
Episode 02: What the Heck IS Threat Intelligence?

February 17, 2022


We all understand the value of information, but what we’re still struggling with is turning that information into actionable intelligence, and nowhere more so than in the digital threat realm. There’s no denying the power of understanding your adversaries and being able to anticipate or predict their next moves. Think of this as not only understanding how and where the chess pieces move but also knowing the tactics and moves your opponent is likely to level against you. In the physical world we understand this; in the digital realm, it is still something we grapple with.

Until now…

In this episode, Chris defines what exactly threat intelligence is and how to stay ahead of the curve with its use. He’ll uncover how to measure it and how to operationalize it to improve your organization’s performance. Do you have threat intelligence in your organization? Evaluating a new solution? Chris will uncover the criteria you should keep in mind as a litmus test for quality intel…and more!

See you in the dark.

Podcast Insights

🎙️ Unlike the physical world, the digital world is limitless.

Chris shares his take on the difference between intelligence and information by making parallels between the physical and digital world.

“In the physical world, we have limitations. There are limitations on the number of humans. There are limitations on the number of countries and limitations on all sorts of things, like the number of potential threat actors, et cetera. In the digital world, we don’t have those limitations. The digital world is expanding probably about as fast as the universe. It’s ridiculous how much data we’re creating in such a short space of time. And so we’ve gone from building an intelligence system that said, ‘Hey, I can find the needle in a single haystack.’ And we’re now at a point where we’re looking for the needle in a hayloft.”

🎙️ Trust, but verify.

When asked about measuring cyber threat intelligence, Chris says that it is all about the relevance of data.

“If we look at our industry, we used to have these wonderful words — ‘trust, but verify.’ And they’ve served us well for 20 years, give or take a few, depending on how cynical you are of this industry. Now, when we look at things, we need to verify and then, maybe, trust. So if you turn around to me and say, ‘Hey, you’re an organization, you’ve got a ship coming in. By the way, I see problems with the ship. You’ve got pirates coming after the ship.’ That’s actionable intelligence. However, is it credible intelligence? What have you done not just to provide me with that data source but also to validate it yourself?”

🎙️ We can place our data in various boxes.

Chris explains the difference between open, deep, and dark web and shares how he classifies information.

“I always look at information as four different boxes. There’s the box that says, ‘I’m gonna go to the social media websites and go, woohoo, this is me. I have no problem. I’ll put all that information out there.’ There’s that other box that I want to be a little bit more careful about. I’ll hand it out to close friends or whatever. Then, there’s the box, which is much more restricted. It’s the financial information, the bank accounts, and the social security. Then there’s that box, which has got a hell of a lock and key on the darn thing. It’s any of the classified stuff and the other stuff that I’ve done in the past that shouldn’t be on the internet.”

Episode Highlights

The Word ‘Intelligence’ Is Thrown Around

“You get the folks who say, ‘I’ve got threat intelligence.’ What do you have? Is it strategic? Is it something I can use to help with the organization of the business? Is it operational? Is it ongoing? Is it something that would be information for the technical side of it? Is it technical intelligence? What are you giving me?

Perfect example — some of the breaches that have occurred because of third-party supply chain providers. When we look at that, that’s very technical, or is it just purely tactical? So what is the latest threat coming out of ABC country? Geopolitical, geospatial, or anything like that? And the problem is that people aren’t very good at disseminating it and, in many cases, are terrible at separating.

The poor recipient of this information — this intelligence feed — is getting inundated with alerts and data and systems and, at the end of the day, is having to look for a needle in a haystack.”

So What Is Threat Intelligence?

“It’s targeted actionable intelligence. So, for that, you need an educated organization. So the organization you’re talking with needs to understand what they care about. So now we get back to the basics of security, information security, cybersecurity, whatever. I swear that’s what we need to do if we’re going to keep using the word ‘cyber.’

Our job, as intelligence analysts, isn’t just going, ‘Hey, here’s a feed, good luck with that,’ and collecting the paycheck. No, our job is to sit down with the organization and go, ‘You all know what your problems are, don’t you?’ And they’ll be like, ‘Oh no.’ Then, ‘Let’s help you understand. Let’s talk about whether we need to look at strategy.’

So you have the board of directors meeting. What do they care about? They care about finance. They care about operations. They care about resources. Great. Let’s talk about threat intelligence at a strategic level.”

The Difference Between Open, Deep, and Dark Web

“If you can google it, the chances are it’s the open web. Every time you interact with it, you’re handing over bits of your information. Sometimes willingly, sometimes unwittingly. Social media platforms are a prime example of this.

[…] If you look at the deep web, go out to your regular browser, get in, and you typically have to log in. So now you’re going into forums, into posts, into various areas where you’ve either got a paywall or a registration wall — something where you have to take an action to get to the information.”

[…] Now, you start getting into the darker side of the world. That’s where information is, so to say, traded insofar as it is a target. Now I get targeted because somebody wants my passport. They want to use and abuse my identity. They want to go out and buy drugs on my behalf. They want to print out my driver’s license or make another driver’s license, all of these other activities.

