Cyber Threat Intelligence Podcast

Precision Over Volume: Rethinking Threat Feeds For Real-World Impact (Sergio Albea & Pedro Kertzman)

Pedro Kertzman Season 2 Episode 4


Ever wonder why your TI platform ingests thousands of new indicators a day and still finds almost nothing useful? We dig into the gap between volume and relevance with Sergio Albea of SWITCH, who built a simple, powerful framework to make IOCs matter for real users in real environments. The idea is direct: score every indicator by system, language, location, and sector so your detections match the way attackers actually operate.

We walk through practical examples that flip the match rate from near-zero to meaningful hits. A URL mentioning Zurich or SBB scores higher for Swiss campuses. German or French lures outrank Spanish in that context. Mac fleets discount Windows-themed bait. Subject lines about research grants and student loans rise to the top. With that context, Sergio operationalizes Match4 using Azure Logic Apps to run KQL collectors, aggregates indicators in MISP, and pushes high-confidence URLs into Microsoft Defender TI Indicators to stop access at the endpoint—vital for students traveling worldwide.

The impact grows as signals are shared. When one university sees a malicious domain, neighbors with similar language and services often see it next, revealing how threat actors campaign by sector. By centralizing across European NRENs, the team builds a living, education-focused threat feed you can’t buy off the shelf. Bonus: the data now surfaces cross-org targeting patterns, extends IOC lifetimes for “golden tickets,” and preserves history for threat hunting long after default telemetry ages out.

If you’re tired of bloated, generic feeds and want precise detections that block real attacks, this conversation lays out the roadmap: prioritize relevance, automate collection, enforce at endpoints, and collaborate across your sector. Grab Sergio’s open-source templates on GitHub, start with a few collectors, and score for your environment—education, healthcare, finance, or beyond. Subscribe for more CTI strategies, share this with your team, and leave a review to help others find the show.
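As an added illustration of the four-way scoring the episode describes (this is not the Match4 project's own code; the weights, keyword lists, thresholds and sample indicators are assumptions), here is a small Python scorer that rates an indicator by location, language, system and sector for a constructed Swiss campus profile, tags the "golden ticket" case for longer retention, and flags high scores as candidates for endpoint blocking:

```python
import re
from dataclasses import dataclass

@dataclass
class Environment:
    """Profile of the defended organisation (constructed sample below)."""
    location_terms: set   # cities and local services users would trust
    languages: set        # lure languages users would actually read
    systems: set          # OS families present in the fleet
    sector_terms: set     # words typical of lures aimed at the sector

@dataclass
class Indicator:
    value: str            # URL, domain or email subject line
    language: str = ""    # language of the lure, "" if unknown
    system: str = ""      # OS family the lure targets, "" if unknown

def _tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))  # lower-case alnum tokens

def _attr(value, wanted):
    """1.0 on a match, 0.5 when unknown (no evidence either way), else 0."""
    return 1.0 if value in wanted else (0.5 if not value else 0.0)

def score(ioc, env):
    """Per-dimension relevance of one indicator for this environment."""
    toks = _tokens(ioc.value)
    parts = {
        "location": 1.0 if toks & env.location_terms else 0.0,
        "language": _attr(ioc.language, env.languages),
        "system": _attr(ioc.system, env.systems),
        "sector": 1.0 if toks & env.sector_terms else 0.0,
    }
    return sum(parts.values()), parts

def triage(ioc, env, block_threshold=3.0, golden_days=7, default_days=1):
    """Retention and enforcement decision. A 'golden ticket' (lure both
    sector- and locally themed) is kept golden_days instead of default_days;
    scores at or above block_threshold are worth pushing to endpoint
    blocking. Thresholds are assumptions, not the project's values."""
    total, parts = score(ioc, env)
    golden = parts["location"] == 1.0 and parts["sector"] == 1.0
    return {
        "score": total,
        "golden": golden,
        "retention_days": golden_days if golden else default_days,
        "block": total >= block_threshold,
    }

# Constructed sample: a Swiss campus that runs a Mac fleet.
SWISS_CAMPUS = Environment(
    location_terms={"zurich", "geneva", "sbb"},
    languages={"de", "fr"},
    systems={"macos"},
    sector_terms={"research", "grant", "student", "loan"},
)

if __name__ == "__main__":
    for ioc in (
        Indicator("Research grant approval for Zurich student", "fr", "macos"),
        Indicator("https://sbb-ticket-refund.example/login", "de"),
        Indicator("https://windows-update.example/medellin", "es", "windows"),
    ):
        print(ioc.value, triage(ioc, SWISS_CAMPUS))
```

The Windows-themed, Spanish-language lure scores zero for this Mac-based Swiss campus, while the research-grant subject naming Zurich hits all four dimensions and becomes a golden ticket.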

Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure!

Welcome And Guest Intro

Sergio Albea

I have thousands of new IOCs every day, but I have zero matches.

Rachael Tyrell

Hello and welcome to episode three, season two of your cyber threat intelligence podcast. Whether you're a seasoned CTI expert, a cybersecurity professional, or simply curious about the digital battlefield, our expert guests and host will break down complex topics into actionable insights. On this episode of season two, our host Pedro Kertzman chats with Sergio Albea, who is the SeasOC security expert at Switch, the Swiss National Research and Education Network, where he focuses on threat analysis and incident response for the education and research sector. With over 15 years of experience across diverse IT environments, his work emphasizes proactive security through threat intelligence, detection engineering, and security architecture, helping organizations anticipate, detect, and respond to emerging threats at scale. Over to you, Pedro.

Pedro Kertzman

Sergio, thank you so much for joining the podcast for this special episode. I appreciate it.

Sergio Albea

Amazing, amazing.

The Zero-Match IOC Problem

Pedro Kertzman

So yeah, you know, the reason for this special episode is basically that I came across the Match4 project, and it was mind-blowing when I realized that so many times during season one we were talking about the quality of intelligence, you know, how to make sure we're using the best possible intelligence instead of wasting time on things that are not so relevant and all that. And then I bumped into Match4. So it was like, oh my goodness, somebody got it as well. And so, yeah, would you mind telling us a little bit about why Match4, how the need for it came, and tell us a little bit about the story behind

Birth Of The Match4 Model

Sergio Albea

Yeah, of course. So basically, I'm working in a foundation that is totally focused on the education sector; it's called Switch. So basically, we are managing all the Swiss universities and Liechtenstein universities, and also we are managing all the .ch domains and the .li domains. So, based on this education stuff, as you can imagine, I'm using a lot of TI feeds, for example, good ones, such as URLhaus, MalwareBazaar, and other ones. And of course, it means that I have thousands of IOCs which are added daily in my different tenants. Yeah, but I discovered a reality. I have thousands of new IOCs every day, but I have zero matches. So it's like, okay, I'm executing a lot of flows, a lot of ingestion, but with zero results. Something is not working. So I started to analyze and I discovered that in some of these trusted sources, URLhaus and MalwareBazaar, for example, which are really good, the content has high quality and they are really true positive. But the reality is that they are too generic sometimes. Which means that they can be for a specific sector that is not education, a specific language can be Spanish, and where I'm based currently, which is Switzerland, Spanish is not a language, so the match ratio is totally lower. And things like that were coming to my mind, like I think that we should try to filter which are the IOCs that are totally oriented to our sector, no, or my current organizations. So that is when this Match4 intelligent ratio model arrives, and basically it is divided in four cases for the matches, that is system, language, location, and sector. And based on these four cases is when I evaluate and rate IOCs.

Pedro Kertzman

Perfect.

Scoring By Location, Language, System, Sector

Sergio Albea

So to give you some insight about these four cases, I'm giving my example. If I have an IOC, a URL, where in the URL I have something like Zurich, like Geneva, that are really known cities in my country, totally this IOC has more value than if the URL has, I don't know, Medellín, São Paulo, because the ratio that a user or a student in Switzerland is clicking on these links is totally lower than if they are city-related to these ones. Also inside of location fits the typical service, no? For example, for trains in Switzerland we have SBB. So if I have a URL totally dedicated to a service located in Switzerland, for me also the reputation of the IOC is totally higher, because the match ratio is totally higher in Switzerland. Same with language: if they are writing in German or French instead of, for example, Spanish, totally also they have a higher ratio. And the same happens with the system. If, for example, my company is working all with Macs, the ratio that people are clicking on Windows Update is totally lower. And finally, the same happens with sector. If I have emails where the subject includes a research opportunity, PIC, things like that, it is totally oriented to my sector. So that's when this match ratio totally fits with all these IOCs.

Implementation With Logic Apps And MISP

Pedro Kertzman

It makes sense, yeah. So it's common use cases that you will see around the educational sector: could be loans, could be research, could be any words that are more. That's awesome. And from a how-to-operationalize or how-to-apply-the-framework standpoint, how does that work from an operational or implementation point of view? That's the word. How is it working from an implementation point of view?

Sharing Indicators Across Universities

Sergio Albea

So basically, first of all, it was configured in my universities, and basically based on this kind of filter, I was using a Logic App. Logic App is a service in Azure which is just a flow, nothing else than a flow, where you can, for example, execute KQL queries via F Explorer with an HTTP request to the different Azure tenants of the customers. And basically with the KQL query, you obtain different IOCs. You get all these IOCs, and I'm gathering all these IOCs inside of MISP. This is a malware information sharing platform, really known for sharing this kind of IOCs. So I was starting with one organization, then another, and then we realized that the indicators collected in one university were, in an important match ratio, appearing in a second university. Why? Because hackers, basically, an easy move for them is to say, okay, I attack University A, which is, I don't know, language German, by emails for phishing or malware, and then I just move to a second university with the same language, so the ratio of the users clicking is totally higher. They will not move from one university, then to a bank, then to a hospital. They will say, okay, let's go for this sector, and then of course they can update their threat to be more focused on other sectors, no? And this was really impacting the high ratio of cases of indicators happening a second time. So, which was really nice, when an indicator was happening in one customer, further than the MISP, also I'm using Microsoft Defender TI indicators, which basically means that when I catch a URL that is malicious in one university, I add this URL in the TI indicators, and then any device that is trying to access this URL is not allowed.

Pedro Kertzman

Okay.

Sergio Albea

So that's really nice because you are protecting the users at the endpoint level. And for us, it's really important because our users, which are students basically, can travel around the world and we cannot by policy block them. So it can be that there is a user in Russia connecting with Tor and a Raspberry, and we cannot block by default.

Pedro Kertzman

That's interesting. Never thought about the use case, but yeah, that's interesting. And so basically you're doing that curation; let's say you put a layer in between whatever CTI platform the organization is using, but you do the curation based on Match4 criteria before you actually deliver IOCs or whatever relevant information to their CTI platform.

Blocking With Defender TI Indicators

Sergio Albea

Exactly. And then also what I do during this Logic App, during this flow, is I'm evaluating all the IOCs that I'm collecting. And what I call the golden ticket, in case that I have, for example, a subject that is related to university, related to a located service in Switzerland, I tag them especially, like hey, these IOCs have to remain in my system not just one day of expiration, but for seven days, things like that. So it's important to find it. So that's where I apply this Match4, where I'm collecting the IOCs, to say in case that there is a match, also I want to save them for longer.

Pedro Kertzman

Got it. We get the golden ticket.

Sergio Albea

Exactly.

Pedro Kertzman

Yeah, got it. No, that's awesome. And obviously, so valuable to have that kind of enrichment, if I can call it this. Would you call it that? To me, it would be like a super valuable enrichment to have, if I can classify it this way. And from a collaboration standpoint, of course on your day-to-day you're applying this, but have you seen traction in the community to also adopt the Match4 framework?

Curation Workflow And Golden Tickets

Sergio Albea

I can give you a good project where I'm really excited. I'm currently working on it. So as I said, my company is an NREN. NREN is National Research and Education Network of Switzerland, and also what we are doing is we are in a project inside of another foundation called GÉANT. And basically, GÉANT is a kind of a group of all NRENs around Europe. So basically, what now we are implementing is this Match4, this collection, in all the European NRENs.

Pedro Kertzman

Oh wow.

Sergio Albea

So in that way, we are centralizing all this collection, because this will be like the perfect TI feed, because it's totally oriented to education, coming from IOCs that happened in Ireland, then happened in, I don't know, Germany, France. So all the IOCs are coming to a centralized place and we are exchanging that data. So it's the perfect TI feed that you will not find in the market. So it's totally what I recommend if there are other people that have the fortune, I would say, to have access to multiple organizations of the same sector; that's a perfect way. Just gather all the IOCs, because your SIEM and your detection and response solutions usually get this information. So you can build your TI feed.

Scaling Across European NRENs

Pedro Kertzman

That's amazing. That's great. You know, hopefully everything will play well on this project. And by the way, if people want to learn more how to implement that behind, or actually in front of, their current TI platform, for example, is it open sourced? Can they, you know, go to GitHub, for example, and check out how to implement it?

Open Source Collectors And GitHub

Sergio Albea

Yeah, exactly. They can access my GitHub, and basically there I have all the instructions, all the guide to go ahead from the beginning, and they can implement the Logic Apps because I have added a template with the Logic Apps to be able to start with some of these. I call them KQL collectors, which basically collect, for example, file hashes from files that have been targeted by Defender as malware. Then I have another KQL collector that is taking URLs that have been detected as phishing. So with this option, you can implement these Logic Apps. You have there the template, and also you can add all these collected IOCs into MISP. It's totally explained there. And I'm starting to add more collectors thanks to the feedback of different people in the community.

Pedro Kertzman

Oh, that's amazing. And just to confirm, so your GitHub is github.com/Sergio-Albea-git. That's the one. Yeah, exactly.

Sergio Albea

And inside, they just have to look for KQL collectors. In any case, also if someone is interested in KQL, there is another folder called Defender XDR, and then I have a lot of KQL. But I will not start to bore the people with that.

Pedro Kertzman

No, that's amazing. Open source, I think it's the way we end up getting more collaboration; people have insights about that idea, and then the project grows, and grows faster or bigger. So it's very important. Yeah, that's awesome. From when you started until today, do you see any, how can I put this, any new things or any new insights based on people actually utilizing the framework that you thought, oh that's cool, let me expand on that new insight, or something related to it?

Emerging Insights And Cross-Org Targeting

Sergio Albea

Yeah, good question. There is one that was not, I would say, listed at the beginning at all, but is starting to be really useful: the fact that as you are collecting IOCs from different organizations, you can have a kind of graph where it tells you, hey, there is this domain or this IP that is targeting different organizations. Okay, we didn't have this in mind, but it's really useful, because you are able to detect if there is some group, some IPs, some domains that is totally targeting our sector. That's totally useful. We didn't expect that. The idea at the beginning was just to collect useful IOCs and add them to not allow the access to them. But now also we have these statistics.

Pedro Kertzman

Okay.

Speaker 1

So they are being really, really useful.

Pedro Kertzman

That's interesting. Yeah, threat actors tend to focus on particular, or get specialized, quote unquote specialized, on particular sectors.

Sergio Albea

And sometimes we lose the time, no? At least in Defender, you have by default just 30 days. So after this period, you are kind of losing all this data. So with all this integration, we can have data for a longer time and know if something has happened in the past, have more historic data. So it's the kind of thing that is appearing along the way.

Retention, History, And Threat Hunting

Pedro Kertzman

Oh, that's interesting. Yeah, for historical threat hunting, and sometimes people don't realize they were actually compromised months ago, so that's important for this type of forensics investigation for sure. And no, that's amazing. Any other interesting things related to the project that you would like to share with the listeners?

Sergio Albea

I would say this integration with different organizations, also, as I said, with other universities outside of Switzerland, I think will give us a lot of new visibility and insights about which are the real threats that are happening in our sector. So, as I said, if there is the opportunity for someone to apply the same for banks, hospitals and other sectors, I think that will be a really quick win, to be honest.

Pedro Kertzman

That's amazing. I don't want to offer anything here, but would you be open to people from other industries reaching out, especially, you know, not-for-profits or people from other sectors reaching out to collaborate on this project as well?

Sergio Albea

Totally, it will be a pleasure.

Pedro Kertzman

Amazing. Oh, I know a few folks here from the education sector for sure that would be super interested in collaborating with you on that. That's amazing. And Sergio, thanks again. Any final thoughts for the listeners related to the project or anything CTI related?

Sector Replication And Quick Wins

Sergio Albea

I would say that please stop accepting these diamond TI feeds in the market, or paying. Because at the end, what I found a lot of times is that a lot of these kind of perfect TI feeds are just content of other TI feeds and really generic sometimes, or even TI feeds that were for a specific period of time and are just abandoned or obsolete. So be more focused on what is useful for you. Just start from the focus for your organization, for your customers, and in that way what you are adding in your system will have a higher value. I would say this is the message that I like.

Pedro Kertzman

Perfect. No, I love that. And you touched on a very good point. For me, oftentimes some feeds are focused on high, or even super high, volume, when actually sometimes the smaller volume, super curated, precise ones will be the ones that can really make a difference when you are trying to search through the noise. Those ones can be valid.

Community Collaboration Invitation

Sergio Albea

And then also the time, no? If at the end you have, I don't know, 10,000 IOCs to evaluate in just one tenant, the time of this 10,000 evaluation is really long, and once it catches something, perhaps it's too late.

Pedro Kertzman

So it's important to be timely, yeah. Exactly. Sergio, thank you so much for bringing the project to the show. And hopefully people will reach out as well. And by the way, if they want to reach out to collaborate on the project, what would be the best way to reach out to you?

Sergio Albea

Yeah, they can contact me at contact@sergioalbea.com, or if not, I'm also on LinkedIn. I'm really active there, so they can search for me by Sergio Albea.

Pedro Kertzman

Perfect. Sergio, thank you so much. Really appreciate all the insights. Take care.

Sergio Albea

Thank you.

Final Take: Precision Over Paid Feeds

Pedro Kertzman

Bye. Bye.

Rachael Tyrell

And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure.