Defenders are overwhelmed by the exponential growth of data, alerts, and responsibilities they’re tasked with, a trend expected not only to continue but to reach massive proportions.
Given this trend, priorities are shifting toward investing in threat intelligence at unprecedented levels.
Yet, building a successful cyber threat intelligence program is a process and not a single event.
In this episode, Chris Roberts and Dov Lerner, Cybersixgill’s Security Research Lead, give practical advice for the journey towards building the cyber threat intelligence system of tomorrow, one that can manage a continuous stream of breaches.
They uncover how to maximize your success in designing, implementing, and obtaining the most value from a cyber threat intelligence program.
See you in the dark.
Name: Dov Lerner
What he does: Dov is the Security Research Lead at Cybersixgill.
Noteworthy: Dov’s background is in military threat intelligence.
Where to find Dov: LinkedIn
🎙️ The US Government is against ransomware.
As Dov explains, a significant challenge ransomware operators will soon face is that they will have to contend not only with individual companies but also with the government.
”The U.S. Federal Government is becoming more and more involved. They’re treating ransomware as a higher-level type of attack. They have an FBI task force treating it as if it’s terrorism. And there have been some mysterious events where similar [ransomware] groups have just vanished or apologized.”
🎙️ C-level executives must think about cybersecurity.
In the past, security was the realm of armies and governments. Today it has moved into the digital space. That’s why companies, and especially their executives, must think about establishing systems and hiring professionals who can help them understand, prevent, and protect themselves from cyber attacks.
”Nowadays, any company, any organization needs to buy their own ‘tank’ as foreign adversaries might be attacking a private company because they might have intellectual property or have some sort of data they want. And that’s a very big game changer. That’s something that shifts the world of the CEO.”
🎙️ Every organization should have an intel team.
Although threat intelligence is not a novelty, not many companies have a dedicated team for it. Those considering creating one should know that the job of an intel team is not to write tedious reports; the job of intel analysts is to bring cybersecurity closer to the organization.
”It’s a lot more about people and processes than technology. The organization needs to understand that this is here to help us maintain it [security] and understand the risks to every department. And we need to be receptive to what they’re saying. We have to listen to them and give them feedback; we have to give them directions.”
Intelligence Is Processed Information That Fulfills an Organizational Requirement
”There are two things. One, it can’t be theoretical information that someone says, ‘Hey, this might be interesting for you.’ The organization needs to want this intelligence. They need to request it. There are priority intelligence requirements. So that’s important.
And second, it has to be processed. The intel analysts can’t just be a pipe where one can go, ‘Okay, I found this piece of raw information, and I’m just going to dump it at your feet, and you figure out what to do with it.’ Intel analysts need to understand the entire threat landscape and the organizational profile. They should be able to process the intelligence, find the intelligence that’s relevant for the organization, and deliver it in a way that the consumers can understand.”
The Rise of an Underground Ransomware Economy
”One of the things that I’m finding on the underground dark web is just how much ransomware has proliferated. And not only ransomware, but I would say the underground ransomware economy.
So, in the underground, access sells — access to sites. So someone might be able to distribute malware onto a system, establish a backdoor to the system, and then hack the system themselves to go in and decrypt. Or they can sell access on what are called remote access markets or initial access brokers, same thing.
We found that initial access sales in the underground rose tremendously from 2019 to 2020 to 2021.
So, in 2020, remote access to compromised endpoints was 937,000, and we’re talking about 4.28 million in 2021. So that’s a rise of 357%. That’s a very, very big number. It’s a huge rise.
So not only are we seeing more ransomware attacks, but we’re also seeing the entire underground economy shift towards providing the tools and services necessary for deploying major ransomware attacks.”
Most Companies Still Don’t Have an Intel Team
”It’s a new field, and organizations are just learning how to do it. And not every organization has an intel team, maybe. Yes, the Fortune 100 and the Fortune 500 companies might have these teams, but it’s not a fixed role that every organization knows that they need to have.
