Cyber Threat Intelligence Podcast

Season 1 - Episode 19 (Pedro Kertzman & Tammy Harper)

Imagine a criminal enterprise so sophisticated it employs lawyers, creates flashy recruitment videos, and operates its own university. Welcome to the modern ransomware ecosystem, expertly decoded by threat intelligence researcher Tammy Harper in this eye-opening episode.

Harper pulls back the curtain on the surprisingly corporate structure of ransomware operations, revealing a three-tiered hierarchy ranging from invite-only "syndicates" managing millions in cryptocurrency to small "operators" struggling to recruit talent, down to inexperienced "script kiddies" with minimal operational security. The business models are equally fascinating – Ransomware-as-a-Service providers take a 20% cut while offering everything from malware payloads to secure communication channels and victim-shaming blogs.

What's truly alarming is how these criminal groups continue to innovate their extortion techniques. As fewer victims pay ransoms (just one in twenty pay significant amounts), gangs are escalating pressure tactics. Some offer affiliates legal counsel to identify regulatory pressure points, others implement AI-assisted negotiations to counter traditional stalling tactics, and some are even calling victims' clients directly to orchestrate supply chain attacks.

Harper dispels common misconceptions about attack vectors too. Modern ransomware rarely arrives as an email attachment – instead, attacks begin with phishing emails containing Trojans, followed by extensive reconnaissance lasting weeks or even months. "When you see your systems encrypted," she warns, "it's too late." The longest compromise she witnessed lasted a full year from initial infection to ransomware deployment, despite law enforcement warnings to the victim.

Whether you're a cybersecurity professional or simply curious about digital threats, this episode provides rare insights into a criminal ecosystem that continues to evolve despite increasing law enforcement pressure. Listen now to understand the tactics that make modern ransomware so persistent and how organizations can better protect themselves.

Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure!

Tammy Harper:

How do we extort more money? How do we put more pressure?

Rachael Tyrell:

Hello and welcome to Episode 19, Season 1 of your Cyber Threat Intelligence Podcast. Whether you're a seasoned CTI expert, a cybersecurity professional or simply curious about the digital battlefield, our expert guests and hosts will break down complex topics into actionable insights. On this episode of Season 1, our host, Pedro Kertzman, will chat with Tammy Harper, who is a seasoned threat intelligence researcher, passionate about cybercriminal ecosystems and shining light into the underground. She leads intelligence efforts on ransomware, data leaks and dark web threats, turning complex patterns into actionable insights for defenders. Her work spans from uncovering affiliate structures and malware ecosystems to developing training and awareness tools for the next generation of cyber professionals. Over to you, Pedro.

Pedro Kertzman:

Tammy, thank you so much for joining the show. I really appreciate you coming here.

Tammy Harper:

Thank you very much for having me.

Pedro Kertzman:

Usually we start asking the guests their journey into CTI. Would you mind walking us through that please?

Tammy Harper:

Yeah, absolutely. So I don't think I have a very conventional entry into the world of CTI. I originally went to school and university for film studies and I ended up dropping out after two years. I couldn't afford school. It was too expensive. You have to like pay for your film, you have to pay for a lot of things, so I just couldn't afford it. So I went into tech right away. I started off with like help desk stuff and IT support and really like just troubleshooting. I've always had a fascination for seeing how things worked and I worked my way up. It got to the point where I was managing a small, like family run office, like in terms of IT.

Tammy Harper:

When the pandemic happened, I decided to go back to school. And I went back to school, not for like a degree or anything like that, but just to skill up and really focus on cybersecurity. And I took, like it was called, Advanced Cybersecurity at York University in Toronto, basically went through that program and it was a certification and it was fantastic. It was split up into two parts, like fundamentals and advanced, and when I got to the advanced section I really started to like hit my stride and to really like, uh, find like concepts that I really like started to gravitate towards, like forensics and penetration testing and things like that. And, uh, one of the teachers that was teaching one of the classes was offering students to like, uh, go work at his company. He had already hired, like, another student that was in my class, one of my classmates. So basically he reached out to me and he's like, if you're interested, you can definitely like make an application. And so I did and that was how I got my first job.

