Cyber Threat Intelligence Podcast
Welcome to the Cyber Threat Intelligence Podcast—your go-to source for staying ahead in the ever-evolving world of cybersecurity by harnessing the full potential of CTI.
In each episode, we dive into the latest cyber threats, emerging trends, best practices, and real-world experiences—all centered around how CTI can help us defend against cybercrime.
Whether you’re a seasoned CTI analyst, a CTI leader, or simply curious about the digital battlefield, our expert guests and host break down complex topics into actionable insights. From ransomware attacks and insider threats to geopolitical cyber risks and AI-driven security solutions, we cover all things CTI.
Join us biweekly for in-depth interviews with industry leaders and experienced professionals in the Cyber Threat Intelligence space. If, like me, you’re always in learning mode—seeking to understand today’s threats, anticipate tomorrow’s, and stay ahead of adversaries—this podcast is your essential companion.
Stay informed. Stay vigilant. Tune in to the Cyber Threat Intelligence Podcast.
Why Ransomware Attribution Keeps Getting Harder (Katya Kandratovich & Pedro Kertzman)
Attribution is getting weird. The same ransomware ecosystem that used to leave clear fingerprints is now full of affiliate “job hopping,” shared tooling, rapid rebrands, and deep web noise that can trick even experienced cyber threat intelligence teams.
Pedro Kertzman sits down with Katya Kandratovich to map what’s changing and what’s stubbornly staying the same. We talk about why ransomware remains a dominant cyber threat, how law enforcement takedowns disrupt infrastructure without ending the business, and why ransomware-as-a-service programs keep professionalizing. Katya explains how affiliates move between groups for better payouts and support, and why that movement blurs profiling, negotiation patterns, and incident expectations.
We also get practical about defense. Katya shares how she treats attribution as a decision-support tool, not a badge you follow blindly, and how to separate credible reporting from rumor when doing deep web monitoring. Then we dig into the intrusion basics that still work at scale: phishing and vishing boosted by AI, stealer logs that include portal context, and zero-days and internet-facing app exposure that won’t go away. We explore “living off the land” tradecraft where attackers abuse legitimate admin and device management tools, plus pressure tactics that target employees directly through calls and emails, sometimes even via personal addresses.
Finally, we zoom out to supply chain attacks, MSP risk, third-party integrations, and developer package threats, and we confront a troubling trend: some groups now openly allow healthcare targeting.
Subscribe for more cyber threat intelligence conversations, share this with your security team, and leave a review so more defenders can find the show.
Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise who would like to be interviewed on the show, just let us know. Until next time, stay sharp and stay secure!
Cold Open And Welcome
Katya Kandratovich: If their personal email is part of the company's documentation, they might contact you at your personal email.
Rachael Tyrell: Hello and welcome to episode three, season two of your Cyber Threat Intelligence Podcast. Whether you're a seasoned CTI expert, a cybersecurity professional, or simply curious about the digital battlefield, our expert guests and host will break down complex topics into actionable insights. On this episode of season two, our host, Pedro Kertzman, will chat with Katya Kandratovich, who holds industry certifications from ISC2 and CompTIA. Her cross-industry background gives her a unique perspective on risk, people, and technology, helping her translate highly technical findings into clear, actionable strategies for business leaders. A lifelong learner, Katya stays at the forefront of security trends through continuous study and by engaging with the InfoSec community. Fluent in English, Russian, and Italian, she enjoys sharing practical insights and encouraging more diverse voices to join the cybersecurity field. Over to you, Pedro.
Pedro Kertzman: Katya, thank you so much for coming to the show. I'm really happy to have you here.
Katya Kandratovich: Thank you, Pedro, for having me. I'm super excited to be here today.
Why Attribution Is Getting Harder
Pedro Kertzman: Amazing, me too. So we were talking about how attribution is getting more complicated these days. What are you seeing? Do you think it's because of the amount of signals we're getting from threat actors, or because their skills at, let's say, opsec and hiding their trails are getting better? Is it because they're sharing more tools, and then it's hard to pinpoint who is actually doing the work behind the scenes? What are you seeing down there in the deep web?
