Security Unfiltered

Understanding Cyber Warfare and Emerging Security Trends With Jeremy Kirk From Intel 471

Joe South Episode 184


We dive into the complex world of cybersecurity through the eyes of Jeremy from Intel 471, exploring his journey from journalism to cyber threat intelligence. The discussion encompasses the evolution of cybercrime, the significance of ransomware, and future trends impacting cybersecurity.

• Transition from journalism to cyber intelligence 
• Engaging with threat actors in cyber forums 
• Overview of Intel 471 and its mission 
• Ransomware trends and their implications 
• The intersection of nation-state actors and cybercrime 
• Impact of law enforcement collaboration on cyber investigations 
• Predictions for cybersecurity trends in 2025 
• Importance of securing exposed attack surfaces 
• Call to action for increased cyber resilience


Speaker 1:

How's it going, Jeremy? It's great to finally get you on the podcast. I think we might have talked last in November at this point, or something like that, but I'm really excited for our conversation today. I think it's going to be really interesting. Yeah, thanks a lot for having me. How about you start off with telling my audience how you got into this IT space, right? So you're a journalist and you focus on cybersecurity. I feel like that takes a very unique person, because even for myself, I'm in cybersecurity and I probably wouldn't want to be a journalist on cybersecurity. How do I make this content, which is extremely complex, consumable for everyone? That isn't something I would want to go into. So what made you want to get into that area?

Speaker 2:

Yeah, well, I was a journalist. I'm no longer a journalist, because I'm now with Intel 471, which is a cyber threat intelligence company. But prior to joining them, I was a tech journalist focusing on cybersecurity, starting around 2005. And it really was just that I sort of stumbled into it, working for a trade technology publishing company. I got a job with them and they were divvying up the beats; somebody was doing cloud computing, infrastructure, chips and whatever, and they said, you're going to do security. I'm like, sure, okay, knowing nothing about it at all, which is oddly how journalism kind of worked in those days. I did that for a long time. And one of my sources was Intel 471. I was always interested in that underground cybercrime stuff, tracing personas and trying to figure out real-world IDs. I did a lot of chatting with threat actors as a journalist, because cybercriminals have to communicate with one another and they were always accessible; it was Jabber 10 or 12 years ago, and other ways before that, so it was always easy to reach them. So that was always my interest. And so when Intel 471 said, do you want to come work for us on our intel analysis team? I said, yeah, that sounds awesome. So now what I do?

Speaker 2:

I do a lot of journalistic-y kind of things. I work with our analysis team, and also our malware researchers and our analysts who are in the forums, to basically look at ways we can talk about some of this intelligence that we collect, because we're in all the forums. We're chatting with threat actors selling proof of concept for the latest vulnerability, and looking for ways to be able to talk about that publicly, because there's a lot of things that we can talk about. Actually, I should say that the other way: there's a lot of things we can't talk about and fewer things that we can talk about, and that's because of our collection methods too, because we don't want to sacrifice any of the access that we have. So basically I'm looking for ways to publicize that. I have a couple of podcasts on the side, I work with our executives on thought leadership writing and things like that, and I do a little bit of my own reading on the side. So that's kind of it, in sum.

Speaker 1:

Yeah, when you were getting started, was there a source that was kind of your go-to source? Maybe a person or a site or anything like that, when you were trying to learn and just figure everything out?

Speaker 2:

I think, yeah, being a journalist, you have the benefit of being able to just call up and talk to most people. Computer security is a different kind of beat, and I think it took me a long time to realize that, particularly in the CTI field, because a lot of researchers and people in the field don't want to have anything to do with the public, or they don't want to be out there with their name, and there are all kinds of reasons for that. We saw the issues that Brian Krebs had with threat actors linked to the Com going back 10 years ago, when they were swatting him and some of the Russians, I think, were sending heroin to his house. So there's always that risk of, I guess, harassment. Luckily it never happened to me, but there's just a lot of people that, you know, and this goes to all of it.

Speaker 2:

You work in security, and there are the whole issues around trust and sharing IOCs, and sharing information about specific TTPs that your organization has been targeted with, and weaknesses, and there's a real reluctance to be like, oh, I just want to share this out. So it's taken a long time for trust groups to build up and for people to participate in ISACs and talk about this sort of stuff. But as a journalist trying to cover this stuff, it did make it extra difficult. I did find people that were more than happy to explain, like, can you explain BGP hijacking to me? Or whatever, really technical things, or really sophisticated DNS issues and the use of DNS by malware and things like that.

