
February 18, 2025 50 mins


We dive into the complex world of cybersecurity through the eyes of Jeremy from Intel 471, exploring his journey from journalism to cyber threat intelligence. The discussion encompasses the evolution of cybercrime, the significance of ransomware, and future trends impacting cybersecurity.

• Transition from journalism to cyber intelligence 
• Engaging with threat actors in cyber forums 
• Overview of Intel 471 and its mission 
• Ransomware trends and their implications 
• The intersection of nation-state actors and cybercrime 
• Impact of law enforcement collaboration on cyber investigations 
• Predictions for cybersecurity trends in 2025 
• Importance of securing exposed attack surfaces 
• Call to action for increased cyber resilience


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:01):
How's it going, Jeremy? It's great to finally get you on the podcast. I think we might have talked last, might have been in November at this point or something like that, but I'm really excited for our conversation today. I think it's going to be really interesting. Yeah, thanks a lot for having me. You know, how about you start off with telling my audience.

(00:28):
You know, how you got into this IT space, right? So you're a journalist and you focus on cybersecurity. So that takes a very, I feel like that takes a very unique person, right, because even for myself, right, I'm in cybersecurity and I probably wouldn't want to be a journalist on cybersecurity. How do I make this content that's extremely complex, how do I make it consumable for everyone?

(00:50):
That isn't something that I would want to go into, right. So what made you want to get into that area?

Speaker 2 (00:56):
Yeah, well, I was a journalist. I'm no longer a journalist because I'm now with Intel 471, which is a cyber threat intelligence company. But yeah, prior to joining them, I was a tech journalist focusing on cybersecurity, starting around like 2005. And it really was just sort of, I just sort of stumbled into it, working for a trade technology publishing company and, you know,

(01:20):
I got a job with them and they were sort of divvying up the beats and, you know, somebody was doing sort of, you know, kind of cloud computing infrastructure and chips and whatever. And they said, you know, you're going to do security. I'm like, sure, okay, knowing no idea, anything about it at all, which is kind of like oddly how journalism kind of worked in those days [no transcript], that, you know, for a long time.

(02:08):
And then I, one of my sources was Intel 471. And I was always interested in sort of that underground cybercrime, you know, tracing personas and trying to figure out real-world IDs. And, you know, I did a lot of chatting with threat actors as a journalist, you know, because cybercriminals have to

(02:28):
communicate with one another, and they were always accessible through, you know, it was Jabber like 10 years ago or 12 years ago, and other ways, you know, before that, so it was always easy to reach them, and so that was always my interest. And so when Intel 471 said, do you want to come work for us on our intel analysis team?

(02:48):
I said, yeah, that sounds awesome. So now what I do, I do a lot of like journalistic-y kind of things. You know, I work with our analysis team and also like our malware researchers and our, you know, our analysts, you know, who are in the forums, to basically look at ways like, how can we talk about some of this intelligence that we collect, right, because we're in all the forums? We're chatting with threat actors, you know, selling proof

(03:08):
of concept for, you know, the latest sort of vulnerability, and looking for ways to be able to talk about that publicly, because there's a lot of things that we can talk about. Actually, I should say that the other way: there's a lot of things we can't talk about and funny things that we can talk about, and that's because of our collection methods too, because we don't want to sacrifice, you know, any of the access, you know,

(03:33):
that we have. So, yeah, basically looking for ways to publicize that, and I have a couple of podcasts on the side, and I, you know, work with our executives on kind of like thought leadership, writing and things like that, and do a little bit of, you know, my own reading on the side. So that's kind of it, in sum.

Speaker 1 (03:50):
Yeah, when you were getting started, was there a source that was kind of like your go-to source? Maybe it'd be a person or a site or anything like that, when you were trying to learn and just figure everything out?

Speaker 2 (04:04):
I think, yeah, I mean, being a journalist, you have the benefit of being able to just call up and talk to, you know, most people. Computer security is kind of a, it's a different kind of beat, and I think it took me a long time to realize that because, and particularly like in the CTI field, because a lot of researchers and people in the field, they don't want to have

(04:25):
anything to do with the public, or like they don't want to be out there with their name, because, and there's all kinds of reasons for that. You know, we saw the issues that Brian Krebs had with, you know, threat actors linked to the Com going back 10 years ago, right, when they were swatting him and sending, you know, some of the Russians, I think, were sending heroin to

(04:46):
his house, and so, you know, there's always that risk of, I guess, harassment. Like, luckily it never happened to me, but there's just a lot of people that, you know, and this goes to all, you know, you work in security and like the whole issues around trust and sharing IOCs and sharing information about maybe specific things, that TTPs that your organizations have been

(05:06):
targeted for, and weaknesses, and there's a real reluctance to be like, oh, I just want to share this out. And so it's taken a long time for, like, trust groups to build up and people to participate in ISACs and talk about this sort of stuff. But I think, like, as a journalist, like, trying to cover this stuff, it did make it extra difficult, but I did find people that were more than happy to explain, like, can you

(05:28):
explain BGP hijack to me? You know, or, you know, whatever things like that, like really technical things or, I guess, really sophisticated kind of like DNS, you know, issues and use of DNS by malware and things like that. There's always people out there that are happy to explain it. So I think you just have to, you know, kind of come to it

(05:49):
from a really humble perspective, and even, you know, now, I mean, our, you know, when, like, I'm going to write a post about an Android malware update that our malware analysis team found, like, last year, and so I'll be working really closely with them. You know, they'll read my stuff and I'll have more questions for them, and it kind of works in the same sort of way, because

(06:11):
you have to think, like, even, you know, our adversary analysis team are not necessarily malware analysis people. Like, a lot of them have cross skills that apply, but, you know, everybody's got their real like sweet lane and zone, um, that they focus in. Everybody's really cautious about speaking outside of their own lane.

Speaker 1 (06:31):
It's fascinating. Tell me a little bit about Intel 471. I actually hadn't heard of it before I started talking to you. Maybe give my audience a little bit of background or something.

Speaker 2 (06:55):
Sure, yeah. So we were founded more than a decade ago by a couple of folks that came out of, one was an Australian guy who hired me. He was a former AFP cybercrime technician, and another is an American guy who is a former FBI contractor, who worked on a lot of investigations related to banking malware back in the early 2010s. You know, our company is kind of, you know, we're a cyber threat intelligence company, so we

(07:15):
collect intelligence. So we do a lot of underground forum scraping. We do a lot of engagements with threat actors. We write these really in-depth reports about offerings on underground forums. We gauge the reputations of threat actors, because that's really important, because it's like somebody saying, hey, I

(07:36):
compromised Joe South. You're like, well, who's this person, right? Do they have a history of reliable claims? Do they have a history of reliable sales? We also do vulnerability intelligence, and so we look at new CVEs and look at, in the underground, because there's so many CVEs.

(07:56):
So the problem is like, well, what's the ones we should focus on? Where should we focus our patching efforts? And we approach it from the perspective of, like, okay, well, if underground actors are like, hey, have you got PoC for that new, I don't know, SonicWall, you know, rumor of a SonicWall vulnerability. You know, we'll look at that and go, okay, so this person wants

(08:18):
to buy this. They're a reputable buyer. This person says they're developing it. They're a reputable exploit developer. This is one you probably want to patch, right, because this is the way it looks like it's coming down the pipeline. We've also recently got into threat hunting. We acquired a company called Cyborg Security, and so they make a threat hunting platform, which is basically hunting in your

(08:41):
SIEMs, in your EDR systems and Sysmon, your logging systems, for those clues that you might have been infected by something. So, say, you've got, like, you don't use PsExec, right, like the remote management tool, in your organization, and suddenly you've done a threat hunt for PsExec and you found it, like, in your SIEM, and you can go, oh right, we don't run that.

(09:04):
This is definitely something we should probably look at, and that's really tying into our whole malware intelligence too, which I spoke a little bit about, our malware intel team, and so, you know, we emulate, uh, you know, more than sort of like 300 malware families. We collect samples directly from threat actors and also, you know, public repositories, extract indicators from those.

(09:26):
So those could be like C2 addresses, other artifacts related to those malware families, and, you know, we write reports about those. Engage there from a threat. We can put a monthly malware report out basically to say, okay, this month we've seen thousands of downloads of SmokeLoader as a payload, or we've seen 5,000 downloads of

(09:49):
RedLine, an info stealer, so we can track all those malware families really granularly, and that kind of feeds into threat hunting. So when we see a big malware campaign go out, say with RedLine, we can take those artifacts and those indicators and then write detections for them in our threat hunting module. So you'll have packages of Go.

(10:09):
Basically, our analysts write the queries. The tough part of threat hunting is writing the queries. So, say, you use CrowdStrike EDR, so we have copy-paste queries that we can go, OK, I want to go and look for an abnormal process that's been launched, or process, uh, service launched from an odd location, right, typical sign-em-hour used

(10:30):
by heaps of malware families. So you could just copy that query, plunk it into, you know, like CrowdStrike, and then search that, search those logs, for that activity. Requires a bit of tweaking, right, like nothing's like perfect, but yeah, that's the way, that's the way we, in a nutshell.

Speaker 1 (10:44):
I've probably spoken too much, but, uh, what we do. No, you're totally fine. Yeah, you know, maybe, maybe a year ago, maybe more at this point, I had on Chris Rock, who, not the, not the, not the comedian, right, but he, he described himself as like a cyber mercenary, right, where he's kind of like out, you know,

(11:08):
on some forums and, you know, he's hireable for various things, right, and it was an interesting conversation, for sure. It was the, maybe the only conversation that I've ever had with someone that I felt like I should probably not have the conversation, because of the things that he was talking about, that he did and everything.

(11:28):
It was like, man, I really don't want the FBI, like, showing up at my door. This is one of those conversations where it probably would.

Speaker 2 (11:37):
Right, yeah, yeah, there's a variance of practices in CTI. We have, you know, we have a strict sort of ethical code that we use for our operations, just to, you know, specifically ensure that obviously we don't want to violate, you know, any sort of, you know, computer security, fraud and abuse laws or anything like that.