Katya Kandratovich: I will start with a small explanation, but everything that you mentioned in your question is all part of the whole deal. Okay, yes, everything is part of it; there is not only one incentive or one motive for why they're doing this. Absolutely. Everything that you listed is actually part of the whole deal of why attribution is getting more complicated. So I should start by saying that ransomware is not going anywhere. It will stay, I think, the most impactful cyber threat for 2026, like it was in 2025, because it still represents a dominant threat due to their activity level and the results of that activity, because it is still causing, and might cause, serious disruptions, even major disruptions, to organizations. Yes, organizations right now, I should admit, not all sectors, are more resilient to cyber attacks; they have more experience too, right? Because ransomware has been here for a while, but I think they've started to pay more attention to their backups, they've started to pay attention to their security posture, to their security policies, so that it's actually part of the culture, not just some IT people dealing with this. No, they're trying to implement cybersecurity as part of the culture, and that, unfortunately, everybody can be attacked, no matter how much people say, like, I'm not important, I'm not going to be attacked. You never know what supply chain attack you're part of, right? Exactly. So, yes, that's why: because organizations are becoming more resilient and more professional in responding to those breaches, and also because of the involvement of law enforcement, because they're doing a great job of tracking the threat actors and taking down the infrastructure. We have a lot of that; I think I said it's like Christmas, even in March and at the end of February. RAMP is one of the biggest ones.
Over the weekend, BreachForums was down again. There were two major operations; they also took down 22 million malicious IPs. So law enforcement is doing a great job regarding this. The threat actors' infrastructure is also resilient, but it doesn't mean that law enforcement actions don't have any impact. So, based on this, the resilience of the companies and the law enforcement activity create incentives and motives for the threat actors to find new avenues to monetize their activity, because, as I said, if it's still bringing money, they just need to find a new way to get money so that their money flow doesn't stop. Because they are also business people, and they're also resilient to certain takedowns; they work on their rebranding, creating new sites, affiliate programs. It's also a good example. So that makes it too complicated for us sometimes to attribute, because the first factor is new incentives, new motives for them to create new ways of monetizing their activity. Also, a lot of affiliates are migrating between groups because they're also people who need money, who want better conditions. I know that we don't need to have sympathy for them, because they destroy companies and infrastructure; they're not nice people to sympathize with, but from that point of view, if we completely abstract from that, they're also like employees: they want better appreciation, I guess, better tools to use, a better salary, not salary in the sense that they all have salaries. Some of the groups provide salaries, yes, but better payment, and they know that if they're working with this organization, they know that we bring you, or they will give us, access, depending on the affiliate program, right?
If they bring access, they will take care of me, or they can provide the negotiation service for me, or they actually provide the data analysis service for me, because some of the affiliates, yeah, they're skilled, but, for example, they're skilled at getting into the system, right? Not all affiliates are skilled at evaluating what kind of data they got. Because everybody has this, like, oh, I have personally identifiable information, I have legal this, I have this, but do they really know? And plus, there can be a language barrier, right? Because not all of them speak English, so they need help with that. It's also this migration between affiliates. Again, it's not new; it's not like I'm saying, oh, it started just this year or last year. No, migration between affiliates we saw before; it existed, but we just see it more because of this pressure on those threat actors. They're trying to promote more services, I should say, for the affiliates, and they're migrating more, like DragonForce. Yes, they actually are, I think, one of the most vocal about the services: they provide legal services, data analysis, they also provide the service on the website, like, oh, you can create your own RaaS, ransomware-as-a-service, program, your own team, in one hour, and they give you step by step. And I think they even provide a separate website that you can go to. So they are actually one of the very good ones who is doing their marketing job, them and Qilin. I know a lot of researchers see it; if you go into the forums, you can see it's like, you know, the ad banner is like, oh, join our team, join this.
Cutting Through Deep Web Noise
Pedro Kertzman: So yeah, very professional. Yeah, yeah. I think one of the craziest things I saw is when I realized affiliates are actually shopping around for the best affiliate program within the threat ecosystem. And I'm like, holy cow, the point that we are at. Like you mentioned, it's not new, but it kind of became a really prevalent part of the ecosystem, those affiliate programs, because things just grew so big that this is the way most threat actors that are not only politically motivated do things these days. From a profiling standpoint, with all that noise in the deep web, sharing, you name it, infrastructure, payloads and all that, how can you distinguish what is noise from what is really good information that I should use to base my attribution, or anything around that, on?
Katya Kandratovich: Sure. So I should just mention that, yes, we pay a lot of attention to attribution and profiling. I just don't want people to have the wrong impression that, oh, we blindly follow attribution, that it's attributed to the threat actor and we blindly follow the profile, right? No, attribution and the profile are just tools, among other tools, for what to expect, and based on the information that we get, it helps us build our defense strategy better for us and our clients. It's a good question. Yes, there's a lot of noise, and I'm using it myself, the research from other researchers whose opinion and work I trust. This is one of the aspects: like, what do you think? We always discuss, and that's why I actually appreciate the cybersecurity community, the threat intelligence community, that sometimes we question one another. It's like, do you think it's plausible? Is that what we see, is that what we thought? Also, based on our internal cases, right? When we investigate, it doesn't matter whether it's post-breach restoration or forensics, we also see certain patterns. Like, I just know this group from these three cases that we had with them; it was doing this and doing that. So we just create this profile and attribution. It doesn't matter that they will change, because, as we just discussed, they keep trying. For us it's just a tool. I just want people to understand that we are not just blindly following this, but these are the tools that help us in our daily work, just to have an idea of what to expect from certain groups or even from certain affiliates. Because some of them are like, yes, I'm part of this group, but you can still see a distinguishing signature in them. A good example: Qilin and secure trop. You could see that they even put a watermark on the website that it's them.
Like, yes, it was Qilin, but we're using their platform, and you need to know that it's us. Eventually they created their own leak site, separate, but you could see it's like, okay, yes, it's Qilin, but we still need to expect something different, because we know this affiliate is a little bit tricky. Maybe it doesn't align with the profile that we got used to, but we keep adding to it, because it's still Qilin, so in negotiation, for example, we might still expect a certain pattern that we got used to. So, yeah, it comes, I think, with experience, and relying on the people that you work with, and on the repeated patterns that you also see from the cases, because, yes, there is a lot of research, a lot of reports going out every week. You still need to be careful, because sometimes it's a misunderstanding, sometimes it's noise, and sometimes it's like, I don't think so. Like, I didn't see that. Okay, you saw it, good. I don't see it; I don't think I have confirmation for that, but you still keep it in mind, like, okay, it may happen. We still, in Cypher, base it for us on what I see, and again on already proven sources. This is my main goal. I'm still going through all the reports from the vendors, of course, because I need to be aware of what's going on. Maybe I miss something, but it's a good question. Yes, there is a lot of noise, and it's really easy to fall for it, and then it doesn't add to the picture that I see, and then you're questioning yourself, like, am I wrong? So it's a very tricky one, and I guess the more experience you have, the more you're just like, okay, it doesn't fit the picture; it's good to have, but I don't think so.
Old Tactics Still Win
Pedro Kertzman: It makes total sense, thank you. So you're talking about resilience, which I think is going to be the thing in cybersecurity this year, and probably for a few years now. People are realizing that it's not if but when you get breached and all that; it's just going to happen, and you have to be prepared. What are your plans when that happens, and all that. So, again, with that scenario in mind, of course, threat actors have to adapt, because companies, quote unquote, are not too worried about whether they're going to get breached, because they know they will, but they will be more resilient to handle that breach without panicking, without maybe even, the end goal, I should say, without even paying ransom, right? So, how do you see threat actors changing from a pressure point type of mindset? Are they adapting to that more resilient industry trying to defend against them? Do you see that shift as well on their side?
