January 17, 2023

In today’s cyber landscape, business leaders and security professionals need every edge they can gain to better protect their organizations and plan their defense against attackers. Why do hackers do what they do? What are they trying to steal from you? Who do they partner with to make money and avoid getting caught?

In this episode, your host John Verry, CISO and Managing Partner at Pivot Point Security, sits down with Raveed Laeb, Vice President of Product for KELA, who explains cybercrime business models, supply chains, and operational strategies.

Join us as we discuss:

  • How understanding your financially motivated adversaries can directly benefit your cybersecurity posture, incident response, and executive decision-making
  • “Business models” and “supply chains” that hackers use to monetize your assets (which can be a lot more than just your data)
  • What you need to hear to dispel any lingering notion that your org has nothing hackers want
  • How and why bad actors are increasingly specializing based on skill sets, and where and how they choose their business partners
  • How forward-looking businesses are using cyber threat intelligence (CTI) to reduce cyber risk

To hear this episode, and many more like it, we would encourage you to subscribe to the Virtual CISO Podcast on our YouTube here.

To stay up to date with the newest podcast releases, follow us on LinkedIn here.

Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.


See below for the full transcription of this episode!

Intro Speaker (00:05):

Listening to the Virtual CISO Podcast, providing the best insight on information security and security IT advice to business leaders everywhere.

John Verry (00:39):

Uh, hey there, and welcome to yet another episode of the Virtual CISO Podcast with you as always your host, John Verry, and with me today, Raveed Laeb. Did I get the last name right? Raveed?

Raveed Laeb (00:51):

Yeah, that’s perfectly correct.

John Verry (00:53):

Hey, excellent. How are you today?

Raveed Laeb (00:55):

Very good, John. How are you? Thank you so much for

John Verry (00:57):

Having me. Um, I’m, I’m looking forward to the conversation. I enjoyed our preliminary conversation, uh, and I think we’ll bring some value today. So, uh, I always like to start easy. Tell us a little bit about who you are and what is it that you do every day.

Raveed Laeb (01:09):

Sure. So my name is Rav. I live in Israel, um, born and raised, um, actually not born, but mostly raised. Um, I work for a cyber threat intelligence company called KELA. I lead product development. Um, so I’m the VP product. Prior to that, I’ve spent the last, the last seven or eight years in KELA as well, doing anything from research to pre-sales and a bunch of other stuff in the middle. And before that, my background is actually in military intelligence. I think like a lot of people in the industry, specifically the Israeli military intelligence, where I spent also around six years, um, and of the day-to-day I try to make our products better, uh, <laugh> to perform better in the market and help our clients protect themselves in the, in the best way possible, hopefully.

John Verry (01:57):

Cool. Um, I always ask what’s your drink of choice?

Raveed Laeb (02:00):

So I think probably, um, mostly, um, shit, the, the word escapes me. Sorry. I always keep forgetting how, how you guys call it in America. Um, so I think mostly sparkling water, that would be that, or club soda. I actually have like a liter right here. I, I never leave like anywhere with a lot of house parking water. Other than that, I think just to fit the way I look like glasses, beard, and tattoos. Uh, I probably, I’m, I’m very big into IPAs lately, so beer, um, kind of, you know, stereotypical I would say.

John Verry (02:38):

Yeah. Question for you in, in, uh, in Israel, is there a big, um, movement in, um, you know, micro breweries and things of that nature? Like in the US it’s, it’s huge, right? There’s literally thousands of breweries now.

Raveed Laeb (02:50):

So actually there is, um, it’s not, I think as, um, as prevalent as it is in the States, but it, it has picked up very much the past, like five or six years. It, I think seven, eight years ago, you couldn’t find any beer that’s not like a huge super commercial brewery in any store, probably. And now it’s all over. I very much enjoy that. I also come like from a home where my parents brewed beer, uh, before it was cool. So, so I really kind of complete close the loop there.

John Verry (03:22):

Yeah. Listen, it was probably cool then. It just wasn’t popular. <laugh>. Yeah. Correct. All right. So, so, uh, looking forward to our conversation cuz I wanted to change the discussion a bit relative to the way that we, you know, we usually talk about security. So I would say we tend to focus on security and compliance. We for good reason, right? It builds organizational value and it reduces the risk from bad actors. But we rarely talk about the bad actors themselves. And in our preliminary discussion, you talked a lot about bad actors, you know, you talked about means, motive and opportunity. Um, why do you think that understanding your adversary provides so much value?