(11:57):
So, you know, this field, there's a variety of practitioners who have a variety of methods. Um, you know, some are more aggressive as well. Like, you know, if you're logging into systems, you could get more intelligence, right, and that's also a possibility, you know. I mean, we've seen that happen with, like, law enforcement is doing that now, you know, in the ransomware fight, right, like they're able to compromise.

(12:19):
They compromised LockBit systems and, and, you know, that's something that we would not do, right, because that's not in our purview and it's not legal for us to do. But yeah, that's so sometimes when you see, you know, you see some incredible intelligence, like we've got the entire list of LockBit affiliates, right, and their nics, right, and that's what law enforcement released with LockBit, which is

(12:41):
great stuff, and they're authorized to do it, and that helps, you know, in the, in the fight. But yeah, like I said, there's just a, a range of things. You know, we work very closely with law enforcement, as do many other CTI companies, because everybody's got like a little slice of the picture too. So, you know, occasionally we'll be listed, you know, as helping

(13:01):
with, with investigations into some of these, you know, really complex law enforcement operations that have been happening, you know, over the last couple of years. Well, okay, so now I, now I have two questions, right.

Speaker 1 (13:15):
So have you, have you actually come across other cyber mercenaries to some extent that are kind of for hire? Because I feel like that, just that whole place, that, that whole, like, marketplace, right, so to speak, is so, I don't know, shady, like I would not want to be, I would not want to be anywhere near that Tor browser, you know,

(13:38):
or that onion router. When you're trying to do that, have you talked to some people that are in that area and discussed, like, what they were doing and whatnot?

Speaker 2 (13:48):
Well, not really. What kind of, what are they doing? I guess this is how I would ask the question to you.

Speaker 1 (13:57):
Yeah, I mean, you know, he talked about, you know, gaining, getting footholds in, you know, enemy governments, electrical grids, and, you know, jamming the, jamming the, what is it? It's the IED blockers. Back when, you know, early 2000s, when America was in Afghanistan and Iraq, and, you know, IEDs were a huge problem, well, the NSA came up with something that would jam all the

(14:18):
IEDs in the vicinity. This guy came up with a solution for Al-Qaeda to override that jam and still get through to the IEDs, right? So, talking about stuff like that, where it's like, it's like, you know, bad organizations, organizations typically are going on these forums hiring people.

Speaker 2 (14:37):
Yeah, I think I've read, actually, I think I recently read of somebody like that, of kind of, I don't know if lone wolf is the right term for it. I mean, I think there are people out there that will insert themselves into situations, but I would caution.

(15:06):
That that's, you know, the whole thing is, like, with law enforcement actions and things like that, is that if you have people coming from the outside thinking that they're doing good, they could do harm, right, because most likely, whatever target that they've decided to focus on may already be involved, you know, the target of a, you know, a formal investigation. So the risk of those people going in there and maybe, you know, tampering with potential evidence is really high.

(15:27):
So I think that, you know, everybody would probably encourage, like, you know, right, it's good that you're involved in this and worried about this, but maybe hold your fire to figure out kind of what's going on, right, or send a tip to your, your local CERT or law enforcement, you know, about it, right, because I think that it is a

(15:48):
team fight, right, but it's also, like, you know, you don't want friendly fire either to kind of meddle with something. So yeah, I mean, I guess I would, my first instinct would be like just, just kind of caution, like, admire the enthusiasm, but just be aware that there already might be something going on and that, you know, your, your hacking

(16:09):
might, you know, cause a, cause a bit of issue, right?

Speaker 1 (16:13):
Yeah, it's, it's just a, it's a really dice, dicey, it's a dicey situation that I found myself in at one time with that interview, where it's just like, man, I don't know if I should be talking to this guy right now. You know, it's like we might, uh, we might end this thing a little bit early, you know, but it was a great conversation

(16:34):
overall. But it's just like a crazy experience that, you know, going into running a podcast, you would never, you'd never think about, right, look, because why would someone in that area ever want to talk to me? But publicly, I record his video, his face, you know, like, it's like, yeah, I don't know. I don't know, you know, but he, he did seem very legit, and other,

(16:57):
you know, halfway shady people have, like, vouched for him to me, so I was like, this seems too real. You know, what are, uh, you know, you, you talked about potentially, like, assisting law enforcement to some extent with, like, highly complex, you know, cases or situations and whatnot. Can you tell me

(17:18):
about, you know, some of those situations? Is there any, you know, cybercriminal, uh, you know, actions or articles or anything that, that are public knowledge, that we, that you may have assisted with or your company may have assisted with?