Katya Kandratovich: You mean the shift that they're trying to find new pressure points to get paid? Yes, yes, but before that I should also mention that they use the same techniques that they used before. It's not something super sophisticated, in the sense that it's still phishing and vishing. I know people still think, like, oh, how could you fall for it? Trust me, and especially with AI, phishing emails are very good. Oh, yeah, vishing calls are very good. Scattered Spider is a wonderful example; they do it all through social engineering techniques. So we just don't need to forget that, from report to report, we see that technically the techniques are the same. It's social engineering, it's leaked credentials and stealer logs. Stealer logs have actually now started to get more proper attention, because they do have a lot of information that can be used: they provide you not just the credentials, yes, password, username, but also the portal. It might, of course, be a copy and paste, it might be wrong information, but it still provides you the portal where you can use those credentials, which makes it even more complicated, and so stealer logs are becoming popular. They have been before, but for some reason, I don't know why, it hasn't been talked about more often until, I think, the end of 2025, when even on LinkedIn researchers started to post that, actually, it's a huge risk, we need to pay attention. It's not like, oh, it's just leaked credentials, they're all over the place. Yes, credentials in those combo lists, yes, they're reshared every month. Yes, they're all over the place. I agree, but stealer logs, and you could prove it with some attacks, are a real risk that also shouldn't be ignored. Of course, vulnerabilities and zero-days didn't go anywhere. Public-facing applications and solutions are again one of the main vectors.
That didn't go anywhere. So all those three are still all there. So it's not like, oh yes, this is my new technique. The threat actors started to use a lot of native software and solutions inside the companies, and remote monitoring and management is all over the place. EDRs, yes, they like to use them, because when you investigate, you see the names, but it's legitimate software, right? It shouldn't raise an alert, but then it's like, oh, but we don't use that, so why is it there, right? We also saw a case, I don't remember the name of the software, where the threat actors installed, you know, the software that monitors employees on their computers, so they installed this software to take screenshots. Like, you would see it and think, okay, the company might use it, right, just to monitor. No, it was the threat actors, like, oh, why not? We don't want to use malware, we can use this one, because it's a legitimate tool that doesn't ring the bell right away. So, again, yes, they like to use that. Also, sorry, I'm already stepping away from the topic. We also saw one of the reports, it wasn't a direct case in my company, where the threat actors created a website. It's not malware or anything; I mean, the malware came later with the package, it came with a Trojan. But they created a website that promotes a remote monitoring and management tool. I forgot the name, but it sounds like a legitimate tool. You go to the website, you think it's fine. So they even went to that level that, I think, it even pops up in the search engine like a legitimate tool, because okay, something connects, something connects. Yeah, it sounds legitimate. I think I saw this tool before, but with just a one-word tweak, and then it's caught by the end of the day. Who researched it?
Yes, they found the RAT inside, the remote Trojan inside, so it's not a remote management tool, but you go to the website to check, and they even have a signing certificate for that. You want to check, and it still looks legitimate, but it doesn't fit the picture again. So it's not a common case, but you still have cases where these small tweaks can work, and again, they're using large language models to create this, so you might get the idea that, oh, okay, now it's all AI, it's completely new. No, there are cases like that that were interesting, but still the main attack vectors are the same. Phishing, vishing, social engineering are still very effective and still used. Leaked credentials, stealer logs, vulnerabilities and zero-days, any internet-facing application or solution, they're all there, they're still attacked. And so that's why you wouldn't be surprised that certain vendors are mentioned all the time, and it's still not patched.
Pedro Kertzman: Yeah, no, that happens.