Raveed Laeb (04:00):

So that’s a very good question. I think, um, it really comes down in a sense to the essence of what is intelligence work, which I could like go on about for two hours and I’ll try to hold myself <laugh>. But generally speaking, um, I think in intelligence, what you’re trying to do is to provide good advice on the best course you can take in a given moment. Um, basically really intelligence comes down to recommending a path of action to decision makers. Now, what intelligence can’t do necessarily, and that is uh, like kind of a common bias that people have, is that you can’t get into the mind of someone else. You can predict the future. What you can try and do is explain and describe the present, and that is what you can use or, or that’s what decision makers, decision makers can use to make good decisions.


Like when push comes to shove or to plan strategy or like basically anything, right? So where that actually meets <laugh>, your actual question, and I’ll try not to go off to, to like faraway lands, is that in cybersecurity, if you want to make a good decision or a decision that is driven by stuff that you can actually measure and see, what you need to try and do, um, is to understand what, like, what bad guys do. Because you are playing an adversarial game. You’re trying to do something where every action that you take might or, and probably will have a counter-reaction by an adversary. So knowing what the adversary is trying to do, knowing what they want, um, and basically understanding the landscape via these means and understanding the present and what’s going on, uh, what’s going on outside your perimeter. That’s the way I think cyber threat intelligence, uh, professionals or practitioners view intelligence.


That’s the key thing. Um, because unless you look outwards at the adversary, you can only see what’s happening inwards. Um, and that’s usually not too indicative of how the reality actually looks like. Um, I think even more on top of that, when you think about most of the attacks that you hear about now and most of the financial damage incurred by attacks, and if you take into account a lot of research that has been done in the last few years, what you kind of get is that most attacks that really drive damage to organizations are financially driven. Um, a very interesting data point for me. It, it has been a recurring theme, but just to really, um, hit that on the head lately, the Verizon Data Breach Investigations Report, the 2022 edition notes that I think over 90% of network intrusions are performed by actors who are financially driven.


So if we’re talking about people trying to make money, um, and working within the market, that really, I think hits the nail on the head on why you should understand the market. Um, simply because, again, it’s a market. Cyber criminals and organizations are in constant competition because they want the assets that you have, but you have, you want your assets to yourself. So you’re best, you’re basically competing with an adversary and probably just like you would spend some time and effort understanding your actual competitors in business, um, doing the same for your adversaries, understanding what it is that they want, um, and what you have that has value to them probably is a very good way to start understanding how to better protect yourself and how to plan your defense strategy.

John Verry (07:40):

Interesting. Quick question. As you were talking, I started thinking about an area that I’m interested in game theory. And you think about game theory, you know, you hear about it in politics, you hear about it in investing, you hear about it in sports gambling and things of that nature. Um, have, have you ever heard of someone applying game theory principles to, um, cybersecurity?

Raveed Laeb (08:02):

That’s interesting. I I actually haven’t. Um, I’m not big on that side. I think of the industry generally speaking. I wouldn’t say I’m too, I’m too big into, into game theory aside. I think from the kind of the few things that popularized it when it became like much more prevalent, much more prevalent like 10, 15 years ago, I haven’t, but that would be a very interesting notion. I do know, or I have seen in, in military intelligence, people that try to use the same principles to describe behaviors and to try and, um, understand why adversaries behave in, in the way they do.

John Verry (08:36):

Yeah. And what, yeah, cuz what’s interesting me about game theory is sometimes the logical play is not the optimal play. Right? You know, I mean, you know, and like, you know, I, I like to play poker and like in poker, right? You know, you know, there are some times where making a particular play now, you know, we’ll have, have, you know, what we refer as negative EV in the near term, but, you know, higher EV in the long term expected valuation. So it’s just interesting. I, I’d never really thought about that in cybersecurity concepts, but as a guy who comes out of the, the threat intelligence community, I thought that might have been something you’ve heard of, uh, something for maybe for both of us to look at. Cuz it’s an interesting idea. Yeah,

Raveed Laeb (09:14):

That’s actually a cool way to think about

John Verry (09:16):

That. Yeah. So you mentioned, um, you know, I’ve heard you speak before and you, and you’ve used what I’m gonna call conventional business terms, like business models and supply chains, when you were talking about cyber criminals. And so how cybercrime operates, uh, can you explain that and can you maybe give some examples of what you mean by these business models and the cybercrime supply chain?

Raveed Laeb (09:37):

Of course. Um, so basically again, going back to the fact or going back to the claim, at least I wouldn’t be, I, I wouldn’t say that I’m objectively correct, um, but going back to what I’ve said before about financially driven cybercrime and how that constitutes probably most of the threats that a lot of that a lot of organizations are seeing. Um, I’ve mentioned that there is a market because if you want to make money out of something, there has to be supply and demand. And just like that, a lot of the same concepts from like traditional normal business apply here as well. An analogy that I like to use is kind of to, um, refer to the, what a lot of people look at as the golden days of startups, where you’d have like an, an entrepreneur, um, building a billion dollar company out of, out of their garage with two other people.