Speaker 2:

There's always people out there that are happy to explain it. So I think you just have to come to it from a really humble perspective. Even now, say I'm going to write a post about an Android malware update that our malware analysis team found last year, I'll be working really closely with them. They'll read my stuff and I'll have more questions for them, and it works in the same sort of way, because you have to think, even our adversary analysis team are not necessarily malware analysis people. A lot of them have cross skills that apply, but everybody's got their real sweet lane and zone that they focus in, and everybody's really cautious about speaking outside of their own lane.

Speaker 1:

It's fascinating. Tell me a little bit about Intel 471. I actually hadn't heard of it before I started talking to you. Maybe give my audience a little bit of background.

Speaker 2:

Sure, yeah. So we were founded more than a decade ago by a couple of folks. One was an Australian guy who hired me; he was a former AFP cybercrime technician. Another is an American guy who is a former FBI contractor, who worked on a lot of investigations related to banking malware back in the early 2010s. We're a cyber threat intelligence company, so we collect intelligence.

Speaker 2:

So we do a lot of underground forum scraping. We do a lot of engagements with threat actors. We write these really in-depth reports about offerings on underground forums. We gauge the reputations of threat actors, because that's really important. It's like somebody saying, hey, I compromised Joe South. You're like, well, who's this person, right? Do they have a history of reliable claims? Do they have a history of reliable sales? We also do vulnerability intelligence, so we look at new CVEs and look in the underground, because there are so many CVEs. The problem is, which ones should we focus on? Where should we focus our patching efforts? And we approach it from the perspective of, okay, if underground actors are like, hey, have you got a PoC for that new, I don't know, SonicWall thing, a rumor of a SonicWall vulnerability, we'll look at that and go, okay, so this person wants to buy this, and they're a reputable buyer; this person says they're developing it, and they're a reputable exploit developer. This is one you probably want to patch, because this is the way it looks like it's coming down the pipeline.

Speaker 2:

We've also recently got into threat hunting. We acquired a company called Cyborg Security, and they make a threat hunting platform, which is basically hunting in your SIEMs, in your EDR systems and Sysmon, your logging systems, for those clues that you might have been infected by something. So say you don't use PsExec, the remote management tool, in your organization, and suddenly you've done a threat hunt for PsExec and you found it in your SIEM. You can go, oh right, we don't run that; this is definitely something we should probably look at. And that really ties into our whole malware intelligence too, which I spoke a little bit about, our malware intel team. We emulate more than 300 malware families.

Speaker 2:

We collect samples directly from threat actors and also from public repositories, and extract indicators from those. Those could be C2 addresses and other artifacts related to those malware families, and we write reports about those. We put a monthly malware report out, basically to say, okay, this month we've seen thousands of downloads of SmokeLoader as a payload, or we've seen 5,000 downloads of RedLine, an info stealer. So we can track all those malware families really granularly, and that feeds into threat hunting. When we see a big malware campaign go out, say with RedLine, we can take those artifacts and those indicators and then write detections for them in our threat hunting module. So you'll have packages of Go.

Speaker 2:

Basically, our analysts write the queries. The tough part of threat hunting is writing the queries. So say you use CrowdStrike EDR; we have copy-paste queries where we can go, okay, I want to go and look for an abnormal process that's been launched, or a service launched from an odd location, a typical sign used by heaps of malware families. So you could just copy that query, plunk it into CrowdStrike, and search those logs for that activity. It requires a bit of tweaking, right, nothing's perfect, but that's the way we do it, in a nutshell.

Speaker 1:

I've probably spoken too much, but that's what we do. No, you're totally fine. Yeah, maybe a year ago, maybe more at this point, I had on Chris Rock, not the comedian, but he described himself as a cyber mercenary, where he's out on some forums and he's hireable for various things, and it was an interesting conversation.

Speaker 1:

For sure. It was maybe the only conversation I've ever had with someone where I felt like I should probably not be having the conversation, because of the things he was talking about that he did. It was like, man, I really don't want the FBI showing up at my door. This is one of those conversations where it probably would.

