
Cyber Threat Intelligence Podcast
Welcome to the Cyber Threat Intelligence Podcast—your go-to source for staying ahead in the ever-evolving world of cybersecurity by harnessing the full potential of CTI.
In each episode, we dive into the latest cyber threats, emerging trends, best practices, and real-world experiences—all centered around how CTI can help us defend against cybercrime.
Whether you’re a seasoned CTI analyst, a CTI leader, or simply curious about the digital battlefield, our expert guests and host break down complex topics into actionable insights. From ransomware attacks and insider threats to geopolitical cyber risks and AI-driven security solutions, we cover all things CTI.
Join us biweekly for in-depth interviews with industry leaders and experienced professionals in the Cyber Threat Intelligence space. If, like me, you’re always in learning mode—seeking to understand today’s threats, anticipate tomorrow’s, and stay ahead of adversaries—this podcast is your essential companion.
Stay informed. Stay vigilant. Tune in to the Cyber Threat Intelligence Podcast.
Season 1 - Episode 10 (Pedro Kertzman & Kees Pouw)
Ever wonder how top security teams stay one step ahead of cybercriminals? The answer lies in the ancient wisdom of Sun Tzu: "If you know yourself and know your enemy, you'll win all battles." This principle forms the foundation of effective Cyber Threat Intelligence (CTI).
To celebrate our 10th episode, we had an insightful conversation with Kees Pouw, a veteran CISO with over two decades of cybersecurity experience, where we explore how organizations can build powerful CTI capabilities that transform their security posture. Drawing from his experience as both a consultant and in-house security leader, Kees breaks down the mystique surrounding threat intelligence and delivers practical insights on implementation.
"The best battles are won before they're fought," Kees explains, highlighting how proper intelligence allows organizations to deter attackers through strategic preparation. By understanding specific attacker techniques—like Lockbit's targeting of VMware ESXi hosts—security teams can focus limited resources on the most critical defenses.
We dive deep into the four core domains of comprehensive CTI: threat intelligence feeds, dark web monitoring, digital risk protection, and attack surface management. For organizations just starting their CTI journey, Kees offers a pragmatic roadmap, suggesting which capabilities to prioritize and how to grow organically from existing security operations.
The conversation takes a fascinating turn when we explore how agentic AI is revolutionizing threat intelligence. Kees shares his "wow moment" realizing how AI agents can automate complex research tasks that previously required specialized human expertise—potentially transforming how organizations process the massive volumes of intelligence data.
Whether you're looking to build your first CTI program or enhance existing capabilities, this episode provides a masterclass in making threat intelligence both practical and powerful. Subscribe now to continue learning from cybersecurity leaders who are shaping the future of digital defense.
Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure!
I had that wow moment. Oh my God, this is going to quite disrupt the industry and everybody should be looking at that.
Rachael Tyrell:Hello and welcome to Episode 10, Season 1 of your Cyber Threat Intelligence Podcast. Whether you're a seasoned CTI expert, a cybersecurity professional or simply curious about the digital battlefield, our expert guests and host will break down complex topics into actionable insights. On this episode of season one, our host, Pedro Kertzman, will chat with Kees Pouw, who has over 20 years of experience in helping organizations excel in the areas of cybersecurity, risk management and architecture. He was the co-founder and managing partner of iSecurity, a leading North American cybersecurity firm developing custom-built solutions for many customers. Currently as the CISO of one of the largest brokerage firms in Canada, he brings distinct insights into the cyber threat landscape and the steps that the organization can take to build world-class cyber resilience. Over to you, Pedro.
Pedro Kertzman:Kees, thank you so much for coming to the show. I'm really happy to have you here.
Kees Pouw:Well, thank you, it's exciting to be here and to be talking about cyber threat intelligence. I think it's a topic that, frankly, drives a lot of interest and excitement. Even when I need to talk to my executives, I can see that a lot of things related to cyber can be very boring to them. But when you start talking about cyber threat intelligence, they get excited, even though I think sometimes it's a little bit, uh, not clear what it is. It's a bit mystic thing around it. So I'm happy to be here and clarify some of that and what it can do for you and what it cannot, and, uh, what are the things that are available? Right, awesome.