And don’t get me wrong, there is some amazingly fantastic, good stuff on that side of the darker internet.”

Intelligence Is Seen As a Nice to Have Instead of a Need to Have

“A good way of looking at it is that I sit inside my house; we all sit inside our four walls. If you look at the open web, we know what’s out there. We know what’s around; we know what’s out. But if I want to open my front door and walk out into the world, I want to know what I’m facing.

I know social media is getting data. I know LexisNexis is listening, Google’s listening, the computer’s listening, Siri’s probably yelling at me behind the scenes, and all these other things. Those are things and risks that I either accept or don’t, and I turn them off.

Whereas when I step outside of my four walls, when I walk out of my door into the world to go get groceries or whatever else, I want to understand and know what risks I’m about to face. That, to me, is a big difference, and that, to me, is when you look at the darker side of the net and go, ‘What’s coming at me or what’s already out there and I just didn’t see it coming?’

[…] If you have a darker side of intelligence, you might’ve caught a sniff of it on a forum or a chat channel, or somewhere you might’ve seen somebody wanting to go up against you. You might’ve gone, ‘Hey, I haven’t minimal risk here, there are people looking to break in.’

It’s the same thing in the physical world. If I see somebody coming at me from the various cameras I have around this place, at least, I know what the threat is. I can see them coming. I can assess that level of threat and go, ‘I care, or I don’t care, and good luck. I’m setting the dogs on you, have a nice day. I don’t have to feed them tomorrow.’ Whatever that mentality might be. So I think that to me is where it goes from ‘want to have’ to a ‘must have.’”

Transcript

[00:00:00] Chris Roberts: LexisNexis is listening, Google’s listening, the computer’s listening, Siri is probably yelling at me behind the scenes, all these other things. Those are things and risks that I either accept, or I don’t, or I turn them off. Whereas when I step outside of my four walls, when I walk out of my door into the world, I want to understand and know what risks I’m about to face. That to me, I think is the big difference. 

[00:00:56] Dani Woolf: All right. Good morning. So Chris, what are we going to be talking about today? 

[00:01:02] Chris Roberts: We, I think are going to be having a nice and good conversation about what the heck is intelligence. So, a long conversation about the difference between information and intelligence and between threat intelligence and cyber threat intelligence, for which there’ll be probably a bit of a ramp going on. But, a bit of a conversation today really about kind of what is it, what types of intelligence there are, how do we use it, what can we use it effectively, and just a whole bunch of conversations around that. So kind of looking forward to that. It’s going to be a good session. I think one of those intro-type sessions as well, to help people understand why this is necessary, why we need to be thinking about it, how we can use it effectively, and all those other good things.

[00:01:47] Dani Woolf: So I think we had an interesting conversation as we were prepping for this episode. And you had mentioned that what pisses you off most is what people call threat intelligence or how they define it. Take me through that. What, what ticks you off there?

[00:02:02] Chris Roberts: I just so, I mean, it’s you’re right. And I think the biggest challenge I have with it is ’cause the word’s thrown around. The word intelligence is thrown around. You have people tend to use those like, “Oh, we have an intelligence feed.” Well, what do you actually have? Are you just giving me a raw data dump of stuff? That’s not intelligence, that’s information. And I can probably go find a bunch of it on the internet myself. And then you get the other folks who, when they just turn us out, “I’ve got threat intelligence.” What do you actually have? Is it strategic? Is it something I can use to help with the organization of the business? Is it operational? Is it something that’s ongoing? Is it something that would be information for the technical side of it? Is it technical intelligence? You know, what are you giving me? Perfect example, some of the breaches that have occurred because of third-party supply chain providers. When we look at that, that’s very technical in nature. Or is it just purely tactical? So what is the latest threat coming out of ABC country, geopolitical, geospatial, or anything like that? And the problem is, is people aren’t very good at disseminating that, are absolutely terrible at separating in many cases. And the poor recipient of this information, this, this intelligence feed, it is getting inundated with alerts and data and systems and is having to try to sort through the needle in a haystack at the end of the day. And I think this is where you look at that huge difference between information and intelligence, especially in the digital world. In the physical world, we have limitations. There are limitations on the number of humans. There are limitations on a number of countries. There are limitations on all sorts of things. Number of potential threat actors, et cetera, et cetera. In the digital world, we really don’t have those limitations.
I mean, the digital world is expanding probably about as fast as the darn universe is expanding to be perfectly honest. It’s ridiculous how much data we’re creating and how in such a short space of time we’re doubling the amount of data. And so we’ve gone from building an intelligence system that said, “Hey, I can sort the needle in a single haystack.” And we’re now at a point where we’re sorting, you know, the needle in a hayloft for goodness sakes. And we’re not talking those small haylofts, we’re talking those badass lot feeds of haylofts. I mean, it’s when you put it into a context like that and you just send raw information to people no wonder, unfortunately, threat intelligence, cyber threat intelligence has actually gotten not the best name in the industry.