Speaker 2:

Right, yeah. There's a variance of practices in CTI. We have a strict ethical code that we use for our operations, specifically to ensure that we don't violate any computer fraud and abuse laws or anything like that. So in this field there's a variety of practitioners who have a variety of methods. Some are more aggressive as well. If you're logging into systems, you could get more intelligence, right, and that's also a possibility. We've seen that happen with...

Speaker 2:

Law enforcement is doing that now in the ransomware fight. They compromised LockBit systems, and that's something that we would not do, because that's not in our purview and it's not legal for us to do. So sometimes you see some incredible intelligence, like we've got the entire list of LockBit affiliates and their nicks, and that's what law enforcement released with LockBit, which is great stuff, and they're authorized to do it, and that helps in the fight. But like I said, there's just a range of things. We work very closely with law enforcement, as do many other CTI companies, because everybody's got a little slice of the picture. So occasionally we'll be listed as helping with investigations into some of these really complex law enforcement operations that have been happening over the last couple of years. Well, okay, so now I have two questions, right.

Speaker 1:

So have you actually come across other cyber mercenaries, to some extent, that are for hire? Because I feel like that whole marketplace, so to speak, is so, I don't know, shady. I would not want to be anywhere near that Tor browser, or that onion router, when you're trying to do that. Have you talked to some people that are in that area and discussed what they were doing?

Speaker 2:

Well, not really. What are they doing? I guess this is how I would ask the question to you.

Speaker 1:

Yeah, I mean, he talked about getting footholds in enemy governments, electrical grids, and jamming the... what is it? The IED blockers. Back in the early 2000s, when America was in Afghanistan and Iraq and IEDs were a huge problem, the NSA came up with something that would jam all the IEDs in the vicinity. This guy came up with a solution for Al-Qaeda to override that jam and still get through to the IEDs, right? So, talking about stuff like that, where bad organizations typically are going on these forums hiring people.

Speaker 2:

Yeah, I think I recently read of somebody like that. I don't know if lone wolf is the right term for it. I think there are people out there that will insert themselves into situations, but I would caution that. The whole thing with law enforcement actions is that if you have people coming from the outside thinking that they're doing good, they could do harm, because most likely whatever target they've decided to focus on may already be the target of a formal investigation. So the risk of those people going in there and tampering with potential evidence is really high.

Speaker 2:

So I think everybody would probably encourage, like, it's good that you're involved in this and worried about this, but maybe hold your fire to figure out what's going on, or send a tip to your local CERT or law enforcement about it. Because it is a team fight, but you don't want friendly fire either, meddling with something. So my first instinct would be caution: admire the enthusiasm, but just be aware that there already might be something going on, and your hacking might cause a bit of an issue, right?

Speaker 1:

Yeah, it's a really dicey situation that I found myself in at one time with that interview, where it's just like, man, I don't know if I should be talking to this guy right now. It's like, we might end this thing a little bit early. But it was a great conversation overall. It's just a crazy experience that, going into running a podcast, you'd never think about, because why would someone in that area ever want to talk to me? But publicly, I record his video, his face. Yeah, I don't know.

Speaker 1:

I don't know, but he did seem very legit, and other halfway shady people have vouched for him to me, so I was like, this seems too real. You talked about potentially assisting law enforcement to some extent with highly complex cases or situations. Can you tell me about some of those situations? Is there any cybercriminal action or article that's public knowledge that you may have assisted with, or your company may have assisted with?

Speaker 2:

We've definitely been acknowledged by certain agencies before for providing intelligence. We're an intelligence provider, so we have law enforcement customers as well, and if they come to us and want more information about something, we would certainly provide it. I think you'll see, with a lot of these large law enforcement actions, there's a huge list of agencies that will often acknowledge private companies that have helped as well. Like I said, it's because everybody has a little bit more of a piece, and there are just a lot of threads to pull in cybercrime, so some organizations may have more data on certain groups or specific threat actors or specific malware campaigns than others. So it's all one big fight, and honestly, compared to maybe a decade ago or even more, there's just a lot more coordination now than there used to be. The adversaries were always able to exploit this really slow gap between when a threat or a group was identified and when something could actually happen. Now, granted, this is never going to be super fast anyway, because cybercrime moves so fast and their adaptability can far outpace formal organizations' ability to react. But the breach activity that we see day by day is off the scale, and I think the scale of it right now is really large. So it kind of forces investigators to go after the biggest operations.