Tammy Harper:

I was very, very, very lucky. I started from the bottom. I was an associate, I basically worked my way up and I did forensics, I touched penetration testing, incident response. Then it came to the point where I was doing a little bit more CTI because they, when we were doing incident response, we needed someone to basically go check on the dark web to see, like, if the threat actors had leaked or anything or if they were talking about the victim in specific ways.

Tammy Harper:

I had a collection, like I had my own like internal database of like onions and stuff, and so I was like basically the one to always volunteer to be like, hey, I'm gonna, I have it, I can do this. Like let's show, like let me do it, and uh. So I basically became the one like responsible for a lot of that stuff, like keeping up to date with the latest locations, and this sort of like intersects with another one of my projects, Ransom Look, and we can discuss that after. And after that I basically started really like falling in love with threat intelligence because I saw what the field was going into and how much demand there was for it. So then I ended up in my current position because I currently work at Flare. I essentially started when I saw that they had an opening for a researcher position in threat intelligence. I applied for it. The rest is history. I absolutely love threat intelligence.

Pedro Kertzman:

That's so nice. Maybe we can just, you know, go straight to the Ransom Look story as well. If you want to share with us, that would be awesome.

Tammy Harper:

That's a funny story. So Ransom Look is an open source project and I've been volunteering with them for a little over two years now. So my collaboration with them started back in 2023 when Conti was starting to publish MOVEit victims. So back then I had a Twitter account, and I was X, and I was basically like posting updates on there and I was interacting with a lot of the CTI community, because back then, like, Twitter actually had quite a decent like CTI community. So I had this like no name account and I was just posting updates.

Tammy Harper:

One day my Twitter account got banned, so I was a little frustrated. So I reached out to one of the, uh, maintainers and admin of Ransom Look and I was like, hey, I have a bunch of onions. I can give them to you if you want. They were like, sure, I'll take them, I'll just continue. And this was done over, like, um, Discord at the time and I was just like sending them like a bunch of onions, onions, onions. And at that point he was like, okay, so look, uh, can you, uh, do you want to like send it to me over Signal? And I was like, sure, I'll send them over to you over Signal.

Tammy Harper:

And then from there, like, uh, we made it a formal introduction, like, hey, my name is like Tammy, and he gave me his name. And then we were like, okay, so can we follow each other on LinkedIn? He's like, yeah, sure. He was like, do you have a GitHub account? I was like, sure, I do. And so then I started like making commits, or like opening issues, more so opening issues on GitHub. And then I started like basically making more recommendations. And to the point where it was like a year later he was like, okay, so like, most of these new onions are yours, like they're thanks to you, so I'm going to make you like an official member of the team. That would be fantastic. And yeah, it's been one of the best teams to work with, for sure.

Pedro Kertzman:

That's amazing. That's an awesome project for sure. So you know you track ransomware gangs, cybercrime, any like particular I would say maybe aha moments. Oh, that's how those guys are moving on the. You know the other side recently or at any point in time.

Tammy Harper:

Yeah, so how these guys move is there's different variations of how they move, right? So there's, because there's different types of groups. So there's the groups that are established, that are highly sophisticated. I classify these more like on a syndicate level. So these are very, very professional. They operate as a business. It's basically a vetted invite only process to getting into them and they don't really need to advertise. They do advertise on, like, some of the forums, but like they keep it to a very, very minimum.

Tammy Harper:

Recently there was a story, an article, a research paper published by Talos, from Cisco, saying that Chaos ransomware is a Texas to help them seize and basically liquidate a cryptocurrency account that is worth $2.4 million, and that just came out. That was actually related to the April seizure and disruption of BlackSuit infrastructure back in April of 2025. And so this is like connected to like Chaos now, and the threat actor behind that wallet is called Horse, H-O-R-S. So this is like the syndicate level. These guys are making millions. They use like large, large, large networks and infrastructure to obfuscate and to move their money around and to conduct clandestine operations.

Tammy Harper:

But then there's like the other tier. And the other tier is like I call them, not necessarily at the syndicate level, but they're more like operators. They usually run smaller teams, they rely heavily on forum advertisements and they operate on Telegram, they operate on other types of networks and they basically are online 24-7. And they're trying to manage their infrastructure. They're trying to advertise their infrastructure. It's getting harder and harder to recruit red teamers like good red teamers, like the hackers that actually conduct the attacks on behalf of these ransomware gangs, because that's how the affiliate model works. So a lot of these guys are trying to get creative with their advertising.

Tammy Harper:

So that's like the operator level. And then you have the script kiddie or the skid level, and this is where the other level is. Like these, again, they're talking everywhere, but this you'll see like skids or script kiddies talking on the open forums like Reddit, or they're going to be talking on open forums like TikTok, Instagram, like this, and the level of, like, uh, opsec is just not there, right? Um, it's not that they're worried, it's that they don't really care, right, cause a lot of these script kiddies are usually younger and, um, so that plays into, like, uh, their inexpertise and their inexperience on the subject.

Pedro Kertzman:

No, that's awesome. And you mentioned a few things, let's say on this higher syndicate level. You mentioned the infrastructure aspect and also the ransomware as a service. Do you see those guys on the ERP level per se of operation kind of also doing the ransomware as a service kind of offerings, or have you seen any at any point? They're kind of, uh, jealous: no, not my stuff, because when I hate somebody I only want to be known as that person and not like generic script kiddie that paid for that payload or something like that. Yeah, absolutely.

Tammy Harper:

So I can take, uh, like LockBit was a syndicate level and they were RaaS, and like Chaos. Uh, Chaos is actively being advertised on a forum right now. Um, they require a ten thousand dollar deposit to get in, to pass, like, a verification, because this is to weed out law enforcement, or, more specifically, it's mostly done to weed out, uh, like researchers, um, like myself. Uh, so they make the entry bar really, really high. Now, there's always ways around this, but, uh, it just makes things a little more challenging to get around.

Tammy Harper:

When they're advertising their ransomware as a service, let me explain to you what that actually means. These guys are usually running an operation where they're going to offer a payload, which is the malware, which is also called a locker or an encryptor, and that is actually the ransomware that will be deployed and detonated on a network of, like, an enterprise level or a company or a business, and that is what actually is going to go throughout the entire network finding files and encrypting them so that they cannot be accessed anymore. So they're essentially held at ransom. That little locker is going to drop a readme text file or sometimes change the wallpaper behind a desktop and say, like, please contact me here, you need to pay in Bitcoin. This is an emergency, right, really playing on that urgency of like trying to get your attention. So that's one of the things that they offer. The other thing that they offer is the ability to communicate safely outside of networks that could be monitored. So they're going to be usually using their own hosted version of a chat system, or they're going to be using a special type of privacy-forward emails like Onion Mail or Proton or Tuta or Tutanota. Um, sometimes they'll even use, uh, more like unregulated email services, uh, like that are hosted in countries that like don't respect any form of like DMCA takedowns or any like type of like law enforcement requests, or they're going to be using something like Tox, which is like a decentralized, like, instant messenger. So then the ransomware as a service provides that infrastructure as well. They're also going to provide the infrastructure of like hosting the victims' like actual data, which is really expensive, and they're going to be hosting the website, the blog, so that they can shame each victim on there.
So, um, there's actually a lot that these ransomware as a service provide and they have to keep updating these tools constantly so that they don't get detected by antiviruses or EDR solutions. So, like the exfiltrators, the stealers, the payloads, all this stuff needs to constantly be tweaked so that it doesn't get detected and hopefully, for them, there's no vulnerability in them that can be exploited, because then there's a vulnerability in the decryption and then all the data can be decrypted for free.

Tammy Harper:

This is the responsibility of the ransomware as a service, and as an affiliate, I basically forego a cut of the ransom. So let's say, like, a ransom is $100,000. And so usually the model is an 80-20 split. What that means is 80% will go to the affiliate, so as the affiliate, I will retain $80,000, and then $20,000 will go to the ransomware as a service. Um, now you have to launder that money and you have to move that money around, and you have to pay off your team, you have to pay off your initial access broker. You have to pay off a lot of people. Everybody has to pay off a lot of people to make this work, so your cut is only going to keep going down as things go on, but that's essentially how the whole operation works.

