Cyber Threat Intelligence Podcast

From Ransomware Matrices To Actionable Threat Actor Profiles (Will Thomas & Pedro Kertzman)

Pedro Kertzman Season 2 Episode 6



The fastest way to fall behind in cybersecurity is to stay reactive while attackers iterate in real time. We sit down with Will Thomas, known across the CTI community as “BushidoToken”, to get practical about what actually helps defenders: threat actor profiling that is repeatable, actionable, and built for change.

We start with how Will builds community-ready resources like the ransomware tool matrix and his threat actor profiling guide, then zoom into the Conti leaks and what hundreds of thousands of internal ransomware messages can teach us. From “salary day” breakdowns to operator behavior during major incidents, we talk about why these datasets are a gold mine and how to avoid getting lost in the volume. Will shares a concrete workflow for large-scale analysis using JSON exports, regex searches, CyberChef, and Elasticsearch so you can extract IOCs, wallets, infrastructure clues, and the higher-level “so what” that drives detections and threat hunting.
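The leak-analysis workflow described above, as an added example written for this page (Python; this is not Will's code and not a tool from any of his repositories). It parses a JSON message export, pulls out IP addresses, Bitcoin wallets, email addresses and CVE IDs with regexes, drops RFC 1918 and loopback hits as noise, and computes the per-sender message counts that the episode suggests doing in Elasticsearch. The export's field names ("ts", "from", "to", "body"), the four sample messages and the RFC 5737 documentation addresses in them are constructed for the example, not taken from the Conti or Black Basta leaks.

```python
import ipaddress
import json
import re
from collections import Counter, defaultdict

# Constructed stand-in for a leaked chat export. The field names are an
# assumption about the export format, not the schema of any real leak.
SAMPLE_EXPORT = json.dumps([
    {"ts": "2021-07-01T09:12:00", "from": "manager1", "to": "ops",
     "body": "salary day: paid 0.02 BTC each to bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq "
             "and 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"},
    {"ts": "2021-07-01T10:05:00", "from": "pentester3", "to": "manager1",
     "body": "new server 198.51.100.45 is up, C2 on 203.0.113.2:443, mail me at ops@example.net"},
    {"ts": "2021-07-02T11:40:00", "from": "pentester3", "to": "ops",
     "body": "they patched cve-2021-34527 but CVE-2020-1472 still works on the DC"},
    {"ts": "2021-07-02T12:00:00", "from": "manager1", "to": "pentester3",
     "body": "loader version 1.2.3 is staged on 10.0.0.5, internal box only"},
])

# All groups are non-capturing so re.findall() returns the whole match.
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE),
    # bech32 (bc1...) or legacy base58 (1.../3...) Bitcoin addresses
    "btc": re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
}

# Internal, loopback and link-local ranges are chatter, not infrastructure leads.
NOISE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def load_messages(export_json):
    """Parse the export and keep only records that actually carry a body."""
    return [m for m in json.loads(export_json) if isinstance(m, dict) and "body" in m]


def is_noise_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NOISE_NETS)


def extract_iocs(export_json):
    """Return deduplicated IOCs by type, message counts per sender, and every hit
    with its timestamp and author so a finding can be traced back to a message."""
    found = defaultdict(set)
    by_sender = Counter()
    hits = []
    for m in load_messages(export_json):
        by_sender[m.get("from", "?")] += 1
        for kind, pattern in IOC_PATTERNS.items():
            for value in pattern.findall(m["body"]):
                if kind == "cve":
                    value = value.upper()
                if kind == "ipv4" and is_noise_ip(value):
                    continue
                found[kind].add(value)
                hits.append((m.get("ts"), m.get("from"), kind, value))
    return {
        "iocs": {kind: sorted(values) for kind, values in found.items()},
        "by_sender": by_sender,
        "hits": hits,
    }


def grep_messages(export_json, pattern):
    """Keyword search across all bodies: tool names, CVE IDs, hostnames, etc."""
    rx = re.compile(pattern)
    return [(m.get("ts"), m.get("from"), m["body"])
            for m in load_messages(export_json) if rx.search(m["body"])]


if __name__ == "__main__":
    result = extract_iocs(SAMPLE_EXPORT)
    for kind, values in result["iocs"].items():
        print(kind, values)
    print("messages per sender:", result["by_sender"].most_common())
    print("C2 mentions:", grep_messages(SAMPLE_EXPORT, r"(?i)\bC2\b"))
```

The regexes are deliberately loose (a base58 wallet pattern will also match other long base58 strings), so treat the output as candidates for manual review rather than a finished indicator list, which is the same point the episode makes about combining analytics with reading the messages.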

From there, we shift into emerging threats and modern intrusion tradecraft: hacktivism that ranges from empty noise to destructive campaigns, EDR bypass techniques like bring-your-own vulnerable drivers and “EDR-on-EDR” tactics, and the steady rise of legitimate tools abused for access. We also dig into identity-led attacks where stolen credentials, social engineering, and SSO platforms like Okta can make endpoint controls less decisive. Finally, we unpack threat intelligence exchange beyond IOC feeds, including why STIX/TAXII still matters, how data quality and freshness drive results, and why a bidirectional TIP and SIEM relationship enables better correlation and “sightings.”
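The bidirectional TIP and SIEM relationship described above, as an added example written for this page (Python; it is not Will's or Team Cymru's code). It shows both directions: hunting forward, where only indicators still seen active recently go onto a watchlist, and hunting backwards, where alerts the SIEM already stored in the TIP are matched against newly arrived intelligence inside the indicator's activity window to produce sightings, which are then shaped as a minimal STIX 2.1 Sighting object for pushing back to the TIP. The alert and feed records, the fixed clock, and the indicator reference ID are all constructed for the example; real TAXII payloads carry more properties than shown here.

```python
import uuid
from datetime import datetime, timedelta, timezone


def utc(s):
    """Parse an ISO 8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Fixed clock so the example is deterministic (an assumption for the example).
NOW = utc("2025-05-15T00:00:00")

# Constructed SIEM alerts that the SIEM has already pushed into the TIP.
# Sources are RFC 1918 hosts, destinations are RFC 5737 documentation addresses.
SIEM_ALERTS = [
    {"ts": utc("2025-05-01T08:15:00"), "src": "10.20.0.7", "dst": "198.51.100.23", "rule": "outbound-rare-port"},
    {"ts": utc("2025-05-03T22:40:00"), "src": "10.20.0.9", "dst": "203.0.113.77", "rule": "dns-tunnel-heuristic"},
    {"ts": utc("2025-05-10T02:05:00"), "src": "10.20.0.7", "dst": "192.0.2.10", "rule": "outbound-rare-port"},
]

# Constructed feed entries as a TIP might hold them after unpacking a TAXII
# collection: when the provider first and last saw the indicator active.
FEED = [
    {"indicator": "198.51.100.23", "first_seen": utc("2025-04-28T00:00:00"), "last_seen": utc("2025-05-02T00:00:00"), "label": "c2"},
    {"indicator": "203.0.113.77", "first_seen": utc("2024-11-01T00:00:00"), "last_seen": utc("2024-11-20T00:00:00"), "label": "scanner"},
    {"indicator": "192.0.2.10", "first_seen": utc("2025-05-09T00:00:00"), "last_seen": utc("2025-05-14T00:00:00"), "label": "c2"},
]


def fresh_watchlist(feed, now=NOW, max_age_days=7):
    """Hunting forward: only indicators seen active within max_age_days go on the
    SIEM watchlist, so an IOC from last year's blog post does not page anyone today."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(e["indicator"] for e in feed if e["last_seen"] >= cutoff)


def find_sightings(alerts, feed, slack_days=2):
    """Hunting backwards: a stored alert whose destination matches an indicator and
    whose time falls inside the indicator's activity window (plus slack) is a
    sighting. A match outside the window (the 203.0.113.77 alert here) is a
    stale-IOC coincidence and is ignored."""
    sightings = []
    for e in feed:
        lo = e["first_seen"] - timedelta(days=slack_days)
        hi = e["last_seen"] + timedelta(days=slack_days)
        matched = [a for a in alerts if a["dst"] == e["indicator"] and lo <= a["ts"] <= hi]
        if not matched:
            continue
        sightings.append({
            "indicator": e["indicator"],
            "label": e["label"],
            "count": len(matched),
            "first_seen": min(a["ts"] for a in matched),
            "last_seen": max(a["ts"] for a in matched),
            "hosts": sorted({a["src"] for a in matched}),
            "rules": sorted({a["rule"] for a in matched}),
        })
    return sightings


def to_stix_sighting(sighting, indicator_ref, now=NOW):
    """Shape a sighting as a minimal STIX 2.1 Sighting SRO to push back to the TIP.
    Only the common properties are set; the object is not schema-validated here."""
    def stamp(d):
        return d.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "sighting",
        "spec_version": "2.1",
        "id": f"sighting--{uuid.uuid4()}",
        "created": stamp(now),
        "modified": stamp(now),
        "sighting_of_ref": indicator_ref,
        "first_seen": stamp(sighting["first_seen"]),
        "last_seen": stamp(sighting["last_seen"]),
        "count": sighting["count"],
    }


if __name__ == "__main__":
    print("watchlist:", fresh_watchlist(FEED))
    for s in find_sightings(SIEM_ALERTS, FEED):
        print("sighting:", s["indicator"], s["label"], s["count"], s["hosts"])
```

The two knobs worth tuning are the watchlist age (how fresh an indicator must be before it is allowed to generate alerts) and the slack around the activity window (how much clock skew and reporting lag you tolerate before a match is called a sighting); both are where the episode's "data quality and freshness" point turns into a concrete setting.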

Subscribe, share the episode with your team, and leave a review, then tell us: what part of your threat intelligence program needs the biggest upgrade right now?


Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast. We’d love to hear from you. If you know anyone with CTI expertise who would like to be interviewed on the show, just let us know. Until next time, stay sharp and stay secure!

Why Proactivity Matters

Will Thomas

The only way to really get ahead of some of this stuff is to just be more proactive.

Meet Will Thomas

Rachael Tyrell

Hello and welcome to episode six of season two of your Cyber Threat Intelligence podcast. Whether you're a seasoned CTI expert, a cybersecurity professional, or simply curious about the digital battlefield, our expert guests and host will break down complex topics into actionable insights. On this episode of season two, our host Pedro Kertzman will chat with Will Thomas, known across the CTI community as BushidoToken. Will is a senior threat intelligence advisor, SANS FOR578 co-author and instructor, and co-founder of Curated Intelligence. He holds a Bachelor's degree with Honours in Computer and Information Security, has contributed to the MITRE ATT&CK framework, and is the creator of the Ransomware Tool Matrix, the Ransomware Vulnerability Matrix, and the Russian APT Tool Matrix. Over to you, Pedro.

Pedro Kertzman

Will thank you so much for joining the show. I'm really happy to have you here.

Will Thomas

Thank you very much, Pedro. It's nice to meet you and uh thanks for having me on.

Pedro Kertzman

Man, it's my pleasure. I took notes here because I have to remember them all. You built the Ransomware Tool Matrix, the Vulnerability Matrix, the Breach Report Collection, and then also the Threat Actor Profiling Guide and the Curated Intel exchange. That's a lot for a single person. A few questions around those. First, do you ever sleep? That's the most important one. No, just joking, but do you still see CTI teams on average being generic, I would say, still dropping the ball a little bit when it comes to threat actor profiling? And if so, what would be the recommendation? Not only on the technical parts of profiling, but then the next step: the so what, how are you going to use that information upstream? Any insights around that?

Conti Leaks And What They Revealed

Will Thomas

Yeah, that's a good question. I appreciate you sharing my blogs and my projects and stuff. I usually create those whenever I see that the industry is maybe struggling with something, and I feel like I've come up with a way to do something that I see others doing. I take feedback and discuss with people, and then I go away and create something, and then I just release it. And then from that, other people give me feedback on how they use it. So the Ransomware Tool Matrix is one that has done particularly well. People have really appreciated the free knowledge, the knowledge graph, and the knowledge sharing there. And it's similar to open source software in a way: you've got multiple contributors contributing to something. I was the one that kicked it off and put all this knowledge in one place, and then other people started contributing, which is great. But the funny thing is, a lot of this knowledge comes from other open source reports. So I would use sources like CISA, the US Cybersecurity and Infrastructure Security Agency, The DFIR Report, other vendor blogs, and all sorts of stuff. But I just put it all together, categorized it, and made it much more usable and actionable as a single source to go and get that information. It's very similar with my Threat Actor Profiling Guide, in that I read a lot of blogs on a daily basis, right? And I have to try and figure out what I'm going to do with that information. And essentially, there is no real standard way to write a threat report or a blog about a threat actor.
Everyone's doing their own take on things, and even CTI teams in internal organizations are doing things their own way, which can be fine, but sometimes you get some really bizarre deviations from that. Sometimes it can be not enough information, it's too brief, so you're just left asking lots of questions, or other times it can be so long, a hundred plus pages, that you're never really going to have time to actually go through all of that, because you have five other things to do that day. So it's all about striking a balance in many of those cases. So some of the guides and templates I've put together help researchers make sure that they're hitting the right notes to benefit the broadest target audience.

Pedro Kertzman

Got it. That's great insight, thank you. And also, you spent, I think it was a few months, going through 250,000 messages from the Conti threat actor. A few questions around it. Actually, again, do you ever sleep? No, just kidding.

Will Thomas

I can't confirm I do actually sleep sometimes.

Pedro Kertzman

Oh my goodness, that's a lot of messages to go through. It's fair to say that you probably know more about Conti than any other person I know, honestly. And just out of curiosity, were you the one publishing, or the first to spot, that famous EDR bypass list that Conti got famous for releasing on the dark web?

Will Thomas

Yeah, so let's break down what the Conti leaks were for those who've never heard of it. Essentially, it was the most prolific ransomware gang at the time. They're Russian speaking and based in Russia, but they are known to have affiliates elsewhere, some in Ukraine. So when the war kicked off in February 2022, the gang kind of split, or one of the members of the gang, or a researcher who had managed to infiltrate it (we still don't know the true origin story publicly), decided to leak all of those messages, hundreds of thousands of messages. And as a result, the gang ended up shutting down. But for researchers, it was a gold mine. It was a gold mine of tools, tactics they used, how a gang like that operates. One of my favorite parts of the leak was this one message by one of the managers of the ransomware gang, because they ran it like a business, right? So they had managers and analysts and, you know, pen testers, they used to call them. They used to think they were a legit business, but obviously they were a ransomware gang hitting hospitals and stuff. One of the managers posted a message called "salary day", where they actually broke down how much they were spending to pay all of their employees' salaries. People were getting like a thousand dollars a month in Bitcoin. And then it also broke down how much they were spending on servers. There were hundreds of Bitcoin wallets in the leaks. So my friends and contacts in the blockchain analytics companies, Chainalysis and TRM Labs and others, had an absolutely great time analyzing those.
And then as a result of the leaks, we also saw a number of members get indicted and added to the FBI most wanted list and sanctions lists and things like that. So it was a huge benefit for us as researchers for something like that to happen. And the same thing happened with a spin-off group called Black Basta, around a year ago, I believe. And again, I went through the messages. This time I didn't go through every single one, but I was able to break down one of their largest attacks, which was on a healthcare organization called Ascension Health, in my personal blog. I broke down them walking through that attack. So you could see them writing and typing their messages as they were doing the attack, and their reaction to the news coming out, their reaction to what the negotiators were saying. So it was a really crazy inside look at what it's like to be an operator during one of those major incidents. And I'll just say they didn't really handle it very well.

Pedro Kertzman

Got it. With this experience of going through thousands and thousands of messages, any best practices or lessons learned for people planning or going through this right now, whoever the threat actor might be? Not on the technical intricacies or the valid findings, but how not to get lost in that volume, and to always have in the back of your mind how you're going to generate intel from it, the so what, the next steps after you come off of that digging activity.

Will Thomas

Yeah, sure. When you're dealing with a big list of files like that, a big list of messages, the messages come in a JSON format, and it's pretty straightforward to analyze. I actually ended up using an IDE like VS Code, because you can split off files and you can do regex searches in that. I do recommend using an open source tool by the UK's GCHQ called CyberChef. You can regex for things like IP addresses, Bitcoin wallets, email addresses, and really quickly filter through and find that stuff. And then you can even take it one step further and put it in an Elasticsearch database, and then you can get some stats about which member, which user in the server, had the most messages and who spoke the most, doing some analytics on big message leaks like that. There are a number of approaches you can take, but it's all about data analytics, really, at the end of the day, as well as being able to manually review that stuff.

Pedro Kertzman

Got it.

Will Thomas

Keyword searching: things like tool names, things like CVEs, all that sort of stuff.

Emerging Threats Worth Tracking

Pedro Kertzman

That's awesome. So treat it more like a database than as individual messages. That makes absolute sense. So you picked threat profiling, emerging threats, and structured data exchange from the CTI menu. Can I jump into emerging threats now? Or do you have any other things you would like to touch on from threat profiling first?

Will Thomas

No, I think that's clear. I think a combination of threat profiling, of breaking down a threat actor's intentions and motivations and their attribution, as well as their capabilities, tool sets, infrastructure, all that sort of stuff, is really important whenever you're trying to get across what type of threat actor that is and whether the organization you are helping to protect should care about it. And doing that in a templated, repeatable approach will make things a lot more manageable. So emerging threats is something that's probably been the focus of my career in cybersecurity in general. I've been working in CTI and threat hunting for coming up to seven years now. When I was at my first company, a UK CTI vendor, I helped build the threat actor database there. So already on a daily basis, we were updating a threat actor database with the newest, latest threat actors that were mentioned by the rest of the industry or governments or whoever. And that was always a fun and interesting job, because sometimes some new information comes out about a threat actor that has already been active for five, ten years. But other times it's a brand new one that is getting loads of headlines, and then eventually enough information comes out that allows you to tie it back to a known threat actor. So it was always a really fun and interesting way to profile and track threats. Nowadays, in my current day-to-day job, I do spend a lot of my time focusing on the latest and greatest types of threats. So for me, it's things like the Chinese cyber espionage campaigns targeting telcos and things, using operational relay box networks, ORB networks. North Korean IT workers is a big one as well.
So at Team Cymru, we have access to a lot of NetFlow traffic, so we can track the communications by these types of threat actors and monitor what they're doing and who they're targeting. And then also I have been doing some research into more specific cybercrime trends. So I've seen a lot of usage of AI-enabled tools, things like Claude and DeepSeek and MCP servers and jailbroken stuff. I'm seeing a lot more cyber criminals using that to automate attacks and build up what they have access to by scanning and exploiting things on the internet.

Hacktivism Ranges From Noise To Harm

Pedro Kertzman

Yeah, that's a great point. I think you have ongoing research on Cyber Strike AI, isn't it? That's right. Yeah, that's a really good one. We can put a link in the description of the episode so people can check it in more detail. And you were talking about your background with threat actor profiling, just to link here: if anybody's doing that in-house, treat all that work not as a document but more like a living organism, because those guys change, right? Conti got, quote unquote, busted, but those guys are around. Unless they are arrested, they're around, they will shift, and they will carry their favorite tool sets, techniques, and so on. So you kind of need to reorganize or reshift stuff if you're doing that in-house. It's important to keep that in mind. A little bit mixing threat actor profiling and emerging threats: I remember you also published about the noise that some hacktivist groups were creating in the Middle East. Have you ever tried to put together, or thought about, whether all hacktivist groups are created equal? Whether all of them in certain regions, you name it, are mostly noisy, or some of them are more serious about their claims or more skilled to actually go and do something else other than the noise? Any insights around that?

Will Thomas

Yeah, I think hacktivism is kind of like a sliding scale of the seriousness of a hacktivist group. Some of them are just noise making, don't really have an impact on anything. Maybe they have a Telegram channel where they claim they do stuff, or a Twitter account where they post that they're going to attack something.

Pedro Kertzman

Yeah.

Will Thomas

So the Handala Hack Team, which has been linked to Iran, is very active on social media, but half the time I'm not sure really how effective their attacks have actually been. It's nothing really ultra severe so far, just seems to be a lot of noise. And then from Russia, we also see a hacktivist group called DDoSia, linked to NoName057(16). They're building up their sort of crowdsourced DDoS-style attacks and stuff. But the amount of time that those attacks cause issues for their targets, we're talking minuscule amounts, really, an hour or so at a time. It could be a problem for e-commerce or certain sectors, but most of the time it's barely a blip on the radar. And then other times you actually see very severe hacktivism-related stuff. One of the hacktivist groups that I've tracked in the past is a group called the Belarusian Cyber Partisans. These are Belarusian dissidents, some of whom are living in other parts of Europe or even the US, and they have been launching destructive attacks against the Belarusian government in protest at the regime. So I would say they're more at the higher end of the severity of hacktivist groups. The interesting thing about hacktivist groups is that they're usually just a front for a nation state launching its own campaigns. There are not many that are truly some sort of non-profit group or some idealist ideologue or lone wolf or something. Usually they are just some sort of front for a nation state, probably more often than not, to be honest. Years back, we had some famous hacktivists like Phineas Fisher, or there's another one in South America called Guacamaya.
Hacktivism is a super interesting topic, but there are all sorts of different types of groups there.

EDR Bypasses And Identity Led Intrusions

Pedro Kertzman

No, I love the sliding scale analogy. Still on emerging threats, I think you also published something about some blind spots for EDRs: they just don't go after certain application dependencies and things of that nature, other applications that are supposed to go through dependencies on applications, that are not really security products. I think that was one of your predictions for the year. Have you seen things going down this path, like more exploits coming from threat actors using this type of security blind spot?

Will Thomas

Yeah, definitely. EDR has been a big challenge for threat actors and they've had to evolve, right? No longer can they just land on an endpoint via phishing or something like that. Those types of attacks are no longer seen as advanced in any way. Everyone has email gateways and everyone has EDR these days. So honestly, we've seen a lot of threat actors running what you call bring-your-own-vulnerable-driver attacks, where they take a driver, sometimes from some sort of graphics driver or something like that, that has some sort of privilege escalation bug in it, and they deliver that to the system. It's a legit file, it's a safe file, but then they exploit it to gain privileged access, and then they will terminate the processes running security software on there, like an EDR agent, using system- and kernel-level access. The other thing that we have seen is something called bring your own EDR, or EDR-on-EDR violence, as other people are calling it, where essentially if you run a trial version of an EDR and then you deploy that agent on a system that has another agent deployed on it, you can actually terminate that other agent with your agent. So it's not actually that difficult to do, right? And it helps you get around these advanced controls, just because you have that privileged access. But to be able to do that, you do have to have some sort of foothold on the system first. So it's not an immediate bypass for EDRs; it's something that a threat actor does in a later stage of the attack, but that's one way that they've been getting around it.
Another way that we've seen threat actors getting around EDRs and antivirus is using remote monitoring and management tools, things like TeamViewer and AnyDesk, and these tools are used by a whole host of threat actors. You know, we mentioned my Ransomware Tool Matrix. There's probably about 20 plus threat actors using AnyDesk, according to the matrix and the data. So if you see that on an endpoint, the threat actor is not necessarily going to be detected, because again, it's a legit tool, but it can be used maliciously. So we've seen quite an interesting trend towards getting around these systems. Other times, we've seen threat actors just trying to avoid running malware in any case. They have been going down the route of using legit tools, gaining elevated privileges by using stolen credentials, and then just pivoting throughout an environment that way. Scattered Spider-type threat actors, threat actors from the Com, ShinyHunters, groups like that, and adversaries like that are doing a lot of social engineering to trick someone into giving them a credential, giving them a token, or running something on their behalf by calling them up and pretending to be IT support, or some other technique that they can use, such as SIM swapping, to take over accounts. And then once they've got that sort of corporate-level identity compromise, they can log into things like Microsoft Teams, they can log into things like Slack, they can then authenticate to SSO applications like Okta, and then they can authenticate to whatever else that single sign-on has access to. And then they can find other credentials, they can find other files, they can pivot into ESXi hypervisors and stuff. And once they're on there, then they launch the ransomware, right? Or then they download some data.
So EDR is not necessarily going to help you with some of that stuff, because it's all at the identity level.

Fixing Threat Intel Exchange Beyond IOCs

Pedro Kertzman

Absolutely. Yeah, it's more complicated. Whenever they're leveraging any sort of supply chain strategy or just stolen credentials, it's a very fine line between being on the false positive side and really detecting something that can lead to a real problem. If we can move to structured data exchange: I would say on average, and I don't like averages a lot, but I still see, when we're doing threat exchange, a lot of feeds these days still focusing heavily on IOC exchange. And the STIX format is so much more than that, right? We have campaigns, intrusion sets, actors, a gazillion other fields that could be leveraged for a better picture, I would say. But is it a STIX problem, a quote unquote technical exchange problem, like is it the best format? Or is it just that companies are not being as diligent in filling in the information required to have good, complete information flowing through TAXII servers? Where do you see how we can improve that? And first, of course, if you agree we're still heavily focused on IOCs, and if so, how could we improve from there?

Will Thomas

Yeah, I would say I am getting a lot more interested in the topic of threat intelligence exchange with my job at Team Cymru. My job as an advisor is to help people leverage our data. I joined Team Cymru last year in April, and ever since then I've been working with our customers and talking to prospects as well. And it's really fascinating to learn about what setups they have. A lot of the time, a lot of big companies will have a threat intelligence platform, but it won't be fully operationalized, right? They may have it turned on, they may have one or two feeds coming in, but then the TIP may not actually even be hooked up to their SIEM, or hooked up to their EDR. It's just sitting there, not doing anything. And it's pulling in IOCs that were just mentioned on a blog somewhere. You don't know whether that IOC is actually still malicious. And it's just going to be a false positive generating machine. So I've been getting really interested in this topic. And I guess the number one thing for people who are thinking about running a threat intelligence platform, thinking about overhauling their program around threat intelligence platforms and stuff, there are two things I've seen. So number one, I've seen people ingesting feeds. This is why the STIX format is important, because it's a standardized format that you can use across all sorts of tools. So for us as a CTI provider, it's super useful, because then we don't have to go and build a custom integration for every single SIEM and SOAR and whatever else, and every TIP out there. Everyone is all working on the same level.
Those systems may have some sort of custom field mapper and parser and stuff, but ultimately you have to use that STIX/TAXII format. So I would say it is important. What's actually more important is the quality of the data and how fresh that data is. So for us, for Team Cymru, we are scanning the internet on a daily basis, we're collecting NetFlow logs on a daily basis, and we're enriching those logs with our analytical research fingerprints and algorithms. So we're tagging things as malicious, as suspicious, based on either the NetFlow behavior or the attributes of the IP address. And that can be really useful, because you're ingesting this intelligence on a daily basis into your logs, and if something's tagged as malicious today, it's actually still currently malicious, and you should go and check out what that connection is. Rather than: a research team did some great research, they put a blog out, they shared some IOCs, but those IPs are no longer even used by the threat actor. And then when you ingest them into your TIP, the other thing is that maybe you're only alerting forward. So you ingest them into the TIP, and then you add them to a watch list, and now anything generated doesn't necessarily mean that there's a threat actor, right? So the other thing to do is to have a bidirectional TIP and SIEM relationship. So every time your SIEM has some sort of alert, maybe over some sort of threshold, it should be going into the TIP and stored there, so that when new intelligence comes out, you can correlate those two things together. So this IP was in an alert two weeks ago, some new intelligence came out and said they saw that this thing was malicious two weeks ago. Now you can correlate, and we call those sightings.
So that's a really important part of a threat intelligence program that I'm not seeing a lot of organizations fully utilizing. So there's the hunting backwards, those sightings, and then hunting forward with the daily threat intelligence feeds.

Pedro Kertzman

That's awesome, that's great insight. Thank you, Will, really nice conversation. Any final thoughts for the listeners?

Will Thomas

Final thoughts. I'd just say there's so much going on in the world this week with the Iran conflict, the AI enablement of cyber criminals, things seem to be getting faster and faster. And honestly, the only way to really get ahead of some of this stuff is to just be more proactive: building fingerprints, building rules, doing threat hunting. If your organization is a sizable entity and you're not threat hunting, your IR team, your analysts are just going to get burned out, because the cyber threats are speeding up, they're coming at you from all sorts of different directions. And if you're not proactively getting ahead of them, you're just going to run out of time.

Pedro Kertzman

Yeah, that's absolutely right. And thanks for bringing that up. Will, thank you so much for so many insights. I really appreciate you coming on the show, and I hope I'll see you around. Thank you.

Will Thomas

Appreciate it, Pedro. Thanks for the opportunity.

Pedro Kertzman

Thank you.

Rachael Tyrell

And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise who would like to be interviewed on the show, just let us know. Until next time, stay sharp and stay secure.