Speaker 2:

And there have been pinch points identified in the last year. We've seen them go after ransomware groups. We've seen them go after malware infrastructure that's used to gain initial access to computers and then monetize that access. We've seen them shut down forums like the Genesis Market that was selling credentials, or basically cookies, whole batches of data from compromised computers. We've seen them go after the cryptocurrency mixers, that's been a whole thing too, and also shut down cryptocurrency exchanges. So there are clear choke points to focus on, and we're seeing that it's working, in a way.

Speaker 2:

The latest ransomware payment numbers, the amount of money paid in ransoms last year according to Chainalysis, I think it was a third less in 2023. So how do you attribute that impact? Well, probably a bit of law enforcement, a bit of disruption, maybe difficulty, and there definitely were difficulties in cashing out too, because Chainalysis said a lot of funds are just sitting in addresses now and they're not moving them at all because they've been flagged. Right now we've got all these great blockchain companies that are flagging transactions. So hopefully this is a meaningful reduction and it's not going to bounce back up.

Speaker 2:

I like to see a couple of years, two or three years, of numbers trending down before you go, okay, now we can go back in retrospect and analyze what caused this. Is this just seasonal or some yearly flux? Or, like the war in Ukraine in 2022 caused a big disruption, is this because of geopolitical events too? So it takes a while to go, oh, okay, this is really working. But I think it's on the right track. That's fascinating that it went down by a third.

Speaker 1:

That's not a small number. If a company's revenue drops by a third, they're laying off a third of their workforce. That's a substantial drop. And I remember reading an article a couple of months ago about how hackers are going back to social engineering and more basic attacks that were more prevalent in the 80s and 90s, because companies have kind of awoken to cybersecurity and the importance of it, and that this is something you can't ignore, and if you do ignore it, you're going to pay, quite literally, a lot of money, and your brand reputation is damaged forever. I mean, who doesn't know about the Target breach? And that happened almost 10 years ago, maybe 10 years ago at this point. Yeah, who doesn't?

Speaker 1:

Know about it, right? Who doesn't know that Target was breached?

Speaker 2:

Yeah. To go back to the ransomware thing, it dropped by a third, but I was still a bit cold on it in a way, because it still amounted to $800 million in ransoms paid. And I guess two points on that. One, it's always an underestimate, because of the way that we track, or try to track, ransomware, there's stuff that just escapes scrutiny. And $800 million for a cybercrime enterprise is still pretty good.

Speaker 2:

And the other part of it that I thought was not great was that the attack numbers were just barely less, I think maybe less than five percent down. So you've got fewer organizations apparently paying because of better cyber resiliency, and that's terrific, but you have the same number of attacks. And you have to think, okay, even if you don't pay a ransom, because that's one component of the cost of a ransomware attack, if you were attacked by a ransomware group and you were breached, there's still an enormous amount of cost associated with that, like disclosure and legal fees. You might have cyber insurance, but it might not cover all of it. So to capture the full cost, or to go, all right, is this a real reduction in the threat landscape? I would argue not really. It's better, you know.

Speaker 2:

Fewer people paying cybercriminals means that, in theory, there's less incentive to do more cybercrime. The more frustrated they get, the lower the hit rate, the less likely they're going to be like, oh, this is getting hard, maybe we'll move on to something else. And that's good, but it's not the full picture, I think, of what we're seeing with ransomware. So I'm really reluctant to say we've turned the corner on this. I think these are preliminary, really positive numbers, but for enterprises going, okay, we can maybe take the foot off the gas on our resiliency plans or hardening or anything like that, I would say absolutely not. You've got to really be aware of these common vectors that ransomware groups are using to gain access.

Speaker 1:

Yeah, that makes a lot of sense. That's interesting, the backstory behind the numbers, because if you look at it at face value, that's the headline right there: ransomware payouts decreased by a third. You think, okay, we're doing something positive, we've made a huge turn here, ransomware isn't even going to be an industry in a couple of years. Those are the kind of mind jumps you can take with a title like that.