Pedro Kertzman:Yeah, I cannot agree more. I think it's the the topics like super hot nowadays, especially when we start seeing the boundaries or blurred lines between intelligence in general, geopolitical stuff, how it translates into the cyber universe and back and forth and all that. So probably that's why they get so excited when they start hearing the cyber consequences of some geopolitical decision or something like that. Again, thanks for coming to the show and, given your experience, I think it would be valuable for the listeners if you could bring, for example, what's the main value for an organization to build a CTI program? Any thoughts around that?
Kees Pouw:Very good question right to start off why should we have a cyber threat intelligence program? And, speaking from the perspective of a CISO, right, my current role in a mid-sized organization where we have to be very smart about where we apply our resources and what's going to bring good outcomes right for a security program. So I like to step back and think about The Art of War. In essence, I love those concepts. It's amazing to me that they are thousands of years old and apply to what we're trying to do, including in the cyber. And I'd like to start with the statement from Sun Tzu about if you know yourself and you know your enemy, you're going to win all battles. If you just know yourself, you don't know your enemy, you're going to win half of the battles. And the other way around If you know about your enemies, you don't know yourself. It's also half.
Kees Pouw:If you don't know yourself and your enemy, you're really in bad luck, right, you're going to lose most of the battles, and the cyber threat intelligence is that half. It's knowing about your enemy, it's knowing what are their intent, what are their motivation, what are their capabilities, what techniques they use. And, again, knowing that, I think you're going to be able to much better apply your resources when you're building your capabilities and, frankly, while it may be sound very easy to know yourself, organizations are very complex, right? So you don't have, like you don't, I don't step into this job and I get a list of all the applications that I have, everything that's externally exposed and what are all the data flows, everything documented. It's really not like that. So this is why getting to know your enemies and also having a view of your enemies on your infrastructure and how they can attack you, it becomes so, so important.
Pedro Kertzman:And I think another quote that also resonates to me, but maybe it will be like a follow-up on this one after you know yourself and you know your enemy, it was kind of clear the quote-unquote value from a CTI perspective of that quote the best wars are won even before they start. So if you properly know you and your enemy, you won't actually have a war. They probably won't try to then translate it to CTI. They won't probably even try to go to your environment because just the way you're prepared for any particular tactics or methods they use to try to breach your environment, they will go there and just that's gonna beat you hard. So they go elsewhere, yeah so going back.
Kees Pouw:The other one is, uh, to to know your enemy, you have to become your enemy. So then that's a nice one. Yeah, that's another good one where cyber threat intelligence can provide you a lot of value. And I think what you're mentioning as well is that if you want a battle when you don't even have the battle right, your enemy understands your capabilities, you know themselves, and they don't even try. And that's kind of ultimate goal. It's not to have a war at all because the enemy is going to go elsewhere, and I think this is very valid in the cyberspace because there's a lot of crimes of opportunity 100% and continue with that.
Kees Pouw:I can give specific examples where having good cyber threat intelligence helps us focus our program. In my previous days, when I was running a lot of incident response, dealing with a lot of ransomware, we know that LockBit goes after the VMware, the ESXi host, and they go there and then they encrypt the entire territory of VMs, which is a very effective technique for them because it overwhelms. So when I start my new job, that's the first thing I'm going to look. Ok, let's protect the ESXi host because that's a place they're going to go after Right, like if they breach my initial layers. That really informs the decisions that you have to make in terms of where to put your scarce resources to high effective protection. Excellent An example that I'm seeing now we're seeing a lot of increased attacks with fake CAPTCHA.
Kees Pouw:We've learned that from some feeds and it's a lot of living off the land and, for those who are not familiar with it, it's using less of malware but using the tools available.
Kees Pouw:Let's call it dual use where, um, it's difficult because it could be a administrator or an engineer or a developer using these tools but in, in fact could be hackers using like PowerShell being one. One good example. So, in knowing that our training program, the simulations we do, are focused on that particular one as opposed to being too broad and generic, again, using resources in the most effective way because they're limited, even the time of individuals where they're going to pay attention for your training program, the more you know again right about your enemy you're going to be deploying these resources and, as you mentioned, in this case, if we are well trained about these attacks and the users behave well, we're even not going to have any war right or any battle because it's won before it was fought. I think that's actually the quote. The battles are won before they're fought right.