Speaker 2 (17:34):
We've definitely been acknowledged by certain agencies before for providing intelligence. Like, we're an intelligence provider too, so we have law enforcement customers as well, and so if they would come to us and want more information about something, we would certainly provide it. I mean, I think you'll see, like, a lot of these large law enforcement actions, you know, there's a huge list of agencies

(17:55):
that will often acknowledge private companies that have helped as well. You know, like I said, it's just because everybody has a little bit more of a piece, right, and there's, there's just a lot of threads to pull in cybercrime, so some organizations may have more data on certain groups or specific threat actors or, you know, specific malware campaigns than

(18:17):
others. So, yeah, it's all big one, and I think, like, honestly, compared to maybe a decade ago, um, or even more, there, there's like a lot, just more coordination now than there used to be. You know, the adversaries were always able to exploit this

(18:37):
really slow gap in between when a threat was identified or a group was identified and when something could actually happen. Now, granted, like, this is never going to be, you know, super fast anyway, because cybercrime moves so fast, right, and their adaptability can far outpace formal organizations to

(18:59):
be able to, you know, react. But I mean, just like the breach activity that we see day by day is just, it's off the scale, like, and I think, like, the scale of it right now is like really large. So it kind of forces investigators to go after kind of like the biggest sort of operations, things too. And, you know, there's been, you know, pinch points that have been identified, right, in the last year.

(19:20):
We've seen them go after ransomware groups. We've seen them go after malware infrastructure that's used to, you know, gain initial access to computers and then monetize that access. We've seen them, you know, shut down forums that have, like the Genesis Market that was selling credentials or basically cookies, you know, whole batches of data from compromised computers.

(19:44):
We've seen them go after the cryptocurrency mixers, that's been a whole thing too, and also shut down cryptocurrency exchanges. So, you know, there's clear, like, choke points to focus on, and we're seeing that, you know, it's working in a way. You know, the latest ransomware payment numbers were, I guess,

(20:05):
the amount of money paid in ransoms last year, according to Chainalysis, was, like, I think it was a third less in 2023. It was, yeah. So, like, like, how do you attribute that impact? Well, probably a bit of law enforcement, a bit of disruption, um, you know, maybe difficulty, and there definitely were difficulties in cashing out too, because Chainalysis said,

(20:27):
like, a lot of funds are just sitting in addresses, like, now, and not, not, they're not moving it at all because it's been flagged. Right now we've got all these great blockchain companies that are flagging transactions, so we're seeing, I mean, you know, it's, it's hopefully this is meaningful reductions and it's not gonna bounce back up. I mean, I like to see, like, you know, a couple of years, like

(20:49):
two or three years, of numbers going, trending down before you go, okay, now we can go back and retrospect and analyze, okay, what caused this, right? Is this just, like, seasonal or just some yearly flux? Or, you know, like, war in Ukraine 2022 caused a big, big disruption. Is this because of, you know, sort of geopolitical events too,

(21:11):
so it takes a while to go, oh, okay, like, this is really working, but I think, I think it's on the right track. That's really, that's fascinating that it went down by a third.

Speaker 1 (21:25):
You know, that's not a small number. I, I mean, a company's, a company's revenue drops by a third and they're laying off a third of their workforce. You know, like, yeah, that's a substantial drop, and I, I remember reading an article, you know, a couple months ago, about how hackers are going, going back to, you know, like

(21:45):
social engineering and more basic attacks that they were, that were more prevalent in, like, the 80s and 90s, really, because companies have, like, kind of awoken to, like, cybersecurity and the importance of it and whatnot, and like, this is something that you can't ignore, and if you do ignore, you're gonna pay. You're gonna pay, quite literally, a lot of money, and

(22:08):
your brand reputation is damaged forever. I mean, who, it's like, who doesn't know about the Target breach? Right, and that happened almost 10 years ago, maybe 10 years ago at this point. Yeah, yeah, yeah, who doesn't know about it, right? Who doesn't know that Target was breached?

Speaker 2 (22:24):
Yeah, yeah, yeah. I mean, you know, if you talk about, well, to go back to the ransomware thing, like, it dropped by a third. But I was still a bit kind of cold on it, in a way, because it still amounted to $800 million in ransoms paid. And I guess two points on that. One, it's always an underestimate, because there's just stuff, because of the way that we track or try to track

(22:46):
ransomware, that just escapes scrutiny. $800 million for a cybercrime enterprise is still pretty good. And the other part of it that I thought was not great was that the attack numbers were just barely less, like, I think maybe less than five percent down. So you've got fewer organizations apparently paying

(23:08):
because better cyber resiliency, that's terrific, but you have the same number of attacks, and you have to think, like, OK, well, even if you don't pay a ransom, because that's one component of the cost of a ransomware attack, if you were attacked by a ransomware group and you were breached, there's still an enormous amount of costs associated with that, right, and

(23:29):
like disclosure and legal fees. And, you know, you might have cyber insurance, but it might not cover all of it. So, you know, to capture the full cost, or to go, all right, is this a real reduction in the threat landscape? And I would argue not really, right. It's better that, you know, less people paying cybercriminals means that, in theory,

(23:52):
there's less incentive to do more cybercrime. Right, the more frustrated that they get, right, like, the lower the hit rate, the less likely, they're going to be like, oh, this is getting hard. Maybe we'll move on to something else, you know, and that's good, but it's not the full picture, I think, of what we're seeing with ransomware.

(24:12):
So I'm really reluctant to be like, we've turned the corner on this. I think these are preliminary, really positive numbers, but I would say for enterprises going, okay, we can just kind of, you know, maybe take the foot off the gas on our resiliency plans or, you know, hardening or anything like that,

(24:34):
I would say absolutely not. You know, you've got to really be aware of, you know, these common vectors that ransomware groups are gaining access.

Speaker 1 (24:43):
Yeah, yeah, that makes a lot of sense. That's interesting, kind of that backstory, like, behind the numbers, right, because if you look at it at face value, I mean, that's the headline right there, right, ransomware payouts decreased by a third. You think, okay, like, we're doing something

(25:04):
positive, like, we've made a huge turn here. Ransomware isn't even going to be an industry in a couple years, then, right, like, that's, that's the kind of mind jumps that, that you can take with a title like that.

Speaker 2 (25:14):
And then you dig in and it's like, not, not quite right, not exactly. Yeah, yeah, I mean, the reason why ransomware took off too, it's like, you know, 2015. It was basically like banking malware got really hard, like the banks got a lot better at stopping transactions to money mules and those transfers, right.

(25:36):
And so then, when kind of ransomware came, actually, you know, came back, because, you know, the, the proof of concept was, like, in the 80s. It was kind of like, hey, this is easy and this is big money, right? So, rather than trying to, like, steal 150 grand and split it six ways into six different accounts and, you know, right, and the, and that got shut down, it's like, oh, I could get

(25:59):
$200,000 from a single organization like that, you know, using, using crypto. I don't even have, I don't have to use a banking system. Oh, you know, I, again, I would argue that, even if the amounts paid by, you know, quote, unquote, small, two hundred thousand

(26:22):
dollars, um, that's still a good pop, right, for, for somebody who's just working to, you know, for, for a ransomware group, because it's arguably easier than going back to the banking malware stuff. Now, this stuff is always, you know, evolving, so, but I think at the point, like, maybe we'll see a shift where it's just

(26:45):
really hard to get a payout, you know, when you have people that are working really, really, really hard to get, you know, and it also, I think, if it becomes unfeasible to really run a ransomware-as-a-service group, you know, kind of like the whole, like, hey, we developed the malware in the backend and the whole affiliate model. When that kind of gets busted up too, when it gets too risky

(27:08):
to do that, what we saw in the last year was a lot of, um, you know, when ALPHV went down, like, Hive went down and LockBit went down, we saw a lot of, like, new ransomware brands kind of pop up from, like, smaller groups, that some of them look like they were maybe started by threat actors that came out of, like, you know, Conti and Ryuk, like, kind of long-running actors, and

(27:30):
but these smaller operations, right, it makes ransomware harder to track. But our theory, and a lot of other groups' theory, was that, well, maybe they're doing this because they don't, you know, they don't want to get exposed in, like, the big LockBit bust, right, where, you know, the backend of LockBit is revealing, you know, perhaps data about them, you know, that can be used to track them. So we'll split into smaller groups and do smaller jobs.

(27:52):
So I think that's what we, what we could be seeing going ahead. It just kind of makes sense to us. Yeah, yeah, that, that, that's really fascinating.

Speaker 1 (28:04):
So, to kind of switch gears a little bit, right, pique my own curiosity here. Right, what have you seen with nation-state actors and maybe even the inner workings between them and different, you know, hacker groups that may not even be associated with that nation-state actor? I'm thinking of things like, you know, obviously, Iran and

(28:28):
Russia and whatnot, and I'm also very interested to see or hear if you guys saw anything coming before the Russia invasion of Ukraine in 2022. Did you see any, you know, any intel indicating, hey, this thing may actually happen, right?

Speaker 2 (28:47):
With that, only in open source, right. I mean, I think that caught a lot of people off, caught a lot of. There was a lot of collaboration between Ukrainian threat actors and Russian threat actors, but the war caused a big sort of split. But I mean, prior to that, you know, just open source that everybody else sort of saw. But as far as nation state, I mean, you've seen this

(29:09):
increasing intersection of cybercrime and nation-state stuff, and it's been happening for a few different reasons, and depending on, like, the threat actor, right, right. So we've seen a lot of, like, double dipping, in the sense that we'll see, you know, like, threat actors in, like, China or Iran, right, like, oftentimes, like, the nation-state stuff gets

(29:32):
mixed up into, like, private companies, as it does in the West too, where you have private companies offering services to nation states for their operations, and sometimes we'll see some of, of those actors kind of double dipping. I know we saw this with some China actors as well, where it

(29:52):
kind of looks like they were doing sort of two sorts of jobs, like some kind of side jobs, like financially motivated things, and then the formal job. And with Russian threat actors, I mean, we've seen the Russian state lean on threat actors for a long time, right, for their own sort of purposes. So we know, like, going back to, like, GameOver Zeus, TrickBot,

(30:13):
and this is public knowledge too. This is not stuff that, you know, you can't research, but, you know, there's been sanctions levied against the TrickBot

(30:33):
actors where the US government has openly said, and I think the UK government, that there's affiliations with Russian intelligence. And it kind of makes sense too that when you have very sophisticated threat actors running botnets that have access to millions of people's computers, that that could aid in their operations as well. So I'll give you another example of that too, right. So we saw a threat actor, and I'm trying to remember the acronym, I think this person went by SXSP, and so this person was an

(30:57):
initial access broker, and this was probably like five to seven years ago, and this person was selling access or access credentials for SolarWinds. So, and then, when you look at what happened now, now we, to be clear, like, we were never able to, I don't think we were able to specifically connect the sale of these access credentials to,

(31:20):
like, Russian intelligence group, Russian intelligence and the group that later breached SolarWinds and caused one of the biggest, you know, supply chain attacks on, on record. However, there definitely is, right, there's this whole marketplace, because I think Fxmsp, like, took those credentials off, like, pretty quickly, indicating that they were sold. And that's typically what happens when credentials are

(31:42):
sold, is it's like there's an offering. Sometimes they're not too specific about what organization that they've got access or credentials to or cookies for, and, you know, we can try to guess or, you know, engage the actor or sort of figure it out in the other way. But I mean, that's what, that's the type of thing that, like, other threat actors and ransomware actors, like, look for, is like, oh, OK, you've got, got

(32:03):
credentials for this particular organization, that's a good one that might pay a ransom. So anyway, we saw these credentials withdrawn and then, we're later, we're like, oh, that's really interesting that, you know, the SolarWinds breach, like, this happened, and then the SolarWinds breach could have happened another way. We don't know, but we know, like, a lot of organizations are breached because they've been phished.

(32:24):
You know, you mentioned social engineering. I mean, that's another way that kind of also sometimes works with phishing as well to get in. But there's like this, you know, to get back to the whole interplay between government and APTs, like our government, and financially motivated cybercrime, there are definitely overlaps that we see sometimes in infrastructure as well.

(32:46):
Um, and actors going, oh, okay, this definitely looks like this person's doing, like, these people are doing, like, a couple different things, right. Yeah, that's, uh, that's fascinating that they're almost like moonlighting.

Speaker 1 (32:57):
You know, it's like man.
You know, I was talking to someone that is a cyber warfare officer for the US military, right, and he talked about, like, actually, you know, getting target packages, developing the executable and, you know, creating the documentation for the next guy to go and execute, you know, the attack with his

(33:20):
payload and everything, right, and he was talking to me about it and I'm just sitting here thinking like man.
I really hope this guy never goes rogue because, like, what he's talking about right now, it's just, it's unstoppable, right?
Like I asked him, has there ever been a target package that you were handed, that you just couldn't get into? You just couldn't find a way in?

(33:40):
Right, and he said no, there's never been a single thing.
He goes sometimes, if, you know, it's really hard, I'll go and I'll hack, you know, the phone sometimes and I'll go from the phone and I'll leap onto their laptop, and when I'm on their laptop, it's game over, right? He's like, and think about it, if I have their phone, I have their MFA.

(34:30):
I know there was something to it, because this guy is non-existent spooky stuff.

Speaker 2 (34:35):
You know, that raises a really good point.
And, um, it was something that I saw, it came up on the Risky Business podcast.
They were quoting a report from CyberCX, which is a big Australian consultancy down here.
It was basically their annual report, divided their investigations according to, uh, sort of adversary, right?

(34:55):
So I thought this was really interesting.
Like five percent was like espionage, so that's like kind of APT. 60, I think 60 something, 67% was financially motivated cybercrime.
I think there was a third, a large, like 27%, was just kind of undetermined.
But I just heard the other day that CISOs and CSOs are often

(35:17):
worried about APTs.
Right, and as well, you know, look, depending on your sector, if you're CNI, critical national infrastructure, I mean undeniably, if you're hyper-focused on trying to stop an APT, you're probably missing the more likely source of an

(35:49):
attack, which is financially motivated threat actors.
And you know, and, as you say, you know, your source that you spoke with, right, if an APT is determined to get into your organization, I mean I would argue, good luck stopping them. Not to say you shouldn't try, right, but yeah, right, like you

(36:12):
know, it's going to be really, really difficult if either China or Iran or Russia's top tier group of, you know, cyber SIGINT people decide we're gonna get into you, right, who have an infinite amount of time, who have an infinite amount of resources, who are not looking to monetize quickly, right,

(36:35):
because I guess that's one thing that separates, well, a huge thing that separates APT from fin crime, right, and this was also in that same report, like the dwell time for APT, 400 days.
Right, they're not looking to make a buck, they're looking for long-term access to be exploited down the road.
Fin crime needs to get paid, right, they've paid for access

(36:57):
credentials.
They've paid for bulletproof hosting.
They've got to pay for their phish kits.
They've got to pay for a bunch of stuff, right, so they want to get a payout, right, and I think that dwell time was, like, you know, a matter of days now.
So, you know, not to say, I'm not saying like APT is not important by any means, like for national security, it's hugely,

(37:18):
hugely important.
But I would say, like, if you are a private company, like, right, and you have limited resources, probably studying Cozy Bear's techniques and ensuring you're perfectly guarded against those, the latest threat report that's come out, you know, DFIR report that's come out against Cozy

(37:38):
Bear, is probably not the best use of your resources.
It's probably the fin crime folks that are going to cause you the biggest and most public headache.
Because if you look at, like, right, what does fin crime do? They steal your data and they put it on breach forums, you know.
Or they steal your data and put it on a ransomware, like, it's a huge amount of hassle straight away, right, because it's like

(38:01):
public, it's like they're trying to extort you and they're threatening you and it's really aggressive.
They're WhatsApping your, you know, CEO and harassing his wife or her wife.
You know, it's just like a big, intense thing, while you're, you know, your APT espionage people are kind of like slinking in slowly, you're trying to slink out slowly.
It's different, different, you know. It just depends on your threat.

