
Cyber Threat Intelligence Podcast
Welcome to the Cyber Threat Intelligence Podcast—your go-to source for staying ahead in the ever-evolving world of cybersecurity by harnessing the full potential of CTI.
In each episode, we dive into the latest cyber threats, emerging trends, best practices, and real-world experiences—all centered around how CTI can help us defend against cybercrime.
Whether you’re a seasoned CTI analyst, a CTI leader, or simply curious about the digital battlefield, our expert guests and host break down complex topics into actionable insights. From ransomware attacks and insider threats to geopolitical cyber risks and AI-driven security solutions, we cover all things CTI.
Join us biweekly for in-depth interviews with industry leaders and experienced professionals in the Cyber Threat Intelligence space. If, like me, you’re always in learning mode—seeking to understand today’s threats, anticipate tomorrow’s, and stay ahead of adversaries—this podcast is your essential companion.
Stay informed. Stay vigilant. Tune in to the Cyber Threat Intelligence Podcast.
Season 1 - Episode 3 (Pedro Kertzman & Pedro Barros)
Navigating the world of threat intelligence feeds requires a critical eye and regular evaluation. Security analyst and educator Pedro Barros takes us through his journey from SOC analyst to threat intelligence professional, explaining why CTI should function as a pillar supporting all cybersecurity operations.
Pedro highlights a persistent problem in threat intelligence practice: the proliferation of "combo lists" - recycled data from old breaches presented as new threats. "If you're going to give me some intelligence, do some more work on it," he challenges feed providers, stressing the need for context that makes alerts truly actionable. Without proper evaluation, these feeds create false alarms that waste precious security resources.
The conversation delves into practical evaluation strategies for threat intelligence sources. Rather than simply accumulating feeds, Pedro recommends quarterly assessments focused on accuracy, timeliness, and relevance. This process should incorporate feedback from SOC analysts, detection engineers, and vulnerability management teams to ensure intelligence serves its purpose across the organization.
For aspiring CTI professionals, Pedro emphasizes understanding adjacent security disciplines as foundational knowledge. He recommends "Visual Threat Intelligence" by Thomas Roccia as essential reading, describing it as so engaging he "started reading it one day and finished it the same day." He also highlights the need for more academic programs to include dedicated threat intelligence courses as the field continues to mature.
Visit Pedro's blog at pemblabs.net to follow his work, including his upcoming analysis of a sophisticated phishing campaign using targeted delivery methods and Telegram bots. Connect with our community on the Cyber Threat Intelligence Podcast LinkedIn group to continue the conversation about building intelligence capabilities that actually matter.
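The combo-list problem and the quarterly feed review described above, as an added example that is not code from the podcast, from Pedro Barros, or from any feed vendor: a Python scorecard that computes, per feed, a recycled-credential rate (indicators already known from a breach older than a year, the combo-list symptom), the false-positive rate from analyst dispositions, a relevance rate, and the median delivery lag. The feed names, alerts, dates and the known-breach index are constructed sample data, and the composite ranking weights are an assumption to tune, not a standard.

```python
"""Threat-feed evaluation scorecard.

Added example, not code from the podcast or from Pedro Barros. It scores each
feed on the criteria the episode names (accuracy, timeliness, relevance) plus a
"recycled credential" check for combo-list noise. All feed names, alerts, dates
and the known-breach index below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass
class Alert:
    feed: str
    indicator: str          # e-mail address, hash or IP the feed reported (constructed)
    event_time: datetime    # when the underlying breach or activity actually happened
    published: datetime     # when the feed delivered the alert to us
    relevant: bool          # did it touch one of our own assets or identities?
    disposition: str        # analyst verdict: "true_positive", "false_positive", "unknown"


# Constructed index of breach records we already knew about: indicator -> first seen.
# In a real program this is your own archive of past breach notifications.
KNOWN_BREACHES = {
    "alice@example.com": datetime(2019, 3, 1),
    "bob@example.com": datetime(2018, 6, 1),
}

# Constructed alerts from two hypothetical feeds: "feed_a" re-serves old combo-list
# data, "feed_b" delivers fresh, contextualised items.
ALERTS = [
    Alert("feed_a", "alice@example.com", datetime(2019, 3, 1), datetime(2025, 1, 10), True, "false_positive"),
    Alert("feed_a", "bob@example.com", datetime(2018, 6, 1), datetime(2025, 1, 10), True, "false_positive"),
    Alert("feed_a", "carol@example.com", datetime(2025, 1, 5), datetime(2025, 1, 10), True, "true_positive"),
    Alert("feed_a", "203.0.113.5", datetime(2024, 12, 20), datetime(2025, 1, 12), False, "unknown"),
    Alert("feed_b", "carol@example.com", datetime(2025, 1, 5), datetime(2025, 1, 6), True, "true_positive"),
    Alert("feed_b", "dave@example.com", datetime(2025, 1, 2), datetime(2025, 1, 4), True, "true_positive"),
    Alert("feed_b", "198.51.100.7", datetime(2025, 1, 3), datetime(2025, 1, 4), True, "false_positive"),
]


def is_recycled(alert, known=KNOWN_BREACHES, max_age=timedelta(days=365)):
    """Combo-list symptom: the indicator was already known from a breach older than max_age."""
    first_seen = known.get(alert.indicator)
    return first_seen is not None and (alert.published - first_seen) > max_age


def score_feed(alerts, known=KNOWN_BREACHES):
    """Per-feed metrics: recycled rate, false-positive rate (judged alerts only),
    relevance rate, and median delivery lag in days over the non-recycled alerts."""
    total = len(alerts)
    fresh = [a for a in alerts if not is_recycled(a, known)]
    judged = [a for a in alerts if a.disposition != "unknown"]
    false_pos = [a for a in judged if a.disposition == "false_positive"]
    return {
        "alerts": total,
        "recycled_rate": round((total - len(fresh)) / total, 2),
        "false_positive_rate": round(len(false_pos) / len(judged), 2) if judged else None,
        "relevance_rate": round(sum(a.relevant for a in alerts) / total, 2),
        "median_lag_days": median([(a.published - a.event_time).days for a in fresh]) if fresh else None,
    }


def evaluate(alerts=ALERTS, known=KNOWN_BREACHES):
    """Group alerts by feed and score each feed."""
    by_feed = defaultdict(list)
    for a in alerts:
        by_feed[a.feed].append(a)
    return {feed: score_feed(group, known) for feed, group in by_feed.items()}


def rank_feeds(scores):
    """Order feeds best-first by a simple composite (assumed weighting, tune to taste):
    relevant, not noisy, not recycled."""
    def composite(s):
        fp = s["false_positive_rate"] or 0.0
        return s["relevance_rate"] * (1 - fp) * (1 - s["recycled_rate"])
    return sorted(scores, key=lambda feed: composite(scores[feed]), reverse=True)


if __name__ == "__main__":
    scores = evaluate()
    for feed in rank_feeds(scores):
        print(feed, scores[feed])
```

Run on a quarter's worth of real alerts, the same four numbers per feed give the SOC, detection engineering and vulnerability management teams something concrete to react to in the review, and the recycled rate in particular separates a feed that re-serves old combo lists from one that adds context about where and when a breach happened.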
Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise who would like to be interviewed on the show, just let us know. Until next time, stay sharp and stay secure!
Especially if you're using free threat feeds, it's easy to just start stocking them up.
Rachael Tyrell: Hello and welcome to episode number three, season one, of your Cyber Threat Intelligence Podcast. Whether you're a seasoned CTI expert, a cybersecurity professional or simply curious about the digital battlefield, our expert guests and hosts will break down complex topics into actionable insights. On this episode of season one, our host, Pedro Kertzman, will chat with Pedro Barros, who is a certified cybersecurity analyst with years of experience in threat intelligence, detection engineering and incident management. He works as a security analyst and also teaches at Houston Community College, where he integrates hands-on labs and real-world case studies to prepare future professionals. Over to you, Pedro.
Pedro Kertzman: Pedro, thank you so much for coming to the show. It's great to have you here. Yeah, thanks for having me. I'm very excited. Awesome, and I usually start by asking the guests about their journey, how they got to know cyber threat intelligence, what path they had, you know, all the way to bringing them to their current role. Can you explore a little bit on that, please?
Pedro Barros: Yeah, so I started in the SOC as a junior SOC analyst, as many would, and then from there, of course, now I work as a mid-tier SOC analyst.
Pedro Barros: At first, threat intelligence was kind of a daunting role for me, but the more time I spent in the field, I started noticing that I'm much more excited by kind of like a research type of work related to cybersecurity.
Pedro Barros: I love incident response. I've been doing that for basically all my career in cybersecurity. But I feel like threat intelligence is the one that touches, like, all other areas, and I think that's my philosophy as well when I approach threat intelligence: I feel like threat intelligence is one of those pillars that should support your cybersecurity operations, plans and goals, for either your SOC or, if you are an MSSP or MSP, right, because you get to find out, okay, what's important for me, what is it that I should be looking for, why I should look for that, and how I can get that information and fit into different roles such as detection engineering, different roles like incident response or forensics, how you can kind of come and fit into that. We're talking about even red teaming and purple teaming. So I think a well-seated threat intelligence role should be able to fit into many, many different areas of the organization. Yeah, you touched on, for me, a very important point.
Pedro Kertzman: You mentioned pillar, right, and for me, I could not agree more, and I also see threat intelligence as guidance, right. So, yeah, what kind of firewall, if you will, strategy or configuration you're going to use, nobody better than your threat intel peer area, if you have one in your company, to tell you, hey, because of, you name it, our industry, the firewall brands we use, so on and so forth, because of the intel I have, you should start with these ones. Yeah, so we always have so much stuff to do on our, you know, busy days. Yeah, why not have that priority list coming from our people that are deep into the weeds to understand the mindset of your adversaries, right? Exactly, yeah, that's awesome. And so you mentioned your path to the cyber threat intelligence role, and would you have any recommendations for people also looking at moving or starting their career in CTI?
Pedro Barros: Yes, so, like I said, CTI should touch basically every other area of cybersecurity, and I think you can thrive more in this role if you understand the fundamentals of incident response, forensics, detection engineering, vulnerability management, identity access management, IAM. And if you get those fundamentals, I think you will better fit into the role of threat intelligence. Like I said, you are supposed to basically kind of like come and make sure you are helping the team, being better and focusing on the things that matter for the company, whether this is vulnerability management and many of these roles. In fact, they already kind of do some kind of threat intelligence as well. Vulnerability management, they also wanna make sure.
Pedro Barros: Okay, should we really be concerned about this vulnerability right now? Is this something that is being exploited in the wild? Right, so you would either have them kind of performing little bits of this role. Right, you talk about detection engineering. They want to be interested as well. Okay, is this detection something that we really need? Like, depending on your environment, whether it's Windows, what type of system you're using, does it really matter to us? So if you have an understanding of those different roles, kind of like the fundamentals, I think it will be much, much easier for you to transition into intelligence and be able to, you know, bridge that gap that exists between those different roles. Excellent.
Pedro Kertzman: Thank you, very insightful. And, you know, you mentioned your role, right? Can you explain a little bit more about your role, some of the things you do in your current role? Yes, so I currently...
Pedro Barros: My main responsibility, and I say that this is basically what I was hired for, is incident response, right, but I work in a corp SOC, which means basically it's not an MSSP, MSP, right, a managed security service provider. So I have certain responsibilities, of course, for that, as well as security engineering, detection engineering and basically reaching out to different stakeholders at the company to see what bad things we are finding and kind of like help them understand why this is bad and where we should move.
Pedro Barros: Like, let's say we found a server that is hosting a service that perhaps is vulnerable or that is transmitting data in clear text. We want to make sure, hey, can we work on this so that we close this port and start using this port, because this port can provide more security, and kind of walk with them as well, like, okay, through the steps of implementation and testing until things are good. Besides that, of course, some responsibilities were being added, in a sense. Like, something came up, you know how to do it, you start doing it, right? That's basically, as well, kind of like how I got into my responsibilities doing threat intelligence for my current position.
Pedro Kertzman: Awesome. Any experiences, recent experiences you had working with threat intel feeds, for example? Good, bad, ugly. You know, any advice around that?
Pedro Barros: Yes, I have a big hiccup when it comes to combo lists, right, because I like to say that a combo list is like the Powerpuff Girls. There is a guy, the Professor, who basically created the Powerpuff Girls, and the way the show starts is basically him making the potion, right? It goes sugar, butter and everything nice, and then he puts in Chemical X and it explodes, and the Powerpuff Girls come into existence. I feel like a combo list is just like, you know, someone put out there going, okay, I got these emails, I got this PII and I got these hashes, password hashes, and then it just brings, like, everything from every other breach that has happened in the past, and that's what a combo list is.
Pedro Barros: And when you have a threat feed that is literally looking into that very heavily, right, whatever new combo list comes up, guess what, they're gonna feed that data into their system. And they start alerting, hey, we found a bunch of emails, we found 100 emails from your company on this combo list. And then when you start investigating that combo list, you start finding, wait, these things are from a breach that happened five years ago, right, seven years ago. There is, of course, the fear of, like, password reuse. But when you look into a breach that has happened five years ago, most of the time you have moved on from that, right, at least if you are implementing good password policies. So that's kind of like my bad experience with some of the threat feeds that you might find out there. They just start generating alerts and it creates sudden panic that is not there, right. And then, of course, you have those good ones where you actually find, like, complete, what I call complete threat intelligence, where they are not just feeding on that data by just looking at the emails or password hashes. Right, if the data has more information in there that can identify where that breach occurred, they will look into those and they will let you know.
Pedro Barros: Here's when we think this breach happened. We think this is coming from the breach that was reported perhaps two years ago, because the data sets look similar to this. You know, they find some commonality in those data sets and make their own assumptions based on that. I think that is more well equipped so that you have an idea, okay, whether this is going to be actionable or not, right, instead of just having a large style, just, you know, because someone can just grab another list of emails and passwords from a previous breach, combine them and then post it on some kind of web forum, and of course your feeds are gonna take it and then just generate more alerts. So that's why I'm very much against, like, combo lists and just using email and password to create alerts.
Pedro Barros: Yeah, if you're gonna give me some intelligence, you know, do some more work on it and then send it, and then I'll see if... No. Yeah, it's good.
Pedro Kertzman: No, that makes sense. And so you mentioned what I would understand as, like, you know, the three characteristics of good CTI: timely, relevant. People are, like, just creating a big feed, but it's actually almost like a repository of historical, yeah, breaches, false positives and noise that it's not super timely to action upon. Yeah, and that's, like, very like the...
Pedro Barros: You know, the basics of threat intelligence, right: is the data accurate, is it timely, is it relevant to you? So I think those questions should, you know, still be applied. And one thing that I feel like we don't talk much about as well is, like, threat feed evaluation, right. You got this, you're receiving, you're using this product, using, you know, their threat intelligence feed.
Pedro Barros: How often do you evaluate how many false positives it has generated, how much of the data, the alerts that it has generated, is relevant to you or not, and how timely that is, right? So I think those are some things that we need to, you guys kind of talk about more when it comes to intelligence, so that we are evaluating it, and if we are doing that and having those conversations as well with those threat intelligence feed providers, I think they will also start looking tomorrow, you know what, we should really start, you know, looking more into our products, see how we can better our product, what our customers are saying about what we feed them.
Pedro Kertzman: Yeah, no, that's awesome. I love this, like a win-win. Yeah, so you were mentioning evaluating, right, the threat feeds or the threat intel you're receiving. Can you expand a little bit more on that, please? Sure.
Pedro Barros: Yes. So I think we should start evaluating more, you know, the value itself, like, of the threat feeds that we have, and I think that should be something that is done either quarterly or every six months, or, you know, I guess, however comfortable you decide to be, maybe once a year, but I think quarterly or every six months would be a better place to be than once a year. So you, being the threat intelligence analyst on the receiving end, and you're feeding intelligence as well to others, you're creating a workflow that will trigger alerts for the SOC, right, for your analysts. Look into the SIEM, right. You analyze the threat by yourself looking into the data that is coming, right, you know, as a threat feed, by looking yourself at the data that is coming, but also by taking input from the team that you're serving inside your company. Right, how does the SOC feel, how do the analysts feel when those alerts are coming? Are they complete? Do they have to do a lot more work to understand why this is an alert, why this matters? Right, if you're creating an alert based on that, you also, you know, it would be a good idea to kind of provide, like, certain things that they should be looking for. If that is missing, you know, talk with them. Okay, what do you think you wanna see when that alert comes, on that single pane of glass where you're basically kind of looking at the alert? What matters more to you, and have you seen this on the alerts when they pop up, or is this something that you have to search more for?
Pedro Barros: You go into the detection engineering team, get the feedback from them. Is this valuable? Let's say, perhaps you're bringing some kind of YARA rules that you find interesting, and then you want perhaps your team to kind of like work and find a way to translate that into their SIEM technology or whatever technology they are using. And even from a vulnerability management standpoint, right, how are they getting informed more about those vulnerabilities that they are trying to patch and mitigate, right? Do you provide some kind of more insight? Did you help them make their decisions easier when it comes to that? So there is the one side where you have to actually kind of like go and look into the data that you're receiving, see perhaps what's missing there, what's good, and if you're distilling that information to other roles or departments in your company, get the feedback from them as well, ask them whether that data is valuable or it's just something that, you know, perhaps they see, oh, there's one more came in, right.
Pedro Kertzman: So I think, look into evaluation in that way will be a great way to approach it. Yeah, just listening to what you're saying, it feels that we might benefit from having, for example, like an evaluation matrix for feeds, data feeds, I don't know, maybe parameters like completeness of the information or, you name it, timeliness, so on and so forth, to actually help judge, filter, what are the best feeds I have, the most important ones, the ones that are actually making my analysts spend more time to actually come up or make sense of that, not as complete or accurate information. Maybe it could be something that, I don't know.
Pedro Barros: Maybe somebody will build something like that in the future to help the industry in general. Yeah, that's a good idea, because I never thought about, you know, even just creating a matrix, but it would be interesting to look into that and see if, you know, something could be created so that people can have something to use as a reference when evaluating data feeds. Yeah, funny enough, a few months ago I was putting together a presentation for, like, college students, so I was doing a presentation at a college here and, you know, talking about the industry, telling them a little bit about the history around threat intelligence.
Pedro Kertzman: And actually I realized that most of the security vendors, the big vendors that we know out there, you name it, firewall vendors, endpoint security vendors out there, they always had some sort of internal cyber threat intelligence practice and they used to use that to pump, to be able to have, like, good, let's say, off-the-shelf products, to pump that information into their, again, firewalls, endpoints and so on.
Pedro Kertzman: But they never realized that at some point, and that probably happened, I don't know, anywhere between five and ten years ago, we started seeing some more focused, boutique-ish players, you name it, scraping the dark web and then creating feeds out of it or, you know, collecting whatever other type of telemetry or intel and creating packages specifically to sell cyber threat intelligence. And then those, let's say, big players that had that internal knowledge but never thought that could actually be a product and another subset of the industry, if you will, they were like, oh wow, wait up, we can do this. We have this knowledge internally. So now all those big players decided to also create their threat intel offerings, and, you know, the market is, as you know, right now clogged with so many offerings, feeds all over the place, right, so it's hard to judge what's the best one for me.
Pedro Barros: So you got to put a lot of work in to make sense of what's the actual information that you need. Yeah, if you, especially if you're using free threat feeds, it's easy to just start stacking them up, right, if you're not really looking much into why you wanna collect that specific data. Oh, just another one. Oh yeah, you know, this happened, but we missed it from those, let's say, 15 data feeds that we already have. We didn't get that information, but there's this one that we saw that provided that information. You know what? Let's add that to the list.
Pedro Barros: It just starts piling up, piling up, and sometimes it becomes, like, a question, of course, even of the data ingestion into the SIEMs. Right, how much are you gonna keep pulling? And if you're not evaluating as well, you gotta deal with storage as well when it comes to many SIEMs, not just ingestion, how much data you bring in, but also how much you're saving, for how long you're keeping that data as well. So it can become, in a sense, just expensive for nothing.
Pedro Barros: And one other thing as well, now that you mentioned when you were starting up, is that I feel like threat intelligence, I think the way that we are right now, even in schools and colleges, it should become, like, a class of its own. I think at this point there should have been, like, a... You know, there are many more colleges and universities that are creating cybersecurity curricula, but most of the time you won't see any course related to threat intelligence. And I just start wondering why. Why is that? I think we are at a time where it's something that we think is important and that has matured enough to that point where we should have something related to that.
Pedro Kertzman: Yeah, I could not agree more. That's why I reach out to colleges and other institutions that have cybersecurity programs to see if they already have anything related to CTI. If not, if they're interested in listening to anybody talking about that topic with their students, just to create more awareness around this important part of the industry. Which kind of reminds me of a topic as well. We do have a fair amount of open source slash free CTI feeds out there, but sometimes the quality, like you mentioned, right, because we don't have, like, a huge amount of people behind that feed making sure, you know, the information is timely, relevant, so on and so forth. The flip side of it will be the analysts or the teams relying on that information having to, you know, work a lot more just to make sense of that information popping into their systems.
Pedro Kertzman: Yeah, no, that's awesome. And, you know, I heard you recently spoke at another cyber threat intelligence conference. Can you just mention a little bit, how was it? Some good insights from it?
Pedro Barros: Yes, this was actually my first speaking engagement opportunity ever. There is actually one more coming up. It won't be necessarily on cyber threat intelligence, but it was super good. I remember coming in at night at the hotel and just seeing some guys hanging out in the lobby. I was like, you know what, let me go introduce myself to those people. And I went and introduced myself. Guess what? Some of them were actually people who were on the board and the ones who decided which talks they're gonna accept and which ones they're not. So they were very excited for my talk and that kind of encouraged me. I had a lot of stress being a first-time speaker, but it was really just amazing.
Pedro Barros: The only thing that happened, and it's nothing to do with the conference, I discovered that I am, I guess, very sensitive to lights, so those stage lights at the end of my talk caused me an immense headache. Oh no. Yeah, but overall the conference was amazing. It was a great experience. I would recommend to people to, you know, join conferences and go listen to other people, and, you know, if you have something that you want to talk about, you know, submit to the call for papers and see if it's gonna be accepted or not. Yeah, honestly, that's for me probably one of my favorite parts within the industry, especially in CTI.
Pedro Kertzman: Overall in cybersecurity we see that, but especially in CTI, the amount of collaboration, right? Because we know, and across so many, you name it, literature, we have forums, blogs, you name it, we always hear about, even though I'm going to name an industry, it could be so many others, even banks. In theory, from a sales and marketing perspective, they're competitors, but when it comes to operations, especially cybersecurity and cyber threat intelligence, forget this competitor mindset and collaborate. If we don't do that, we're always going to be outnumbered, because threat actors do that.
Pedro Kertzman: Right, yeah, they do that, you know, and they are... Yeah, no, go ahead.
Pedro Barros: Yeah, and they are well motivated to do that, right. Yeah, sometimes it's just, I guess, the promise of a great financial gain from whatever they're going to do, or if they're already even being paid, right, talking about advanced persistent threats, if they're already being paid by, perhaps, a government or something like that, so they're well motivated to continue to share. Exactly, exactly.
Pedro Kertzman: That's why we need to really get together to flip the table, you know, get ahead of these guys, otherwise it's always going to be this nightmare that sometimes we see. Oh, and talking about, you know, collaboration and studying and references and stuff, any, you know, blogs or books or references that you use to update your knowledge?
Pedro Barros: Yes, one of my favorite books so far when it comes to threat intelligence is Visual Threat Intelligence by Thomas Roccia, I hope I'm not butchering his name. It's great. It touches the fundamentals so well, and the graphics in it, the book in itself, it looks like a comic, but the graphics in it just help you understand those concepts much better. I think I read that book, I started reading it, like, on one day and I finished it the same day, because it was that good. It was just that good. I was just, like, you know, I was not getting tired, I was excited. The more pages I flipped, it's just so good, so many fundamentals in there, and it provides so many resources on how to do things and where to find them as well. So that's my main one to go to. Now there is one that I find very interesting as well. I think in a sense it's futuristic because it talks a lot about AI. It's by Justin Hutchens, The Language of Deception: Weaponizing Next-Generation AI. It's so good.
Pedro Kertzman: It touches many aspects of threat intelligence that I think will be a wonderful read. Okay, that's awesome. And, you know, still about, you know, reading materials and upgrading your knowledge per se. What about your knowledge? Do you have any ways you, you know, share articles, write stuff, or, you know, conferences you talk at? If people want to learn more from you, is there anywhere they should go?
Pedro Barros: Yes, I have a blog of mine, it's called pemblabs.net. That's P-E-M-B-L-A-B-S, pemblabs.net. That's where I share my articles, and I'm actually going to post something soon that I think is going to be a very interesting read as well, about an infrastructure that I was able to track down, and, you know, it got me to ask that question of also kind of ethics on reporting, when you should report something when you find it as well. So I ended up finding this malicious infrastructure that ended up becoming a big campaign. But, yeah, before reporting it, I decided, okay, let me spend some more days on this, really dig into it. Do a lot of OSINT as well into that.
Pedro Barros: I ended up finding more.
Pedro Barros: It started from GitHub, went into certain pages. It went from one phishing page to about five phishing pages, and he did something very interesting that I thought, oh, why is he doing this? It was so targeted that it would only get you to those phishing landing pages if you were part of the email list that it wanted to target. So you wouldn't get to that landing page if you were not part of it. So it was just interesting.
Pedro Barros: And one other infrastructure ended up leading to one of these Telegram bots, so I was very excited about that. Did a lot of hosting on those Telegram bots that I haven't done before in the past, so it was just fascinating. So I'll be sharing there on my blog. That's again pemblabs.net. That's where I normally write my stuff. So far I don't have much written, but there are already some posts in there, and I'm very hopeful that I'll finish writing this one and it will probably be up by the weekend. Awesome, yeah, awesome.
Pedro Kertzman: Thanks for sharing that. Yeah, and one question I'd like to ask all our guests: from, you know, all the knowledge you acquired throughout your career, especially in the CTI area, is there anything that you know today that you wish you knew at the very beginning, when you started in the CTI industry?
Pedro Barros: Yes, I would say so. The way I look into CTI, right, touching into different roles, one that I like most is, you know, when I get to do malware analysis or reverse engineering, and if there's one thing I regret, it is to kind of skip a lot of data structures and systems engineering, right? I feel like if I had spent more time understanding the fundamentals of that, it would make my work, when I'm analyzing malware, much easier, understanding the system calls and those functions that you already have there in Windows or Linux, how they are borrowed from different libraries to basically perform those actions that they're looking for. I feel like if I spent more time, and I'm going to be spending some more time during this year reading a lot more into systems engineering and understanding the file structure as well. So those are some of those things that I look back on. I was like, man, I wish I could have spent more time on that.
Pedro Kertzman: Awesome. So I guess it's also some good recommendations on next steps for people looking for topics that will help them to be a better threat intelligence unit, and so on. Yeah, Pedro, thank you so much for coming to the show. I really appreciate all the insights and I hope I'll see you around.
Pedro Barros: Yeah, for sure. We both speak Portuguese. We just learned that, so that's awesome. I'm very glad to have met you and have this opportunity to be here with you. It was really good.
Pedro Kertzman: Same name, same industry, same mother language. Oh my goodness, nobody's going to ever beat that one. Thanks again.
Rachael Tyrell: And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise who would like to be interviewed on the show, just let us know. Until next time,