Speaker 2:

And then you dig in and it's like, not quite, not exactly. Yeah, the reason why ransomware took off, around 2015, was basically that banking malware got really hard; the banks got a lot better at stopping transactions to money mules and those transfers. And so then when ransomware came back, because the proof of concept was in the 80s, it was like, hey, this is easy and this is big money. So rather than trying to steal 150 grand and split it six ways into six different accounts, and that got shut down, it's like, oh, I could get $200,000 from a single organization using crypto; I don't even have to use a banking system. Again, I would argue that even if the amounts paid are, quote unquote, small, two hundred thousand dollars, that's still a good pop for somebody who's working for a ransomware group, because it's arguably easier than going back to the banking malware stuff.

Speaker 2:

Now, this stuff is always evolving, but I think at the point where it's just really hard to get a payout, when you have people that are working really, really hard to get you, and also, I think, if it becomes unfeasible to really run a ransomware-as-a-service group, the whole, hey, we developed the malware and the backend, and the whole affiliate model, when that gets busted up too, when it gets too risky to do that. What we saw in the last year was, when ALPHV went down, Hive went down and LockBit went down, we saw a lot of new ransomware brands pop up from smaller groups. Some of them look like they were maybe started by threat actors that came out of Conti and Ryuk, long-running actors, but these smaller operations make ransomware harder to track. Our theory, and a lot of other groups' theory, was that maybe they're doing this because they don't want to get exposed in the big LockBit bust, where the backend of LockBit is revealing,

Speaker 2:

perhaps, data about them that can be used to track them. So we'll split into smaller groups and do smaller jobs. I think that's what we could be seeing going ahead. It just kind of makes sense to us. Yeah, that's really fascinating.

Speaker 1:

So, to switch gears a little bit, and pique my own curiosity here, what have you seen with nation-state actors, and maybe even the inner workings between them and different hacker groups that may not even be associated with that nation-state actor? I'm thinking of things like Iran and Russia, and I'm also very interested to hear if you guys saw anything coming before the Russian invasion of Ukraine in 2022. Did you see any intel indicating, hey, this thing may actually happen?

Speaker 2:

With that, only in open source. I think that caught a lot of people off guard. There was a lot of collaboration between Ukrainian threat actors and Russian threat actors, but the war caused a big split. But prior to that, it was just the open source that everybody else saw. As far as nation state, you've seen this increasing intersection of cybercrime and nation-state stuff, and it's been happening for a few different reasons, depending on the threat actor. We've seen a lot of double dipping, in the sense that we'll see threat actors in China or Iran, where oftentimes the nation-state stuff gets mixed up with private companies, as it does in the West too, where you have private companies offering services to nation states for their operations, and sometimes we'll see some of those actors double dipping. I know we saw this with some China actors as well, where it looks like they were doing two sorts of jobs: side jobs, financially motivated things, and then the formal job. And with Russian threat actors, we've seen the Russian state lean on threat actors for a long time for their own purposes. So we know, going back to GameOver Zeus and TrickBot, and this is public knowledge, this is not stuff you can't research, there have been sanctions levied against the TrickBot actors where the US government, and I think the UK government, has openly said that there are affiliations with Russian intelligence. And it makes sense too that when you have very sophisticated threat actors running botnets that have access to millions of people's computers, that could aid in their operations as well. So I'll give you another example of that. We saw a threat actor, and I'm trying to remember the acronym, I think this person went by SXSP, and this person was an initial access broker. This was probably five to seven years ago, and this person was selling access, or access credentials, for SolarWinds. And then, when you look at what happened, now, to be clear, I don't think we were ever able to specifically connect the sale of these access credentials to the Russian intelligence group that later breached SolarWinds and caused one of the biggest supply chain attacks on record. However, there definitely is this whole marketplace, because I think Fxmsp took those credentials off pretty quickly, indicating that they were sold. And that's typically what happens when credentials are sold: there's an offering, sometimes they're not too specific about what organization they've got access or credentials or cookies for, and we can try to guess, or engage the actor, or figure it out another way.

Speaker 2:

But I mean that's what, that's the type of thing that other threat actors and ransomware actors look for, is like, oh OK, you've got credentials for this particular organization, that's a good one that might pay a ransom. So anyway, we saw these credentials withdrawn and then later we're like, oh, that's really interesting that, you know, the SolarWinds breach happened. And then the SolarWinds breach could have happened another way, we don't know, but we know a lot of organizations are breached because they've been phished.