Pedro Kertzman:

Yeah, that's perfect, and we were talking about infrastructure as well. I know it's more common to see, you know, gangs sharing tools, for example, but what about infrastructure and or operations? Have you seen it as well?

Tammy Harper:

Absolutely. So there's recently been a gang called DragonForce. Uh, so DragonForce is trying to start something, um, that they're calling a cartel. This is not new. Like, this has actually been tried many times before, and they're really taking a page out of the playbook of, like, the Mexican cartels in trying to unionize, like, bringing things together so that it's easier to manage and then, hopefully, you are the one managing.

Tammy Harper:

That's the play they want to do. What they're trying to do essentially is saying like, hey, you come to us, we will white label a ransomware as a service for you. So let's say you have an idea of a group, let's call it, I don't know, Black Star, that's your ransomware gang. And I go to DragonForce and I'm like, hey, I want to start this gang, but I have no expertise in anything. I have money, I have, like, an initial investment that I can give to you so that I can actually get this started, but I don't have a locker, I don't have initial access brokers, I don't have a team, I have nothing. So then what they're going to do is they're going to say like, OK, so it's actually pretty expensive if you think about it. But what they're going to essentially do is they're going to give you a website, they're going to give you access to their builder, which is what creates the encryptors and the decryptors, and they're basically going to give you access to all of this stuff. They're going to use your logo, your brand, they're going to host the infrastructure, they're going to basically protect you against DDoS attacks and all that stuff, and then they're going to basically say we want a 20% cut of all of your ransom. So it's an 80-20 split still, but now it's on the like.

Tammy Harper:

So then, if I make $100,000, like, as an affiliate, one of my affiliates makes $120,000, sorry, $100,000. I have to give them, it's like, let's say, I do an 80-20 split myself, so they keep $80,000. I have $20,000. I have to give 20% of that $20,000 now to DragonForce for hosting my infrastructure and for creating all of my tools and for me to use all their tools. So I'm going to give them $5,000.

Tammy Harper:

So essentially, that's how a lot of these gangs now are not just only trying to get creative in how they're shipping off their platforms, but really they're also getting really creative in terms of marketing. We've seen some groups like Global and BlackLock and VanHelsing essentially like start creating commercials, like video commercials, like flashy graphics and things like that, trying to attract talent and trying to, uh, get them to sign up, and it really plays really hard on, like, you want to be a millionaire, you want to drive that Lamborghini. Like LockBit was saying a lot of that stuff as well. So it's like it's really trying to twist on that and then prey on that idea of like a millionaire, like Maverick, driving around in a Lamborghini with all the hot babes, like that's really the image that they're trying to sell. Jeez.

Pedro Kertzman:

Yeah, it feels sometimes that we'll end up seeing like a DragonForce University coming down the pipe, I guess.

Tammy Harper:

Well, you're seeing that already a little bit with a group called Qilin, and again this is going through the issue of not having enough, like not having a lot of like good red teamers. Red teamers are a dime a dozen, but I'm talking about like the good ones that can pull off like an enterprise level attack, like by themselves or with three other people, right, like the good ones.

Tammy Harper:

Um, so like those ones, those are much rarer now, um, and because a lot of them retired, like they made their millions and now they don't want the heat anymore, they don't need it anymore and they're retired for the time being or forever. So the next generation is going to come in. And so you see, like, groups like Qilin essentially training on forums, like teaching techniques and tactics and procedures, like TTPs, to anyone who's willing to learn on these like exclusive, like, forums, saying hey, this is how you're going to do it, this is how you, like, create a payload. We're seeing groups like Hellcat come out with manuals. LockBit had their two manual versions come out, like actual, like PDF manuals on how to train affiliates to conduct these attacks. Yeah, so it's actually like the school or the university of, right, like, ransomware is actually a thing. Um, it's not in the clear web, but this is absolutely happening.