It’s also not a role where there’s clarity around what we need to do with it, right? An accountant knows how to crunch numbers, and the accountant understands that there are certain rules and frameworks about how to be an accountant. It’s an old profession, with very clear boundaries and guidelines on how to act.
Intelligence teams are completely different from one organization to another. They’re trying to figure it out right now. It’s a profession that’s being written.”
[00:00:00] Dov Lerner: Security used to be the realm of governments and the realm of armies. ‘Cause, I mean, you know, the attackers are only coming in across the border somehow, and nowadays, any company, any organization needs to buy their own tank, and that’s a very big game-changer. They have to think about information security in ways that they didn’t even, 10, 20 years ago.
[00:00:18] Dani Woolf: This is our first Geek Week episode, and Dov, you are our first Geek Week guest from Cybersixgill. We are going to just dive into the future of threat intelligence, so before we do that, though, um, Dov, why don’t you give us a little bit of your backstory? Who are you? What does Cybersixgill do, and why did you get into threat intel?
[00:01:20] Dov Lerner: So, my name is Dov Lerner, uh, originally from Boston, but I’ve been living in Israel for the last 12 years. I am Cybersixgill’s security research lead. So, my background is actually in military threat intelligence, and then, uh, honestly, I was drawn to cybersecurity, information security, because I realized what this means for the world, that information technology, I think, is revolutionizing the world,
[00:01:45] Dov Lerner: but information security, I think, is also a fundamental challenge to all of the good that Infotech can bring. So, I, uh, came over to threat intelligence because I think it’s the natural field to really understand who the attackers are, what are they doing and how can organizations best protect themselves.
[00:02:01] In terms of Cybersixgill, honestly, every day is different because the world of threat intelligence is different every day too, you know: looking at new threats, understanding what the emerging TTPs are, thinking of ways that we can automate providing intelligence to organizations, and really just processes, just trying to make the most of the intel that we’re collecting, and then, uh, help our customers protect themselves.
[00:02:25] Chris Roberts: Nice. Yeah, that sounds, I know that well enough. Ironically enough, we were talking about this in the previous weeks when we were discussing, you know, how and what intelligence is, what’s data. I’d be interested, obviously, you live and breathe this every single day with all the variety that comes with it,
[00:02:43] how do you define threat intelligence? Give me your thoughts and ideas around what you’re calling threat intel, cyber threat intel, whatever you would like to call it.
[00:02:50] Dov Lerner: I’ll go back to the, uh, the traditional definition of intelligence, right, which is an older term from the military. This isn’t a new field. And intelligence is processed information that fulfills an organizational requirement. So, that’s two things, right? One, it can’t be this theoretical information that someone says, “Hey, this might be interesting for you.”
[00:03:10] The organization needs to know, want this intelligence. They need to request it, right? There’s the priority intelligence requirements. So, that’s very, very important. And, second, it has to be processed. The intel analysts can’t just be a pipe where, “Okay. I found this piece of raw information and I’m just going to dump it at your feet and you figure out what to do with it.” Intel analysts need to understand the entire threat landscape, the organizational profile, and be able to process the intelligence, find the intelligence that’s relevant for the organization, and deliver it in a way that the consumers can understand. So, cyber threat intelligence is just dealing with information security as the organization.
[00:03:52] Chris Roberts: Nice. That’s a nice way of doing it. I think when we were talking about it, it literally is taking information and going, “How do we make sense of this? How do we make something useful out of this? It’s actionable intelligence. What can we do with this amazing amount of data to give context to it for the very people that we need to help?”
[00:04:10] Dov Lerner: Absolutely.
[00:04:11] Chris Roberts: So, from that side of it, let’s take a dive back into last year, or obviously now in 2022, let’s take a look back to 2021. I’m interested in what your thoughts were looking back over the 12 months: highlights, some major developments, things where you’ve seen the world of information and intelligence morph,
[00:04:33] and then, you know, let’s talk about 2022 and 2023 and beyond as we go through this.
[00:04:38] So, I’m guessing people are tired of hearing about ransomware, but ransomware’s not tired of hearing about everyone else. Uh, but it’s still happening. Yeah.
[00:04:48] Dov Lerner: It’s still happening, ransomware, like, same as COVID, you know, you can’t shake it. We want it, like, “Okay, the year shifted from one to another, now we can talk about something new.”
[00:04:58] No, we can’t. I mean, one of the things that I’m following on the dark web, on the underground, is just how much ransomware has proliferated, and not only ransomware but, yeah, I would say the underground ransomware economy. So, on the underground, actors sell access to sites, right? So, someone might be able to distribute malware onto a system, establish a backdoor on the system, and they can
[00:05:24] Dov Lerner: now hack the system themselves, go in and crypt, or they can sell access on what’s called remote access markets, initial access brokers, same thing. What we found is the rise of initial access sold on the underground from 2019 to 2020 to 2021 was tremendous, right? Meaning, uh, here, let me actually pull up the numbers.
[00:05:46] So, in 2020, remote access to compromised endpoints, there were 937,000, and we’re talking about 4.28 million in 2021, so that’s a rise of 357%, right? That’s a very, very big number. It’s a huge rise. So, not only are we seeing more ransomware attacks, but we’re seeing the entire
[00:06:08] Chris Roberts: Yeah.
[00:06:08] Dov Lerner: underground economy shifting towards ransomware, towards providing tools and services necessary in ransomware attacks.
Chris Roberts: As you said at the beginning, unfortunately, people are probably fed up of hearing about ransomware statistics. As you’ve said, this is a ridiculous, ever-increasing issue that we’re dealing with. You’ve gone from 7, 800,000 to 4-plus million.
[00:06:33] Chris Roberts: My concern is, as you’ve said, the adversaries and the attackers in the scene are starting to build up these amazing systems. Do me a favor, dig into that a little bit, ’cause I think for some of the audience, this is where I like helping people understand the story of this. Give them, when you talk about that, what exactly are you seeing and how are you seeing this?
[00:06:56] Dov Lerner: This is the general chain that we see on the underground before an attack. Again, the story is the initial access: we’re talking about, for 10 dollars, someone can buy access to an endpoint. That’s not that much money. Now, the $10 won’t guarantee that it’s an endpoint for an enterprise system, right?
[00:07:17] It doesn’t say what network it’s connected to, but there are clues. For example, it will explain which cookies are installed on the computer, which resources are logged in. So, for example, if I see that there’s a Slack login, chances are it’s a business computer and not a personal one, same for Microsoft Teams or Zoom.
[00:07:35] So, there are clues there. In fact, we can sometimes even tell which company it is, because a Slack link might include the name of the company, or a Citrix one, so we can actually figure that out. That’s all it takes. Once a ransomware group decides to go shopping, they’ll spend $10 on access to one, or probably they’ll buy many, many; they’ll just do an automated scan of whichever endpoints they’re able to infect,
[00:08:03] Dov Lerner: then they say, “Okay, now where do we go from here? Can we get from this endpoint, first of all, where we’re located, right?” This discovery phase of an attack: where am I located, on whose system am I sitting, what are the privileges of the system, the network, and then whether they can go from there and spread around the entire network, find the company’s crown jewels, the database, confidential emails, private information, things like that,
[00:08:29] then they’ll just basically exfiltrate the information, encrypt everything, and then demand the ransom and threaten to share all the exfiltrated information. So, it’s a well-oiled machine.
[00:08:42] Chris Roberts: Yeah. I mean, and actually, it’s interesting ’cause I know, years ago, when we were on the pointy end of this, where you are now, at that point in time, they weren’t at a point where they were basically handing the endpoint over on a silver platter. They were selling the platforms to allow you to do that: you’d buy the platform to run the command and control centers, the platform to deploy the access, the platform to basically break into the system.
[00:09:09] That was one or two levels further back, and now they’re just handing you, basically, the corporation on a silver platter.
