WEBVTT

1
00:00:00.120 --> 00:00:06.160
<v Speaker 1>Welcome to the deep dive. Today. We're tackling cyber threat intelligence,

2
00:00:06.360 --> 00:00:08.199
<v Speaker 1>a really crucial area, and we're.

3
00:00:08.080 --> 00:00:10.160
<v Speaker 2>Doing that using a great resource you shared with us,

4
00:00:10.359 --> 00:00:12.359
<v Speaker 2>Visual Threat Intelligence by Thomas Roccia.

5
00:00:12.519 --> 00:00:12.960
<v Speaker 1>Exactly.

6
00:00:13.080 --> 00:00:15.039
<v Speaker 2>Yeah. Our goal here is really to pull out the

7
00:00:15.119 --> 00:00:18.280
<v Speaker 2>key ideas, the essential concepts from the book.

8
00:00:18.120 --> 00:00:20.960
<v Speaker 1>Right, and the practical applications too, exactly and.

9
00:00:20.960 --> 00:00:24.039
<v Speaker 2>Make it really clear for you, even if your background

10
00:00:24.120 --> 00:00:25.039
<v Speaker 2>isn't super technical.

11
00:00:25.160 --> 00:00:28.239
<v Speaker 1>In this book, Visual Threat Intelligence, it seems perfect for that.

12
00:00:28.480 --> 00:00:31.839
<v Speaker 1>It's gotten praise from places like the DFIR.

13
00:00:31.239 --> 00:00:34.320
<v Speaker 2>Report that's Digital Forensics and Incident Response.

14
00:00:34.200 --> 00:00:38.079
<v Speaker 1>Right and Pulsedive too. They highlighted its clear explanations,

15
00:00:38.119 --> 00:00:40.000
<v Speaker 1>its real world focus.

16
00:00:39.880 --> 00:00:42.840
<v Speaker 2>And the author Thomas Roccia, he definitely knows his stuff.

17
00:00:42.880 --> 00:00:45.719
<v Speaker 1>Oh yeah, over a decade at Microsoft as a senior

18
00:00:45.799 --> 00:00:50.000
<v Speaker 1>security researcher. Plus he runs security break dot io shares

19
00:00:50.039 --> 00:00:51.079
<v Speaker 1>his research there, and.

20
00:00:51.039 --> 00:00:53.640
<v Speaker 2>He's been involved in some big cyber events, contributes to

21
00:00:53.759 --> 00:00:57.240
<v Speaker 2>open source projects like the unprotect project.

22
00:00:57.399 --> 00:00:58.719
<v Speaker 1>So definitely experienced.

23
00:00:58.880 --> 00:01:02.479
<v Speaker 2>Absolutely so for you, our listener, thinking of you as

24
00:01:02.640 --> 00:01:05.519
<v Speaker 2>the learner, this should be a good shortcut.

25
00:01:05.200 --> 00:01:10.359
<v Speaker 1>Yeah, helping understand these important cybersecurity concepts, hopefully getting those aha,

26
00:01:11.079 --> 00:01:14.239
<v Speaker 1>moments without you know, getting totally bogged down in jargon.

27
00:01:14.640 --> 00:01:15.239
<v Speaker 2>That's the plan.

28
00:01:15.480 --> 00:01:20.200
<v Speaker 1>Okay, let's jump right in. Then fundamentally, what is threat intelligence?

29
00:01:20.680 --> 00:01:26.840
<v Speaker 2>Well, at its core, it's about gathering information on cyber.

30
00:01:26.519 --> 00:01:28.760
<v Speaker 1>Threats Okay, gathering info, yeah.

31
00:01:28.599 --> 00:01:31.920
<v Speaker 2>Then analyzing it to really understand those threats, and then

32
00:01:31.920 --> 00:01:35.120
<v Speaker 2>crucially sharing that understanding so you can improve security.

33
00:01:35.560 --> 00:01:38.519
<v Speaker 1>So it's kind of like reconnaissance, getting a step ahead

34
00:01:38.680 --> 00:01:41.239
<v Speaker 1>of attackers by figuring out who they are and what

35
00:01:41.280 --> 00:01:42.359
<v Speaker 1>they do precisely.

36
00:01:42.840 --> 00:01:45.519
<v Speaker 2>Now, the book makes a distinction, which is useful. There's

37
00:01:45.519 --> 00:01:49.439
<v Speaker 2>security intelligence it's broader any security info, right, and then

38
00:01:49.480 --> 00:01:53.719
<v Speaker 2>there's cyber threat intelligence CTI. Yeah, that's our focus today,

39
00:01:53.799 --> 00:01:55.519
<v Speaker 2>just like in the book. Often they just call it

40
00:01:55.560 --> 00:01:56.359
<v Speaker 2>threat intelligence.

41
00:01:56.359 --> 00:01:59.079
<v Speaker 1>I got it. CTI. It is, So what kind of

42
00:01:59.159 --> 00:02:01.239
<v Speaker 1>intelligence are we talking thinking about? The book lays out

43
00:02:01.519 --> 00:02:03.200
<v Speaker 1>three main types it does.

44
00:02:03.280 --> 00:02:06.439
<v Speaker 2>Yeah, and it's interesting these terms actually come from military

45
00:02:06.480 --> 00:02:10.639
<v Speaker 2>intelligence originally. So the first one is tactical threat intelligence,

46
00:02:11.120 --> 00:02:12.319
<v Speaker 2>think immediate.