Pedro Kertzman:

Yeah, that's, um, you know, a sad part of, uh, so much knowledge available. I guess if you get people that don't have the core principles and all that, they can steer away from the bright side and maybe go to, not talking Star Wars, but go to the dark side a little bit. And, um, but how you, from a, you know, not on the dark side, but on the, like, learning this particular niche and getting into like a ransomware, uh, tracking type of role and all that, any like learnings throughout your path that you could share, people also getting interested in, uh, studying or tracking those gangs and all that could follow, or best practices around that? Yeah.

Tammy Harper:

So there's so much happening right now and it could really feel intimidating to get started in learning like threat intelligence or specifically like ransomware, absolutely, but the way I treat it is really learning about the lore, and it's no different than like studying the lore of like Lord of the Rings or Dungeons & Dragons, or like Pokémon or whatever. Like, it's very like that. Or even like learning the statistics of sports teams, like, um, if you have a passion for it, you can learn anything, and, um, but definitely you need a passion for this. Um, and if this is not your thing, there's no point in going into it. Um, like threat intelligence is not necessarily like an entry level position. Like, um, it is definitely something that, um, requires, uh, you to have various different skills. You need to understand a little bit of coding, you need to understand a little bit about network security, a little bit about psychology, a little bit about a lot of different things, and so it's definitely a role that you work your way into, but it is not far off from like another entry level position, like, but definitely it's something that you can work your way into.

Tammy Harper:

Um, like I did, um, and when you're like learning the lore, I recommend starting off with, like, for example, WannaCry, uh, which was very, very popular.

Tammy Harper:

It's very well documented and it really is gonna, like, if you go down the rabbit hole a little bit on WannaCry, you'll start to see like how, like, Shadow Brokers had a little bit of a play in there and like how they weaponized, like, uh, BlueKeep and EternalBlue, um, and then, like, you're gonna see like how it was basically weaponized as a worm and, um, how it disrupted and how it spread and how it was stopped. And, um, so there's a lot of really cool lore that you can start from there. And this is, since it happened in 2017, this is right before the advent of RaaS, like, as ransomware as a service, right, because before it was like a standalone ransomware. And then you're going to basically start to see the evolution of like how it became like, with GandCrab and with all of these other gangs like Conti, and how it became, um, like an actual business model. Um, so it's, um, it's definitely where I would start, yeah.

Pedro Kertzman:

No, that's awesome, and you're just talking about business model. One thing that people don't realize, there's a whole lot of, you know, those gangs, they will try to hold their word, so it makes sense to people to keep paying them because they know they were gonna get the decryption keys and all that. So they're quote unquote trusted. But now we have, you know, triple extortion, or I heard quadruple extortion and all that. So it's kind of, I hope that people at some point will realize they might not be as trusted as they thought in the beginning. Uh, any like other, you know, scenarios like gangs are trying to squeeze as much as they can from the same victims? Could be on this, you know, this same moment in time or down the road. Yeah.

Tammy Harper:

So this is again, it's going to the point where it's getting really hard to monetize this, and this is good. That means that law enforcement, uh, is disrupting this effectively, uh, but we're nowhere near winning the battle, right. We're winning small battles. We're seizing some domains, we're seizing some infrastructure, but the war is not over. So what these gangs are doing is they're always trying to innovate. How do we extort more money? How do we put more pressure on victims? For example, there's one gang, again go back to the example of Qilin.

Tammy Harper:

So how they are trying to figure out how to adjust this problem from their perspective is, because, right now, like, they're telling new affiliates, like the new recruited affiliates, that they get paid well on one out of 20 victims, and paid well is, like, regarded as six figures, right, that's a six figure ransom. So that means that you have to attack 20 victims to hopefully get paid well on one, and you might get a few thousand on a couple of different ones, but like it's definitely way down from what it was before. Now this is one group, and what they're doing to address this and put more pressure is, Qilin is essentially saying, like, we have a team of lawyers on hand that can help you assist during negotiations, and they can essentially, like, tell you what type of data that you have, what type of regulatory bodies that you can contact to put more pressure on the victims. Because we saw, like, ALPHV and BlackCat do this in the past, where they were basically talking to the SEC and saying like, hey, this victim did not disclose that they were breached. But now we're also seeing this with Anubis.