Pedro Kertzman:Yeah, because you are well prepared for it. That's a great point. You mentioned a few times about that equation, especially for mid-sized organizations budget resources, best usage of those resources, so on and so forth. When it comes to a CTI program, any particular domains that you would focus with that resource constraint in mind, what would be the most valuable ones to have in place or invest in?
Kees Pouw:Very good question. So, in accepting the importance of a program, I think the next question would be what is it? What would characterize a cyber threat intelligence program? Before we answer which ones, to start, I think it's worth spending some time clarifying. What does it mean? What are the functionality we expect to have from a cyber threat intelligence program or platform? I think the first thing that comes to mind at least to me, anyway. Like again, I'm speaking this from more a management perspective than a technician or a very deep domain expert it's about threat intelligence feeds. So I think this all started with okay. So if people are threat actors, are attacking, what are the IPs, what kind of domains they're using, and if there's malware a lot of it was related to malware what kind of hashes that we can go and find in the environment. This is kind of quite static type of information. Frankly, it's a whack-a-mole and the industry has moved away from it where we look more at behaviors in knowing the techniques. So it's kind of the more advanced.
Rachael Tyrell:So, but that's how it starts Threat intelligence feeds.
Kees Pouw:then the other domain. It's about the dark web. To demystify this is people using servers using anonymization techniques like what we call Tor nodes, where you cannot really trace a box. So it started with the intent of privacy, but it allows the creation of these sites where people can anonymously fully anonymously or extremely difficult to trace them where they can just create forums and exchange information and you can monitor for credentials. That's kind of the classical one right, like what kind of databases from previous breaches where dumps of credentials are exposed or threat actors are exchanging information. You've got to think threat actors are supply chains. Some people are just finding compromised credentials and selling them. Others are taking those credentials and executing it ransomware. So it's a lot of exchange between them. So monitoring those sites to understand if your organization has any credentials, confidential information, or if there's any chatter or conversation about attacking the information. It could be people that sometimes people have been breached and they don't even know, if they go there and find out that a lot of information has been taken.
Kees Pouw:Then there is what we call digital risk protection. It's just monitoring lookalike domains, people trying to fake their organization, for example, to do accounting covers or trick people into going there and providing their credentials, thinking they are the organization and then subsequently using that and, the last element of that, external assets and vulnerabilities associated with that. But from the perspective of an attacker, right, a threat actor, not what you know internally, but what an attacker can see in terms of gathering intelligence and information about your organization. So, basically, what attackers can see about the environment? What are URLs, what are domains? Do they have any vulnerability associated to that?
Kees Pouw:So to summarize we're talking about Threat intelligence feeds. We're talking about monitoring the dark web or any previous incident leaked information. We're talking about digital risk protections, like people faking to be you. And then attack surface meaning how do they see your organization, your domains and what vulnerabilities are associated with that? So that's a kind of high level. What are the domains? So to go back to your question, where to start, I would start with the elements of the threat intelligence feed and the attack surface management, because they are very natural extension of your security operations center. I'm assuming any mid-sized organization would have one, even the small ones these days. If they cannot have internally, they will have a third party which is monitoring their internal network, the logs, and looking for malicious activities in the environment. So that's kind of the internal part of things. So think of the cyber threat intelligence now monitoring the external side of things. Right Now you want to expand that monitoring of the internal assets. Where are the logs? Is there any abnormal behaviors there? And you want to say, okay, let's start monitoring on the outside things that are relevant to my inside, my assets. So again, the threat intelligence feeding into inside. Do I see any activity related to this, malicious IP URLs or any hashes, and what are those assets that are exposed on the internet, what they look like, what attackers would see. Those are the two areas right Now, going into things like the dark web monitoring and digital risk protection, my suggestion would be, if you're just starting, is to get engaged with a third party which could provide you a simple report or do a demo with one of the commercial tools.
Kees Pouw:The vendors will be very happy to do a proof of value right, yeah, to show it to you. In fact, sometimes you even get these emails right. Oh, I found all these things on the dark web. Please have a look. Right, because they want to kind of scare you and show off the things that you may not know that's going on about potential leakage of information and same related to the digital risk protection. You do a demo with those and then see what the value is. Right. As I said, I would expand. The natural thing is, expand some of the functions of your security monitoring system. Assign somebody, full time or partially, to start looking into these domains and see what the value is, and they will have different.