47
00:02:12.560 --> 00:02:15.159
<v Speaker 1>Actionable, like what's happening right now exactly?

48
00:02:15.719 --> 00:02:19.639
<v Speaker 2>Threats targeting you in real time. Security teams use this

49
00:02:19.680 --> 00:02:25.199
<v Speaker 2>stuff daily for identifying ongoing incidents and responding quickly.

50
00:02:25.280 --> 00:02:28.039
<v Speaker 1>So spotting some specific malware trying to get in and

51
00:02:28.080 --> 00:02:30.439
<v Speaker 1>knowing exactly how to stop it right then and there.

52
00:02:30.560 --> 00:02:34.520
<v Speaker 2>That's a perfect example. Then you've got operational threat intelligence. Okay,

53
00:02:35.039 --> 00:02:38.319
<v Speaker 2>this goes a bit deeper into the attackers themselves. It

54
00:02:38.439 --> 00:02:42.240
<v Speaker 2>asks why are they attacking? What are their capabilities, their tools,

55
00:02:42.439 --> 00:02:46.879
<v Speaker 2>their methods, their tools, techniques, intentions, all of it. This

56
00:02:46.960 --> 00:02:50.000
<v Speaker 2>is super important for incident response. If you know who

57
00:02:50.000 --> 00:02:52.840
<v Speaker 2>you're dealing with, you can anticipate their moves better.

58
00:02:53.199 --> 00:02:55.800
<v Speaker 1>Right, So it's not just seeing the attack, but understanding

59
00:02:55.800 --> 00:02:57.159
<v Speaker 1>the attacker's whole playbook.

60
00:02:57.199 --> 00:03:00.400
<v Speaker 2>Almost you got it. And the third type is strategic

61
00:03:00.479 --> 00:03:01.400
<v Speaker 2>threat intelligence.

62
00:03:01.560 --> 00:03:03.840
<v Speaker 1>Strategic sounds high level.

63
00:03:03.960 --> 00:03:06.960
<v Speaker 2>It is. It's the big picture view, long term analysis

64
00:03:06.960 --> 00:03:08.080
<v Speaker 2>of the whole cyber threat.

65
00:03:07.919 --> 00:03:10.159
<v Speaker 1>Landscape, looking at overall trends.

66
00:03:10.039 --> 00:03:14.240
<v Speaker 2>Trends, yeah, emerging threats, even how things like geopolitics might

67
00:03:14.280 --> 00:03:18.360
<v Speaker 2>impact cyber risk. This helps the leadership the execs make

68
00:03:18.400 --> 00:03:22.039
<v Speaker 2>informed decisions about the overall security strategy long term stuff.

69
00:03:22.080 --> 00:03:26.319
<v Speaker 1>Okay, that makes sense. So tactical for the now, operational

70
00:03:26.400 --> 00:03:29.240
<v Speaker 1>for the who and why, and strategic for the long view.

71
00:03:29.520 --> 00:03:30.560
<v Speaker 1>Each has its place.

72
00:03:30.800 --> 00:03:34.240
<v Speaker 2>Definitely, a complete security program needs all three working together.

73
00:03:34.599 --> 00:03:38.400
<v Speaker 1>Now, the book talks about a threat intelligence life cycle.

74
00:03:39.400 --> 00:03:42.639
<v Speaker 1>Why is having a structured process like that important?

75
00:03:42.840 --> 00:03:45.520
<v Speaker 2>Well, it gives you a systematic way to actually do

76
00:03:45.639 --> 00:03:50.039
<v Speaker 2>threat intelligence effectively. It's a recognized method turning raw data

77
00:03:50.280 --> 00:03:52.759
<v Speaker 2>just noise sometimes into insights you can actually use.

78
00:03:52.879 --> 00:03:54.599
<v Speaker 1>And you mentioned its origins CIA.

79
00:03:54.800 --> 00:03:57.800
<v Speaker 2>Yeah. Interestingly, a similar structured cycle was first developed by

80
00:03:57.800 --> 00:04:01.719
<v Speaker 2>the CIA for intelligence work, not just cyber. It's been

81
00:04:01.759 --> 00:04:02.599
<v Speaker 2>adapted since then.

82
00:04:02.639 --> 00:04:05.800
<v Speaker 1>Okay, and it has six stages. Let's uh walk through those.

83
00:04:05.840 --> 00:04:08.400
<v Speaker 2>Sure. It starts with planning and direction. This is crucial.

84
00:04:08.599 --> 00:04:10.759
<v Speaker 2>It is where you figure out what you actually need

85
00:04:10.800 --> 00:04:12.680
<v Speaker 2>to know, what threats matter most to.

86
00:04:12.680 --> 00:04:15.800
<v Speaker 1>Your organization, defining the mission basically exactly.

87
00:04:16.120 --> 00:04:20.319
<v Speaker 2>Then comes data collection, pretty straightforward, gathering the raw info

88
00:04:20.360 --> 00:04:21.519
<v Speaker 2>from all sorts of sources.

89
00:04:21.639 --> 00:04:21.959
<v Speaker 1>Okay.