[00:04:46] Dani Woolf: Right. Right. So how are you defining actual cyber threat intelligence? 

[00:04:52] Chris Roberts: I think it’s, it’s targeted actionable intelligence. So, but for that you need an educated organization. So the organization you’re talking with needs to understand: A, what they care about. So now we get back to basics of security, information security, cybersecurity, whatever. I swear what we need to do if we’re going to keep using the word cyber, I’m getting it. Every bottle of alcohol and a shot glass. And every single time it’s going to be shot, cyber, shot, or we’ll be drunk, like halfway through the darn session. But that will be fun. All that to be said, when we take a step back and we go, “Dear organization, do you know what risks you have?” And the company goes, “Well, no.” Our job as practitioners is to go, “Let’s have a conversation with you. Let’s play Dungeons & Dragons for business.” The one of the podcast episodes that we’re going to be doing on a cyclical basis, what would happen if I went into the data center, kicked out the plug, what would happen if I took the computer from your leadership, from your technical team? What would happen if we played the London red bus incident? Let’s run over a couple of your key people. When you start talking about that, and you start talking about assets, you know, do you know where all the company’s assets are? “Well, we’ve got stuff over here and we’ve got stuff in these six countries of which four of the countries are at war.” Maybe that’s something we need to think about. Maybe supply chain. So our job as intelligence analysts, as organizations presenting it, isn’t just going, “Hey, here’s a feed, good luck, have at it, and collect the paycheck.” Our job is to sit down with the organization and go, “We all know what your problems are, don’t you?” And they’ll be like, “Oh no.” Let’s help you understand. Let’s talk about whether we need to look at strategic. So you have a board of directors meeting. What do they care about? They care about finance. They care about operations.
They care about resources. Great. Let’s talk about threat intelligence at a strategic level. You care about tactical. Maybe you are making acquisitions. Maybe you’ve got tater coming in. Maybe you’re bringing on a new supplier. You have decided you’re going to go acquisition, new supplier, mergers and acquisitions, anything like that. Well, let’s, let’s talk about that kind of technical, tactical and strategic, and let’s hope you understand what the risks would be. So our job really is to look at a company and go, “How can we best help you? How can we best provide actionable intelligence?”

[00:07:23] Dani Woolf: So take me through how do you measure cyber threat intelligence, one? And then how do you also, as an analyst, apply data to that intelligence?

[00:07:37] Chris Roberts: So part of it’s going to be, how actionable is it? How trusted is that data? How relevant is that data? You know, perfect example. If we look at our industry, we used to have these wonderful words called trust but verify. And that’s served us well for 20-odd years, give or take a bit less, depending on how cynical you are in this industry. Now, when we look at things, we need to verify and then maybe trust. So if you turn around to me and say, “Hey, you’re an organization, you got a ship coming in. By the way, I see problems with the ship. You got pirates coming after the ship.” That’s actionable intelligence. However, is it credible intelligence? What have you done to provide me, not just with that data source, but to validate it yourself? Perfect example, if you think about it, when we look at alerts. So again, go back 10, 15, 20 years, the network and security operations folks would sit in front of these nice consoles and go, “Hey, I see an alert, let me deal with it.” Fast forward to where we are with technology today, those alerts are coming in hot and fast. So we’ve had to build orchestration technology to bubble up to the surface on the really, really useful and interesting and relevant and actionable ones. And it’s the same thing with intelligence. I need to give you something that’s actionable. I need to give you potentially something you can share. You know, one of the biggest frustrations I have, I work, you know, I have one foot in the civilian, one foot in other communities. One of the biggest challenges is, you know, you go into a room, they close the door and like, “Oh, we’re gonna tell you something secret.” And you’re like, “Great, but I can’t do anything with it. I can’t use it. I can’t take it outside of this room and help the very people I’m meant to be protecting.” And then also the other thing is as well as it comes with lessons.
So if you think about, you know, our most valuable asset, and unfortunately our most vulnerable asset are typically the humans. Well, I don’t just want to be told there are continually a threat. How do I do something with it? When you tell me, “You know, we do this a lot of times inside the squad.” If I’m going to tell you something’s wrong, I’m not only going to tell you, “Hey, this is wrong.” I will help you understand why it’s wrong, but also what can you do about it. Is it an education? Is it an awareness thing? Is it a training thing? Is it, unfortunately, the fact that you are going to have to say, “Hey, I’m going to ask you to promote you to customer.” You know, what one of those conversations needs to be had with somebody to help them maybe understand what’s going on. So when you start looking and you start measuring, you’re also going to have to go, “How does this help?” We all have risks. You know, the world is full of them. Getting out of bed is a risk in the morning. Staying in bed is a risk for crying out loud. So you have to then quantify that risk. And you go, “Okay, does this information that you’ve done into a diligence and handed to me, how does this help me look at business risk? How does that help me look at technical risks? How does it help me tactical? Can it actually help me adjust my risk?” And that’s everything. That’s, that’s from just everyday risks through to compliance. So I think a lot of the measurement needs to come hang useful, is this data to me? And part of that’s also us explaining it. We, you know, perfect example, and we’ll talk about this in a little bit, you know, when I look at something, I’m not just looking at you, I’m going to look at all the influences around you. I’m going to look at everything that might be influenced by you, or that might influence you in the decision-making process and all these other things. In the intelligence world, we talk about strong and weak links. So, you know, family bonds.
Family bonds, famous last words, typically fairly strong links sometimes. But on the other hand, somebody that you had a passing conversation with in the shop, that’s a weak link. It might be still a link ’cause you remembered who they are. You saw the tattoos they had, and it’s a weak link. And now it’s, what are the influences? And so you’ve got all these different bits and pieces that you have to be with. And so that also comes into a lot of it as well. When you start talking about, “How can I use it? How is it actionable?” We have to be good enough. We have to be eloquent enough to explain that to people.