[00:09:18] Dov Lerner: So, that’s, that’s, I would say the dark web in a nutshell, right? The dark web isn’t this crystal ball where you can tell the future, that’s a big misconception. The dark web is a place where people bring their tools and their services and collaborate with one another. So, I would say you can take any type of attack and look at the same exact chain.
[00:09:38] Right? For example, SIM swapping. I did a report on this, so I’m, you know, versed in the underground chatter on SIM swapping. Let’s say I want to intercept someone’s, um, multi-factor authentication, right? Because
[00:09:49] Chris Roberts: Yeah,
[00:09:49] Dov Lerner: if I want to log into their bank account, I also want the SMS. On the underground, there are many ways to do that.
[00:09:54] Right? I can buy their identity information, I can therefore impersonate them. I can find an insider at Verizon or AT&T and have them port the number to me, ’cause that works, that happens. I can also log into their online phone account and get their SMS from the browser, so there are many ways to do it.
[00:10:14] And people are offering their goods and their services for sale, and then other people are saying, “You know what? Once you get to the bank accounts, we specialize in cash out.” The cash out is basically draining a compromised account of its money, because that also takes skills, expertise, to know how to do that without triggering a tripwire.
[00:10:32] Dov Lerner: And then someone else will say, “We specialize in transfers,” which is how they take that bundle of cash from wherever it is, move it somewhere else, launder it, and then turn it into cryptocurrency. And so, someone with low sophistication but, you know, some, uh, appetite for crime and a few fractions of a Bitcoin in their pocket can do a lot of damage by stringing together a sophisticated attack, by just purchasing all the services necessary in that chain.
[00:10:57] Chris Roberts: I think that’s, and I think, you know, you hit the nail on the head with this one as well. We look at the open stuff. We look at what we’re doing in technology, and we see how fragmented technology has gotten there. We see how it’s almost, I buy Office as a service, I buy my backups, if I buy backups, I buy backups as a service,
[00:11:17] I buy a lot of my other things as a service. I think when we start talking about the darker side of the net, the underground, we’d be foolish not to apply those same kinds of distributed architectures to that side of the world. I think so many people still think that it’s just one or two or three individuals just clubbing together, and they haven’t figured it out,
[00:11:37] it’s an entire marketplace to, exactly to your point, end-to-end service with a fraction of a Bitcoin, I can pretty much do what I want, where I want and how I want.
[00:11:47] Dov Lerner: I mean, I imagine to myself that, you know, you have a bunch of these malware-as-a-service providers, ’cause there are a lot of them, sitting in their offices, uh, using JIRA to plan their sprints. Right, they’re agile. “No, our customer wants the module,” but that’s how it works, because they have customer-support hours.
[00:12:06] They’re posting on the dark web, but, like, you-can-contact-us office hours from 8 to 7, and if it’s something urgent, then, you know, let us know. I mean, this is how it works. Yes, it’s a real economy, it’s just an underground economy, but in some places they can act with impunity anyway,
[00:12:24] so yeah,
[00:12:25] they’re probably using JIRA.
[00:12:26] Chris Roberts: Yeah. Oh, the ads. So, and I remember years ago, we were doing some investigations, and the languages, and we’ve got another, we have another session of, of the geek side of it coming up soon, where we talk about languages and the separations with languages, and that’s fascinating because again, remember some of the early scams, the English versions of those were terrible.
[00:12:46] But then all of a sudden you had translation as a service: “You send me a fraction of a Bitcoin and a script, and I give it back to you in several different languages,” exactly how it’s meant to be for all the scams, for the phishing and everything else. And that in itself has got it. So, here’s a question for you.
[00:13:01] We know where it was and you’ve got the old guy with the extra gray hair, we know where it is, which is you at the very pointy end of things. I’m interested in your thoughts on where we’re likely to go 2022, 2023 throw literally that crystal ball out a couple of years, I’m interested what your thoughts on where we’re heading with this?
[00:13:20] Dov Lerner: So, I’m actually going to take a little bit of a contrarian view on this one. I think people like to be apocalyptic about, uh, you know, cybersecurity, these, uh, Google “Cyber 9/11,” right? You know.
[00:13:32] Chris Roberts: Oh my Gideon,
[00:13:33] Dov Lerner: Uh,
[00:13:34] Chris Roberts: blame for some, unfortunately.
[00:13:36] Dov Lerner: Exactly. People like being very, very apocalyptic because I’m sure that it gets eyeballs to, to read articles,
[00:13:43] so Cyber 9/11, Cybergeddon, Cyber Apocalypse. Okay. Although you’ll find all those terms and a lot of content written about those, I would say that the challenge that ransomware operators have right now is just like any type of crime or, you know, violence or whatever: once their heads stick up too much,
[00:14:05] right, once they are too successful, then they become a victim of their own success. And the reason for that is because instead of contending against individual companies, they’re going to have to contend against the full weight of the US Federal Government. And so, you know, again, siphoning off a little bit, it’s like the scene in Office Space, right?
[00:14:21] Dov Lerner: When you can, uh, you know, take a fraction of a penny off of every transaction, no one will notice, but all of a sudden, if you have a rounding error and you’re taking off, you know, half of every dollar or whatever, it’s a problem. So, I think we saw through several major attacks at sea, or Colonial Oil Pipeline, where they hit critical infrastructure, ’cause, say, all those attacks, the Brazilian meat processing plant as well, you know, “Don’t go after our burgers.”
[00:14:47] So, the US Federal Government is becoming more and more involved. They’re treating ransomware as a higher-level type of attack. They have an FBI task force that’s treating it as if it’s terrorism, on that same level, and there have been some mysterious events where ransomware groups have just vanished or apologized, or
[00:15:06] Dov Lerner: cryptocurrency, which we thought was a one-way thing, you pay it and it’s gone, has suddenly come back to the people that paid the ransom. And so I think that these major ransomware attacks are not sustainable because, you know, the US government is now more involved in trying to prevent these.
[00:15:23] And so I would assess that it’s probably going to go back towards the status quo ante of, you know, a year or two ago, where yes, we’ll absolutely see ransomware attacks, we’re absolutely going to see these things, but I think the publicity blitz that these groups made, that they wanted to be noticed,
[00:15:38] Dov Lerner: they want it to get the headlines. They have these dedicated leaks sites, where they
[00:15:41] wanted this media attention, I think they’re starting to realize that a lot that’s backfired. I mean, so the dark web forums don’t even allow ransomware operators to post in there.
[00:15:50] Chris Roberts: Let me throw, let me play devil’s advocate for a second on this one. So, you’ve mentioned it a couple of times, ah, absolutely correctly, which is US Government’s getting involved. We already, we’ve seen not just US government, we have five eyes getting involved, we’ve seen various other countries getting involved. In Israel, obviously from an Israeli standpoint, this is, this is a battlefront and it has been for a number of years.
[00:16:12] So, if I was a smart operator, I’d be like, “Hmm, I’m going to leave those folks alone. I really don’t need to have a top-tier country after me. I’m going to go after the secondary tier of countries. I’ll start to go after maybe those organizations in those countries where their anti-digital-fraud measures aren’t as effective, where their end-users aren’t as well trained.”
[00:16:36] Now, are you seeing anything, looking at which countries are really being targeted? And the reason I ask this is I was sitting on a forum a couple of days ago, and I’m seeing a ton of hits out in other areas of the Middle East, Dubai, UAE, Qatar, and a few of those other places are starting to almost overtake them, because they’re becoming softer and there’s less retaliation against the individuals. Are you seeing any of that?
[00:17:05] Dov Lerner: I’ve read reports about it. I haven’t seen it specifically in research that
[00:17:09] I’ve done, but that makes sense. And it makes sense also that instead of going after the critical infrastructure, because that makes a lot of noise, they would go after a mom-and-pop retailer or a local school system, a municipality. Those are softer targets that aren’t going to hack back, that aren’t worth the full might of the US Government getting involved.