Kees Pouw:Depends on your business as well. If you are offering a lot of digital services, right, like if you have a customer portal, for example, and a large number of people using that portal, digital risk protection is something you want to look into. Otherwise, you're going to potentially like, for example, as we are a financial institution, this prevents fraud I can't word. It's mainly used for fraud.
Kees Pouw:There's a big element of financial motivation talking about knowing your enemy right, there's a lot of element of financial motivation and the threat actors really trying to monetize against you. So I think that gives you kind of a kind of summarize it. And your SIEM, your SOC, with the threat intelligence and attack surface management, because they're very important things to do anyway. And then the dark web, digital risk protection, and even if, when we look, those are things you may want to start with a third party and then, if you like, you buy the platform that, then you need to train and get somebody to dedicate more time to it perfect, and I love the way you put it the supply chain on the threat actor side, the working together in different areas of expertise to kind of leverage each other's knowledge when it comes to to an attack plan or something like that.
Pedro Kertzman:They don't try anymore to know every single area within the cybersecurity space. They're just super specialized on like credential stealing or ransomware or web app application exploits and you name it. So they're kind of a and they also, you know, get together on this sort of a supply chain, as you mentioned, to try to go after their targets. That's a really nice way to put it.
Kees Pouw:Yeah, they're trading right. So, as people in the real world realize I'm good in something and then I specialize on that something and then I start trading right, like I got these credentials, then the other one is really good at creating, like software development, so they would do ransomware platform, where somebody can just use that for the sake of doing the encryption and the negotiation and whatnot, while people specialize in getting that initial access to begin with, which provides you an opportunity. If credentials of access to environment exist and somebody is offering it and if we infiltrate that, we would be able to prevent that. That's another aspect of it where you can prevent a situation from happening. Again to your point earlier, you would would prevent you win the battle even before you're killing that aspect of the kill chain, right, yeah, now maybe it's a good point for us to talk about what are the challenges, but we speaking about all of these great capabilities and the benefits, but, as everything else, uh it, it has its disadvantages and challenges, right, and the first thing that comes to mind if we think about what we're talking about, like the internal and external and cyber threat intelligence being focused on the external, you can imagine the volume of information that you're talking about that's right All the forms that exist, the ones that you know of, the ones that you don't know of yet.
Kees Pouw:So we're really talking about, with huge amount of information that needs to be processed, validated to be meaningful, and the amount of false positives that you can get. So I gave the example earlier of somebody saying, oh, I found a bunch of these credentials in the dark web and you now have to go and validate are these valid or not? Or is this documentation really mine or not? Is it really confidential? So you can spend a lot of time dealing with false positives, and I have a term that I use to my team, like it's chasing ghosts. Right, you're really chasing a ghost. It's not relevant, because the information, the intelligence, it has to be relevant, it has to be timely and it has to be impactful to something you do, and quite often it's not. It's still information. It may be a list of people that are not with you anymore, accounts are not active and if you're talking about thousands of them, you're going to have to reconcile that information and sometimes you spend a lot of time and it does not really yield anything. So it has an element of hit and miss that.
Kees Pouw:I believe that it's a, it's a drawback of it and and if you have to focus, like you just think about, like the internal, the internal information about the internal, your SOC, is something you know, it's there, you control, while the information out there it's something that's somewhat outside of your control. So you have to balance that right, that you, you have to have the ability to quickly filter through that and and it goes back to having developing some skill set where a good integration with the internal team and also have a good handle about your assets information, which is a good thing to have anyway and you need it for internal protection. The other challenge would be cost. So if you move into a commercial platform, they're not cheap, they're expensive and the cost can add up Now the platform, the cost of an analyst, and if you're not using that actionable, impactful kind of intelligence, you may not be getting the full return on investment right. So that's the kind of challenge and the pitfall that I see.
Pedro Kertzman:Awesome, Now that, let's's say, we know the recommendations of the three or some of the main domains to have on a CTI program, some of the drawbacks let's say the company is growing they are thinking about. Ok, so maybe it's time to really start a CTI program. Where is like ground zero kind of thing Would you recommend? Yeah, start your CTI program from your experience by doing this part of the equation and building from that kind of thing. Any thoughts around that?