And you have like two, three guys doing everything from coding to marketing, um, to customer success and anything in between. And as an organization grows, um, you understand that you need people who specialize in in things. You need engineers and you need DevOps people and you need marketing people and you need salespeople. And that is kind of the same thing that we see happening in cybercrime. As cyber criminals create better business models to make more money, they also need to specialize, they need people with very specific skills. And that creates a kind of an ecosystem where different cyber criminals offer, um, services and goods and products that can be exchanged where cyber criminals hire one another to do things that others can’t. Um, and essentially where they have a space to cooperate and to help one another in a distributed business because cybercrime mostly is a distributed business.


Um, and just to go into a few examples, one that I very much like because I think the industry has been buzzing, um, around that lately is what we call initial access brokers. Essentially a very specific tier of actor of threat actor, um, cyber criminal threat actor, even more so specifically that developed around ransomware or as kind of a bottom feeder for the ransomware ecosystem in the last few years. Now, just to reiterate a few things that you’ve said. When we talk about ransomware, usually what we hear is a type of attack or a type of breach. But really ransomware is a business model, just like you’ve said before. Um, when threat actors have access to something, to your network, um, to, uh, something within it, the way they monetize it and the way they make money out of it, um, is essentially by extorting you or extorting the organization.


Um, and really in that sense, the ransomware, the executable, that runs on your machines, hopefully not your machines, um, is just the technical means of a business model. It’s the product that they use to make money off of what they have, um, achieved via network intrusion. Now, as that, as that business model grows, um, and becomes more distributed, and you have a lot of competitors, like different groups, um, that compete with one another, what you essentially get, like I alluded to before, is an ecosystem. So at first, ransomware started, or ransomware actors started using affiliates to actually deploy the ransomware and carry out the actual attack within organizational networks. And affiliates are kind of like salespeople usually, not always, but usually. So they make commissions. So if you bring in a very good deal, like a very big organization that you were able to compromise, you get a very good commission, like you split with the operators, um, 60/40 for example, each group and their own license or again, specifically business model.


Um, but really what that creates is a lot of incentives and a lot of competition between different groups and different, um, different affiliates. And what affiliates have understood, um, say 2, 3, 2, 3 years ago is that they can’t do it all. They can’t deploy the ransomware, which really requires a specific skillset, but also get the initial beachhead, um, within the organizational network. So provide or like produce kind of that first part of the intrusion because that’s a very different skill set, at least theoretically. Um, so what was created is kind of another hierarchy where we’d see and still do see, um, opportunistic actors who have their own business model where they get in one way or another, um, access to an organ, an organizational network, be it by compromising credentials or exploiting vulnerabilities or performing social engineering and so on. They establish a foothold within the organization’s network, and then they just go and sell it to anyone who wants to buy.


Now that can be a ransomware affiliate that would go and monetize that access and make money out of it via their business model, which is, again, ransomware or in theory and also in practice, but not probably as common. Um, that could be a different kind of actor who would use that network access to, for example, um, establish a, um, a foothold in the network that can then be used to steal credit cards or payment payment information that’s really through the system and go and sell that, uh, in a cyber criminal market. So really just to conclude kind of the train of thought is that I think the most interesting thing to me about ransomware is not kind of the technical complexity, it’s the fact that it’s a way to monetize network access. And what we see is kind of a gig economy surrounding that different people doing different things, um, like initial access brokers that specialize in obtaining and selling and maturing and network access.


But we also see, uh, ransomware groups working with translators because you want your ransom notes to be, um, written in very good English or you want to negotiate with US based organizations in an English, like in, in the language that they could understand, assuming that most of the actors do not necessarily speak, um, English very well, or we see them working with graphic designers. So you could have very nice banners that you could, um, use to advertise your services. Um, and really what that comes down to is supply chain, right? You do, you, you use it as the ransomware operator, you don’t want to necessarily go and hire directly graphic designers and translators and, and network intrusion in intruders. What you want is kind of a market that you can go to and procure these services from someone else. And I think that ransomware is just a very good example to kind of that minuscule financial ecosystem that revolves around the very, very specific cyber crime business

John Verry (16:36):

Model. Gotcha. So, uh, quick question for you, just for people who might not be familiar. Um, legitimate business models advertise on the internet and, and they sh and they, you know, you, you can go there and find the supply chain that you need. Where do the bad guys find their supply chains and where do they find these affiliates and where do they find people that access brokers and people of that nature?