Speaker 2:

You know you mentioned social engineering. I mean that's another way that kind of also sometimes works with phishing as well to get in. But there's, like, this, you know, to get back to the whole interplay between government and APTs, like our government, and financially motivated cybercrime, there are definitely overlaps that we see sometimes in infrastructure as well. And actors going, oh okay, this definitely looks like this person's doing, like these people are doing a couple different things, right. Yeah, that's fascinating that they're almost like moonlighting.

Speaker 1:

You know, it's like man.

Speaker 1:

You know I was talking to someone that is a cyber warfare officer for the US military, right, and he talked about, like, actually, you know, getting target packages, developing the executable and, you know, creating the documentation for the next guy to go and execute the attack with his payload and everything, right. And he was talking to me about it and I'm just sitting here thinking like, man, I really hope this guy never goes rogue, because what he's talking about right now, it's just unstoppable, right. Like I asked him, has there ever been a target package that you were handed that you just couldn't get into? You just couldn't find a way in? Right, and he said no, there's never been a single thing.

Speaker 1:

He goes, sometimes, if you know it's really hard, I'll go and I'll hack, you know, the phone sometimes, and I'll go from the phone and I'll leap onto their laptop, and when I'm on their laptop it's game over, right. He's like, and think about it, if I have their phone, I have their MFA. I know there was something to it, because this guy is non-existent, spooky stuff.

Speaker 2:

You know, that raises a really good point. And it was something that I saw, it came up on the Risky Business podcast. They were quoting a report from CyberCX, which is a big Australian consultancy down here. It was basically their annual report, divided their investigations according to sort of adversary, right. So I thought this was really interesting. Like five percent was espionage, so that's kind of APT. 60, I think 60-something, 67%, was financially motivated cybercrime. I think there was a third, a large, like 27%, was just kind of undetermined.

Speaker 2:

But I just heard the other day that CISOs and CSOs are often worried about APTs.

Speaker 2:

Right, and as well, you know, look, depending on your sector, if you're CNI, critical national infrastructure, I mean undeniably if you're hyper-focused on trying to stop an APT, you're probably missing the more likely source of an attack, which is financially motivated threat actors.

Speaker 2:

And, as you say, you know, your source that you spoke with, right, if an APT is determined to get into your organization, I mean I would argue, good luck stopping them. Not to say you shouldn't try, right, but yeah, right, like, you know, it's going to be really, really difficult if either China or Iran or Russia's top tier group of, you know, cyber SIGINTEL people decide we're gonna get into you, right, who have an infinite amount of time, who have an infinite amount of resources, who are not looking to monetize quickly, right. Because I guess that's one thing that separates, well, a huge thing that separates APT from fincrime, right, and this was also in that same report, like the dwell time for APT, 400 days. Right, they're not looking to make a buck, they're looking for long-term access to be exploited down the road. Fincrime needs to get paid, right. They've paid for access credentials. They've paid for bulletproof hosting. They've got to pay for their phish kits.

Speaker 2:

They've got to pay for a bunch of stuff, right, so they want to get a payout, right, and I think that dwell time was, like, you know, a matter of days now. So, you know, I'm not saying APT is not important by any means, like for national security it's hugely, hugely important. But I would say, if you are a private company, right, and you have limited resources, probably studying Cozy Bear's techniques and ensuring you're perfectly guarded against those, the latest threat report that's come out, you know, DFIR report that's come out against Cozy Bear, is probably not the best use of your resources. It's probably the fincrime folks that are going to cause you the biggest and most public headache. Because if you look at, right, what does fincrime do? They steal your data and they put it on breach forums, you know. Or they steal your data and put it on a ransomware site, like it's a huge amount of hassle straight away, right, because it's public, it's like they're trying to extort you and they're threatening you and it's really aggressive. They're WhatsApping your, you know, CEO and harassing his wife or her wife. You know, it's just like a big, intense thing, while your APT espionage people are kind of slinking in slowly, they're trying to slink out slowly. It's different, you know. It just depends on your threat.