Living Off Legitimate Tools
Katya Kandratovich: No, that's why it's still there. It's not due to sophistication sometimes, but there are certain gaps, certain lapses. So, yes, they're becoming sophisticated in trying to find, as native tooling is really hard to catch. And the latest one, the attack we have, Talos, right? The one that Shiny Hunters made; they claim they took such a huge amount of data. I was like, I can't even imagine how you can store it and take it. But it also was without any malware; they used the native tool, they used Microsoft Intune to do what they needed to do without even installing any malware. Regarding that, yes, the pressure point, and Talos is actually a good example, because a wiper was used. We saw, you get it, that the wiper is more like something used by state actors, right? More on industrial infrastructure, it's more like that. So maybe it might. I mean, the threat actors who performed the attack are still not the ransomware threat actors that we're used to. They're more categorized as hacktivists and also state actors, but still it might give an idea that, oh, I'm sorry, I'm confusing it with Stryker. The Shiny Hunters one is different, so I'm confusing the two attacks. It's too new. But Stryker too is a good example that the threat actors might say, okay, yes, encryption is very damaging, it brings a lot of damage, extortion, of course. But the wiper might give them an idea, and the Stryker attack shows that you don't even need to install malware to wipe it. You can use a tool like Microsoft Intune, you can type the command, and certain hosts are completely wiped, and so that might also be used. We didn't see it used by any ransomware groups, because these attacks just happened, but wipers, that's not good, but I think it might also become one of the pressure points.
Again, Talos, we saw Shiny Hunters and Scattered Spider; they're also very good at creating pressure points, contacting the victims, contacting third parties. They're well known for it; they're not all like Scattered Spider. Sometimes they implement the encryption. Shiny Hunters, no. But what I mentioned is that their goal, and they actually post it in their campaigns, they love to create files with the contact information of the people, with a script: who you can report to, what email you should send, how you call this person. Sometimes it's not like the information they got, but they're so focused on getting the contact information about the people, because it creates a whole circle. It makes the attack even bigger, because everybody gets contacted, like, what's going on? Should we reply? How should we reply? Yes, it might not create the impact, meaning technically it might not create major interruptions. But for the people getting calls, getting emails, getting this, and if there are personal emails somehow in the shared documents as part of the documentation in the company, they might contact you at your personal email, even though the company was targeted. So this is another pressure point that can be used and is used. Maybe it can be used even more broadly, but it's used by certain threat actors, because that psychological pressure, really not many people can handle it, right? The company is trying to shield the employees, but still, if certain information is there, they will still get targeted and bombarded with emails or phone calls. This is another pressure point, and it's not new. They might add denial of service attacks. It's also part of the deal. It may have been used before. Again, it's a short-effect attack, but we're still talking about it from the psychological point of view, right?
Also, we don't need to forget, yes, there is a technical part, but at least there you're still like, I'm doing this, I'm doing this, I'm doing that. When it becomes more about the person, you don't know how you will react if it can affect you. Maybe some employees are like, okay, I'm prepared, I was informed about that, I'm fine with it. Some employees it can affect; they might even take a day off or something like that. So you will never know. And the threat actors, unfortunately, know about that. We should always, I don't want to, but we should give them credit, right? They're professionals, not all of them, but they are professionals; they know what they're doing. And when they see that it works, they keep continuing, and other groups, when they see that it works, they might sooner or later implement the same tactics. Maybe it won't be so successful, but it can also go case by case. So those pressure points are still there and it's going to evolve, because, yeah, it is successful.
Supply Chain Risks And Monitoring
Pedro Kertzman: That is the reality that we're, you know, just seeing these things. Yeah. And you were also talking about vulnerable applications. How do you see supply chain playing a role down the line, being a vector for new attacks? And is there any way that you saw in the deep web, for example, that companies could monitor to try to get a little ahead of the supply chain attacks that might be coming down the line, based on the technology stack they use, like monitoring for specific applications that could be leveraged through a supply chain attack to target them? Is there any way to get ahead of it?