Kees Pouw:Sure, I think two kind of different approach you can take, right. So, more in the line that I suggested and that I frankly like it more, is to expand an existing capability. So it would start with your security operations center team and expand those functionalities into attack surface management. As I said, the threat feeds and grow from there, right, awesome, I think that that's a kind of organic growth. Or you, you could, um, just go to the market and and acquire a cyber intelligence team, right, you just say, okay, I going to get somebody who has experience on this and then bring a person and then they start building a team that's high specialized. So it's a question of a budget.
Kees Pouw:Very rarely in my career I say, okay, oh, now we have a couple million dollars to start this program, but it does happen, right, if that's the case, that's kind of a different approach where you can then build the program with that intent of building a sophisticated cyber threat intelligence, as opposed to growing what? What you have the? The other aspect of it is what are the skill sets like? Who are we going to assign to this function? And, as I said, most likely somebody from SOC that can be expanded to the role. It could be as well somebody from an offensive team that can go there.
Kees Pouw:I think the minimal knowledge that somebody has to have is to have a good understanding of threats, understanding of even I'll take a step back right Like having a good understanding of networking, how the attacks work, some understanding of coding, application, a very structured mind in terms of doing investigations and looking at things from an evidence perspective. It's very helpful Some past experience in dealing with incidents. That's why I kind of say SOC, a very analytical role that you can connect the dots and seep through the information and make the right conclusions. As I said, you can get information overload. I find some people are not really good at this because they start going crazy, they start speculating, they don't follow the evidence, the bias.
Pedro Kertzman:And they go nuts.
Kees Pouw:They start making stories on their head.
Rachael Tyrell:And then you say what?
Kees Pouw:evidence do you have? Or is it insider threat? Okay, but there's no evidence of insider threat here. People, human brain is very interesting. Right, like you, we have good large language models. Right, like you, have these blanks and try to fill the blank. Right, it doesn't have the information. Start making up information, start hallucinating to a degree, that's right. This is kind of uh, the way. The way I see it. And then I like to pair a lot the cyber threat intelligence team with the offensive team, because they, they, should be sharing a lot of information.
Kees Pouw:Right now we talk about more sophisticated is about knowing the techniques, the methods is moving beyond that initial baseline of looking at static information and doing search on environment. It's about, okay, what are the techniques that are exploitable and which ones we have to worry about and which ones are being actively used, and are they relevant into relevant into our environment and putting the focus to fixing those right Again. So, is it relevant? We see it out there that threat actors are using a lot. We know that this applies to us, so let's go and fix it right.
Pedro Kertzman:That's awesome. That's super insightful. Thank you, okay, I think that's a good uh understanding for people. You know best practices, how to create your own CTI program and one thing that, uh, it might like pepper in into, uh, many of different aspects of our previous conversation and it's probably the acronym of the moment kind of thing how do you see agentic AI improving or changing, or how do you see agentic AI within the CTI or cybersecurity context? What is your perspective on it?
Kees Pouw:Yeah, I'm glad you brought that up. Overall, I believe AI agentic AI in particular it's going to disrupt our industry. I think it's disrupting many industries and maybe I'll start from what my view was when we first got to know about ChatGPT. That was that wild moment. First, of course, you're so amazed by what it can do. I look at this movie from uh called Hidden Figures. It's a bunch of uh black women right that were working for NASA and they were calculators, uh, and you know it was difficult for them and difficult for them to show their value and why kind of male-dominated industry. But the core of the story was that we had a profession called a calculator, which what these ladies were really doing, and they basically did the calculations right, Like they came with they want to calculate the trajectory, whatever that is. And then they went do all this math.
Kees Pouw:And then they brought the IBM computer, forgot the name of the model, but that was the first one. So the leader of that group she was so smart said we got to learn this thing because this is going to replace us Bottom line. You don't have a profession called a calculator anymore, right, because the computer does the calculator. So when ChatGPT came and said okay, now this thing can write better than I can write, right, especially English being my second language. So now the thing can code better than many people. So now you see how it can transform and even change the professions that exist. We don't have calculators in the profession anymore.