Raveed Laeb (17:02):

So unsurprisingly they do that on the internet as well. I think a lot, a lot of vendors like to call the kind of websites that bad actors use the dark web, um, me specif, like me specifically. And I think that KELA, the company I work for in general, we kind of dislike that notion or that phrase because I think it’s mostly commonly used to kind of instill that fear of like the big spooky dark web. Whereas in reality, um, what you do have is a set of websites, forums and markets, um, and like Telegram and Discord, like instant messaging channels and platforms that cyber criminals just use to communicate just like you and me would. Um, and what we see, what we see happening is forums that you can just probably to most of them go and, and browse with your normal browser without having to go beneath any icebergs.


Um, you probably need an invitation a lot of times though. Um, so like you would log in into one of these forums and most of the time what you see is like screaming big bulge banners like we would use to see on the internet 10 years ago. Um, which cyber criminals use to advertise their services, products that they sell, markets that sell compromised payment data, um, and so on. So they do op com, like they do communicate openly on the internet, albeit in specialized specific parts of the internet, um, which is, you know, by chance, um, what we do as a company is monitor them so we can provide our clients with the intelligence, um, and the leads that they will need to protect themselves in a better way.

John Verry (18:43):

Gotcha. One of the, one of the things that I think is most frequent, the most frequent misconception that I have when speaking with clients and potential clients is that they’re, uh, quote unquote, I’m too small to be targeted, or my data isn’t valuable enough to be targeted. No one cares about my data. Um, and I believe that creates a false sense of security. Um, you know, do you see the same, uh, and it would seem that understanding how cyber criminals operate would maybe help dispel that notion.

Raveed Laeb (19:13):

So the answer is yes and yes, um, although not as frequently. So when we started doing cyber threat intelligence, um, and way when I specifically entered the field like seven, eight years ago, we would see that a lot. We would see that even not in small organizations, also in very big organizations. Um, and be, and that’s basically I would say, um, goes back to what you alluded to where you don’t necessarily, as someone who’s not a cyber criminal, think about what motives or like what, what motivations does a cyber criminal have? And I think there’s like a very common adage, um, that says that defenders think in lists and the attackers think in graphs. Um, that might be true to threat hunting and network intrusions. But I think that that also comes down to, already relates to what you were saying. We as defenders, as as people who work in organizations, we see a company, we see kind of the LLC that we’re a part of, we’ll see the taxes that we pay, we see the organizational structure that kind of defines the people and the company.


And we like to think intuitively, why would someone attack us? The company, the LLC, the organization? Attackers don’t necessarily see that. What they see is assets, things that they can monetize. So for example, you might think as your com about your company as again, a set of people and organization, a threat actor sees the servers that you have like in the cloud, and they, they see that they can maybe sell access to the servers for a good few bucks, or they can use them to run, um, a crypto miner. Um, like if you were a few, a few years ago or coming back to ransomware as a business model, um, maybe no one else in the world cares about your data, but you probably do. So what would you do if someone were to encrypt it and then offer you back access for a fee?


So I think what that again comes down to is attackers don’t care about your business model. They care about theirs. There’s an example that I very much like from a few years ago, um, that that was reported in the press at the time where a Tesla AWS server was compromised by an attacker. Um, and you know, that’s a huge company according to the reports. The, the server also had like sensitive telemetry data going through it. So you’d say, oh, that’s like a huge asset for foreign intelligence or for sophisticated cyber criminals. Um, but what the cyber criminals that actually compromised that did according to the report, was to run a crypto miner on it. Um, and I very much like that example because it shows that there’s a discrepancy in what we think about as organizations because we think from a compliance standpoint, we know what we know.


And again, the discrepancy between that and what attackers see, where they don’t see organization, they see a database that someone might pay for just because PII is worth money in cyber criminal, in the cybercriminal ecosystem, they see a server that they can use as a jump server or sell to someone. Um, they see credentials that they can go and sell. Um, they don’t care really about organization. They care about assets that you have that they can monetize as part of their business plan. And in that sense, each and every one of us has something that can be monetized.

John Verry (22:40):

Yeah, I think, I think that that idea that we’re targeted, people think I, I I’m too small to be targeted. I think they fail to understand that, you know, that a large percentage of attacks are, I’m gonna refer as opportunistic. You know, I mean, there are many, many cyber criminals that have scanners running perpetually in every new VM that comes out. You know, they’re gonna, okay, hey, there’s a ju law admin access vm. Okay, let me, let me set my scanner, let me go to sleep. Let me wake up in the morning. Oh, I’ve got 50 potential targets. Right? Right. So, and, and the fact that it’s you, they, they have no idea. It’s you, they have no idea it’s your organization. They weren’t after your organization. But once they gained that access, now, like you said, now the question is how am I going to monetize this access in some way?


