person of interest work, or if that's like cyber incident response and threat intelligence research, security research, like the fact you can do all this in one place, I've found, is always really, really powerful. And to bring this back to the topic of open source as well, um, there's a UK security specialist called Daniel Card who's launched, he's vibe coding a, like he says, like a Maltego replacement. I think he's like kind of adjusted his use case a little bit, um, but I think at the moment he's stuck with the name Crime Mapper. And oh, he's vibe coded the whole thing, and it's, it's really quite impressive. Like, you know, it's like, I'm just, I'm just telling you what to do and it does it, and then when it doesn't work he shouts at it, and then once it gets back to where it needs to be. And I think that's, yeah, I think we're all leveraging AI in one way or another at the moment.
Speaker 01 (46:34):
Oh
Aaron Roberts (46:35):
yeah. Like leveraging large language models for document summaries and all that stuff. But like seeing like stuff like that coming out, and again, like if you can't afford a Maltego license, there are a couple of options out there where you can still do this kind of research analysis, and particularly from a CTI angle, the tool that Dan has built, I think you can plug in a Shodan API, URLScan, and a couple of others as well. So you can still, if your focus is purely on threat intelligence research, it's probably going to get you quite a long way there for what you'd actually want to be able to query and how you'd want to leverage that data. So it's well worth a look. And especially as like there's a lot on GitHub. I think he's also got like a web version where you can just go and play with it.
Pedro Kertzman (47:28):
Okay. And if we're, you know, thinking about data breaches, for example, any, you know, tools, frameworks, approach to attack surface intel that you would recommend?
Aaron Roberts (47:44):
Yeah. So it's very much like top of my mind. I think I'm, so my company Perspective Intelligence, we do attack surface intelligence. That's kind of how I coined it. But effectively, it's using open source intelligence to enable companies to understand the external attack surface by effectively taking that point of view of, if I was going to target you, what can I see? And what could I use to do bad things? And I think, so our focus is at the moment very much like UK small, medium businesses, kind of where we position ourselves at the moment, mostly because, A, I think that's a hugely underserved market when it comes to not just cyber threat intelligence, but cybersecurity in general. Um, mostly because, you know, they don't tend to be big ticket. They don't tend to be like companies that you can spend six months trying to cultivate a six figure deal out of. It's, you know, it's a very small, it's a very big market, but very underserved by the major players in like the intelligence space. And I think the approach we've taken there is, if you follow like basic cyber hygiene and you do the basic things that the National Cyber Security Centre has said you should do, like as a company, invariably it's like use a password manager, use multi-factor authentication. If we do just those two things, we're going to reduce the likelihood of you being successfully exploited significantly. I think Microsoft said it was something like, if you use MFA, you beat 99% of attacks. I don't believe their numbers, but it's a high number.
Speaker 01 (49:37):
If
Aaron Roberts (49:38):
you just made it that much harder to get in, then opportunistic attacks become less likely to succeed.