[00:11:56] Dani Woolf: You just unloaded, you know, so many different topics that we could just drill down into. And, you know, this is great ’cause we’re going to. Yeah, we will. Exactly. We’re going to, we’re going to, you know, take this through throughout the season. But, I want to kind of drill down into, kind of the process of operationalizing it. Like, take me through what, what it looks like for an analyst. How do they go about it? 

[00:12:23] Chris Roberts: Let’s take an organization. So if I’m an analyst and I’m working for you. You’re running a successful company. You have a couple of different locations. Let’s say you’re retail. We’ll take retail ’cause that’s for good of about one of the ones. So you have a retail organization, and you’ve got supply chain. You’ve got a number of locations. You’ve got employees and everything else. We would have sat down and had a conversation. What do you care about? Where are your issues? Where are your challenges? Well, one of them is going to be credit cards. You have to be PCI DSS compliant. You have to have this. But you’ve also got supply chain coming in from several other countries. Now typically, unfortunately, with supply chain you have loss prevention, which means you are going to have slippage and other things. And you’re going to have employees. Maybe you trust them all. Maybe you’re sensible and you don’t trust them, you verify them first. So we’ll take a look at them. We’ll go, “Okay. Now let’s, let’s take a look at the company itself. What information’s already out there on the company? What email addresses do you use? Where’s your domain? Where’s your system? Where are your physical locations?” Now we run those through, you know, and, and we’ll heck this is being run by Cybersixgill. The nice thing about it is, is we can run them through the portal, and I can input all of these data points. I’m building basically an intelligence packet. And it’s a baseline. So my baseline includes, “Are there risks with the people? Are there risks through the email addresses?” If I look for your older stat dot, you know, basically Dani’s company.com. Do I see a bunch of compromised passwords? “Hey, are you still using these? Yeah. Okay. Right.” Now we’ve helped on that one. “Hey, I see this location over here. Hey, I see some interesting stuff on Craigslist that’s showing up. That some of your merchant, did you know about that? No. Okay.
Hey, you’ve got supply chain and you got three, you got three, uh, three places over in a couple of different countries. Did you realize that the, uh, factory next to you is having issues with child labor? Oh no. Right. Now let’s do an investigation there before you are on the front page of the media for that. Did you realize that your senior leadership might be messing around?” So there’s all these types of conversations that you have as just a simple baseline. And that really is, it’s an understanding of where everything is. And some of it might be all those passwords I handed you might be three years old. Now, touch wood, you’ve changed the darn things on a fairly regular basis. But if you don’t, now you’re aware of them. Maybe you’ve got intellectual property. Maybe the credit card system that you’re using six months ago got compromised and we found 10 different databases of it on, on our files. “Hey, by the way, be aware of this.” These are the tactics that the attackers are using to get to those types of machines. How are you protecting it? Are you looking at your egress? Everybody’s got these nice core things called firewalls, and everybody goes, “Oh, it’s protecting me. I got everything monitored on the way in, but we tend to forget about the darn stuff that’s leaving the network.” So now you maybe know the tactics that the folks are using on a high port, they’re using a different IP port or something. So, there’s all these baselines that you tend to do. Then you’ve got your baseline established. You’ve given the organization kind of an overload, but you’ve given them a lot of baselining stuff. And they’re like, “Holy smoke. We care about this. We care about this. Not so bothered about this ’cause we can mitigate the risks.” Now let’s, now you can help them look to focus. “What have you got going on? Well, where, you know, Dani your place is kicking ass and you’re about to acquire Fred’s company over there.
Well, let’s take a look at Fred.” We’re not being intrusive, we’re not attacking Fred. We’re not taking Fred out and sticking bamboo under his fingernails or any of this kind of stuff. What we’re doing is taking a look at Fred in the digital realm, everything that’s available. We’re not breaking in, we’re not pen testing or attacking him without his knowledge or, or anything else. We’re looking around at Fred. And you realize Fred’s got different credit card companies. And by the way, you just found a couple of thousand of them on the internet. Fred might not know about it. So now we’re going to have to have that conversation as part of discovery. So there’s all these things that you can help a company understand. You can keep an eye on people. We do it. I mean, we use the system, the Cybersixgill has to monitor our clients. Hilda hit squad has, uh, you know, we run a high net worth clients. We use the system to monitor our clients to make sure their credit cards don’t appear, to make sure their addresses don’t appear. To make sure none of the info, to make sure their cars don’t all of a sudden appear on anything. A lot of our assets, you know, some of our clients have got quite a number of interests. So we have the client, and we have all these criteria around the client that we want to watch for. And so you’ve started building up these profiles and these areas. If our clients travel, well, let’s take a look at where they’re traveling to. Let’s look at the client, the area of the hotel, the location, the plane, and all this stuff and go, “Yeah, you’re in good shape.” Or, “You maybe want to be a bit wary of over here.” So it’s all of this stuff. And if all of a sudden we see something appear, well, now let’s dig into it. So you end up with this very decent baseline and you end up seeing the individual things that you need to focus on. So now you can go from a very strategic conversation to a very tactical conversation.
And, if you’ve done the job right, you’re only addressing ones and twos, not this plethora of things coming in. 

[00:17:47] Dani Woolf: You either have threat intelligence or you don’t have it. If you do have it, how do you know if you’re ready to, to use it? ‘Cause you know, it’s a tool, a tool at the end of the day is a tool.

[00:17:59] Chris Roberts: It is. Yeah. Oh, absolutely. Yeah. It, and a lot of times it’s a tool that adds context. So another way of looking at it. Perfect example on this one is, let’s say I’m sitting here and I get an alert that one of my users has just established a connection on their computer to add a Mongolia. Actually, you know, we’re going to use New Zealand. Well, we’re going to use New Zealand. New Zealand is our new hotbed of criminal activity, just because I still want to get out of there. So you’ve all of a sudden established a connection to New Zealand. You’re like, “That’s not standard procedure. That’s not normal. They haven’t done that before. It’s an anomaly. Where’ve they gone? They’ve gone to this IP address. They’ve gone to this location. Well, now let’s run that through the intelligence tool. Is the IP address known? Do we care about it? Do we not care? Have we seen it before? Where’s the address? Who’s there?” So now you’ve taken that one piece of information and you can put context around it. You can turn around and say, “Well, it’s somebody who’s selling lamb’s wool. Okay. Well that makes sense. ‘Cause that person, we’ve seen them go out to the knitting sites. We’ve seen them go out to the yard. We’re in good shape.” Or it’s another conversation, which is, “Hang on, we’ve seen that one. Oh yeah. We, we just found them on dark web forums. Yeah. They’re selling meth. Let’s have a conversation about that with our four users, shall we? The conversation about their opportunities for rehab and all those other things that we need to have conversations about.” So, you can very quickly understand established context of alerts that maybe don’t directly flow in. Humans, perfect example, terrible way of looking at it. As humans we, we assess risk. When I walk up to another human, I assess the risk. Is that person I would flight or fight or freeze? Fight, flight, or freeze?
And typically it’s fight or flight with symptoms like, “Ooh.” So in the digital sense, and even in the human sense, if you’re coming to, I’m coming to work for you. You’re going to look at me and go, “Well, we’re going to run a background check.” And they can look at it and go, “Oh, you Zay, we’re not coming anywhere near this lunatic.” But if you wanted to find out a bit more information, “Hey, let’s just run it through the Intel feed. What’s Chris got out there?” We’re bringing Chris in maybe in a senior leadership role, a very visible role. Well, hang on, if that’s the case, why has Chris got ABCD and all the way to Zed? Or we’re bringing Chris into a financial role or whatever it might be. Understanding more about that human, understanding more about a group, a company we’re going out to bring in a new vendor. Well let’s see all about the information. So there’s so many different ways that you can operationalize it if the data, the feed, the platform, the information, the accessibility is being built so that it will work seamlessly. It integrates with whatever, if then log monitoring system you have, it integrates into whatever source security orchestration system you have, or it’s a standalone architecture that is very intuitive.

[00:20:58] Dani Woolf: So it’s fair to say that those are, those keywords that you just mentioned are the criteria, or for like a litmus test for quality Intel and for success as an analyst or researcher or hunter.

[00:21:11] Chris Roberts: Absolutely. Yeah. I mean, there’s a ton of tools out there. You know, the Analyst’s Notebook is probably one of the most infamous ones that a lot of us have used over the years. And it’s a really good one. And it’s, you build up a profile, and you put things in, and you add things in. But you want to always do it in context. And if I’m having to do something in an incident response situation, you know. If I’m walking in and the walls and everything’s on fire in the digital sounds, I need to very quickly and effectively establish what happened, who might’ve done it, what the tactics and procedures might’ve been, and whether we’re, you know, the lawyers hopefully are already in, but how quickly and effectively can they brief them as to the extent? And then we look at the remediation. Is this something we’ve seen before? Is this a known CVE or is this something brand new that we just got advanced warning on? So all of these criteria come into play, but yeah, the litmus test is honestly I want actual intelligence. Don’t just give me information, it’s hardly useless to me.