Right. Um, you know, I I think the, you know, you talked about crypto mining, I mean, the other one we’ve seen people do things with like open S3 buckets where they were sharing, you know, pornographic materials that could put, you know, that they don’t wanna put it on their hosts because it’s gonna, it’s gonna put them at risk, but it’s putting you at significant risk. And now you have the, that challenge where, you know, if you have someone compromise a server that is sitting in Amazon or Azure, and they’re starting to hammer the hell outta the server and use it, you know, I’ve seen clients ring up some quite some big bills with a compromise, with compromise servers.

Raveed Laeb (24:00):

Exactly. I I, I think that’s a great, that’s a great point. The kind of relationship between organizations and attackers or defenders and attackers is not a zero sum game. I think that intuitively we think about being attacked. Is someone reaching out to my vault and taking my money and the money that I lose is the same amount of money that the bad, bad person and the internet gets. Um, and that is not the case at all. Um, your example with pornographic materials is like, is a great example for that. Maybe someone, um, just uses an S3 bucket that you have. You don’t really pay a whole lot, um, aside like from regulation, should you be, should you be caught, but they benefit, they save hosting costs, they save, um, being chased down by law enforcement, and they basically, what they get is your reputation mm-hmm. <affirmative>


That they can then use to spread material in a way that’s easier. We also see that happening with spam. Um, you would see legitimate organizations be compromised, have their, have their mail servers, um, used to send out spam or phishing emails, um, use an organization, the organization that’s been attacked you like, you’re not, um, you’re not paying money for that unless for the, like aside for the incident response that you then have to do. Um, no one takes money from you. They gain however, um, that, that financial benefit by exploiting something that you have, which is reputation. Um, and even the smaller, the smallest organizations that have like a very small website on the internet, they still have reputation in one way or another, um, that can also be exploited and used to make money for bad guys should be compromised. So I I very much like that example.

John Verry (25:48):

Gotcha. So, you know, KELA is, and I, and I, and you know, people are using different terms, right? Uh, yeah, I know you, you’re smiling already. You know, you see, you hear you, you know, attack surface management’s a big buzzword. Digital risk management, digital business and risk management, cyber threat intelligence. And you know, this seems to be a fine line between, uh, all of them. Um, you definitely seem at KELA, uh, to focus on cyber threat intelligence, that component. Uh, why do you think that cyber threat intelligence is the critical component when we talk about these, uh, these, this new evolving, uh, space?

Raveed Laeb (26:25):

So really circling back to, um, my first kind of friend about intelligence and what we do with intelligence, um, when we started talking, I think that,


Or my perspective and and KELA’s perspective on cyber threat intelligence tries to be a tiny bit more holistic. Meaning intelligence is used again to drive decisions by decision makers. Um, attack surface monitoring is another process in which you collect information that you can use to then do things. For example, maybe your attack, your attack surface management tool or platform or program tells you that you have a bunch of servers, um, up on the internet exposing a specific service to the internet. That’s good to know. That could either be crucial or that could be nothing based on how that service, for example, you’re exposing, um, as a sage banners to the internet knowing whether that’s something you should take care of and when, um, is not something that’s really driven by the attack surface management that’s driven by cyber threat intelligence. Because if you want to make a good decision, you need to know, okay, do bad guys care about the things that I expose to the internet?


So the way we see cyber threat intelligence is a bit more all encompassing. Cyber threat intelligence has a, or is a key component in actually doing things with the attack surface management findings. It’s also a key component in knowing what to do with DRP, digital risk protection findings. Um, and also it’s a practice of its own. So we like to call what we do cyber threat intelligence, um, because we think that’s like the general discipline. Um, however, we ourselves have a lot of elements for, or like a lot of elements of attack surface management and digital risk protection. Um, we just like to think of them as another byproduct or another deliverable of the broader cyber threat intelligence work. Um, I, I think also that that is kind of a dispute in term in the industry. I think that if you’d go between different vendors and different people who do CTI, you would probably hear very different answers from each one about what they do.

John Verry (28:36):

So it, it, it seems to me like cyber threat intelligence, is it, it contextualizes risk and vulnerability information?