Pedro Kertzman (49:46):
Our
Aaron Roberts (49:47):
approach there is very much like, if you can do these basic things right,
Speaker 01 (49:51):
you
Aaron Roberts (49:51):
know, apply updates, software updates, especially when there's something bad. If you use password manager, use MFA, then if we can find all the things that exist like outside of where you might have visibility. So if you've got a couple of security tools that are doing some sort of monitoring inside your network, if we can find the things that are outside your area of control, then if we can get ahead of those and either mitigate them or clarify that, oh, that's actually not a problem, or that, oh yeah, that needs fixing, then I think we're probably going to get you significantly further down the road of avoiding being a victim of cybercrime than where we started. And I think for most companies that really starts with, do you understand what a data breach is? And secondly, when they say, yeah, I have an idea what that is, we look to Have I Been Pwned once. We then say, have you ever heard of information stealer malware? At which point most companies, most reasonable human beings go, I haven't got a clue what that means. So that, and then it's trying to educate people around what is effectively a fairly subtle difference, because for all intents and purposes, your credentials are stolen over here in a breach. Your credentials are stolen here by malware. Sounds like the same thing. But getting businesses to understand that stealer malware is much more dangerous, because a data breach is always like a point in time, right? So something was posted on Breach Forums this week and the breach happened three years ago and one of your corporate email addresses is inside it. The likelihood is that person probably doesn't work here anymore. Or if they have, they've probably changed their password by now. You'd hope, potentially. Whereas when you get the stealer malware, obviously there's a market there in the underground to buy those credentials. And not only that, those credentials regularly get shared for free. I mean, at the moment, as we're recording this, less so on Telegram, because Telegram are in the process of nuking a lot of those channels. But no doubt they'll reappear, or they'll move to a different platform. And those credentials will contain literally corporate email address, Microsoft 365 login, password, or HR portals, business internal systems. And we've worked with clients before where that has been the root cause of a ransomware attack. So understanding that, A, as security professionals, we can collect this data too. Secondly, that when we collect the data, we need to be able to process it. And the aim here is, as soon as we're able to identify that one of your corporate email addresses appears in something, particularly if it's like stealer malware or a phishing kit, that's a sign of a real compromise that needs like immediate response, because, A, somebody's either clicked on a link and submitted their details, and they're probably accurate details, or somebody has a malware infection, which could be on a corporate device, but is most likely on a personal device, which makes it even that much harder for you to detect it using any manner of security tools. And I know in this space most people know how stealer malware works. But I think getting companies to understand that if you allow people to log into their web browser using their personal account and they're doing that at home, that the corporate credentials are then shared between those two devices, and that's how the corporate credentials are breached. It's really like kind of nuanced difference from getting them to understand how data breach works and how a data breach affecting a third party. So it's not them that has to worry about cleaning it up. Like it's a real, it's a really powerful, but nuanced, difference. So I think using open source intelligence to enable that investigation and, you know, in fact, you know, we're automatically collecting the data and processing it and checking for customer credentials. I think that that's fundamentally the cornerstone of what the external attack surface really is. Because sure, we could then have a look at like what servers you have there internet facing, and you might find that there are some vulnerabilities on them, but, you know, and again, invariably, when we look at that, what do we care about the most? It's either, is it on, is it a vulnerability that we know is exploitable, whether that's like the CISA KEV list or on other, like, yeah, so VulnCheck.com has their own like known exploited vulnerability list, which differs from CISA's in that it's more expansive. So more inclusive of vulnerabilities that have exploits available. So first priority lists are, is it on an exploited vulnerability list, or is the EPSS significantly high? Because that often indicates the likelihood of the attack is, in the next 30 days, that vulnerability will be exploited, right? So if we, we find vulnerabilities on internet facing assets that we think you're either going to be exploited or we know exploits exist, and, you know, especially when there's like code on GitHub that anyone could effectively run, um, we take that information, and now if we find compromised credentials, particularly from like a stealer log, suddenly we're starting to form this picture of, this is how you probably would get an initial access.
Pedro Kertzman (56:01):
Yeah, explosive.
Aaron Roberts (56:02):
And so taking that approach and then also touching on those other things. So like brand monitoring piece around brand sentiment is, is there anything about your company which is causing like negative press, which, you know, if you're, if you're not aware of, maybe you should be, or if you are aware of it, like, let's look at it from this angle and see if there's anything from cyber aspect that we should be aware of. And then also all the traditional bits like, okay, well, where else is information about your company online? Has your company been mentioned, just like, let's say on the dark web, quote unquote, but invariably on forums, which is largely what people mean by that. So can we cover like any dark web results that we do find? Is your company included in documents that are being shared on like ransomware data leak sites or stuff like that? Any information that might be useful to a criminal? And then the other piece we do is around almost like brand protection. So phishing, typosquat domains and brand imagery. So can we find, you know, obviously domains that look to be mimicking like your company or parts of your company. And then subsequently, if a domain is very similar to yours, does it contain your logos or like your favicon icon? So we can be pretty sure that it might be a phishing attack. And obviously with that, there's also, does this website have a mail server running? Because it's always like, okay, this looks like it's definitely targeting you. There's a mail server that's probably gonna be used to send phishing emails. And this webpage is covered in your logos. Good chance that that's going to be used for some kind of spear phishing attack. And sort of taking that approach to attack surface management, which I think goes beyond what a lot of traditional tools do, where it's around assets and open ports and IPs. And we still do all that because it's fundamentally important. But I think by bringing that open source intelligence piece to it, taking that step back and being a bit more, I'd say, criminal-minded, I guess. Like if I take this approach that, if I wanted to do bad things to your company, this is how I would look to do it, and then offering that sort of ongoing monitoring support so the company can sort of feel happy so that if something does get identified, and because also, like, very much in that space of it's human analysts doing the work and it's a human written report, so everything that does get sent to a client has been assessed as probably worth your time, or we've disregarded this, even though you'll probably see this, we disregard it for these reasons. So I think being able to give that contextualized approach to looking at the data is really important, but fundamentally what it really does come down to is like, the bulk of this revolves around credentials and if your credentials are being stolen or not.