[00:22:11] Dani Woolf: Do you have any like concrete, like real-life examples of using actionable proactive versus not? Like what, what does it look like? 

[00:22:21] Chris Roberts: Oh my gosh. Oh, absolutely. I mean totally. Absolutely. Again, you know, we, we use the product of the organization that’s sponsoring all of these podcasts and we use it on a daily, almost a daily basis. And we use it because we can go, “Hey, we’ve built up the profile of our clients, and we’ve built up the information, and we know when situations change. We know when operational systems change. We know when strategic stuff changes. And so we can adjust accordingly.” But again, you know, a, probably an even more concrete example. We were doing some work for a client down in South America, large mining organization. And, they, they understood geopolitical situations. So, you know, for good or for bad, you know, we all use electronics and they use rare metals. So every now and again, you’ve got to go knock on the door of a neighboring country and say, “I say, could we possibly have your mountain? We’d like to just lock the whole thing off and dig around a bit and get some of these. We’ll promise we’ll take care of you ish.” That’s what they say up front. Whatever happens on the back is unfortunately a very different conversation. So the mining company goes in and got a whole bunch of heavy gear and a whole bunch of other things. They’re looking to fly some of their leadership down. Well, we get intelligence that says there’s potentially some activism planned. So we saw doing our digging around on it, and we realized that, yeah, there’s activism that’s likely to happen when those individuals turn up. So we change plans. We basically remove the risk for the leadership team going in there. I mean, they weren’t overly happy about it but I’d rather have them sitting around webinars like this than sitting, you know, elsewhere in the middle of the shrubbery, should we say. Another perfect example, I worked for a large retailer for a number of years, on and off and help them. And we had to use the intelligence in two very, very different areas.
We had, the organization on an annual basis had what they would call that $200 million worth of slippage. In other words, between the factory and the shop floor on an annual basis, they lost around about $200 million worth of merchandise. And part of our job was to go, “How do we reduce that?” So when, you know, when an intelligence company comes in and says, “We’re going to charge you a ton of money”, it was like, “You know what? If you help reduce this big number, we’ve got you covered.” And so we used it very, very effectively. We used it for tracking crates, tracking individuals, tracking teams, tracking organizations down, a whole bunch of other things. And we were able to start to basically profile. We profiled who was targeting us. We profiled the criminals on both sides of the supply chain. We look, we, we did a ton of work. We figured out where the clothing was going. We figured out where the systems were coming from. And we figured out who was running stuff at night on the machines and during the damning, all sorts of things. A number of operations got put in place, and lo and behold the financial impact on the annual basis decreased considerably. Well, actually one more, and this is really, really recent. So I have a bit of a passion for watches. We’re starting up like a horology organization as well for giggles. And I got asked by an organization, can’t say who, but then I spent an organization that was having some problems with their servicing side of the world. So what was happening, people were sending in their high-end watches to get serviced. Some were getting returned, some were getting lost, and some were coming back that, that weren’t quite where they should have been. So we used the platform and we ran full Intel, full backgrounds, the whole lot, and we realized what was happening.
In some cases, some of the watch materials and parts were being sold on the secondary market, and that folks were buying, how should we say, not genuine parts and swapping them out with pieces in the watches. All sorts of interesting stuff going on. That is a use of intelligence. That is a use of cyber threat intelligence in this case, because they were using some of the forums to discuss where to buy parts, how to get parts, how to bargain in a battle for parts. All sorts of interesting stuff. So we built a full Intel packet, and then we just let the folks on the other side of the country deal with it.

[00:26:26] Dani Woolf: Right. That’s awesome. And so like, from my understanding, obviously it’s threat Intel is just, is, is everywhere. 

[00:26:35] Chris Roberts: Yeah.

[00:26:36] Dani Woolf: But why, why is it important to distinguish between clear web deep and dark web? And, to add to that question, I know it’s a loaded one, is the underground more than just the dark web? 