Raveed Laeb (28:45):


John Verry (28:46):

Okay. I

Raveed Laeb (28:47):

I would very much say that. Okay. Context is king

John Verry (28:49):

Really in CTI. Yeah. Con Yeah. Well, context is king in security, right? Because, you know, unless you understand, you know, specifically the information laws and regulations, that governance operation, you know, uh, and you know, client contractual obligations, legal obligations, unless you really understand then how do you know how to appropriately store? That’s the idea of people doing gap assessments without understanding the scope. You know, you can’t do a gap assessment. You can’t say whether or not a control is reasonable and appropriate if you don’t understand context. Right. Um,

Raveed Laeb (29:16):

You, you could say in a way that, uh, regulation is cyber threat intelligence also, just your adversary’s the regulator, which, um, could be more dangerous than actual attackers.

John Verry (29:26):

Uh, yeah, <laugh>, yeah. Yeah, because regulators are generally not going to shut down your business, but we definitely see cyber criminals do. Um, so, um, when you think about cyber threat intelligence, would you refer to as proactive, reactive, or both? And then if you’d put a little color to that and explain, gimme an example of how clients are using the CTI that you’re providing them.

Raveed Laeb (29:52):

So probably both. I think you could make a case for being reactive and being proactive. Um, basically based on what you want to do, uh, you can go and actively collect things that bad actors know about you. Um, let, let’s take an example from our world. One of the key things that we do, by the way, not because we think it’s cool, but because cyber criminals, um, use the same tools. So we want to do what they do. Um, so we provide our clients with a good understanding of the cyber threat landscape. So one of the things that we do is monitor, um, online markets in which threat actors sell access to compromised credentials. So imagine one of your employees being infected with an infostealer with a very simple malware that steals credentials from their machine. And then these credentials are up for sale in an, in an online market for anyone who wants to buy them.


So one thing that we do there is monitor these markets and then allow our clients to proactively understand that a, um, that an attack on an employee has happened and go and remediate that attack before an actual bad person buys the credentials and does something with that. So in that sense, going and actively collecting intelligence from the same places that adversaries do, um, that’s kind of a proactive use case. Now, a reactive use case would be something that you do more kind of on a day-to-day basis. So enrichments, um, say that you have a solution that goes through NetFlow data, extracts observables, so things that you see within your, uh, within your actual network traffic. Um, what you can then do is compare that to cyber threat intelligence feeds that you get, um, kind of, again, in a reactive way. You see something, you check whether or not it’s interesting.


Um, and that provides a lot of value as well. So I think proactive and reactive are two different facets of cyber threat intelligence. Um, there is a big use case for both, um, and also a lot of different implications, a lot of different users for how do you actually do that and how do you do that at scale. Um, and I think kind of the thing that ties the two together and really goes down to how our clients and our users are using the intelligence that we provide is mostly on the lines of what I’ve mentioned before. So what we do best, um, at least I would say that I’m, I’m a tiny bit biased, um, but I would say that what we do best is collect intelligence from, again, the same places that cyber threat in that cyber threat actors, um, use as well.


So forums and markets and instant messaging platforms and so on. Um, and what we then try to do is kind of extend the notion of attack surface management and cyber threat intelligence to really show you what bad people are seeing about your organization. That can come down to credentials that are posted in markets, um, that can come down to, um, employee emails posted in third party, uh, breaches, or it can be just your brand mentioned in discussions within illicit communities. Uh, um, and usually what our clients would do with that intelligence is take that, understand kind of the root cause and then try to proactively defend themselves in a way that’s more efficient.

John Verry (33:10):

Gotcha. So, uh, talking about a specific use case, right? So you mentioned, you know, someone would, might use that credential, right? That would be, uh, early stage, you know, prevent potentially like a, a malware or ransomware infection. Uh, anything further down the attack chain, you know, as an example would be an example of how, you know, you might provide information that would prevent them from being subject to a ransomware attack.

Raveed Laeb (33:34):

So I think the, the lines really blur across the, um, the cyber kill chain kind of, because in a sense we are used to think about, we’re used to thinking about an attack as a linear thing starting in point A where someone does something bad to my network or one of my employees then linearly goes up until point point Z or Z because I’m, I’m talking to an American. Um, so up until point Z where I’m being monetized in one way or another, like via ransomware. However, in reality, and again, going back to the ecosystem and going back to financial driven, what we see is a lot of small kill chains and not a one big kill chain where you can see someone that infects an employee with a malware, then goes and sells it in a market, right? Sells the credentials in the market.


That’s like a small attack cycle that happened. Then someone else comes to that market, sees the VPN credentials for a US based organization, offered for sale, buys them, pivots through the network, establishes a foothold, um, stops there, goes and offers that network access being an initial access broker in a cyber crime forum. Then a different person comes, buys the access, um, goes through it, uh, infects all of the machines on the network with malware, um, with ransomware specifically. Um, and that that’s how we get from A to Z, but not in one linear mm-hmm. <affirmative>, um, path, but in three different paths, right? In that sense, what us and a lot of different vendors by the way, that’s like the practice right now are trying to do is to trans see where we can lodge ourselves in each one of these small attack paths that we can see mm-hmm. <affirmative>.