Katya Kandratovich: It's a tricky question, because threat actors have become experienced about what they can share on the forums, because they know that researchers and law enforcement are there and monitoring. There are certain people, certain threat actors or users on the forums, yes, who post certain names, like, oh, I have the data or I have the access, and they actually sometimes share the solutions or applications. So you kind of can track that, but it's a small amount. Someone, yes, posts like, I have the data for this company, I have so many records, I have so many of this, and you're just like, okay, so this is a company that provides a service, so they might have other clients, so you can track that. But most of the time, I might be wrong, but what I see is that they don't like to put the names anymore, and that sometimes makes it difficult for us to track even our clients if there are any claims. They just put, for example, the sector, the field; they put what access they have or what data they have. And like, if you want more information, you can contact us and all this, but you can't contact every single username on the forums, and it's not only one forum. So they have become very good at hiding, and it's a challenge to track them. That's why private chats and rooms, when other researchers exfiltrate them, are more useful, and you will have many more results from that. Because, even though they don't give you the name, you still have more context to add things, like, okay, I think they're targeting that one. This campaign is going on. Okay, I think I know what they're talking about, just in case they don't provide the names. So, yeah, like, 100%, oh, we do this to track it? Not really, but you might get lucky sometimes.
Yes, but for the major attacks, they're usually very experienced and they don't disclose this kind of information unless there are certain private circles that you manage to get into, and then you can have some kind of context of what's going on. Yes, it can be, but it's still one of the tools to use. Yes, it's not 100% bulletproof that just monitoring the forums can give you the answer to your question, but it's still one of the tools to use. You don't need to ignore it. I know that some people think, like, oh, just monitoring forums is a waste of time. No, you can sometimes come across very useful information. Yes, private rooms, I'm all for that. It's good, but sometimes you can't get into certain circles, right? So you should work with what you have. So yes, it's hard. And supply chain attacks, like wipers, I guess we like to associate them with something state actors do. It's not. And I think one of the first threat actors that comes to mind is Cl0p, because they were very consistent with the campaigns, right? MOVEit in 2023 was big, then Cleo, then Oracle EBS, and they post the small campaigns, and it gave us a track. And it was also just one each: each campaign is assigned to a zero-day. So this is also how they get to one solution, one point, and they get all this information, and you can see how much they posted. Again, at the end of 2025, even before, in August, Salesforce, right? It didn't leave the articles, the headlines, for so long. It started with one attack, and then Salesforce was there again and again and again. It's also a supply chain attack. It doesn't mean that the vendor was breached again, but they used the information that they got to do this.
Even the Talos attack that we mentioned, these five petabytes, again by Shiny Hunters, they claim that they got it from the previous attack, the credentials that they already had from that campaign, and now they're using them for that. So even, what, six months later, right? We thought, like, oh, we're already done with this attack. No, it's like, oh no, by the way, we went through our documentation, or wherever they store the notes, we can use one more, and here you go, another headline. So they use that. That's why managed service providers are one of the targets. Because if you breach them, oh yeah, how many clients do they have?
Pedro Kertzman: Oh goodness, yeah, yeah.
Katya Kandratovich: So I think, if I'm not mistaken, DragonForce is targeting them, because if you get into just one MSP, how much damage can you do?
Pedro Kertzman: It's just bad.
Katya Kandratovich: And we know that even MSPs, the ones supposed to provide security, right, are vulnerable, unfortunately.
Pedro Kertzman: Yeah, like any company.
Katya Kandratovich: So yeah, yes, and the integrations are sometimes overlooked. Also the security controls: yes, it's a third party, but you still need to put controls in place, but sometimes it's like, yeah, it's a third-party integration. We saw that we thought we had a security control, we thought we had MFA there, but we don't have anything.
Pedro Kertzman: Yeah, no, it's really complicated, like the amount of pieces. I think you touched on a good point. Uh, the information we can get on the deep web will be part, like an extra piece of the puzzle. There's nowhere we're gonna find the answer for everything we need in a single place or see the detailed explanation. There's no documentation for that stuff, so we need to be able to collect, uh, the pieces we can get.