[00:26:57] Chris Roberts: Yeah, that’s a really, that’s a huge one. That’s a, I love those questions. So here’s where it gets really interesting because we are, I mean, if you really, really think about humans, we are nothing more than a walking target. I mean, I hate to say we are a target. And if you look at everything on the open web, what we consider the open web. So if you can Google it, the chances are it’s probably the open web. Every single time you interact with it, you’re handing over bits of your information. Now, sometimes willingly, sometimes unwittingly. You know what I mean? So the social media platforms are a prime example of this. You literally just open the kimono and go, “Woo. Look at me.” Some people do that anyway, but others, you know, it’s, it’s a virtual thing. It’s life. So in that sense, we at least have a level of awareness, understanding, and we are arguably willing participants. You know, when you open up social media, you, you are the product, you know, you are the target, you are whatever you want to call it. We know this, whether we like it or not, it is what it is. So that’s the open web, and, you know, it’s all out there anyway. Now you start getting into the deeper side of the web. If you look, you’ve got really four main layers. Dark, open web, deep web, dark web, and then just the more closed off stuff. So if you look at the deep web it’s still, going out to your regular browser, get in, and you typically have to log in. So now you’re going into forums, into posts, into various areas where you’ve either got a paywall or a register wall, something where you have to take an action to get to the information. Perfect example are some of these lookup websites. So you look me up, Chris Roberts, you’ll find email addresses and various other things. If you go out to a company’s database, you’ll find other things, you’ll find the addresses and everything else. 
If you want to know maybe the secret phone number, then maybe you’ll have to pay a couple of companies to give me that information. You know, LexisNexis, all sorts of other people have this information. And so that’s a paywall. So that’s still the open internet. And again, that information is available and you can do a nice profile on somebody, but it’s still public information. Now, you start getting into the darker side of the world. That’s where information is, is, so we say traded insofar as being a target. Now I get targeted because somebody wants my passport. They want to use and abuse my identity. They want to go out and buy drugs on my behalf. They want to print out my, uh, driver’s license or make another driver’s license, all of these other activities. And there’s, don’t get me wrong with this, some amazingly fantastic good stuff on that side of the darker internet. No two ways about it. You know, we’ve got another show coming up where we’ll talk a lot more about that. But there’s also, unfortunately, a lot of areas where if I steal your PayPal account, because I’ve managed to get a user ID and a password, well, I’m going to sell it there for 10 cents on the dollar or 5 cents on the dollar. That’s the more negative aspect of information. You know, that’s the stuff that I hold key to me. I always look at information as four different boxes. There’s the box that says I’m going to grab to, to the social media websites and go, “Woohoo. This is me. I have no problem. I’ll put all that information out there.” There’s that other box that I kind of want to be a little bit more careful about. I’ll hand it out to close friends or whatever. Then there’s that box, which is much more restricted. You know, it’s, it’s the financial information. It’s the bank account, it’s the social security. Then there’s that box which has got a hell of a lock and key on the darn thing. You know, it’s any of the classified stuff. 
Any of the other stuff that I’ve done in the past that really just shouldn’t be out there on the internet. That, you know, those two bottom boxes are where unfortunately you find a lot of that data sitting out on the darker side of the world. So that unfortunately is where you have huge marketplaces, plural, and they’re off. You’re also going to find the attacks, the exploits, the conversations where somebody knows how to break in to gather that information, where somebody’s building the exploits to take it off of my phone, or my car, or my computer or any of those other things. So I think that’s, that is for me, the big difference between what we’re willingly handing over and what’s being taken from us.

[00:31:21] Dani Woolf: So there’s clear value in threat intelligence. Those, the audience listening in understand that value, people who are purchasing tools understand that value. But in some cases, the dark web threat intelligence is seen as some, sometimes a nice to have, right? Instead of a need to have. How do, how do you tip it over towards the need to have within our enterprises? 

[00:31:49] Chris Roberts: I think it’s, you know, I think the good way of looking at it is it, it’s, we’ll sit inside. You know, I sit inside my house, we’ll sit inside our four walls. If you look at the open web, we kind of know what’s out there. We know what’s around, we know what’s out. But if I want to open my front door and walk out into the world, I want to know what’s facing me. I want to know if, I want to know about my neighbors. Are they great people or are they window-looking lunatics? It’d be nice to know. I want to know about my neighborhood. I want to understand in the physical world, what risks are outside of basically my perimeter. I want to know what’s coming at me. You know, I know the social media is getting data. I know LexisNexis is listening, Google’s listening, the computer’s listening, Siri is probably yelling at me behind the scenes, all these other things. Those are things and risks that I either accept, or I don’t, or I turn them off. Whereas when I step outside of my, my four walls, when I walk out of my door into the world to go get groceries or whatever else, I want to understand and know what risks I’m about to face. That to me, I think is the big difference. And that to me is when you look at the darker side of the net and go, “What’s coming at me? Or what’s already out there and I just didn’t see it coming?” You know, we talk about that mean time to discovery, unfortunately, in our industry, you know, it’s, as an adversary, I’ve been creeping around your house for 50, 60, 70, 80, 100 days. You had no bloody clue. Whereas if you had darker side of intelligence, you might’ve caught a sniff of it on a forum or a chat channel or somewhere. You might’ve seen somebody wanting to go up against you. You might’ve gone, “Hey, I have a minimal risk to, ha, there are people looking to break in.” Same thing in the physical world. 
If I see somebody coming at me from the various cameras I have around this place, I at least know what the threat is. I can see them coming. I can assess that level of threat and go, “I care, or I don’t care. And good luck. I’m sending the dose on you. Have a nice day. I don’t have to feed them tomorrow.” You know, whatever that mentality might be. So I think that’s, that to me is where it goes from, um, want to have to a must have. If you don’t know what’s coming at you in the digital world, you’re a sitting duck, you really, really are.