90
00:04:22.360 --> 00:04:25.879
<v Speaker 2>Stage three is processing and exploitation. Here you take that

91
00:04:26.000 --> 00:04:29.040
<v Speaker 2>raw data and make it usable, filter out the noise,

92
00:04:29.480 --> 00:04:31.240
<v Speaker 2>organize it, format it.

93
00:04:31.199 --> 00:04:34.399
<v Speaker 1>Like panning for gold, sifting through the dirt to find

94
00:04:34.399 --> 00:04:35.560
<v Speaker 1>the valuable nuggets.

95
00:04:35.720 --> 00:04:39.040
<v Speaker 2>That's a great analogy. Actually, yeah. After that, Stage four

96
00:04:39.279 --> 00:04:43.519
<v Speaker 2>is analysis and production. This is where the real magic.

97
00:04:43.240 --> 00:04:44.759
<v Speaker 1>Happens, making sense of it all.

98
00:04:44.680 --> 00:04:48.720
<v Speaker 2>Exactly, examining the processed data, finding patterns, connecting dots and

99
00:04:48.759 --> 00:04:53.079
<v Speaker 2>producing actual intelligence reports or briefings. Right then Stage five

100
00:04:53.160 --> 00:04:57.879
<v Speaker 2>dissemination hugely important, getting the finished intelligence to the people

101
00:04:57.879 --> 00:04:59.360
<v Speaker 2>who need it, the ones who can act on it.

102
00:04:59.519 --> 00:05:01.560
<v Speaker 1>No point the analysis if it just sits on a

103
00:05:01.600 --> 00:05:05.759
<v Speaker 1>shelf precisely, and the final stage six is feedback.

104
00:05:06.199 --> 00:05:09.959
<v Speaker 2>This closes the loop. Did the intelligence help? Was it useful?

105
00:05:10.279 --> 00:05:12.279
<v Speaker 2>What can we do better next time? It makes the

106
00:05:12.279 --> 00:05:14.839
<v Speaker 2>whole process iterative, always improving.

107
00:05:14.480 --> 00:05:18.279
<v Speaker 1>So it's a continuous cycle, constantly refining based on needs

108
00:05:18.319 --> 00:05:20.759
<v Speaker 1>and results, not just a one shot deal. The book

109
00:05:20.800 --> 00:05:24.439
<v Speaker 1>also mentions tailoring this life cycle. Can you give an

110
00:05:24.480 --> 00:05:25.519
<v Speaker 1>example of how that works?

111
00:05:25.639 --> 00:05:28.519
<v Speaker 2>Sure, the book uses a good one. Think about a

112
00:05:28.519 --> 00:05:30.920
<v Speaker 2>bank versus say, a manufacturing plant.

113
00:05:31.040 --> 00:05:32.800
<v Speaker 1>Okay, different priorities.

114
00:05:32.399 --> 00:05:36.480
<v Speaker 2>Totally different. The bank, in their planning stage would heavily

115
00:05:36.480 --> 00:05:41.000
<v Speaker 2>prioritize intelligence on threats targeting financial systems right like buoy

116
00:05:41.040 --> 00:05:44.720
<v Speaker 2>TOSEL malware, attacks on online banking makes sense, whereas

117
00:05:44.720 --> 00:05:47.439
<v Speaker 2>the manufacturing company might be much more focused on threats

118
00:05:47.519 --> 00:05:51.000
<v Speaker 2>to their industrial control systems, the ICS networks that run

119
00:05:51.000 --> 00:05:51.720
<v Speaker 2>the factory floor.

120
00:05:51.920 --> 00:05:54.680
<v Speaker 1>So the life cycle structure stays the same, but the

121
00:05:54.720 --> 00:05:59.759
<v Speaker 1>focus within each stage changes based on the organization's specific risks.

122
00:05:59.480 --> 00:06:03.839
<v Speaker 2>Exactly, and then tying back to dissemination, that tailored intelligence

123
00:06:03.879 --> 00:06:06.199
<v Speaker 2>needs to get to the right people for the bank.

124
00:06:06.439 --> 00:06:08.879
<v Speaker 2>Maybe it's the fraud team and the application security team

125
00:06:09.399 --> 00:06:12.240
<v Speaker 2>for the factory. Maybe it's the plant operations engineers and

126
00:06:12.279 --> 00:06:13.560
<v Speaker 2>the OT security group.

127
00:06:13.759 --> 00:06:16.519
<v Speaker 1>Got it okay, So we understand what the types of

128
00:06:16.560 --> 00:06:19.079
<v Speaker 1>intelligence and the how the life cycle. Now the book

129
00:06:19.160 --> 00:06:21.959
<v Speaker 1>moves into more practical aspects. What does that involve?

130
00:06:22.319 --> 00:06:27.000
<v Speaker 2>Right? Practical threat intelligence? This is where it gets really grounded.

131
00:06:27.439 --> 00:06:31.519
<v Speaker 2>The book talks about needing to consider real world context.

132
00:06:31.560 --> 00:06:34.839
<v Speaker 2>Geopolitics is a big one, how so well tensions or

133
00:06:34.879 --> 00:06:40.879
<v Speaker 2>alliances between countries can directly influence cyberactivity, state sponsored attacks, activism.

134
00:06:41.439 --> 00:06:43.040
<v Speaker 2>It's often linked to global.