Katya Kandratovich: Yes, uh, supply chain is not only about, like, we breach an MSP or we breach any, like, service provider that has a lot of clients. It can be, like, for example, North Korea, China. It's more like for espionage, right? State actors, but it's still a supply chain attack when they have certain npm packages, when they were targeting developers of certain companies. It's also part of a supply chain attack. So we don't need to disregard the tools, like, oh, we just use big companies, this, no, GitHub, which everybody uses, it also can be part of the supply chain attack, because not everybody is checking all those long calls, right? Yeah, even though there are, again, recommendations that, like, if you have your GitHub and you're using it, make sure in production you don't put your credentials, don't put any code that you don't check, but situations happen. Yeah, sometimes they happen, like people just launch any packages on their work laptop, and it's right there. It seems legit, but it's also part of a supply chain attack. So we don't need to forget that, like, it's all on an industrial level or big companies level. No, something as simple as GitHub, it's also a supply chain attack.
Pedro Kertzman: Yeah, I agree.
Healthcare Becomes A Target
Katya Kandratovich: Just this one is a direction that they're putting, targeting certain people, like developers, right? Because developers have a lot of, like, rights in the system, privileges. Yeah, yeah. Privileges, so it's also a supply chain attack. So the avenues are very wide, and that's why, again, coming back to the beginning of our conversation, that, like, yes, they're trying to look for new ways to monetize the activity and the action.
Pedro Kertzman: So yeah, our day-to-day.
Katya Kandratovich: Uh, to mention also, we saw the trend about healthcare. It was like rules, right? Even around threat actors, that healthcare shouldn't be, like, touched or targeted, and even somehow there were cases when they targeted, free decryption was provided. But we just started to see that some of the groups openly posted in their affiliate rules that healthcare is no longer a red flag. Okay, it's a green flag, so it's part of the deal, you can go ahead and target them. It wasn't one of the groups in the affiliate rules. There was also another group that posted on the forums, technically saying that I will buy the access to the healthcare facilities, yes. And we also saw even discussions with certain threat actors where some of the users were saying, like, it's not right, you target the hospitals, you don't know what the consequence is. And their answer was just like, it's part of the business. If they don't care to take care of the infrastructure and the security, why should we? We just technically do them a favor by showing where you have vulnerabilities, where you have weak points, so it's up to you to pay, resolve, and then take care of your system, meaning, like, it's your fault that you don't provide the security posture at the proper level to resist this kind of attack. So, yeah, that's important. Unfortunately, it's not so widespread now, because certain actors kind of target healthcare, but more like, you know, technical, nothing to do with the hospital, but more like suppliers, like certain equipment. So it's kind of healthcare, but more like manufacturing. Yeah, yeah. But, like, certain groups, like, no, hospitals, it's open. You go ahead. It's kind of, I guess, you still don't want to believe that, because still, hospitals are hospitals.
Yes, we understand that they should have better security, should have this, but you still have the patients there, which might cause lethal cases, and there are other, like, fields you can focus on. Like, just leave healthcare alone, the kids, especially when they're posting, uh, some of the children's hospitals, like you don't have to do that, like you really don't have to do that. So unfortunately, that's what we saw, and they're posting it. I don't know if it's becoming a wider trend, but certain groups just technically claim openly that they don't mind targeting healthcare. Yeah, and by healthcare I'm talking about the hospitals.
Final Takeaways And Wrap
Pedro Kertzman: Yeah, that's really sad. I agree. Katya, thank you so much for so many insights. I really appreciate you coming to the show, and I hope we'll see you around. Thank you.
Katya Kandratovich: Thank you so much, Pedro. It was a really nice conversation talking to you. Thank you.
Pedro Kertzman: Thank you.
Rachael Tyrell: And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise who would like to be interviewed on the show, just let us know. Until next time, stay sharp and stay secure.