[00:34:19] Dani Woolf: We’re heading up towards kind of the last leg of the episode, but kind of w what do you want to top off to the audience here? Like what, what’s necessary for them to understand and to know, and take away from this episode? 

[00:34:35] Chris Roberts: I think brilliant, I think the wrap-up on this one, where it comes down to awareness. I think a lot of it, and that’s really what it comes down to, you know. And, and the situational awareness for those of us that have come out of like, you know, first responder .mil .gov or dot anything along those lines of the world, it’s situational awareness. You know, it’s having a better understanding as to your surroundings. I mean, we were trained to not go running into a room unless we had a better understanding as to what the heck was coming up against us. So when you think about that in the digital realm, it’s the same kind of mentality. You know, we all have a presence in that digital world. It would be nice to know and nice to understand what’s around us. You know, who are we dealing with? Who are we interacting with? Who’s coming at us? Maybe it’s nobody. That’d be fantastic for a change. It would actually be nice. You know, it’d be nice to actually sit there and go, “Hey, get a good night’s sleep for a change.” Unfortunately, more often than not, it’s understanding risks. So for again, it comes down, it really comes down to awareness. And I think that’s, you know, from this episode, the takeaway is if you are looking at any kind of like cyber threat intelligence system, it has to help you become more aware. It has to do it in a way that you understand. It can’t be something that I want to tell you. It has to be how you understand it. Which again, unfortunately, or fortunately, means you got to understand the business.

[00:36:07] Dani Woolf: Alright, that’s awesome. I love it. What do we got going on next week? I w, we talked about the dark web, are we going to take a look at, a look at it, take a look at some real-life examples? What are we doing? What are you doing next week? 

[00:36:19] Chris Roberts: Yeah, I think it is. We’re going to take a look. We’re going to take a wander around, wander around the internets. So we’re going to load up Tor, load up onion and go for a wander around. We’re going to have a guided tour of some interesting stuff on the darker side of the world. If you would like to assassinate your, your boss, your friends, or your family, especially after the holiday season, we can actually help you with this. We will point you at a couple of sites. Now, like anything on the internet, you’re never really sure who’s behind the keyboard. It could be somebody who’s willing to get out the sub-machine gun for you, or it could be an intelligence agent. So good luck on that conversation. If you would like to procure some illicit narcotics or anything else, we’ll help you with that one as well. We got that one pretty well sorted and covered. If you would like to buy a, an exploit, we can actually help you with everything from zero-day exploits on your favorite platforms, all the way through to probably some rather interesting stuff all across the entire cyber security arena. Pick a country. We can have some fun with countries as well. If you would like to go for a wander around the Russian forums to understand what they’re up to, we can have some fun with that one. I have noticed I’ve been on a couple of Middle Eastern and Far Eastern forums. Our poor friends in the United Arab Emirates are getting hammered on a few things. I saw one last night where they’re selling 305,000 users who’ve been buying property in UAE. So we can share all of their emails if you’d like, or what properties they bought, how much they paid for them and what currency they used and Bitcoins and everything else. If you’d like to buy, speaking of Bitcoins, if you want to spell wallet, we can actually help you with that. Yeah, I mean, take your pick, pick your poison. We’ll also have some fun stuff as well. 
I’m pretty sure our federal friends have probably whacked The Pirate Bay, like half a dozen times. So we’ll take you to the latest one of that if you’d like to mess around with that one. So yeah. We’ll wander around some interesting, fun and lively sites on the darker side of the internet.

[00:38:04] Dani Woolf: That’s awesome. That’s awesome, Chris. I mean, I appreciate it. This was super insightful. Really looking forward to next week. I’ve never been on the dark web, so I’m looking forward to it. 

[00:38:14] Chris Roberts: Oh, we’ll have some fun. 

[00:38:15] Dani Woolf: Never. So I’m, I’m looking forward to just sitting back with my coffee, maybe put a little bit of Kahlua in there, and get ready to go. 

[00:38:23] Chris Roberts: Yeah. Yeah. We probably need to, we need to preface this, which is a, yeah, for any of you with, what’s the warnings they always put out, the, you know, the warnings if you, if you’ve got any kind of like heart murmurs or warning, just grab a bottle of whiskey, or talk nicely to the, to the, to the folk sponsor. And we might even be able to send you a bottle at this point. So yeah, we’ll have some fun with it, definitely. But yeah, it’ll be really interesting, and lively.

[00:38:47] Dani Woolf: Cool. Cool. Alright cool. Thanks, Chris. 

[00:38:50] Chris Roberts: Thank you very, very much. And, see you in the dark.