135
00:06:42.720 --> 00:06:45.920
<v Speaker 1>Events, So you need to look beyond just the technical

136
00:06:45.959 --> 00:06:46.879
<v Speaker 1>bits of an attack.

137
00:06:47.079 --> 00:06:50.720
<v Speaker 2>Absolutely. The book suggests not just relying on news, but

138
00:06:50.759 --> 00:06:56.079
<v Speaker 2>maybe even consulting experts in economics, politics, sociology sometimes to

139
00:06:56.120 --> 00:06:58.439
<v Speaker 2>get a deeper understanding of a nation's goals and how

140
00:06:58.480 --> 00:06:59.920
<v Speaker 2>they might play out in cyberspace.

141
00:07:00.199 --> 00:07:01.759
<v Speaker 1>Interesting, that adds another layer.

142
00:07:02.079 --> 00:07:05.879
<v Speaker 2>It does, and practically it means gathering info from diverse sources,

143
00:07:05.920 --> 00:07:08.879
<v Speaker 2>not just your own logs, but security vendor reports, open

144
00:07:08.920 --> 00:07:13.199
<v Speaker 2>source feeds, but also being aware of vulnerabilities potential weaknesses

145
00:07:13.279 --> 00:07:15.959
<v Speaker 2>attackers might target. The analyst's job is then to pull

146
00:07:16.000 --> 00:07:16.639
<v Speaker 2>all that together.

147
00:07:16.759 --> 00:07:19.959
<v Speaker 1>Okay, and then we get to indicators of compromise IOCs.

148
00:07:20.000 --> 00:07:21.839
<v Speaker 1>We hear that term all the time. What are they really?

149
00:07:22.040 --> 00:07:25.120
<v Speaker 2>The IOCs are basically the breadcrumbs left behind by attackers,

150
00:07:25.399 --> 00:07:26.920
<v Speaker 2>digital footprints, like.

151
00:07:26.959 --> 00:07:28.399
<v Speaker 1>Clues at a crime scene.

152
00:07:28.519 --> 00:07:31.920
<v Speaker 2>Exactly like that. They are pieces of data that suggest

153
00:07:32.000 --> 00:07:34.920
<v Speaker 2>a system or network has been compromised. Could be a

154
00:07:34.959 --> 00:07:40.199
<v Speaker 2>malicious file hash, its digital fingerprint, or a suspicious IP

155
00:07:40.319 --> 00:07:43.360
<v Speaker 2>address the malware talks to, a weird domain name, maybe

156
00:07:43.439 --> 00:07:44.959
<v Speaker 2>unusual network traffic.

157
00:07:44.639 --> 00:07:46.319
<v Speaker 1>Patterns, things that shouldn't be there.

158
00:07:46.480 --> 00:07:50.839
<v Speaker 2>Right. They give you a concrete trace of known bad activity. Now,

159
00:07:50.839 --> 00:07:53.639
<v Speaker 2>the book does point out these IOCs can be fleeting.

160
00:07:53.839 --> 00:07:58.040
<v Speaker 2>Attackers change their tools their infrastructure to avoid detection.

161
00:07:58.120 --> 00:07:59.920
<v Speaker 1>So they might not be useful for long.

162
00:08:00.279 --> 00:08:03.120
<v Speaker 2>They might have a short shelf life, yes, but they

163
00:08:03.160 --> 00:08:07.879
<v Speaker 2>are still incredibly valuable. Collecting them, analyzing them, you can

164
00:08:07.920 --> 00:08:11.160
<v Speaker 2>often identify other compromised systems, and if you link those

165
00:08:11.199 --> 00:08:15.240
<v Speaker 2>IOCs back to that geopolitical context or other operational intelligence

166
00:08:15.480 --> 00:08:17.920
<v Speaker 2>you start building a bigger picture of the attacker's campaign.

167
00:08:18.079 --> 00:08:20.759
<v Speaker 1>Ah so even a short lived IOC can be a

168
00:08:20.920 --> 00:08:22.839
<v Speaker 1>key piece of the puzzle, helping.

169
00:08:22.639 --> 00:08:23.959
<v Speaker 2>Connect dots precisely.

170
00:08:24.000 --> 00:08:27.639
<v Speaker 1>The book also briefly mentions the Diamond model of intrusion analysis. Here.

171
00:08:27.720 --> 00:08:28.639
<v Speaker 1>What's the gist of that.

172
00:08:28.839 --> 00:08:31.759
<v Speaker 2>Right, The Diamond model. It's a framework really for breaking

173
00:08:31.759 --> 00:08:35.000
<v Speaker 2>down an intrusion. It looks at four key interconnected points,

174
00:08:35.480 --> 00:08:40.600
<v Speaker 2>the adversary, their capabilities, the infrastructure they use, and the victim.

175
00:08:40.279 --> 00:08:42.279
<v Speaker 1>They target, like the corners of a diamond.

176
00:08:42.559 --> 00:08:46.360
<v Speaker 2>Exactly. By analyzing how these four elements relate in this

177
00:08:46.399 --> 00:08:50.200
<v Speaker 2>specific incident, analysts can get a much clearer picture of

178
00:08:50.240 --> 00:08:53.440
<v Speaker 2>the attack, who's likely behind it, and maybe what they're after.

179
00:08:53.759 --> 00:08:55.759
<v Speaker 2>We might touch on it more if other sources cover it.