(38:22):
It comes back to threat modeling, right, like who is most likely to attack you, how do you defend against that?
Right, it's good to also not to just, don't overcomplicate it, right? You have the added benefit that, like, a lot of fin crime groups and APTs are now using the same techniques, right.
So if you're doing like, especially I see this in our threat hunt platform, right, like we'll look at a specific

(38:43):
technique.
You know, like say, we'll take DNS request from an application, from an application like that you didn't install, like an unorthodox DNS request, right, and you look at, like, the techniques or the groups that will use that, and it could be like APT, could be fin crime, right.
So some of the stuff is cross applies, which I guess is good

(39:06):
from a time perspective.
But again, it's just like realizing, okay, who's most likely to attack us and do we have those vectors covered as best as possible?

Speaker 1 (39:17):
Yeah, I mean, like you said, right, it's extremely important to understand even who your adversary is, right, like you have to understand who's actually coming for you.
You know, who wants access to your computer or whatnot.
You know, I talked to an AI security researcher at NVIDIA, right.

(39:37):
And he was talking about the security protocols that they put up for their chips, for all of their chips, all of their products, right, and he said that the only thing that's even comparable is when you go to a government facility and you have to go into a SCIF, right, and just to have a conversation

(40:00):
about a certain topic, because the security at their facility is so top-notch that the government goes to see what they're doing so that they can replicate it in their environments.
Right, and that's a unique use case.
Right, because I mean, how much would China spend just to get the blueprints for the next NVIDIA chip, just so that they

(40:23):
could create it quicker than NVIDIA and come out with it and increase their AI power?
Right, like I mean, that's something where it's just like hey, just get it done, don't worry about the money.
Yeah, like, don't even worry about the check, you don't have to fill it out, I'll fill out the check at the end, you know? Like that sort of thing, and that works for, you know, one percent of the world's companies and entities out there,

(40:46):
right?
But like, you know, for everyone else it's like hey, let's cover our bases first and if we got some money to blow then we'll talk about some other stuff that's more advanced, but as of right now, you know, we're too soft of a target to even be worried about APTs.

Speaker 2 (41:04):
Yeah, look, good security slows everything down.
So if you look at the protocols that are in place for handling classified information within the US government, yeah, it's SCIFs, it's drop your electronic device at the door.
It's designed to slow everything down and to make it as hard as possible.

(41:25):
So good security slows everything down.
That's the antithesis to business, right?
So I mean, NVIDIA has decided and has made that choice that this is our most valuable intellectual property and we're going to take every step, no matter how inconvenient, right?

Speaker 1 (41:43):
To be able to protect it.
It might be the most valuable IP on the planet.
Yeah, yeah, it definitely could be.

Speaker 2 (41:50):
So, yeah, so like, look, you can always implement better security, and I guess that's always the trade-off with, you know, business processes of like, okay, well, what do we need to protect and how secure does it need to be, and how much

(42:20):
is that a disruption to what we need to do? Uh, that we really need to do.
Like phishing resistant, right, here's an example, phishing resistant, um, you know, FIDO keys, uh, basically, so you have to stick it in your computer before you log in, right, like.
This is the best way to basically stop credential theft now because, um, you know, phishing kits and info stealers

(42:44):
are basically grabbing credentials, grabbing cookies, grabbing everything off the machine, and, if you have the cookie, MFA is irrelevant, right, yeah, like, unless that cookie expires, you know, you can set like short expiration dates, but anyway, like you know, and like the thing is of, like having to have something with you and insert in a machine is a pain, right, like that's something.

(43:05):
That's something else that people might forget or, you know.
But you know, that's the point that we're at, and so, you know, if you want it to be the most secure that it can be, and I would argue that, you know, protecting credential theft and cookie theft is, should be number one, because that's one of the primary ways that adversaries get access to

(43:25):
machines. So yeah, I think for better security, we're going to have to put up with some inconvenience or just a change in work processes and patterns.
And you know, that's where we're at.
If that's what we have to do to protect data, then that's what we have to do.
So, you know, I mean remember, like even a few years ago, like

(43:46):
there'd be a breach and like companies would be like, oh, we don't want to reset everyone's password because that would inconvenience people.
Like now, that's just kind of like what, it's a joke, it's laughable, right, we're laughing at it. Like, of course, you have to reset everybody's password if your password database has been stolen,

(44:06):
or right, or whatever.
So, yeah, we just have to change our mindsets too and be like, things that are inconvenient at first glance often just become routine, right.
Like, you know, it's like, oh okay, there's been break-ins in our neighborhood, maybe I should do the second lock, or whatever.
Or, you know, just like the things that we modify in our own personal lives because we perceive an increased, you know, threat risk.
Like, okay, I'm going to really wash my hands because people

(44:28):
have got the flu.
Right, it's inconvenient, it takes longer to wash your hands three more times a day or whatever, but it probably lowers your risk of, arguably, of getting the flu.