Speaker 2:

It comes back to threat modeling, right. Like, who is most likely to attack you, how do you defend against that? Right, it's good to also just not overcomplicate it, right. You have the added benefit that a lot of fincrime groups and APTs are now using the same techniques, right. So if you're doing, like, especially, I see this in our threat hunt platform, right, like we'll look at a specific technique. You know, say we'll take a DNS request from an application that you didn't install, like an unorthodox DNS request, right, and you look at the techniques or the groups that will use that, and it could be APT, could be fincrime, right. So some of the stuff cross-applies, which I guess is good from a time perspective. But again, it's just realizing, okay, who's most likely to attack us and do we have those vectors covered as best as possible?

Speaker 1:

Yeah, I mean, like you said, right, it's extremely important to understand even who your adversary is, right. Like, you have to understand who's actually coming for you, you know, who wants access to your computer or whatnot. You know, I talked to an AI security researcher at NVIDIA, right.

Speaker 1:

And he was talking about the security protocols that they put up for their chips, for all of their chips, all of their products, right, and he said that the only thing that's even comparable is when you go to a government facility and you have to go into a SCIF, right, just to have a conversation about a certain topic, because the security at their facility is so top-notch that the government goes to see what they're doing so that they can replicate it in their environments. Right, and that's a unique use case, right, because I mean, how much would China spend just to get the blueprints for the next NVIDIA chip, just so that they could create it quicker than NVIDIA and come out with it and increase their AI power? Right, like, I mean, that's something where it's just like, hey, just get it done, don't worry about the money. Yeah, like, don't even worry about the check, you don't have to fill it out, I'll fill out the check at the end, you know?

Speaker 1:

Like that sort of thing, and that works for, you know, one percent of the world's companies and entities out there, right? But, like, you know, for everyone else it's like, hey, let's cover our bases first, and if we've got some money to blow then we'll talk about some other stuff that's more advanced. But as of right now, you know, we're too soft of a target to even be worried about APTs.

Speaker 2:

Yeah, look, good security slows everything down. So if you look at the protocols that are in place for handling classified information within the US government, yeah, it's SCIFs, it's drop your electronic device at the door. It's designed to slow everything down and to make it as hard as possible. So good security slows everything down. That's the antithesis to business, right? So I mean, NVIDIA has decided and has made that choice that this is our most valuable intellectual property and we're going to take every step, no matter how inconvenient, right?

Speaker 1:

To be able to protect it. It might be the most valuable IP on the planet. Yeah, yeah, it definitely could be.

Speaker 2:

So, yeah, so like, look, you can always implement better security, and I guess that's always the trade-off with, you know, business processes of, like, okay, well, what do we need to protect and how secure does it need to be, and how much is that a disruption to what we need to do, that we really need to do? Here's an example: phishing-resistant, you know, FIDO keys, basically, so you have to stick it in your computer before you log in, right, like.

Speaker 2:

This is the best way to basically stop credential theft now, because, you know, phishing kits and info stealers are basically grabbing credentials, grabbing cookies, grabbing everything off the machine, and if you have the cookie, MFA is irrelevant, right. Yeah, like, unless that cookie expires, you know, you can set short expiration dates, but anyway. And the thing is, having to have something with you and insert it in a machine is a pain, right. That's something else that people might forget, or, you know. But that's the point that we're at, and so, you know, if you want it to be the most secure that it can be, and I would argue that protecting against credential theft and cookie theft should be number one, because that's one of the primary ways that adversaries get access to machines. So yeah, I think for better security, we're going to have to put up with some inconvenience or just a change in work processes and patterns. And, you know, that's where we're at. If that's what we have to do to protect data, then that's what we have to do. So, you know, I mean, remember, even a few years ago there'd be a breach and companies would be like, oh, we don't want to reset everyone's password because that would inconvenience people.

Speaker 2:

Like now, that's just kind of like, what, it's a joke, it's laughable, right, we're laughing at it. Like, of course you have to reset everybody's password if your password database has been stolen, or whatever. So, yeah, we just have to change our mindsets too and be like, things that are inconvenient at first glance often just become routine, right. Like, you know, it's like, oh okay, there's been break-ins in our neighborhood, maybe I should do the second lock, or whatever. Or, you know, just like the things that we modify in our own personal lives because we perceive an increased, you know, threat risk. Like, okay, I'm going to really wash my hands because people have got the flu. Right, it's inconvenient, it takes longer to wash your hands three more times a day or whatever, but it probably lowers your risk of, arguably, getting the flu.