Tammy Harper:

Anubis is doing this with, like, Australian regulatory bodies and European regulatory bodies. So Qilin is basically taking a page out of that playbook and saying like, hey, we can inform you on what to do with this and actually have lawyers. Through your points. Exactly, they're going to have more manpower to essentially go through the data that was stolen and start calling the victims and calling the clients of the victims. So this is going to be more of like a supply chain attack where they can basically start to say like, hey, this person or this company was breached, we have your data, now we want you to pay us, or you tell them to pay us. So they're going to be trying to put more and more pressure and having, like, some call center in Kazakhstan or something like that, or in Russia, start making these calls, right, or like anywhere, really. It's really difficult, and so you're trying to put more and more pressure on people.

Pedro Kertzman:

So they're basically scraping the data they are exfiltrating to try to find from there their next victims. That's crazy. Yeah, it's happened before.

Tammy Harper:

And also there's groups like, for example, Global, which I mentioned earlier. Global is also rolling out AI-assisted negotiations. And so, because before it was really, really interesting to see like the psychology models between the negotiator and the attacker, and essentially try and talk to the attacker and say like, hey, I need more time, because that way you can talk with your board and all of the people, your insurance companies and all that stuff and your recovery teams, and trying to delay and stall so that you have a better understanding of what's happening during your incident response. But now, because these are models that threat actors are using that are specifically trained on this type of data, because they have all the data, they're like, no, like, you're not going to stall us. It's getting harder and harder to negotiate, right, and it's forcing a lot more companies to just get published right away, um, and the negotiation periods are getting harder and shorter.

Pedro Kertzman:

So you mentioned the red team on the adversary side and all that. Do you think it's fair, from what you see from a ransomware perspective, that it's probably nowadays rare, or more rare, to see ransomware straight up coming through an email or something like that, and it's more like a mix of living off the land or other attack techniques to get a foothold and only then dropping the payload? Like how's, like, traditional tools, uh, functioning to that aspect? Like, is it email still the main thing or not as much anymore?

Tammy Harper:

So, um, targeted attacks are definitely still, like, we're seeing a mix now, right. So every time there's like a big vulnerability, for example, like the SharePoint one that we just saw recently, or right now in the news there's the SonicWall one, there's always groups that are going to try to race to find a proof of concept or an exploit or something that a researcher has published somewhere on GitHub or shared on their website, and they're going to try to leverage that, and then, essentially, this is like a one-day or an n-day type of situation where they're going to try to exploit basically those vulnerabilities. Now, a lot of the times, those types of vulnerabilities don't allow for encryption, just because of the type of access that you actually have to these file servers, and so essentially, it just becomes something like MOVEit, where it's all exfiltration, no encryption, and basically now you're extorting, you're doing single extortion based off of just the data that you have and being paid off not to leak it. But now also, like, going back to phishing, essentially, like we saw a lot of the stuff, phishing is still like probably one of the biggest infection vectors that we see today, and what that looks like is, it's not the actual ransomware that you're going to get in an email attachment, it's going to be a Trojan, and that Trojan, essentially, is going to allow the attackers to add you to their botnet. And then they're going to basically recon into your network and they're going to snoop around for a few days, maybe a few weeks, depending on the size of your network, and they're going to try to find your company's crown jewels. They're going to start exfiltrating data, right, they're either going to do it all at once overnight, or slowly and methodically over a bunch of days, and then they're going to start wiping their traces, right, and then they're just going to deploy the payload.
When you see the payload, when you see your systems encrypted, right, it's too late. Like, that's the last stage of the kill chain, right, and so it's not like that is an indicator of compromise, that's an indicator that you have been compromised. So, like, definitely start reviewing firewall logs and stuff like that.

Tammy Harper:

Another way that a lot of these threat actors are getting access to infrastructure is through social engineering.