So we can, um, provide strategic, strategic intelligence to try and help organizations prevent the first infection, like the one that led to credentials being sold in, in a cyber crime market. Um, and ergo we can try and be very proactive and very active in the chain. Um, a different example would be that by identifying and going through these listings of initial access brokers, um, for network accesses that they post to forums and markets, we can identify a victim and let them know, um, that they’ve been compromised and help them like remediate the incident before they get ransomed. But a lot down, like a lot further down the, uh, the, the the first initial access. So I think that really differs. Um, cyber threat intelligence can be very early in the stage. It can be very, um, late in the stage. It can be also outside of the cycle at all, strategic threat intelligence.


Um, for example, knowing how many organizations in your sector and geography have been ransomed lately, if we just follow up on the ransomware example, um, would serve as a very good finding that you as a CSO for example, can go to your board, um, and talk about the things that you need to do pro to protect yourselves better from a strategic standpoint. So what are we going to do in next year’s roadmap to try and prevent our next attack based on the TTPs, the tactics, techniques and, and sorry, and procedures that we now see being used by threat actors?

John Verry (36:59):

Yeah. So it seems to me that this idea of different players in an ecosystem, right? The supply chain gives us a little bit more, gives CTI a little bit more value because there is a time gap between the time, you know, a party a establishes a beachhead and then sells that to party B, right? So if that takes a day or two and we’re able to, you know, so it gives us that, that window because if someone, if the same person did every step in the process, they could get through those steps very, very quickly, I would assume. And then one other question I would have for you is, uh, you work in the, you know, what, what I perceive as being something that we’re seeing is that there is a longer window now between the time when somebody gains access into an environment and the time that they actually trigger the ransomware attack, because we see some fairly malicious things where they’ll, they’ll actually disable the backups mm-hmm. <affirmative>, you know, so, and then they’ll wait 30 days or a, a week or 60 days. Right? That because, you know, otherwise if you’ve, like, if they find you’ve got offsite backups, then they can’t compromise the offsite backups. Well how, what do they do? Well, we’ll turn off the backups. Most people aren’t going to realize that, or we’ll corrupt the backups and then we’ll launch the attack. So all of those things give us, I think, a longer window where cyber threat intelligence would provide more value.

Raveed Laeb (38:21):

Correct. So, uh, I think that’s, that’s an, that’s an interesting observation. I I would say the threat actors are becoming much, much quicker and streamlined. Um, so sometimes we would see access being sold hours after the,

John Verry (38:36):

Is it that fast

Raveed Laeb (38:37):

Tech? Yeah. Yeah. So it can be very fast. Okay. Um, you can have very like close knit, um, relationships between different actors. Uh, I do think that that ecosystem can make things slower and provide more, uh, more opportunities for defenders to intervene. I think more than that, more than the time aspect. There’s the visibility aspect, so mm-hmm. <affirmative> think about trying to deal with a foreign intelligence service, um, as say a small bank in the states. Um, you don’t have visibility into the internal communications of that foreign intelligence service that that compromises you. However, with cyber criminals, with the right tooling, with the right vendors, with the right practice of knowing how to do cyber crime, cyber threat intelligence, you can have that visibility because unlike that foreign intelligence service that only speaks internally, um, like using encrypted platforms and like nation-state-grade security, cyber criminals don’t, they,


Or at least not all of them do. They share information and adverts for sale on forums and markets, and they, they kind of have to bob their head out a tiny bit above the water to advertise what they have if they want to make money. Mm-hmm. <affirmative>. So the financial and the market aspect is aside of the kind of the MTTR that it provides you, it provides you with visibility that you usually, like five years ago, seven years ago, you wouldn’t have had that just because the cyber crime, financial ecosystem wasn’t as developed as it is now. And a lot of the CTI practice was directed towards nation states where the, and, and again, foreign intelligence services where the kind of visibility and the kind of, um, intelligence that you collect is very, very, very

John Verry (40:24):

Different. Yeah. And then one other advantage we have, like you said, is the, you know, there’s a little bit of braggadocio, uh, you know, people like to boast, you know, there’s these hacker scoreboards and who’s the first, and they, you know, they post to show what they were able to, and, and you have to like, like post an image that truly demonstrates that you compromised this server. So I think that we have that as to our good fortune that, you know, that there’s a little bit of com competitiveness in all these people that are out there

Raveed Laeb (40:51):