[00:17:30] Right? So, yeah, going after the targets where there won’t be retaliation, makes a lot of sense. I think that’s the direction that things are headed.
[00:17:37] Chris Roberts: And let’s face it as well, and as terrible as it sounds, take a US-centric approach for a second: there are 30,000, I think, companies which would be considered, you know, Fortune X. There’s about 30,000, but there are, it’s either 30 or 31 million, the audience will have to challenge me on this one, about 30 or 31 million small to medium businesses in the United States alone.
[00:17:59] That’s a pool that, for the most part, doesn’t have anybody looking after them from a technology standpoint, doesn’t have access to a CSO or a virtual CSO, or probably half the time doesn’t even know about it.
[00:18:11] Dov Lerner: Yes.
[00:18:11] Chris Roberts: That, unfortunately, in many, many cases, when you look at the security industry,
[00:18:19] we haven’t successfully managed to crack how to deal with that in scale.
[00:18:25] Dov Lerner: So, what I like to say is, you know, security used to be the realm of governments and the realm of armies, right? And what did you do, you needed to protect your borders as a country. ’Cause, I mean, you know, the attackers are only coming in across the border somehow, and nowadays, any company, any organization needs to buy their own tank, because, you know, the government of Russia or China or whatever it is, but, you know, foreign adversaries might be attacking them, a private company, because they might have intellectual property or they might have some sort of data that they want,
[00:19:00] and that’s a very big game-changer. That’s something that,
[00:19:02] that really shifts, you know, the world of the CEO, right? Of what are my risks and all the C-levels who need to be interested in organizational risks and keeping the business going. They have to think about information security in ways that they didn’t, even 10, 20 years ago,
[00:19:18] and this isn’t a, this is a new thing. This isn’t something that they could have just learned from their mentor, uh, when they were, you know, young MBAs.
[00:19:26] Chris Roberts: Yeah. So here’s, here’s another, here’s another side to the conversations. Well, obviously adversaries are very well aware, sometimes aware that we’re keeping an eye on things. They know that threat intelligence, cyber threat intelligence, has moved out of, to your point, the domain of just the militaries and the governments, and has moved into, or is moving into more of a mainstream set of conversations.
[00:19:50] What have you seen in how they react and how are we doing at keeping up and managing to still bring in enough information to move it into usable intelligence?
[00:20:03] Dov Lerner: Well, I would say, with the shift towards discussing intelligence, right, that threat intelligence is a field, again, that came from elsewhere, and organizations need to figure out how to do it. Because again, this isn’t a traditional process, the field of cyber threat intelligence
[00:20:20] as a, you know, “we have a threat intelligence team in our company,” you know, is 5, 10 years old,
[00:20:25] maybe. It’s a new field, and organizations are just learning how to do it, and not every organization has an intel team. Maybe, yes, the Fortune 100, the Fortune 500 might have these teams, but it’s not a fixed role that every organization knows that they need to have.
[00:20:42] And, it’s also not a role where there’s a clear thing of what we need to do with it, right? And, the accountant knows how to crunch numbers and the accountant understands that there are certain rules and frameworks about how to be an accountant, you know, an old profession with a, with a very clear set of
[00:20:59] Dov Lerner: boundaries and guidelines of how to act. Intelligence teams are completely different from one organization to another. They’re trying to figure it out right now. It’s a profession that’s being written.
[00:21:09] Chris Roberts: And, and that’s, I think, that probably answers part of it, which is part of our job, it’s to almost help them understand that, come up with some baselines, come up with some things that they, that they can think about. They can, that’s part of the reason we’re doing these podcasts is to, I think, peel back that mystery and mystique and say, “Hey, this is how we do it right,
[00:21:29] Chris Roberts: this is what we’re doing. These are the things you think about and ask, and this is how you can ingest it.” And the accountant can make sense of it, and the finance, and the leadership and the technologists and the people that are just in there to do their job.
Dov Lerner: Yeah, I think, you know, how does the company measure the ROI of an intel team? Right. What are its KPIs, right? If you’re looking at your sales team, “Okay, are they closing deals? Are they not closing deals? Right? How much money are they bringing in?” And you have a target, “Are they exceeding it or not?”
[00:21:59] Intel team, you know, is it, “How many reports are out there?” Right? Because that’s a terrible metric, because they’re just going to keep on writing more and more reports that no one reads. But
[00:22:07] Chris Roberts: Oh, but that used to be the way, let’s face it. It was the suit: your success was measured on how thick that blustered report was. It’s terrible.
[00:22:15] Dov Lerner: So, let’s just send them outside to dig holes and then fill them up again. It’s the same thing. So, that’s a terrible
[00:22:21] metric. How many attacks do they stop? Well, they’re not really in the business of actually stopping attacks, and what the adversaries are doing, right? So, I think the best way to do it is measure it by what their influence on the organization is,
[00:22:32] but that brings a second problem, because an intel team is only as influential on an organization as the organization allows itself to be influenced. Right? If the CEO says, “Who are these people who are writing to me to tell me how to run my organization?” or, you know, if the intel team, by the way, can’t articulate the language of business, right?
[00:22:51] Dov Lerner: If they’re talking in cyber, cyberese, and not, you know, this is what we need to do in order to maintain critical business functions, right? So, that’s an issue too, right? So, the organization needs to be receptive. It’s a lot more about people and processes than, than technology. The organization really needs to understand this is here to help us maintain it, to understand what are the risks on every level, you know, to every department in the organization, and we need to be receptive to what they’re saying. We have to listen to them and it has to be feedback, we have to give them direction.
[00:23:24] Chris Roberts: I think, I mean, you hit it perfectly. It’s not a technology conversation, it’s, it’s a human conversation. It’s the soft skills that unfortunately, as technologists, we haven’t all learned them as effectively, communication, collaboration, cooperation, and then exactly at your point, how do I take a very complex conversation over, over what we’re doing and translate that into business risk?
[00:23:46] Where does it apply? Is that GSP, is a GEO? Is it political? Is it third party? Is it supply chain? Is it the internal? Is it a human, and all the other areas that we need to influence the business? That, for me, that for me is where I personally, this is where I would love to see our, what we’re doing in the cyber or the threat intelligence world, businesses understand, which is, “Hey, how can we help you more effectively?”
[00:24:15] Dov Lerner: Yeah. I think that that’s something where, you know, it’s, first of all, it’s about automating the processes as much as we can on our side because the amount of intelligence out there is tremendous. So for, for us to be able to say that we can automate intelligence collection, right?
[00:24:33] We can save time because time, I think is, um, time and, you know, personal effort, right? That’s, that’s the resource in shortage of supplies, right? A Fortune 500 company can hire a very large team, but it’s never a big enough team if the team has to read every single possible threat,
[00:24:51] Chris Roberts: Oh my God. Yeah, absolutely.
[00:24:52] Dov Lerner: there, you know. Cybersixgill, we’re collecting 6, 7 million intelligence items every single day,
[00:24:57] right? Give that to a team to read, you know. That’s a lifetime of reading, uh, you know. I don’t even want to think about how much. So, to be able to say that we can automate that, right, we can automate the process of source discovery and collection, and then go from that 6, 7 million items to the 10, 15 items that interest you as an organization,
[00:25:17] that’s a process that, on our side, we know how to automate, and that’s not just like a force multiplier, it’s a game-changer, right? I mean, that’s something where, okay, from there, those intel analysts can take it. They understand those, I would say, those intel items better than we ever could,
[00:25:32] Chris Roberts: right? ‘Cause they know what they mean, they might know how to do further investigation, they know the people that they have to talk to, and so then they can take it from there and really use it to impact their organization. I think the other part of that as well, which is what you’ve hit on, is the company itself needs to understand what it needs to ask. The company has got to be able to look at itself and go, “Hey, this is what we need to understand,” you know, and this goes back to the fundamentals of security, which is know what you have, and then you can start talking about how to protect it effectively, reduce risks on it.