Kees Pouw:And now people may be worried about copywriters and even developers right, they may not be professions, but when it comes to cyber, one thing that I was really not thinking of the potential is because of hallucination, right, I said, oh, this thing can just meet up. We need something that is precise. Is this a threat? Not a threat. But agentic AI changed that. Now we're pairing a large language model where they can make calls to functions. Look at this large amount of data. I think this is going to be super helpful for cyber threat intelligence, because you're going to be able to create agents that can be doing specific tasks. We have ways of eliminating by query your own information, validating and making API calls, so that AI can orchestrate this and really do what is really good at it without hallucinating and automating the task.
Kees Pouw:So I'll give you one particular example right, something that I'm experiencing with my team. So we talked about attack surface management, and it's a very simple example because I wanted people to visualize this. We have a URL that is exposed externally or, let's put it in a different way, we find a bunch of vulnerabilities that our endpoints report. Some can be executed. Now the question is okay, are these exposed externally or not? And if you happen to have a load balancer, what is exposed externally has like a virtual IP that maps to a bunch of the internal IPs and that's the report that we get, so then somebody has to go and get that information from the device and do a mapping. Okay, we have these vulnerabilities. Are they linked to this virtual IP, meaning they're exposed externally?
Rachael Tyrell:right, that's a very simple thing.
Kees Pouw:The analysts can do it and you can do that programmatically as well. But with AI, what we are doing is that now we can just ask the question. I have these IPs Go to the load balancer and we have this thing called model context protocol, which is MCP, which even means we don't really need to understand how the interface is. It's just a natural language. Say, go, and the large language model then is able to really understand the API. Go, get that information and with the instructions and the prompt that you, provided it can easily map. That. It's a very simple thing. It's something a human can do. But you need somebody who needs to understand the syntax, somebody who needs to understand the device and how to get that information, to do that dynamically. Now we can have an agent that does that Very simple using common tools that are available now. So this is a reality. Now you can extrapolate this to all the things we talked about you can do. We're doing an agent where now we get a vulnerability, we want to go and to specific forums in the dark web. Are threat actors actually using this as we speak, and then, if it does, add a higher criteria to it? And if it does, do we have it internally? And if it does, does it have? So you can create all these workflows that we can do it with AI. Again, it's something that experts can do, something that you can do programmatically, but you can do much faster with AI and you can do it in a way that you can augment your stuff. You can do it in a way that it's easy to program, so you don't have to write so many lines of code. You don't have to worry about if the API changes now a little field change here, the whole structure of the program breaks right. So to me in long short answer is yes, I think it's going to drop.
Kees Pouw: The potential is huge that a lot of these tasks and that information overload that I'm mentioning can be done through agents, and that's so much more cost effective than having a bunch of experts. Of course, we're still at the very beginning of this. I have questions about the cost, because if you have this huge amount of information and you have to pass that information to the large language model as tokens (for simplicity, a token would be like a word), so if you're passing a lot of that information, it can have a huge cost. So, to draw a parallel, we can think of cloud, right? When cloud came, initially everybody was just moving, lift and shift, from their data centers to the cloud. But then you have the cloud native solutions, and now in AI they call it AI first. So basically you develop things with agents using a large language model. You don't do it in a traditional computing way. As I mentioned, right, at attack surface, you can do that very programmatically using the coding techniques, but you can do it as in the example I provided. But now you may start spending so much money with it, same thing as with the cloud, that you may have to de-AI what you did because you can't afford paying for this large language model.
Kees Pouw: And then there's a whole discussion. I don't want to go into a tangent. You see, I get quite excited about this, because it took me a while to see the potential, I have to admit. But when I saw the first agents and the concept of MCP, that's when I had that wow moment. Oh my God, this is going to quite disrupt the industry, and everybody should be looking at that.
Kees Pouw: As I said, there are many challenges. We're just testing this, so how accurate we can get, but I'm pretty confident. Especially when we're talking about more junior to intermediate staff, I think it can do as good a job as those and then pass along to the more senior people. So quite a lot of automation is going to happen in this field.
Kees Pouw: It's very information rich, and I was even thinking about, could you train a model with it? It may be very expensive, right, but you could potentially train the model with all the information that exists in the dark web, because the models that we have today are trained, obviously, not with the dark web information. But then there's the other side of it, right. Maybe the attackers are going to do that. Thankfully, this is quite expensive, to train a model we're talking about millions of dollars, but a very sophisticated attacker or companies that are specialized in this, they could be doing that as well. So it could be feeding and retraining, and you'd just be asking for this information using natural language, and everything that we talked about here about leakages could just be a provider.