That is very, very much, very much correct. And I think that also, um, that kind of what I, and I know a few other people and vendors in the industry dislike the phrase dark web, because dark web is like, you talk about the dark web, you show a lot of, like a lot of vendors or at least big parts of the media do these images of icebergs. And that kind of, that, that kind of, uh, resonates that the cybercrime underground is huge and messy and scary. Um, and it’s kind of like a tic. It’s, it’s fear, fear centered, uncertainty and doubt. Mm-hmm. <affirmative> where I think that in cyber threat intelligence and what, what some of the leading vendors in, in the industry are doing right now, we try to dispel that, is to explain and show that cybercrime is a financial market. It’s an ecosystem. And as an ecosystem, you can map it out, you can understand it, you can research it, you can establish key competitors within that, within that ecosystem and see how they talk to one another and what it is that they do and how they make money. And you can use that information and that intelligence to make better decisions as to how you better defend yourself. Um, and I think that visibility and kind of, um,


Kind of changing the approach that we had or that a lot of the industry has had around the dark web buzzword, um, for the last few years, that’s a key component in what we try to do is kind of shine a light and show you that what a lot of people talk about as an edge that goes for the attackers because they have all of the secret forums in which they’re share in which they share. Like that super secret stuff. Um, if you use that correctly, that’s not an edge for the attackers that that’s an edge for you because you have visibility into the same places that they do. Um mm-hmm. <affirmative> and I, and I would say that’s a very critical component in protecting digital business right now.

John Verry (42:55):

Um, this was awesome. Uh, anything we missed?

Raveed Laeb (43:00):

Um, no, I think that I got all of my agenda <laugh>, like I, I could really go, I could like, honestly, I could go about these things and like go into semi-philosophical areas for like three hours. Um, so that I think was a good dosage for me <laugh> to as to not es to not overkill.

John Verry (43:17):

Well, well, I, I appreciate you holding yourself back, <laugh>. Um, so, uh, give me a real world or fictional person you think would make an amazing or horrible CISO and why.

Raveed Laeb (43:30):

So for some reason, um, like two months ago, I, sorry, let me roll back a second. So for some reason around two months ago, um, I rewatched, uh, Die Hard, like after a very long time that I haven’t mi mind you, I’m like 32. So when Die, die, when Die Hard came out, I, I wasn’t really in the appropriate age to understand it. Um, so I rewatched it. I was preparing myself to not really enjoying, you know, because like it’s an eighties movie, how good can it be? I really did enjoy it. Um, and I think John McClane would be both a, a very good and very bad CISO. Um, because like basically he spends a like two hours running inside a building that comes down on him being injured, being burnt, um, seeing people die. And that’s incident response, right. And he’s fairly good at it. So that’s good. He brings in contractors from the outside. He knows how to delegate, he knows how to lead. So that’s good. Um, that would be the, the great CISO aspect, the horrible CISO aspect I believe would be everything else. <laugh>, like the way he treats his colleagues, the way he talks to people, um, the way he leads. Um, I think that like when push comes to shove, John McClane would be a good CISO though.

John Verry (44:45):

Is that the, uh, is that the one that was the Christmas and he cut any and he the bare feet and with the blood? Yeah, yeah,

Raveed Laeb (44:52):

Yeah, exactly. Yeah. Classic incident response. Isn’t it Christmas

John Verry (44:56):

Eve, like check <laugh>, um,

Raveed Laeb (44:59):

Bare like barefoot people walking around in a deserted office check. Um, so that’s kind of your run of the mill incident

John Verry (45:06):

Response. Yeah, usually those incidents happen when you’re, you know, the, because the bad guys plan ’em at the times when, you know, we’re, we’re at our most vulnerable. Uh, it makes a lot of sense. Um, so if, uh, folks wanna get in touch with you, what’s the easiest way to do that?

Raveed Laeb (45:19):

Um, so I’m on Twitter, um, Raveed L, r a v double e d l, um, that’s my handle. I’m also on LinkedIn, Raveed Laeb, so R, R A V double e D. Um, that’s Raveed, and Laeb is very weirdly spelled. Um, l a e b. Um, so that’s annoying <laugh>. So I’m on Twitter, I’m on LinkedIn. Um, KELA’s on Twitter as well. Intel underscore by underscore K. That’s our, uh, Twitter. Come check it out. We’re also on LinkedIn, so that would probably be the best ways, um, to catch us.

John Verry (45:54):

Awesome. Thank you, sir. Appreciate it. This was fun.

Raveed Laeb (45:57):

Thank you very much, John. I very much enjoyed our conversation.

John Verry (46:00):

Same here.

Raveed Laeb (46:01):

Thank you all.