Tammy Harper:

Now we see groups like Scattered Spider. Now, Scattered Spider is not a specific group of individuals, it's more a label attached to a loose collective of individuals that operate under similar tactics, techniques and procedures. But how Scattered Spider usually gains access to infrastructure is by leveraging compromised credentials or by social engineering, and they're really good at social engineering and also SIM swapping. For example, there was a really well-known attack that happened in Vegas a few years ago, and how that attack was conducted was one of the employees was targeted over LinkedIn, and essentially Scattered Spider called up the help desk of that company and basically tried to say, hey, trust me, I just need a password reset. And it was able to convince the poor tech worker there, the poor help desk worker, to reset their password, and this gave the threat actor access to that account and to the VPN, and then from there they were able to pivot and establish persistence into the network and start doing a whole bunch of damage.

Pedro Kertzman:

Yeah, no, that's... Yeah, I remember that episode. But basically, from an attack stages type of thing, don't only look for that ransomware being sent anymore on your email, but for early stages of compromise, like you're mentioning the phishing and all that stuff. It's all that they need nowadays to put a foothold and then work their way through their network. When the payload comes, like you mentioned, it's too late. That's because they were there doing stuff for weeks, months already.

Tammy Harper:

Exactly. The longest compromise I've seen, from initial infection to ransomware being deployed, was a year. And this was like a really, really large company, and the threat actors basically were in there for a whole year, and law enforcement even notified the company, saying like, hey, we are getting weird metrics and warnings and notifications from your network and we've detected like Cobalt Strike beacons from your infrastructure. Are you aware of this? Like, what's happening? And the company was like, oh, we'll look into it, we'll look into it. And six months later they get ransomware. And that's when they actually took things seriously.

Pedro Kertzman:

Yeah, unfortunately, that's sometimes how it goes. They need, like, more shocking evidence that things are not as they should be.

Tammy Harper:

Yeah.

Pedro Kertzman:

Okay, and from, like, I would say you're on an edge on the technology or research and the things that are happening out there. Do you find, like, traditional learning sources, or kind of a need to create your own learning sources? How are you going to evolve in that role?

Tammy Harper:

So learning this is really something that you have to do hands on, because that's only good for, like, really, really large companies that need to have or implement on that framework, because that's how their whole program and their whole department was built. Newer companies, right, you're going to probably be working in a smaller team and your job is completely different. It's all about being agile and being able to respond quickly. You're usually going to be working with the SOC, or in tandem with the SOC, and it's your responsibility to know... like, it's going to look different for every single company. But, a lot of the time, you want to know your infrastructure inside out, and that's why I'm saying, like, if you want to get into threat intelligence, you need to have a background in other stuff. Because you need to know the entire infrastructure of the company and you need to know, like, the version numbers of things. Because if you see on a forum someone talking about, oh, I just wrote this exploit for this, or in a private chat, or another researcher comes up to you and says, hey, there's this POC being shipped around, like, you know right off the bat whether that can affect you. So you need to have that understanding of infrastructure. Or even, like, if something is just designed a specific way, because if you have something in your environment that is technically vulnerable to an exploit, it doesn't mean that the exploit can actually be leveraged, because sometimes configuration will supersede an actual vulnerable system. So, like, understanding how your systems are configured and how your network is configured is really important as well.

Tammy Harper:

So, learning, I never stop learning. I'm always reading up on, like, CISA, government websites, the latest TTPs. I'm constantly looking at different types of sources. So, like, the best place to learn this is talking to other researchers and definitely trying to get into the more advanced types of learning mechanics. So, like, TryHackMe or Hack The Box, things like that. That will give you a good understanding of how to, like, establish persistence and what the latest techniques are that threat actors are doing. So that will definitely give you a good understanding of that. So that's how I try to stay up to date on all of that, and especially, like, all the latest groups and how they're operating.

Pedro Kertzman:

Yeah, that's awesome. And any, like, closing thoughts to the listeners?

Tammy Harper:

I love my job, I love doing what I do. It is a very, very fulfilling career and I don't think I could be doing anything else. Answer any of your questions, and you can also always check out your local animal shelter and volunteer there. That's my big thing, and so that way you can help. Absolutely, dami.

Pedro Kertzman:

Thank you so much for so many insights. Really appreciate you coming to the show and I hope I'll see you around. Thank you.

Tammy Harper:

Thank you very much.

Rachael Tyrell:

Bye. And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise that would like to be interviewed on the show, just let us know. Until next time, stay sharp and stay secure. We'll be right back.