[00:26:04] And, I think that’s something, again, where we in the industry, especially as we look at intelligence, can turn around to the organization and say, “Hey, look, I can give you a long laundry list, or have a conversation about what you care about, what you need to care about, fiduciary and also the human,” et cetera, et cetera.
[00:26:21] I think those are some very critical things that I would love to see, and I think we probably need to help on that 2022, 2023, 2024 journey.
[00:26:28] Dov Lerner: And, when you say the company, I agree with you, it’s the whole company, right? It’s not just the IT team. Security is not just an IT issue. So, for example, you know, the SIM swapping, right? Where someone says, “Hey, I have access to insiders at Verizon and AT&T to do SIM swaps for me,” that’s not an IT issue. That’s HR, right? And, when was the last time anyone in HR knew what threat intelligence is doing? And what would they do if they had this post, you know, from the dark web, coming across their desk, saying someone’s saying they’re an insider at the company, looking to collaborate for fraud?
[00:27:02] But that’s what it is, right? I mean, the whole company at every level. And I think part of our job is to articulate this: the company at every single level, every business department, and the strategic, operational, and tactical levels can use threat intelligence for something. But they need to be made aware of that.
[00:27:20] Dov Lerner: This is available to them, that there is something in this world for them, and they need to say, “You know what? I want to learn about this. I want to know this, teach it to me, because I want to make better decisions.”
[00:27:31] Chris Roberts: So, I’ve got one final question for you, because we’re getting close on time. I give you a clean sheet of paper. You’ve got all the knowledge that you have about everything that you’ve used, built, put together, designed, and worked with up until this point, but now I give you an entirely clean sheet of paper, and I give you the purse, you know, the bottomless purse.
[00:27:55] I go, “Build me the platform that you want to build.” What are you going to do?
[00:28:01] Dov Lerner: So again, I think the goal of that platform is being able to consume intelligence from every single source, right? So, that’s number one, right? So, it’s the collection.
[00:28:13] Chris Roberts: Yeah.
[00:28:14] Dov Lerner: Then being able to filter that data, right? So, it’s raw data, so filter that data according to the organizational requirements, right?
[00:28:25] Obviously, on the flip side, the organization needs to be able to give the requirements, so that the data fits the organizational requirements, right? Meaning it has to be subjective, because what might interest one organization will not interest the other. And then being able to deliver that intelligence with some sort of automated assessment, but that’s difficult, because a lot of the time assessments are human; they require human insights and human understanding of what makes the human tick. But to try to give, at the very least, to identify trends and patterns and, you know, data points, which a computer can do.
[00:29:01] So, to deliver, you know, those automated insights as much as possible, but again, giving the key intel to the people that really understand what to do with it. You’re not going to replace humans in this. I’m not, you know, concerned that a computer is going to replace intelligence analysts anytime soon. So, yeah,
[00:29:16] Dov Lerner: to deliver it to them, and then some sort of playbook: how, what do I do with this? How do I action this intelligence?
[00:29:22] Chris Roberts: Nice. Fantastic. And, it sounds like we’re getting there on some of those areas, definitely. Moving closer, but there’s work to do.
[00:29:29] Oh, there is, there always is. I think, again, one of those probably final conversations is there is no end to this. This is a continual evolution. It’s a game of chess with our adversaries, et cetera, et cetera, et cetera.
[00:29:41] And, I think part of the other thing with intelligence is it isn’t just about producing something to hand to somebody else, it’s us learning what those next steps are in the game of chess. Um, this has been fantastic. Dov, I can’t thank you enough. I am absolutely grateful for these conversations.
[00:30:00] And, thanks a ton for peeling back a little bit of the insights. At some point, I’d love to have you back on again, and I’m pretty sure we’re going to be talking about all sorts of other interesting stuff. So, thank you so much. Yeah. Thanks a ton for being on with us on this one. Thanks a ton for setting this up, and audience,
[00:30:15] thanks everybody for listening. And, with that, I’m going to shut up for a second.