Pedro Kertzman: That's a potential scenario. That's awesome, and thanks for putting it in such an easy way to understand. I appreciate that. I agree. I think also with LLMs or even agents now, it's like typewriters back in the day. Now the computers come in, and whenever you type a mistake you don't need to rip off the paper and start from the get-go, you just hit delete and then you start from there. So it just expedites, gives more scale to your work. Like you mentioned, CTI specifically, we handle a massive amount of data. Humans are not meant to handle the amount of data computers can, but agents and LLMs, they can do that. So, working hand in hand, I think it's going to be at scale. It's going to be the benefits of it. I 100% agree. It's going to be really interesting to see in the future. It's happening, but even more so we're going to have a better grasp in the short term.
Kees Pouw: I would say, yeah, you're right, I think it's already here, but we're just starting to explore, to reap all the... Maybe I'll just comment on another element of the challenge. AI can be quite difficult to understand and have traceability of why it does so. That's another thing, having to understand why it gave this answer, so that we... and now we have layers upon layers of not understanding how it works. Right, like you could have a generator, through tools like Cursor, that then generates, like, your MCP, which is that interface that I talked about, that people don't know how it was coded because it wasn't a human, and now we have the LLMs make these decisions that we don't have a full understanding of. Why, to a degree, right, why it does so.
Kees Pouw: There are even areas of research, a lot of research now, because we can create this, call it a monster, and now we're trying to understand exactly how the monster is. It's so complex, the way the neural networks and what we call parameters, billions of them, work, and trying to understand why it gave an answer A and B; fully understanding that is something that we're trying to grasp at this point. So it's all very exciting from my point of view, because I myself like disruption. It brings so much opportunity. It's dangerous too. You can be left behind, but it brings a lot of green field for people to explore.
Pedro Kertzman: Yeah, no, that's a great point. Any, especially if it's open source, like tools that you see, or maybe methodologies that you see, that are useful for CTI teams to handle all that information or variety of sources and all that?
Kees Pouw: I can give some hints here and, to be honest, I have my notes here, which I don't have to hide, because this is what I talk about with my analysts. I think I'll start by saying there are tons of tools, right, like there are tons of open source tools available there, things like Feedly, which is like a newsfeed aggregator. We have hundreds of sources. We have blogs, like Kevin Beaumont as an example, open intelligence platforms like Google Docs, there are many more examples, and then VirusTotal, URLScan, AbuseIPDB, the list goes on and on, and we have as well CTI sharing communities like AlienVault, OpenCTI. There's the MISP project, right, which stands for Malware Information Sharing Platform, databases like MalwareBazaar, URLhaus, and some basic tools that people need to learn how to use, right, the DNS passive tools, whois and nslookup, and, as I mentioned, they're important so that you understand how DNS and the networks work. Yeah, so this is quite a lot.
Kees Pouw: SANS has a conference as well, which is awesome, the Cyber Intelligence Summit. I think it happens every year and a half or so, with amazing speakers and a lot of introductory and free courses available for folks. I think maybe we can, I don't know how we put the podcast together, but we maybe can put some links associated with it. We can go and have a look, but there are lots of resources, right, and anyone using something like Gemini or ChatGPT to ask what the sources are, you're going to get tons of them. There's no lack of available materials there.
Kees Pouw: You may just get stuck with the challenge of where to start and not get overwhelmed, right, by the number of platforms that exist. So Shodan, actually, is one tool that I like. It's kind of paid, but it's not that expensive, in the attack surface area. So if you want to start learning about what exists about the environment, it's a very good place to start. And I would go as well and do some demos. As I mentioned, some of the commercial tools available, you know, I'm not making or endorsing any tool, but you know, Recorded Future, Cyberint, they will happily go and allow you to check and validate their platforms. People would learn a lot, right, just by going through there and getting a sense of what are the things that they provide you.