Pedro Kertzman (59:21):
Got it. Thanks for sharing the story with us. And I often ask that to all the guests. Do you think there's like any skills or anything you know today that you wish you knew back in a day when you decided to pivot to CTI?
Aaron Roberts (59:39):
Yeah, maybe don't. I jest, I jest. Yeah, I think the most important thing I think I look at now, and the approach that I tend to take, is always around, A, establishing the intelligence requirements and being clear about what it is that you need to deliver, whether that's areas of focus, ransomware, nation state, and this script kiddie in this place who just seems to have it out for us. Or if it's like specific questions that you're being asked by like the SOC, the CISO, the board. And I think the second thing that is really important to me, and I think it's probably one of those things that has to be better understood, is that a cyber threat intelligence team doesn't necessarily have to work solely to the SOC. I think a lot of companies get into this trap where, well, you do cyber, they do cyber, you do the intelligence bit to whatever they want. Whereas the threat intelligence team really needs to be working from almost like the board down, is where the direction, because the threat intelligence team should be understanding what the business is doing and where the business is heading and how, when we write a report and we say, oh, we absolutely shouldn't be doing this, this is foolish, there might well be a business reason why we're putting a data center over here in a country that you might think is stupid or like preposterous. You have to understand like what business is doing to then be able to really support the business properly. So you can spend all day writing reports about ransomware groups or, you know, people are posting on forums, but at the end of the day, the job of the CTI team usually is to help protect the business from cyber attack. And you can't really do that if you don't really understand what the business is trying to do, where the business's priorities lie. And I think it's hard because, I mean, getting face time with a CISO in a large company is going to be difficult, right, as a threat intelligence team. It's probably hard, especially when it boils down to understanding priorities and, like, the strategic direction of the company. But ultimately, if you don't know those pieces of information, you can't really do the job to the best extent, I think. So I think understanding that, because I mentioned earlier about how sometimes we'd write reports that we thought were cool. And I think it's kind of, when I worked at SkyWay, we ended up establishing the intelligence requirements process because quite often we'd write a report and we'd think, like, this is really interesting, really cool, and, you know, obviously we should be caring about like this threat actor or whatever. But that's because we've made that decision and that assessment based on our knowledge, and not because we ever sat down and asked like the people that read these reports what, what actually is important to them. So I think, and that's kind of where this really came from for me, was if you don't really understand your requirements or the direction of the business and the business's priorities, then you can't really provide the best quality reports, and you might spend a lot of time writing reports on things that never get read or never get actioned, because ultimately the business doesn't care, or it's just not a priority because the priorities are in other areas.
Pedro Kertzman (01:03:29):
Yeah, no, that's awesome. I think it's fair to say at this point that every single guest, uh, in one way or the other, we touched on the importance of not only having the technical skills but how to communicate that in a way that, uh, the company understands what it's actually aligned with the company goals and, uh, needs and, and all that. Otherwise it's just, yeah, a bunch of, uh, bits and bytes, right? So, no.