180
00:08:55.840 --> 00:08:58.799
<v Speaker 1>Okay, another tool for analysis, Now, this next one sounds

181
00:08:58.799 --> 00:09:02.919
<v Speaker 1>really interesting. Analysis of competing hypotheses or ACH.

182
00:09:03.080 --> 00:09:07.200
<v Speaker 2>Yes, ACH is a really powerful technique, especially when you're

183
00:09:07.240 --> 00:09:12.039
<v Speaker 2>dealing with fuzzy situations, incomplete information, maybe even deliberately misleading

184
00:09:12.080 --> 00:09:14.200
<v Speaker 2>clues during an investigation.

185
00:09:13.639 --> 00:09:15.440
<v Speaker 1>Which happens a lot in cyber incidents.

186
00:09:15.480 --> 00:09:18.639
<v Speaker 2>I imagine it certainly does. ACH was actually developed by

187
00:09:18.639 --> 00:09:21.679
<v Speaker 2>a CIA analyst back in the day. Its main purpose

188
00:09:21.799 --> 00:09:25.080
<v Speaker 2>is to help analysts overcome their own cognitive biases.

189
00:09:24.799 --> 00:09:27.399
<v Speaker 1>Like confirmation bias, where you just look for evidence that

190
00:09:27.440 --> 00:09:28.639
<v Speaker 1>confirms what you already think.

191
00:09:28.759 --> 00:09:33.120
<v Speaker 2>That's the big one, Yeah, confirmation bias. ACH tackles that

192
00:09:33.279 --> 00:09:37.600
<v Speaker 2>head on by forcing you to consider multiple possible explanations

193
00:09:37.639 --> 00:09:39.639
<v Speaker 2>hypotheses at the same time.

194
00:09:39.639 --> 00:09:41.919
<v Speaker 1>Instead of just fixating on one theory.

195
00:09:42.279 --> 00:09:46.039
<v Speaker 2>Right. And the key thing about ACH the book stresses

196
00:09:46.639 --> 00:09:49.559
<v Speaker 2>is that the goal isn't to prove one hypothesis, right,

197
00:09:50.320 --> 00:09:54.159
<v Speaker 2>It's actually to disprove or eliminate the hypotheses that are

198
00:09:54.200 --> 00:09:55.519
<v Speaker 2>inconsistent with the evidence.

199
00:09:55.639 --> 00:09:59.080
<v Speaker 1>Oh, okay, It's about elimination, not confirmation exactly.

200
00:09:59.120 --> 00:10:02.960
<v Speaker 2>It pushes you to think critically, if hypothesis B were true,

201
00:10:03.279 --> 00:10:05.879
<v Speaker 2>what evidence should I be seeing that I'm not. It

202
00:10:05.919 --> 00:10:08.159
<v Speaker 2>forces a more rigorous objective approach.

203
00:10:08.000 --> 00:10:10.720
<v Speaker 1>That sounds incredibly useful. How do you actually do it?

204
00:10:10.759 --> 00:10:11.639
<v Speaker 1>Is there a process?

205
00:10:11.720 --> 00:10:15.360
<v Speaker 2>There is? The book describes using a matrix. It's pretty straightforward. Conceptually,

206
00:10:15.440 --> 00:10:17.799
<v Speaker 2>you list your competing hypotheses, your different theories about what

207
00:10:17.840 --> 00:10:20.200
<v Speaker 2>happened across a top row, ok, and then down the

208
00:10:20.279 --> 00:10:22.720
<v Speaker 2>left column you list all the relevant pieces of evidence

209
00:10:22.759 --> 00:10:23.279
<v Speaker 2>or information.

210
00:10:23.320 --> 00:10:25.799
<v Speaker 1>You have got it evidence versus hypotheses.

211
00:10:25.919 --> 00:10:27.879
<v Speaker 2>Right, then you go cell by cell. For each piece

212
00:10:27.919 --> 00:10:31.000
<v Speaker 2>of evidence, you evaluate how consistent it is with each hypothesis.

213
00:10:31.159 --> 00:10:33.879
<v Speaker 2>Does it support it, contradict it, is it irrelevant?

214
00:10:33.960 --> 00:10:38.000
<v Speaker 1>So you systematically weigh everything against every possibility.

215
00:10:37.360 --> 00:10:42.159
<v Speaker 2>You do, and this matrix visually shows you which hypotheses

216
00:10:42.279 --> 00:10:45.759
<v Speaker 2>are most consistent with the bulk of the evidence, and crucially,

217
00:10:46.080 --> 00:10:50.440
<v Speaker 2>which ones are clearly contradicted and can likely be ruled out.

218
00:10:50.519 --> 00:10:53.039
<v Speaker 2>The book even points to a template for this matrix

219
00:10:53.080 --> 00:10:57.360
<v Speaker 2>by Pasquale Stirparo, which is available online. Handy. Yeah, while

220
00:10:57.399 --> 00:10:59.600
<v Speaker 2>this chapter doesn't go into all eight steps of the

221
00:10:59.639 --> 00:11:02.799
<v Speaker 2>full ACH process, it gives you the core idea, the

222
00:11:02.799 --> 00:11:03.759
<v Speaker 2>core value.