Pedro Kertzman: Yeah, no, that's awesome. Thanks for mentioning that, and yeah, absolutely, we can put some links in the description of the episode. I appreciate it again, Kees. So you mentioned quite a lot, and we can see the variety of knowledge you're bringing related to CTI, and not specifically consuming the information on threat reports and, let's say, more dedicated sources like this. Do you have any recommendations where to go as a learning source from an overall CTI standpoint, like frameworks, new practices, things that would not be in a threat report, for example, but about CTI in general? Any places or people to follow, or blogs, conferences, you name it, conferences, like you said, SANS CTI, I think it was a few months ago. Any other sources to learn CTI?
Kees Pouw: Yeah, I think beyond that, I mean, SANS is a very good one, just to reiterate. Right, I think ArcX has some free courses as well, but I want to go back to the very basics. So if you really want to start on this, I think you should really understand MITRE ATT&CK and the cyber kill chain, and even prior to that, people should have good knowledge of networking and should have a very solid foundation about that. And then programming and understanding a minimum of hacking. Like even myself, I don't really get into that depth, but have an understanding. Injection of code versus something that's more indirect, like cross-site scripting. What are the top attack techniques that are common in OWASP? I think those are very good, because those are the techniques, right, that your adversaries use.
Kees Pouw: I think you need to get familiar, at least conceptually, in order to have a good understanding, and I mentioned MITRE, which is the attack phases, which is linked to the kill chain. Have a good understanding of that. I think those are very foundational elements that people should have before they start trying to consume all this information specific to cyber threat intelligence. And then I believe, if you want to become very specialized, now we're talking about more advanced hacking techniques, and analyzing malware and understanding their behavior would be kind of the more advanced specialized fields, right, that people can apply, and there are plenty of courses and certifications that you can go to to get specialized, even malware analysis and whatnot.
Pedro Kertzman: Awesome, wow, super insightful. I really appreciate it, Kees. Any final thoughts, things that we didn't mention during the previous topics?
Kees Pouw: No, I think it's a good segue into kind of wrapping it up, right. Just to summarize, in order to have an effective and efficient one as well, like, something that works, that protects the organization, and something where you put your efforts where you should be putting them, so it speaks about efficiency, you need to have some elements of cyber threat intelligence. One thing that I did not mention, well, we did start with that, but we did not elaborate much, is that now the executives, even the boards of directors of organizations, they're expecting somebody in any cyber program to have some element of that, to speak about the threats that organizations are facing, and they expect even to be provided with a report. So it's very important. We touched upon as well what is the balance and how to start expanding from your security operations center into the attack surface, which kind of have an overlap, and going beyond into what's completely outside your perimeter, which is the dark web, and also people that are trying to fake you or go against your brand by faking websites or lookalike domains. And one point that we did not mention, that I see a lot of attacks now, is malvertising. So even if they don't have a lookalike domain, they may be paying, like, Google, so when somebody googles the name of your organization or your product, they get a malicious link instead of going to your website. Right. And it's about account takeover.
Kees Pouw: What some people don't know is, even if you have multi-factor authentication, if you have a complete man in the middle, you can actually bypass that, because you have someone that is just in between the attack, and especially if you're using something like SMS or even an authenticator, you completely hijack that session. So you'll be able to take the session of the user and do whatever you're trying to do, right, like do a transaction on the staff and whatnot. So those go into the second level of your maturity in your program, and, unless you have a lot of budget, I would start with that, expand from the internal and then go into those more sophisticated ones. And, lastly, you really have to be paying attention to AI, and I recommend, if you have the resource, not just be looking to buy tools, but have the team understand, because if you have one good resource, you're going to be able to augment.
Kees Pouw: I think this is a reality that's already there. Overall, I think, thanks for bringing this topic to the forefront. I hope we have helped folks look into this, demystify it a little bit and understand a little bit more about what works and what doesn't, from our real perspective of running a program, right, and having to deal with the challenges of which functions to enhance, which ones we're going to put the efforts towards.
Pedro Kertzman: That's perfect, Kees. I really appreciate it. Super insightful conversation, especially for folks looking from an executive level like yourself to build those programs or enhance the CTI program. It was great. I really appreciate all the insights, and I hope I'll see you around.
Kees Pouw: Yeah, no, thank you. Appreciate the opportunity once more. Thank you.
Rachael Tyrell: And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise who would like to be interviewed on the show, just let us know. Until next time, stay sharp and stay secure. We'll see you next time.