Aaron Roberts (01:03:59):
100%, yeah. I think fundamentally like communication obviously is effectively, that's what we do, right? We are communicators. Um, so we, you know, we'll take the, we'll take the data and we'll be gobbling away on, like, some research, and effectively one way or another we end up creating a product. And that can be, you know, it can be a long form report, it can be, can be a couple of lines in an email, it can be a beautiful diagram, it can be a slideshow, it can be a verbal briefing, it can be any of these things, even interpretive dance. Um, but yeah, I think, and I guess that's probably the third thing I would say is like, yeah, you have to be comfortable taking what can be a deeply technical piece of information and being able to convey that in a way that the audience either, A, will understand or, B, can make good, that's the word I'm looking for, um, effectively take good actions from. And I think that can be really hard, because you often read like, and, you know, I'm not a coder by any stretch, so reading like a technical breakdown of like a particular piece of malware, I, I struggle to read those reports, because I think it's, it, when it goes into the minutiae of like, this is what this bit of the code does. And then you can see that this happens and then this and this. And I'm like, I don't see that. I'm taking your word for it. But what I can do is sort of get the gist of what this report is telling me and understand what that means within the business context. And I'm probably not going to send a CISO like one of these malware reports, unless I'm trying to get fired, right? There you go, read that. But, you know, or I'm not gonna send that to the board. Like, here's a 28 page breakdown about this malware line by line. Because I mean, A, they're never gonna read it. And secondly, you know, it's completely the wrong type of thing to send to that group. So understanding your audience and being able to communicate to them the right information at the right level should be, I mean, it's like intelligence 101, really. And I think I feel lucky, because my background coming from intelligence community, it was like always like, that's exactly just how we do business. And I think particularly now, like as junior analysts come in, you might not ever have that exposure, or you might not have the like, I guess, the seniority in the team that might've had that experience. So I think there's always a risk that that could get missed. Um, I think it was very fortunate. Like I've never really come across that myself today, but I think as the industry has matured and as intelligence has become a, you know, an industry, we still need to make sure that we're doing the right things fundamentally. And I think like with the OSINT space, there's a lot of very engaged and very keen people that are new to this space. And so we talk a lot in training courses at Deliver around understanding what the tools can give you. And you can download a script from GitHub and it will blow your mind with the information it'll bring back. And you're just like, I can't believe that this was free, or this took me two minutes, or it used to take me days. I think we fall into this trap, particularly in the chasing like the shiny shiny, that we'll use these tools, we'll get a load of data back, and then we'll call that intelligence. And fundamentally what we need to be doing is, you know, putting the, the intelligence part into the OSINT, so doing the analysis, figuring out like either our hypotheses around what the data is indicating, or what it's proving or disproving. And fundamentally, how we answer those intelligence requirements. Because it's always okay to turn back to somebody that's either asked you a question that they think this means this bit of information. Can you prove it? And to turn around to them and say, well, no, because the data says, the data here we've analyzed and it all indicates something completely different. And that can be a really good example of that, I think, was like the Olympic Destroyer malware from the Winter Olympics, must be probably six, seven years ago now. Um, whereas, like, when that story broke and like the attack happened, yeah, everyone's immediately, it's like, oh, North Korea did this. And it wasn't until something easier, you get teams actually sat down doing the analysis and actually working through things and looking at those hypotheses and figuring things through, where you turn and go, no, actually, that's not the case. There are all these other indicators which indicate a completely different scenario. Obviously, I think that was attributed to the GRU in Russia, I think. But that's fundamentally, I think, when we talk about communication and disseminating reports, understanding the audience, what they're expecting, and being able to pitch at the right level is such an invaluable skill, because you could take that, you could leave threat intelligence behind forever, but if you can still do, if you can still do that, like, I can take this thing, I can convey it to whoever and they will get it, or they can make use of that information, then you can go and probably work in any industry and use those skills immeasurably, because that's such an important life skill. And especially if you can take something that's complicated and effectively distill it down to something that like a five-year-old could effectively understand, at least at a high level, then we're doing the right job.
Pedro Kertzman (01:10:36):
Really cool. Aaron, thank you so much for coming to the show. Really appreciate it. All the many insights, really insightful conversation. And I hope I'll see you around.
Aaron Roberts (01:10:47):
Thanks so much, Pedro. It's been great chatting to you and I really enjoyed it.
Rachael Tyrell (01:10:53):
And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure.