WEBVTT 1 00:00:00.000 --> 00:00:02.640 All right, so today we're diving into something pretty hefty. 2 00:00:02.839 --> 00:00:09.080 Oh yeah, the Threat Intelligence Handbook second edition, second edition. Wow, 3 00:00:09.359 --> 00:00:14.160 to unpack you know, how organizations are using threat intelligence, okay, 4 00:00:14.199 --> 00:00:17.160 to kind of move beyond just reacting to cyber attacks. 5 00:00:17.280 --> 00:00:17.480 Right. 6 00:00:17.559 --> 00:00:20.559 It's kind of like the difference between knowing that someone 7 00:00:20.640 --> 00:00:24.199 might break into your house, yeah, versus understanding exactly who 8 00:00:24.280 --> 00:00:27.079 they are, why they target you, and how they do it. 9 00:00:27.239 --> 00:00:28.480 Yeah. That's a great analogy. 10 00:00:28.600 --> 00:00:30.320 So that's what we're going to dig into today. I 11 00:00:30.399 --> 00:00:32.799 like it, and you know this, this handbook really dives 12 00:00:32.840 --> 00:00:38.000 into how to turn raw data into actionable insights. Yeah, 13 00:00:38.079 --> 00:00:41.479 that recipe for predicting and preventing cyber attacks. 14 00:00:41.520 --> 00:00:44.039 Absolutely. And what I found so fascinating about this book 15 00:00:44.079 --> 00:00:46.840 is how much it emphasizes the human element. 16 00:00:47.079 --> 00:00:47.840 Oh. Interesting. 17 00:00:48.039 --> 00:00:50.079 You can have all the data in the world, right, 18 00:00:50.200 --> 00:00:53.600 but without skill analysts to connect the dots, it's just noise. 19 00:00:53.719 --> 00:00:57.000 It's like having a million puzzle pieces exactly, but no 20 00:00:57.119 --> 00:00:58.679 picture on the box to guide. 21 00:00:58.479 --> 00:01:00.159 You a million puzzle pieces. 22 00:01:00.679 --> 00:01:04.840 Speaking of putting those pieces together, the handbook differentiates between 23 00:01:04.879 --> 00:01:10.280 two types of threat intelligence m HM, operational and strategic. Yeah, 24 00:01:10.359 --> 00:01:14.920 I'm curious, how do these two actually play out in 25 00:01:14.959 --> 00:01:16.480 a real world scenario. 26 00:01:16.760 --> 00:01:19.599 Okay, So let's imagine a company discovers that there's a 27 00:01:19.680 --> 00:01:25.079 vulnerability being exploited in their industry. Operational threat intelligence is 28 00:01:25.079 --> 00:01:28.439 what tells them, Hey, this vulnerability exists in your systems too, 29 00:01:29.079 --> 00:01:32.400 and right now someone is actively trying to exploit it. 30 00:01:32.799 --> 00:01:34.400 Oh wow, So it's very immediate. 31 00:01:34.480 --> 00:01:36.239 So it's like that on the ground, on the ground, 32 00:01:36.239 --> 00:01:38.040 real time, real time intel. 33 00:01:37.799 --> 00:01:39.879 Its security teams need to act fast. 34 00:01:39.920 --> 00:01:42.799 Yeah, it's almost like having a security camera right that 35 00:01:42.920 --> 00:01:46.519 highlights the exact spot a burglar is trying to pry open. 36 00:01:46.640 --> 00:01:47.640 That's a good way to put it. 37 00:01:47.680 --> 00:01:50.760 Intense. So then strategic thread intelligence would be. 38 00:01:51.000 --> 00:01:53.799 Strategic thread intelligence is more of the zoom out view. 39 00:01:54.319 --> 00:01:56.959 It might reveal that the attackers are a group known 40 00:01:57.040 --> 00:02:01.560 for targeting financial institutions and motive is to steal customer 41 00:02:01.680 --> 00:02:03.280 data to sell on the dark web. 42 00:02:03.319 --> 00:02:03.640 Got it? 43 00:02:03.959 --> 00:02:08.840 And so this helps security leaders make long term decisions 44 00:02:09.120 --> 00:02:13.719 like investing in better data encryption or partnering with law enforcement. 45 00:02:13.840 --> 00:02:17.120 Okay, I see the difference. Yeah, so operational is like 46 00:02:17.199 --> 00:02:20.159 you said, fighting the fire. Strategic is preventing the fire in. 47 00:02:20.080 --> 00:02:21.319 The first place, exactly. 48 00:02:21.400 --> 00:02:24.840 And the handbook lays out this process in something called 49 00:02:24.840 --> 00:02:26.439 the threat intelligence life cycle. 50 00:02:26.520 --> 00:02:27.000 It does. 51 00:02:27.520 --> 00:02:31.879 What surprised me was the focus on automation in certain phases. 52 00:02:32.439 --> 00:02:33.439 Is this new trend? 53 00:02:33.719 --> 00:02:36.719 Yeah, it's becoming more and more essential because think about it, 54 00:02:36.759 --> 00:02:40.199 with the sheer volume of data that's generated every second, 55 00:02:40.800 --> 00:02:44.800 no human team could possibly keep up. So automating things 56 00:02:44.840 --> 00:02:49.360 like data collection and processing really frees up analysts, Yeah, 57 00:02:49.560 --> 00:02:53.039 to do what machines can't do, which is interpret the data, 58 00:02:53.479 --> 00:02:57.400 make judgments, and connect those seemingly unrelated events. 59 00:02:57.680 --> 00:03:00.319 So it's like having a robotic assistance sifting through all 60 00:03:00.360 --> 00:03:01.319 those puzzle pieces. 61 00:03:01.439 --> 00:03:03.360 I like that analogy, so the human. 62 00:03:03.159 --> 00:03:06.879 Analysts can focus on finding the key pieces that fit together. Yeah, 63 00:03:06.960 --> 00:03:09.759 that makes sense. But how does all of this actually 64 00:03:09.840 --> 00:03:14.840 help specific teams within an organization? So what's say the 65 00:03:14.879 --> 00:03:18.639 security operations team. They're the ones dealing with those constant alerts, 66 00:03:18.759 --> 00:03:20.879 right exactly, like all day, every day exactly. 67 00:03:21.000 --> 00:03:25.360 Imagine a security operations center. Alarms are going off constantly, 68 00:03:26.120 --> 00:03:29.639 but a huge percentage of those are false positives. Oh wow, 69 00:03:29.680 --> 00:03:32.960 and threat intelligence can add context to those alerts. Okay, 70 00:03:33.039 --> 00:03:36.280 it might say, hey, this alite matches the behavior of 71 00:03:36.319 --> 00:03:39.319 a known hacking group that's targeting your industry, got it, 72 00:03:39.360 --> 00:03:43.080 which immediately raises its priority. Instead of chasing every shadow, 73 00:03:43.560 --> 00:03:45.000 they can focus on the real threats. 74 00:03:45.039 --> 00:03:47.639 That's like having a special alarm that only goes off 75 00:03:47.680 --> 00:03:50.240 if the burglar is using the right key to try 76 00:03:50.240 --> 00:03:51.120 and unlock your door. 77 00:03:51.639 --> 00:03:52.199 I like that. 78 00:03:52.360 --> 00:03:55.960 What I found impactful was this statistic that forty four 79 00:03:56.000 --> 00:03:58.680 percent of security alerts go uninvestigating. 80 00:03:58.759 --> 00:03:59.879 Oh, it's a huge problem. 81 00:04:00.000 --> 00:04:01.840 That's a scary thought, it is. 82 00:04:01.879 --> 00:04:07.000 And it really highlights why integrating threat intelligence with internal 83 00:04:07.000 --> 00:04:10.719 network data is so critical. Yeah, let's say an alert 84 00:04:10.759 --> 00:04:15.360 pops up about suspicious activity on a server. By combining 85 00:04:15.400 --> 00:04:18.839 that with external threat intel, the team might discover wait 86 00:04:18.879 --> 00:04:23.720 a minute, this server contains our most sensitive financial data 87 00:04:24.240 --> 00:04:26.879 and the activity matches a group that's known for stealing 88 00:04:26.879 --> 00:04:30.600 financial records. Oh wow, Suddenly what might have been ignored 89 00:04:30.800 --> 00:04:32.759 becomes top priority. 90 00:04:32.920 --> 00:04:37.199 That's a powerful example of how combining those different pieces 91 00:04:37.240 --> 00:04:40.720 of the puzzles can reveal a much bigger picture. And 92 00:04:40.720 --> 00:04:43.439 what about incident response teams. Okay, they're the ones who 93 00:04:43.480 --> 00:04:45.639 have to jump in when an attack is happening, right. 94 00:04:45.680 --> 00:04:46.959 Right, They're the ones on the front lines. 95 00:04:47.000 --> 00:04:48.160 It must be under pressure. 96 00:04:48.279 --> 00:04:52.839 Absolutely, every second counts. Yeah, but imagine this. A company 97 00:04:52.920 --> 00:04:56.480 is hit with ransomware, their incident response team, thanks to 98 00:04:56.519 --> 00:05:01.040 threat intelligence, already knows this particular ransomware strain. Oh wow, 99 00:05:01.160 --> 00:05:04.399 it's typical attack patterns and even potential weaknesses. 100 00:05:04.720 --> 00:05:07.800 Okay, so instead of starting from scratch, right, they already 101 00:05:07.800 --> 00:05:08.480 have a head start. 102 00:05:08.519 --> 00:05:11.040 So it's almost like having a playbook exactly or how 103 00:05:11.079 --> 00:05:13.480 to fight that specific kind of fire. 104 00:05:13.800 --> 00:05:14.319 I like that. 105 00:05:14.439 --> 00:05:16.920 Yeah, that could save precious time, you really can. 106 00:05:16.879 --> 00:05:19.399 And the handbook really highlights that time element. You know, 107 00:05:19.879 --> 00:05:23.480 statistics show that the time to detect and contain incidents 108 00:05:23.560 --> 00:05:26.759 is increasing. Oh really, and threat intelligence can help flip 109 00:05:26.759 --> 00:05:30.959 that trend by enabling teams to react faster and more effectively. 110 00:05:31.199 --> 00:05:34.680 That's reassuring, And it seems like thread intelligence isn't just 111 00:05:34.720 --> 00:05:39.319 about reacting to attacks, no, but proactively managing vulnerabilities too. 112 00:05:39.360 --> 00:05:39.839 Is that right? 113 00:05:40.079 --> 00:05:42.319 You hit the nail on the head. The handbook uses 114 00:05:42.360 --> 00:05:46.240 this great analogy of think of vulnerabilities like cracks in 115 00:05:46.279 --> 00:05:49.519 your house's foundation. Okay, you could try to patch every 116 00:05:49.600 --> 00:05:52.160 tiny crack you find, right, but that's a never ending 117 00:05:52.240 --> 00:05:54.839 task and some might be more critical than others. Sure, 118 00:05:54.920 --> 00:05:59.439 Threat intelligence helps prioritize those cracks based on real world risk. 119 00:06:00.120 --> 00:06:03.639 Okay, so instead of patching every tiny. 120 00:06:03.319 --> 00:06:05.879 Crack, you're focusing on the ones that a burglar might 121 00:06:05.920 --> 00:06:09.399 actually use to break in exactly. I like that. The 122 00:06:09.439 --> 00:06:12.839 hambook also talks about how threat intelligence is becoming essential 123 00:06:12.839 --> 00:06:16.480 for security leaders, right, like CISOs. Why is that? 124 00:06:16.759 --> 00:06:20.600 Well, imagine being a CISO. You're responsible for protecting your 125 00:06:20.759 --> 00:06:26.639 entire organization from cyber threats. But the landscape is incredibly complex. 126 00:06:26.759 --> 00:06:30.120 Oh yeah, there are thousands of vendors out there, each 127 00:06:30.199 --> 00:06:33.439 claiming to have the best solution. Yeah, threat intelligence can 128 00:06:33.439 --> 00:06:36.279 help cut through that noise and make strategic decisions. 129 00:06:36.800 --> 00:06:39.439 It's like having a map that highlights the most dangerous 130 00:06:39.480 --> 00:06:41.199 areas of the cybersecurity jungle. 131 00:06:41.319 --> 00:06:41.839 I like that. 132 00:06:42.040 --> 00:06:45.079 So the CISO can deploy their resources strategically. 133 00:06:45.199 --> 00:06:46.120 That's a good way to put. 134 00:06:46.040 --> 00:06:50.560 It makes sense. But how does threat intelligence help CISOs 135 00:06:51.040 --> 00:06:56.920 communicate risk to say a CEO or board of directors. Yeah, 136 00:06:56.959 --> 00:06:58.399 who might not be as tech savvy. 137 00:06:58.680 --> 00:07:01.600 That's a great question. So think about it this way. 138 00:07:01.920 --> 00:07:04.240 A CEO doesn't need to know the technical details of 139 00:07:04.240 --> 00:07:07.439 a vulnerability, but they do need to understand the potential 140 00:07:07.480 --> 00:07:11.480 impact on the business. Threat intelligence can translate those technical 141 00:07:11.519 --> 00:07:15.319 details into business terms. So, for example, it might say 142 00:07:15.839 --> 00:07:19.639 this vulnerability could allow attackers to steal our customer data, 143 00:07:20.160 --> 00:07:23.879 leading to lawsuits, regulatory fines, and reputational damage. 144 00:07:24.120 --> 00:07:29.319 So it's about connecting cybersecurity to real world business consequences. Suddenly, 145 00:07:29.360 --> 00:07:31.360 it's not just a tech issue. It's a boardroom issue. 146 00:07:31.399 --> 00:07:37.120 It is speaking of understanding complex concepts. The handbook talks 147 00:07:37.160 --> 00:07:39.160 about threat intelligence frameworks. 148 00:07:39.279 --> 00:07:39.800 It does. 149 00:07:40.279 --> 00:07:42.079 I admit this is where I get a bit lost. 150 00:07:42.360 --> 00:07:43.399 Can you break it down for us? 151 00:07:43.519 --> 00:07:47.759 Absolutely? So think of frameworks like different lenses you can 152 00:07:47.839 --> 00:07:51.439 use to examine a cyber attack. One popular framework is 153 00:07:51.480 --> 00:07:55.199 the cyber kill chain, which breaks down an attack into 154 00:07:55.199 --> 00:07:59.439 seven stages, from reconnaissance to achieving the. 155 00:07:59.399 --> 00:08:02.600 Attackers of So, it's like watching a security camera recording 156 00:08:02.639 --> 00:08:05.879 of a break in and labeling each step the burglar 157 00:08:05.920 --> 00:08:09.120 takes from casing the joint to escaping with the. 158 00:08:09.079 --> 00:08:13.319 Loot precisely, and by understanding each stage, you can develop 159 00:08:13.399 --> 00:08:17.240 countermeasures at every step. Okay, But as the handbook points out, 160 00:08:17.439 --> 00:08:20.399 real world attacks aren't always so linear. It's not a 161 00:08:20.439 --> 00:08:22.800 perfect model, more like a guide. 162 00:08:23.120 --> 00:08:25.959 Okay, So it's a useful tool, but not a fool 163 00:08:26.000 --> 00:08:29.839 proof system. What other lenses lenses Zoo does the handbook 164 00:08:29.839 --> 00:08:31.560 offer for looking at cyber attacks? 165 00:08:32.159 --> 00:08:35.799 Another valuable framework is the Diamond model. Okay, and instead 166 00:08:35.799 --> 00:08:38.720 of focusing on the steps of an attack, it focuses 167 00:08:38.759 --> 00:08:43.559 on the relationship between four key elements adversary, capability, infrastructure, 168 00:08:43.799 --> 00:08:44.639 and victim. 169 00:08:45.080 --> 00:08:47.159 So it's less about how they break in and more 170 00:08:47.200 --> 00:08:49.799 about who they are, exactly, what tools they use, and 171 00:08:49.799 --> 00:08:50.320 who they're. 172 00:08:50.200 --> 00:08:53.320 Targeting precisely, got it? And this helps you understand the 173 00:08:53.360 --> 00:08:56.960 motivations and patterns of specific attack groups. 174 00:08:57.159 --> 00:08:57.480 Got it. 175 00:08:57.639 --> 00:09:00.799 So let's say a company is hit with a campaign. 176 00:09:01.639 --> 00:09:04.120 The Diamond model might help them connect this to a 177 00:09:04.159 --> 00:09:08.639 specific group known for targeting that industry, using similar tactics 178 00:09:08.799 --> 00:09:11.600 and exploiting certain infrastructure vulnerabilities. 179 00:09:11.919 --> 00:09:14.240 So it's like building a profile on a criminal rather 180 00:09:14.279 --> 00:09:18.200 than just analyzing a single crime exactly. That's fascinating. Now, 181 00:09:18.320 --> 00:09:23.120 the handbook also delves into miter at ANDZK. Yes, which 182 00:09:23.399 --> 00:09:25.879 I know is popular but can be a little overwhelming. 183 00:09:26.000 --> 00:09:27.720 Yeah, it can be a bit daunting. 184 00:09:28.320 --> 00:09:30.799 How does it approach framing cyber attacks? 185 00:09:31.200 --> 00:09:34.120 So think of miter at and CK like a massive 186 00:09:34.240 --> 00:09:38.759 encyclopedia of attacker tactics and techniques. Okay, And it's based 187 00:09:38.799 --> 00:09:43.039 on real world observations, not theoretical models, got it. So 188 00:09:43.080 --> 00:09:47.120 you can see exactly how attackers are exploiting specific software, 189 00:09:47.679 --> 00:09:51.039 what techniques they use to move within a network, how 190 00:09:51.039 --> 00:09:52.320 they try to cover their tracks. 191 00:09:52.399 --> 00:09:55.759 That sounds incredibly valuable. It is, but also incredibly detailed. 192 00:09:56.279 --> 00:09:58.399 Is it really practical for every organization? 193 00:09:58.559 --> 00:09:59.360 That's a good question. 194 00:09:59.519 --> 00:10:01.440 To die into that level of detail. 195 00:10:01.919 --> 00:10:04.720 It can be daunting, but the handbook offers some good guidance. 196 00:10:04.960 --> 00:10:05.279 Okay. 197 00:10:05.360 --> 00:10:09.039 It suggests focusing on the tactics and techniques that are 198 00:10:09.080 --> 00:10:11.480 most relevant to your industry, got it, and the types 199 00:10:11.519 --> 00:10:12.360 of systems you use. 200 00:10:12.440 --> 00:10:12.799 Okay. 201 00:10:12.879 --> 00:10:14.919 So it's about finding the signal and the noise. 202 00:10:15.200 --> 00:10:18.039 So it's like having a customized guide, yeah, to the 203 00:10:18.039 --> 00:10:22.759 most likely attack paths exactly that could target your specific organization. 204 00:10:23.039 --> 00:10:24.399 That's a great way to think about it. 205 00:10:24.440 --> 00:10:27.120 That's a lot more manageable, yeah, than trying to learn 206 00:10:27.200 --> 00:10:31.679 everything it is. But I'm curious, even with all this intelligence, 207 00:10:32.519 --> 00:10:37.639 the handbook emphasizes starting simple. Yes, when building a threat 208 00:10:37.639 --> 00:10:39.919 intelligence program. Why is that? 209 00:10:39.919 --> 00:10:44.080 That's a great question. So imagine diving headfirst into a 210 00:10:44.080 --> 00:10:47.679 bunch of threat data feeds. Okay, without a clear plan 211 00:10:47.759 --> 00:10:50.720 in place, you'll be drowning in data. But will you 212 00:10:50.879 --> 00:10:52.639 actually gain useful insights? 213 00:10:52.799 --> 00:10:53.080 Yeah? 214 00:10:53.440 --> 00:10:56.279 Probably not right, So the handbook stress is starting with 215 00:10:56.360 --> 00:10:58.600 clear goals okay, and building from there. 216 00:10:58.679 --> 00:11:00.960 So it's like having a recipe but no idea what 217 00:11:01.000 --> 00:11:02.000 you're actually trying. 218 00:11:01.799 --> 00:11:02.840 To cook exactly. 219 00:11:03.000 --> 00:11:05.360 You might end up with a random assortment of ingredients, 220 00:11:05.799 --> 00:11:07.000 but not a delicious meal. 221 00:11:07.320 --> 00:11:08.879 Yeah, you don't want that makes sense? 222 00:11:09.480 --> 00:11:12.320 What are some of the essential ingredients ingredients for a 223 00:11:12.320 --> 00:11:13.879 good threat intelligence program? 224 00:11:14.039 --> 00:11:18.480 Well, first, you need to identify your most critical assets Okay, 225 00:11:18.840 --> 00:11:22.559 what data systems are processes? If compromised, would really hurt 226 00:11:22.600 --> 00:11:23.360 your organization? 227 00:11:23.919 --> 00:11:24.360 Got it? 228 00:11:24.399 --> 00:11:27.759 Then consider your biggest threats Okay, who might be interested 229 00:11:27.799 --> 00:11:34.000 in targeting those assets? Is it Nation States? Activists, cyber criminals? 230 00:11:34.279 --> 00:11:34.519 Right? 231 00:11:34.919 --> 00:11:37.360 Knowing this helps you focus your intelligence gathering. 232 00:11:37.600 --> 00:11:41.000 So it's about figuring out what you need to protect 233 00:11:41.200 --> 00:11:43.440 and from whom exactly before you go out and buy 234 00:11:43.480 --> 00:11:46.200 every security gadget on the market. It's right, that's a 235 00:11:46.200 --> 00:11:49.159 good reminder to be strategic. Yeah, but what about the 236 00:11:49.240 --> 00:11:52.240 people involved? Who are the key players on a threat 237 00:11:52.320 --> 00:11:53.200 intelligence team. 238 00:11:53.320 --> 00:11:57.600 So the handbook talks about the need for a core team, 239 00:11:57.639 --> 00:12:00.679 even if it starts small. You need anlysts who can 240 00:12:00.799 --> 00:12:03.759 sift through data and connect the dots, someone to manage 241 00:12:03.799 --> 00:12:07.480 the program, and security engineers who can integrate that threat 242 00:12:07.519 --> 00:12:09.000 intel into your systems. 243 00:12:09.200 --> 00:12:12.039 It's like having a team of detectives, a forensic specialist, 244 00:12:12.200 --> 00:12:15.159 and a tech expert all working together to solve the 245 00:12:15.159 --> 00:12:17.120 cyber crime puzzle. I like that, But how do you 246 00:12:17.159 --> 00:12:19.440 make sure all this intelligence actually gets used? 247 00:12:19.720 --> 00:12:23.039 That's where communication comes in. Okay, the team needs to 248 00:12:23.120 --> 00:12:28.480 create reports that are tailored to different audiences. A CISO 249 00:12:28.519 --> 00:12:32.559 needs to know the potential business impact, while security analysts 250 00:12:32.600 --> 00:12:34.879 need those technical details to take action. 251 00:12:35.360 --> 00:12:38.879 So it's about translating the intelligence into something that everyone 252 00:12:38.919 --> 00:12:42.720 can understand and act on. That makes sense. But with 253 00:12:42.799 --> 00:12:46.960 all this focus on data and technology, I wonder does 254 00:12:47.000 --> 00:12:51.159 the human element ever get lost in threat intelligence. 255 00:12:51.440 --> 00:12:54.639 That's a great question, and it's one the handbook addresses. 256 00:12:55.279 --> 00:12:58.960 It really stresses the importance of analysts who can think, critically, 257 00:12:59.000 --> 00:13:04.039 connect those seemingly unrelated dots, and even anticipate the attackers' 258 00:13:04.120 --> 00:13:04.720 next moves. 259 00:13:04.799 --> 00:13:06.039 Oh wow, So it's. 260 00:13:05.919 --> 00:13:08.879 About combining human intuition with machine power. 261 00:13:09.080 --> 00:13:12.799 That's reassuring. It's not just about algorithms and automation. It's 262 00:13:12.799 --> 00:13:16.679 about people using their expertise and judgment. But I'm also curious, 263 00:13:17.000 --> 00:13:20.440 with all this talk about cyber criminals and nation state actors, 264 00:13:21.720 --> 00:13:25.399 how does threat intelligence help with something like fraud prevention. 265 00:13:26.200 --> 00:13:29.919 That's a great question. Fraud prevention is all about understanding 266 00:13:29.960 --> 00:13:33.799 the tactics and motivations of those who would deceive and steal, 267 00:13:34.559 --> 00:13:37.679 and threat intelligence can really help shine a light on 268 00:13:37.720 --> 00:13:38.480 these activities. 269 00:13:38.519 --> 00:13:38.799 Okay. 270 00:13:39.320 --> 00:13:42.759 So imagine a bank wants to protect its customers from 271 00:13:42.919 --> 00:13:47.120 phishing scams. Okay, threat intelligence might reveal that a certain 272 00:13:47.159 --> 00:13:51.960 group is targeting customers with fake emails, impersonating the bank 273 00:13:52.519 --> 00:13:56.039 using specific lures and techniques. Oh wow, so they can 274 00:13:56.080 --> 00:13:56.720 be prepared. 275 00:13:56.919 --> 00:13:59.960 So it's like knowing the con artist's playbook before they 276 00:14:00.039 --> 00:14:03.519 even approach their mark exactly. That's incredibly valuable, it is, 277 00:14:03.600 --> 00:14:05.559 But how do you actually get that kind of intel? 278 00:14:05.799 --> 00:14:06.159 Okay? 279 00:14:06.240 --> 00:14:07.559 Is it all top secret stuff? 280 00:14:07.799 --> 00:14:08.799 Not necessarily? 281 00:14:09.000 --> 00:14:09.240 Okay. 282 00:14:09.360 --> 00:14:12.639 The handbook talks about open source intelligence, right, things you 283 00:14:12.679 --> 00:14:16.519 can find publicly, So, for example, monitoring social media for 284 00:14:16.679 --> 00:14:20.159 mentions of your brand, searching for leaked data, on pace 285 00:14:20.240 --> 00:14:23.320 sites can reveal early signs of an attack or a 286 00:14:23.360 --> 00:14:24.279 fraud campaign. 287 00:14:24.879 --> 00:14:27.080 So it's like keeping your ear to the ground and 288 00:14:27.159 --> 00:14:30.879 the digital world listening for whispers and rumors. Yeah, that 289 00:14:30.919 --> 00:14:31.919 could signal trouble. 290 00:14:33.159 --> 00:14:34.240 I like that analogy. 291 00:14:34.399 --> 00:14:35.559 And what about the dark web? 292 00:14:36.120 --> 00:14:38.080 Ah, the dark web isn't that where a. 293 00:14:38.080 --> 00:14:39.759 Lot of criminal activity takes place? 294 00:14:39.879 --> 00:14:44.240 You think of the dark web as a hidden marketplace, okay, 295 00:14:44.360 --> 00:14:49.799 where criminals buy and sell stolen data, hacking tools, even 296 00:14:49.960 --> 00:14:55.080 fraud services. Monitoring these forums can reveal what kind of 297 00:14:55.200 --> 00:14:58.960 data is in demand, what new attack methods are being developed, 298 00:14:59.120 --> 00:15:00.360 who the key player are. 299 00:15:00.440 --> 00:15:03.399 So it's like going undercover in the digital underworld. It 300 00:15:03.480 --> 00:15:05.200 is a little bit to see what the criminals are 301 00:15:05.279 --> 00:15:08.679 up to. Yeah, that's both fascinating and a little scary. 302 00:15:08.840 --> 00:15:09.559 It can be both. 303 00:15:09.679 --> 00:15:12.080 But how do you even access the dark web safely? 304 00:15:12.240 --> 00:15:13.399 Well that's a great question. 305 00:15:13.759 --> 00:15:16.240 I mean, isn't it full of malware and other dangers? 306 00:15:16.480 --> 00:15:19.519 It definitely is, and the handbook stresses the need for 307 00:15:19.639 --> 00:15:22.720 caution and the right tools. You wouldn't walk into a 308 00:15:22.759 --> 00:15:26.320 dangerous neighborhood without taking precautions, right, and the same applies 309 00:15:26.320 --> 00:15:27.120 to the dark web. 310 00:15:27.440 --> 00:15:27.879 Makes sense? 311 00:15:27.919 --> 00:15:31.679 There are specialized browsers and security measures that allow researchers 312 00:15:31.679 --> 00:15:34.080 to access these areas while minimizing risk. 313 00:15:34.559 --> 00:15:36.919 Okay, so it's not for the fate of heart no, 314 00:15:37.200 --> 00:15:39.519 but I can see how valuable that kind of intelligence 315 00:15:39.559 --> 00:15:44.279 would be for understanding the tactics and motivations of cyber criminals. Absolutely, 316 00:15:44.960 --> 00:15:49.080 and I imagine it's also useful for tracking data breaches right. 317 00:15:49.399 --> 00:15:53.200 Oh. Absolutely. After a breach, stolen data often ends up 318 00:15:53.240 --> 00:15:56.080 for sale on the dark web. Oh wow, So monitoring 319 00:15:56.120 --> 00:16:01.559 these marketplaces can alert organizations that their data has been compromised, right, 320 00:16:01.639 --> 00:16:03.679 even if they weren't aware of the breach initially. 321 00:16:03.879 --> 00:16:06.759 That's crucial for damage control. Yeah. Knowing your data is 322 00:16:06.759 --> 00:16:09.120 out there means you can take steps to protect your 323 00:16:09.120 --> 00:16:10.639 customers and your reputation. 324 00:16:10.879 --> 00:16:11.480 Absolutely. 325 00:16:11.960 --> 00:16:13.799 But what about the risks that come from outside your 326 00:16:13.799 --> 00:16:14.559 own organization? 327 00:16:14.840 --> 00:16:15.159 Okay? 328 00:16:15.200 --> 00:16:17.840 The handbook also touches on third party risk, right right. 329 00:16:17.879 --> 00:16:21.200 Think about all the vendors and partners your organization relies on. 330 00:16:21.559 --> 00:16:25.200 They might have access to your systems, your data, even 331 00:16:25.240 --> 00:16:26.559 your customer's information. 332 00:16:27.200 --> 00:16:27.440 Right. 333 00:16:27.879 --> 00:16:30.399 A weakness in their security is a weakness in yours. 334 00:16:31.039 --> 00:16:34.360 So it's like having a security system in your house. Yeah, 335 00:16:34.399 --> 00:16:37.080 but leaving the back door unlocked because the gardener has 336 00:16:37.120 --> 00:16:41.480 a key exactly. That's a worrying thought, it is. How 337 00:16:41.480 --> 00:16:44.919 does threaaten intelligence help with managing that risk? 338 00:16:45.399 --> 00:16:48.720 Think of it like due diligence, Uh, before you do 339 00:16:48.840 --> 00:16:52.320 business with someone? Okay, threat intelligence can help you assess 340 00:16:52.399 --> 00:16:56.360 a vendor's security posture, got it? Have they been breached before? 341 00:16:56.799 --> 00:16:59.720 Are they known for having weak security practices? Are they 342 00:16:59.799 --> 00:17:03.000 men connection with any suspicious activity on the dark web? 343 00:17:03.320 --> 00:17:05.880 So it's like doing a background check for your business 344 00:17:05.880 --> 00:17:08.960 partners to make sure they're trustworthy and reliable. Precisely, that 345 00:17:09.000 --> 00:17:10.440 makes a lot of sense. But it's not just a 346 00:17:10.480 --> 00:17:11.440 one time check, is it. 347 00:17:11.519 --> 00:17:15.319 No, not at all. Because the threat landscape is constantly changing, 348 00:17:15.920 --> 00:17:19.920 you need to continuously monitor your third parties for signs 349 00:17:19.920 --> 00:17:25.160 of compromise. So this might include monitoring for leaked credentials 350 00:17:25.200 --> 00:17:28.440 associated with their domain, got it, tracking mentions of their 351 00:17:28.480 --> 00:17:31.799 company on dark web forums, or even looking for changes 352 00:17:31.799 --> 00:17:34.720 in their network traffic that could indicate an attack. 