223
00:11:03.960 --> 00:11:08.320
<v Speaker 1>Yeah, that structured thinking seems vital for complex investigations avoiding

224
00:11:08.399 --> 00:11:12.399
<v Speaker 1>those mental traps. Okay, Moving on, the book talks about

225
00:11:12.399 --> 00:11:16.159
<v Speaker 1>intelligence gathering disciplines. Sounds like different ways to get the

226
00:11:16.159 --> 00:11:17.200
<v Speaker 1>information in the first place.

227
00:11:17.320 --> 00:11:20.879
<v Speaker 2>Exactly, These are the various methods, the INTs as

228
00:11:20.879 --> 00:11:23.519
<v Speaker 2>they're often called. Each gives you a different perspective, a

229
00:11:23.559 --> 00:11:24.480
<v Speaker 2>different type of data.

230
00:11:24.600 --> 00:11:25.559
<v Speaker 1>So what are the main ones?

231
00:11:25.600 --> 00:11:28.159
<v Speaker 2>The book highlights several key ones. First up is open

232
00:11:28.159 --> 00:11:31.120
<v Speaker 2>source intelligence, OSINT, probably the most well known.

233
00:11:31.159 --> 00:11:33.759
<v Speaker 1>That's using publicly available stuff right the Internet.

234
00:11:33.639 --> 00:11:38.559
<v Speaker 2>Right, Internet searches, public databases, social media, news reports, academic papers,

235
00:11:39.039 --> 00:11:42.759
<v Speaker 2>even accessible parts of the dark web, anything publicly accessible.

236
00:11:42.879 --> 00:11:43.720
<v Speaker 1>Okay, what else?

237
00:11:43.840 --> 00:11:48.600
<v Speaker 2>Then there's human intelligence, HUMINT. This is gathering

238
00:11:48.639 --> 00:11:52.639
<v Speaker 2>info from people, interviews, conversations, maybe even things like social engineering,

239
00:11:52.639 --> 00:11:54.200
<v Speaker 2>though that gets ethically tricky.

240
00:11:54.120 --> 00:11:55.519
<v Speaker 1>Right, talking to people yep.

241
00:11:56.000 --> 00:12:01.639
<v Speaker 2>Then geospatial intelligence, GEOINT, uses imagery, satellite photos,

242
00:12:01.679 --> 00:12:05.039
<v Speaker 2>aerial pics plus mapping data, can be useful for pinpointing

243
00:12:05.039 --> 00:12:07.360
<v Speaker 2>physical locations related to threats, like.

244
00:12:07.320 --> 00:12:09.240
<v Speaker 1>Where servers might be hosted.

245
00:12:08.879 --> 00:12:13.399
<v Speaker 2>Potentially yeah, or identifying physical infrastructure. Then you have signals

246
00:12:13.399 --> 00:12:18.519
<v Speaker 2>intelligence, SIGINT. This is about intercepting electronic signals like communications,

247
00:12:18.559 --> 00:12:22.840
<v Speaker 2>intercepting communications yeah, or analyzing network traffic metadata like NetFlow

248
00:12:23.200 --> 00:12:26.720
<v Speaker 2>to understand communication patterns without seeing the content. And the

249
00:12:26.720 --> 00:12:31.000
<v Speaker 2>book also mentions financial intelligence, FININT, focusing on money

250
00:12:31.000 --> 00:12:34.919
<v Speaker 2>trails analyzing transactions. This is obviously huge for tracking things

251
00:12:34.919 --> 00:12:37.840
<v Speaker 2>like ransomware payments, often involving cryptocurrency these days.

252
00:12:38.159 --> 00:12:43.639
<v Speaker 1>That's quite a list, OSINT, HUMINT, GEOINT, SIGINT, FININT. The

253
00:12:43.679 --> 00:12:46.399
<v Speaker 1>book mentions others too, like SOCMINT, RECON.

254
00:12:46.759 --> 00:12:50.480
<v Speaker 2>Yeah, there are more specialized ones like social media intelligence, SOCMINT,

255
00:12:50.679 --> 00:12:55.240
<v Speaker 2>imagery intelligence, IMINT, reconnaissance, RECON. The point the

256
00:12:55.240 --> 00:12:57.440
<v Speaker 2>book makes is that you rarely rely on just one.

257
00:12:57.679 --> 00:13:01.879
<v Speaker 2>You need a mix exactly. Combining insights from multiple disciplines

258
00:13:01.879 --> 00:13:05.360
<v Speaker 2>gives you a much richer, more comprehensive understanding of the

259
00:13:05.399 --> 00:13:09.559
<v Speaker 2>threat landscape that leads to better analysis and more effective responses.

260
00:13:09.960 --> 00:13:13.279
<v Speaker 1>Makes sense, build a fuller picture from different angles. Okay.

261
00:13:13.399 --> 00:13:16.200
<v Speaker 1>One last foundational concept from this part of the book,

262
00:13:16.799 --> 00:13:20.200
<v Speaker 1>the Traffic Light Protocol TLP. What's that about?

263
00:13:20.440 --> 00:13:23.720
<v Speaker 2>TLP is all about sharing information safely. It's a simple

264
00:13:23.759 --> 00:13:27.840
<v Speaker 2>standardized system for classifying sensitive information to indicate how widely

265
00:13:27.879 --> 00:13:28.559
<v Speaker 2>it can be shared.