Speaker 1 (44:39):
So, yeah, wow, yeah, I mean, you know, Jeremy, we've been on this thing for a while now, right?
The conversation really flew by, at least for me, right, and I'm very conscious of everyone's time, but I want to ask you one more question.

(45:00):
Where do you think security is going in 2025?
What are some trends that you're seeing potentially?
You know, security trends, as in organizations potentially deploying more controls on a certain area, or, you know, areas that are being attacked more in 2025 that you can foresee.
Well, am I allowed to talk about AI and DeepSeek?

(45:24):
Yeah, I mean, I guess we go for another hour.
Yeah, it's.

Speaker 2 (45:26):
I mean, I think, uh, organizations are going to be just increasingly challenged by like sort of deepfakes and things like that as well, and that's things that AI is like really good at.
We won't get into the whole like malware development and things like that, but, um, you know, I think, like social engineering, you know, AI is going to really, has really been sort of boosting that, audio deepfakes, things like that, that

(45:48):
are very tangible right now, and I think, you know, I guess again with like the major sort of threat actors, I would say ransomware too, and it's like again just kind of like don't sort of overthink it.
Move to phishing resistant authentication. Like that's a huge one.
Like, you know, just patching stuff on CISA's KEV, right, the

(46:12):
known exploited vulnerabilities list, right, KEV is a dead simple thing.
They just took the vulnerabilities, if they're exploited, and put them on a list.
Dead simple, right.
We don't have to overcomplicate it.
And those are the ones you should patch straight away, right, simple things like that.
I mean, I think organizations get caught off guard too by, you know, social engineering is very powerful, especially for very large organizations like telcos that have lots of

(46:35):
customer service reps.
You know, we've seen that with like SIM swapping and things of that nature too.
So, but misconfigurations as well, right.
And just knowing your attack surface, right, what services are exposed to the internet?
I mean, again, dead simple. Attackers go to Censys and Shodan and look for what internet-facing assets you have

(46:58):
and compare that to their exploit code for it, you know, can I attack it?
So like securing edge devices and taking, you know, RDP, like knowing all, if you've got exposed RDP ports, all this like brutally kind of basic stuff that people have been talking about for years is still extremely relevant.
So I mean, I would say that's the biggest thing.

(47:19):
Like know your attack surface, know what's facing outwardly, because that's the first stuff.
When, you know, attackers, attackers are going like okay, I'm going to enumerate subdomains and figure out the one that they've forgotten or whatever.
You know, all the, just the usual basic stuff that still gets a lot of mileage.
So hopefully that's a concise answer to your question.

Speaker 1 (47:39):
Yeah, yeah, I mean I think that's like as concise as you can be, right, especially with those topics, I mean.
But, you know, that just means that I'm going to have to have you back on for a part two or something like that.
You know, maybe a little bit of like a regular or a biannual episode with you.
I'd love it, it'd be great.
Yeah, well, it was fantastic having you on. Before I let you

(48:03):
go, how about you tell my audience, you know, where they can find you, where they can find, you know, any other resources from Intel 471 that you want to direct people to?

Speaker 2 (48:13):
Yeah, totally so.
The signal to noise, or rather the noise to signal ratio on X, aka Twitter, these days it's just too high for me, so I've gone to Bluesky, which is actually developing a nice sort of InfoSec kind of community there.
I'm on Mastodon as well and LinkedIn.
You know, our blog puts out a lot of research from Intel 471

(48:35):
on malware and threat actors and DeepSeek.
We've also got some great threat hunting content too.
You know, that's pretty hot right now.
Organizations are looking to, like, you know, get ahead of their.
You know, if they're infected, like assume you get infected and you want to get rid of it, conduct threat hunts.
So that's a whole new area that I'm very much learning about too, which is cool.
So, uh, yeah, I'd say, and also I write a newsletter that comes

(48:57):
out on Tuesdays called the Executive Intelligence Update.
It's actually aimed at just sort of security CTI practitioners and it's basically like four items to kind of, like, sometimes big picture, sometimes strategic, sometimes a lot of strategic stuff, sometimes tactical and even operational stuff, like I'll write some about some malware campaigns that our malware team has been working on, but it's

(49:19):
like a good summary of sort of infosec news.
I know there's heaps of stuff out there to read and consume, but it's relatively short and it gets to the point, so I'd encourage people to sign up for that as well. Awesome.

Speaker 1 (49:31):
I'm gonna have to sign up for it myself.
That'll be great, awesome, awesome.
Well, thanks, Jeremy, I really do appreciate you coming on and, you know, I hope everyone out there enjoyed listening or watching on whatever platform you're on.
Thanks everyone.