353 00:17:34.880 --> 00:17:37.359 So it's like having a security camera pointed not just 354 00:17:37.440 --> 00:17:40.079 at your own property, yeah, but also at your neighbors' 355 00:17:40.079 --> 00:17:43.400 houses to make sure nothing suspicious is happening Over there. 356 00:17:43.920 --> 00:17:44.960 I like that analogy. 357 00:17:45.079 --> 00:17:45.839 It could affect you. 358 00:17:46.440 --> 00:17:48.839 It's a good one, and this is especially important when 359 00:17:48.880 --> 00:17:51.880 you think about the supply chain. If one link in 360 00:17:51.960 --> 00:17:56.079 the chain is weak, the entire chain is vulnerable, and 361 00:17:56.240 --> 00:18:00.880 threat intelligence can help identify those weak links and encourage 362 00:18:01.039 --> 00:18:03.799 better security practices throughout that ecosystem. 363 00:18:03.960 --> 00:18:07.559 That's a powerful reminder that security is a shared responsibility. 364 00:18:07.640 --> 00:18:07.920 It is. 365 00:18:07.960 --> 00:18:10.960 It's not just about protecting your own castle. It's about 366 00:18:11.000 --> 00:18:14.519 working together to make sure the entire kingdom is safe. Absolutely, 367 00:18:15.240 --> 00:18:19.319 But I'm also curious, how does threat intelligence help with 368 00:18:19.400 --> 00:18:21.480 something like protecting your online reputation? 369 00:18:21.880 --> 00:18:23.880 Okay, so think about all the ways that your brand 370 00:18:23.880 --> 00:18:28.200 exists online. Okay, your website, your social media accounts, even 371 00:18:28.240 --> 00:18:31.240 mentions of your company, and news articles or blog posts. 372 00:18:31.839 --> 00:18:35.440 Thread intelligence can help you monitor for things like fake 373 00:18:35.519 --> 00:18:41.000 websites impersonating your brand, phishing scams using your logo, got it, 374 00:18:41.119 --> 00:18:44.640 even negative publicity campaigns that are spreading misinformation. 375 00:18:45.039 --> 00:18:48.839 So it's like having a digital bodyguard for your brand, exactly, 376 00:18:49.039 --> 00:18:52.200 scanning the Internet for any threats to your reputation. 377 00:18:52.400 --> 00:18:53.519 That's a great way to think about it. 378 00:18:53.559 --> 00:18:57.079 That's pretty impressive. But with all this talk about monitoring 379 00:18:57.119 --> 00:18:59.960 and reacting. Okay, is there a way to use threat 380 00:19:00.119 --> 00:19:05.599 intelligence proactively to actually prevent attacks before they happen? 381 00:19:05.759 --> 00:19:09.960 Absolutely. One example is using threat intelligence to inform your 382 00:19:10.039 --> 00:19:14.079 security awareness training. Okay, so instead of giving generic advice, 383 00:19:14.680 --> 00:19:18.519 you can tailor that training to the specific threats that 384 00:19:18.559 --> 00:19:21.440 are targeting your industry or even your organization. So let's 385 00:19:21.440 --> 00:19:24.720 say a threat intelligence report reveals that there's a new 386 00:19:24.759 --> 00:19:30.519 phishing campaign that uses fake invoices to trick employees into 387 00:19:30.680 --> 00:19:34.759 clicking malicious links. Yeah, you can incorporate that real world 388 00:19:34.799 --> 00:19:39.039 example into your training, making it much more relevant and impactful. 389 00:19:39.240 --> 00:19:41.799 That's brilliant. Yeah, so like giving your employees a cheat 390 00:19:41.799 --> 00:19:44.799 sheet on how to spot the latest scams and avoid 391 00:19:44.839 --> 00:19:45.880 falling victim to them. 392 00:19:46.000 --> 00:19:46.440 Exactly. 393 00:19:46.440 --> 00:19:49.119 But with all this emphasis on the tactical side of 394 00:19:49.119 --> 00:19:52.640 threat intelligence, okay, I'm curious, how has it changed the 395 00:19:52.759 --> 00:19:55.160 role of the CISO and other security leaders. 396 00:19:55.480 --> 00:19:57.960 So threat intelligence has really elevated the role of the 397 00:19:58.000 --> 00:20:02.599 CISO from a technical exp to a strategic advisor. Interesting, 398 00:20:02.839 --> 00:20:05.440 so they're no longer just focused on firewalls and anti 399 00:20:05.480 --> 00:20:09.599 virus software. They're using threat intelligence to understand the risks 400 00:20:09.759 --> 00:20:13.759 facing the business. Okay, make informed decisions about security investments 401 00:20:13.799 --> 00:20:16.079