266
00:13:28.759 --> 00:13:30.720
<v Speaker 1>Standardize is key, I guess. So everyone's on the same

267
00:13:30.759 --> 00:13:31.559
<v Speaker 1>page absolutely.

268
00:13:31.639 --> 00:13:34.720
<v Speaker 2>It was developed by FIRST, that's the Forum of Incident Response

269
00:13:34.759 --> 00:13:37.720
<v Speaker 2>and security teams to create a common language. It helps

270
00:13:37.799 --> 00:13:41.000
<v Speaker 2>organizations share threat intel with partners, but with clear rules

271
00:13:41.000 --> 00:13:42.559
<v Speaker 2>to prevent misuse or leaks.

272
00:13:42.759 --> 00:13:45.320
<v Speaker 1>Okay, so it's like a handling label. What are the levels?

273
00:13:45.559 --> 00:13:47.240
<v Speaker 1>The book mentions four colors.

274
00:13:46.960 --> 00:13:50.519
<v Speaker 2>Right, four colors. TLP red is the most restrictive,

275
00:13:50.600 --> 00:13:54.080
<v Speaker 2>basically for your eyes only or only the specific people

276
00:13:54.080 --> 00:13:56.240
<v Speaker 2>it was directly sent to. No further sharing.

277
00:13:56.559 --> 00:13:59.679
<v Speaker 1>Got it. Red means stop sharing, pretty much.

278
00:14:00.080 --> 00:14:03.200
<v Speaker 2>Then TLP amber. This means you can share it

279
00:14:03.240 --> 00:14:05.759
<v Speaker 2>within your own organization on a need to know basis,

280
00:14:05.759 --> 00:14:06.919
<v Speaker 2>but not outside your org.

281
00:14:07.159 --> 00:14:09.679
<v Speaker 1>Okay, internal sharing allowed correct.

282
00:14:10.039 --> 00:14:14.279
<v Speaker 2>Next is TLP green. This allows sharing with trusted partners

283
00:14:14.360 --> 00:14:16.960
<v Speaker 2>or within a specific community like an industry group. But

284
00:14:17.120 --> 00:14:19.120
<v Speaker 2>it shouldn't be posted publicly on the Internet.

285
00:14:19.200 --> 00:14:21.919
<v Speaker 1>Wider sharing, but still within a defined community.

286
00:14:22.120 --> 00:14:26.399
<v Speaker 2>Yes. And finally, TLP clear, no restrictions, share it freely

287
00:14:26.519 --> 00:14:27.799
<v Speaker 2>publicly whatever.

288
00:14:27.600 --> 00:14:31.919
<v Speaker 1>Red, amber, green, clear, seems pretty straightforward, and the book says

289
00:14:31.960 --> 00:14:33.879
<v Speaker 1>it's the sender's job to label it correctly.

290
00:14:34.000 --> 00:14:36.440
<v Speaker 2>Yes, the originator labels the information it needs to make

291
00:14:36.480 --> 00:14:39.480
<v Speaker 2>sure the recipients understand what those labels mean and respect

292
00:14:39.519 --> 00:14:41.039
<v Speaker 2>the sharing boundaries.

293
00:14:40.559 --> 00:14:43.440
<v Speaker 1>And these labels get used in sharing platforms.

294
00:14:43.519 --> 00:14:47.840
<v Speaker 2>They do. Platforms like MISP and OPENCTI often have built

295
00:14:47.879 --> 00:14:51.519
<v Speaker 2>in TLP support, making it easier to manage how intelligence is

296
00:14:51.559 --> 00:14:55.399
<v Speaker 2>distributed based on its classification. The book briefly outlines the

297
00:14:55.440 --> 00:14:58.799
<v Speaker 2>steps for senders using TLP, like being clear about recipients

298
00:14:58.840 --> 00:14:59.519
<v Speaker 2>for each level.

299
00:15:00.080 --> 00:15:03.840
<v Speaker 1>Clarifies TLP isn't the same as the Chatham House.

300
00:15:03.639 --> 00:15:07.240
<v Speaker 2>Rule, right, important distinction. Yeah, Chatham House Rule is about anonymity

301
00:15:07.240 --> 00:15:10.600
<v Speaker 2>of speakers at meetings. TLP is about the dissemination rules

302
00:15:10.639 --> 00:15:12.960
<v Speaker 2>for the information itself, different purposes.

303
00:15:13.000 --> 00:15:15.519
<v Speaker 1>Okay, that clears that up. So wow, that's a lot

304
00:15:15.519 --> 00:15:18.320
<v Speaker 1>of ground covered for the fundamentals it really is. We've

305
00:15:18.360 --> 00:15:23.799
<v Speaker 1>talked about what threat intelligence is, the different types tactical, operational, strategic.

306
00:15:24.200 --> 00:15:26.879
<v Speaker 1>We've looked at the structured life cycle for producing.

307
00:15:26.440 --> 00:15:27.600
<v Speaker 2>It, right, the six stages.

308
00:15:27.679 --> 00:15:32.039
<v Speaker 1>Then the practical side gathering info, considering context like geopolitics,

309
00:15:32.159 --> 00:15:33.759
<v Speaker 1>using IOCs as.

310
00:15:33.679 --> 00:15:38.080
<v Speaker 2>Clues, and critically analyzing things with frameworks like ACH to avoid.