Speaker 1:

So, yeah, wow, yeah, I mean, you know, Jeremy, we've been on this thing for a while now, right? The conversation really flew by, at least for me, right, and I'm very conscious of everyone's time, but I want to ask you one more question. Where do you think security is going in 2025? What are some trends that you're seeing potentially? You know, security trends, as in organizations potentially deploying more controls on a certain area, or, you know, areas that are being attacked more in 2025 that you can foresee. Well, am I allowed to talk about AI and DeepSeek? Yeah, I mean, I guess we go for another hour. Yeah, it's.

Speaker 2:

I mean, I think organizations are going to be just increasingly challenged by sort of deepfakes and things like that as well, and that's things that AI is really good at. We won't get into the whole malware development and things like that, but, you know, I think social engineering, you know, AI has really been sort of boosting that, audio deepfakes, things like that, that are very tangible right now. And I think, you know, I guess again with the major sort of threat actors, I would say ransomware too, and it's again just kind of, don't sort of overthink it. Move to phishing-resistant authentication, that's a huge one. Like, you know, just patching stuff on CISA's KEV, right, the Known Exploited Vulnerabilities list. Right, KEV is a dead simple thing. They just took the vulnerabilities, if they're exploited, and put them on a list. Dead simple, right. We don't have to overcomplicate it. And those are the ones you should patch straight away, right. Simple things like that.

Speaker 2:

I mean, I think organizations get caught off guard too by, you know, social engineering is very powerful, especially for very large organizations like telcos that have lots of customer service reps. You know, we've seen that with SIM swapping and things of that nature too. But misconfigurations as well, right. And just knowing your attack surface, right, what services are exposed to the internet? I mean, again, dead simple. Attackers go to Censys and Shodan and look for what internet-facing assets you have and compare that to their exploit code for it, you know, can I attack it?

Speaker 2:

So, like, securing edge devices and, you know, knowing if you've got exposed RDP ports, all this brutally kind of basic stuff that people have been talking about for years is still extremely relevant. So I mean, I would say that's the biggest thing. Like, know your attack surface, know what's facing outwardly, because that's the first stuff. When, you know, attackers are going like, okay, I'm going to enumerate subdomains and figure out the one that they've forgotten or whatever. You know, just the usual basic stuff that still gets a lot of mileage. So hopefully that's a concise answer to your question.

Speaker 1:

Yeah, yeah, I mean I think that's like as concise as you can be right, especially with those topics, I mean. But you know that just means that I'm going to have to have you back on for a part two or something like that. You know, maybe a little bit of like a regular or a biannual episode with you. I'd love it, it'd be great. Yeah, well, it was fantastic having you on Before I let you go. How about you tell my audience you know where they can find you, where they can find you know any other resources from Intel 471 that you want to direct people to?

Speaker 2:

Yeah, totally. So the signal to noise, or rather the noise to signal ratio on X, aka Twitter, these days is just too high for me, so I've gone to Bluesky, which is actually developing a nice sort of InfoSec kind of community there. I'm on Mastodon as well and LinkedIn. You know, our blog puts out a lot of research from Intel 471 on malware and threat actors and DeepSeek. We've also got some great threat hunting content too. You know, that's pretty hot right now.

Speaker 2:

Organizations are looking to, like, you know, get ahead of their, you know, if they're infected, like, assume you get infected and you want to get rid of it, conduct threat hunts. So that's a whole new area that I'm very much learning about too, which is cool. So, yeah, I'd say, and also I write a newsletter that comes out on Tuesdays called the Executive Intelligence Update.

Speaker 2:

It's actually aimed at just sort of security CTI practitioners, and it's basically like four items, kind of sometimes big picture, sometimes strategic, sometimes a lot of strategic stuff, sometimes tactical and even operational stuff, like I'll write about some malware campaigns that our malware team has been working on. But it's a good summary of sort of infosec news. I know there's heaps of stuff out there to read and consume, but it's relatively short and it gets to the point, so I'd encourage people to sign up for that as well. Awesome.

Speaker 1:

I'm gonna have to sign up for it myself. That'll be great, awesome, awesome. Well, thanks, Jeremy, I really do appreciate you coming on, and, you know, I hope everyone out there enjoyed listening or watching on whatever platform you're on. Thanks everyone.