311
00:15:37.759 --> 00:15:42.399
<v Speaker 1>Bias exactly, plus the different gathering disciplines ocent, human, et cetera.

312
00:15:42.720 --> 00:15:46.120
<v Speaker 1>And finally how to share information responsibly using TLP.

313
00:15:46.519 --> 00:15:49.120
<v Speaker 2>That's a really solid foundation from this first part of

314
00:15:49.200 --> 00:15:50.320
<v Speaker 2>visual threat Intelligence.

315
00:15:50.600 --> 00:15:52.960
<v Speaker 1>It definitely feels like it, and the book hints there's

316
00:15:52.960 --> 00:15:56.679
<v Speaker 1>more detail to come on things like specific threat actors,

317
00:15:56.759 --> 00:16:00.240
<v Speaker 1>diving deeper into IOCs and the tools used.

318
00:16:00.840 --> 00:16:04.159
<v Speaker 2>This initial exploration using visual threat intelligence has really set

319
00:16:04.159 --> 00:16:07.480
<v Speaker 2>the stage well, covering those core concepts and the structured

320
00:16:07.519 --> 00:16:11.360
<v Speaker 2>thinking behind CTI. You know, thinking about IOCs. Again, it's

321
00:16:11.399 --> 00:16:12.679
<v Speaker 2>not just finding one.

322
00:16:12.559 --> 00:16:15.120
<v Speaker 1>Clue, right, you said, it's like puzzle pieces exactly.

323
00:16:15.159 --> 00:16:19.639
<v Speaker 2>The real value is connecting them. Imagine security team sees

324
00:16:19.679 --> 00:16:24.039
<v Speaker 2>a weird file, an IOC. Using ACH, they might brainstorm, okay,

325
00:16:24.360 --> 00:16:28.080
<v Speaker 2>hypothesis one, it's known malware X hypothesis Two, it's a

326
00:16:28.120 --> 00:16:31.360
<v Speaker 2>legit file acting weirdly hypothesis three it's something totally new.

327
00:16:31.440 --> 00:16:31.759
<v Speaker 1>Okay.

328
00:16:32.000 --> 00:16:35.480
<v Speaker 2>Then they gather more evidence network logs, process activity and

329
00:16:35.559 --> 00:16:38.559
<v Speaker 2>test it against each hypothesis. Using that matrix idea which

330
00:16:38.559 --> 00:16:40.879
<v Speaker 2>ones did the evidence contradict, which seem more likely? It

331
00:16:40.919 --> 00:16:43.039
<v Speaker 2>helps them focus their investigation effectively.

332
00:16:43.120 --> 00:16:46.919
<v Speaker 1>That practical application really helps solidify it. So for you listening,

333
00:16:46.960 --> 00:16:48.919
<v Speaker 1>we hope this deep dive has given you a clearer

334
00:16:48.960 --> 00:16:52.360
<v Speaker 1>picture of how threat intelligence works and frankly, why it's

335
00:16:52.399 --> 00:16:54.440
<v Speaker 1>so essential in today's cybersecurity world.

336
00:16:54.639 --> 00:16:57.519
<v Speaker 2>Yeah. Absolutely, and maybe it sparks a broader thought too.

337
00:16:58.559 --> 00:17:04.839
<v Speaker 2>These principles we've discussed, gathering diverse information, carefully weighing competing explanations,

338
00:17:05.079 --> 00:17:08.759
<v Speaker 2>being aware of bias. How might applying that kind of

339
00:17:08.759 --> 00:17:12.400
<v Speaker 2>thinking be useful elsewhere in how you consume news, make

340
00:17:12.440 --> 00:17:16.119
<v Speaker 2>decisions just navigating the sheer amount of information we all

341
00:17:16.119 --> 00:17:16.880
<v Speaker 2>face every day.

342
00:17:17.119 --> 00:17:20.200
<v Speaker 1>That's definitely interesting food for thought, thinking like an intelligence

343
00:17:20.200 --> 00:17:22.160
<v Speaker 1>analyst in everyday life sort of.

344
00:17:22.240 --> 00:17:22.480
<v Speaker 2>Yeah.

345
00:17:22.680 --> 00:17:26.000
<v Speaker 1>Well, if this has piqued your interest, definitely consider exploring more.

346
00:17:26.039 --> 00:17:29.079
<v Speaker 1>Maybe check out those resources the book mentions like Security

347
00:17:29.119 --> 00:17:32.160
<v Speaker 1>break dot io or the unprotect project.

348
00:17:31.880 --> 00:17:34.000
<v Speaker 2>Or feel free to share other sources with us for

349
00:17:34.200 --> 00:17:36.839
<v Speaker 2>future deep dives if there are specific areas you want

350
00:17:36.880 --> 00:17:37.720
<v Speaker 2>to explore further.

351
00:17:37.960 --> 00:17:42.079
<v Speaker 1>Absolutely, and thank you again for sharing this source visual

352
00:17:42.160 --> 00:17:45.359
<v Speaker 1>threat intelligence with us. It's been a fantastic starting point.

353
00:17:45.440 --> 00:17:48.000
<v Speaker 2>It really has a great way to understand these crucial

354
00:17:48.039 --> 00:17:48.680
<v Speaker 2>foundations.
