Threat Intelligence: Insights on Cybersecurity from Secureworks

Alex Rose from Secureworks joins Shira Rubinoff on the Cybersphere to share his insights on the critical role of threat intelligence in modern cybersecurity efforts, underscoring the importance of proactive, intelligence-driven defense mechanisms.

On this episode of the Six Five Podcast - Cybersphere, host Shira Rubinoff is joined by Secureworks' Alex Rose for a conversation that delves into the critical topic of threat intelligence within the sphere of cybersecurity. Their discussion covers:

  • The evolving landscape of cyber threats and the importance of intelligence-driven security strategies.
  • Insightful analysis of recent high-profile cybersecurity incidents and the lessons learned.
  • Secureworks' unique approach to partnering with governments and organizations to fortify defenses.
  • The role of AI and machine learning in enhancing threat detection and response capabilities.
  • The future of cybersecurity and the collaborative efforts needed to mitigate emerging threats.

Learn more at Secureworks.

Transcript

Shira Rubinoff:
Hi, this is Shira Rubinoff, President of Cybersphere, a Futurum Group company. I'm here with Alex Rose, Director of Governmental Partnerships and Director of Threat Research at Secureworks. Alex, it's a pleasure to have you here today.

Alex Rose:
Thank you so much for having me.

Shira Rubinoff:
Oh, it's a pleasure. So today we're going to talk threat intelligence, and as we know in cybersecurity, that is a critical topic, a huge topic, and something that really spans the entire cybersecurity ecosystem, to even play it lightly. And what I'd like to do is really dive deep from the bottom up. And Alex, can you please describe for our audience, what is threat intelligence and how do you collect it?

Alex Rose:
Yeah, that is a big question and I liken threat intelligence to a couple different things in order to simplify it a bit more. In one case, it's a bit like a GPS or a roadmap that helps us understand the cyber threats before they hit. It's able to do this because it's already been discovered or it's been mapped, right? Hence, the reference to roadmap or GPS. It shows us who's behind the attacks, what tactics they use. It's about learning from what has already happened. But because it's not just about what's in the past, I also think about it a bit like the weather forecast, where we're taking in what we've studied, that historical information, we're taking in what we know about the issues, but we're coupling that together with what we are seeing emerging, new patterns, new activities, new vulnerabilities, and more, so that we can prepare for and identify what's on the horizon.

I think in either of these approaches, it's not just about sharing the ideas of what's out there, it's not just the report or the fun story, which there are a lot of them, but it's also translating that into the technical terms so that organizations can use that to defend themselves. And for the other half of your question, how do we collect that? I could go on for days, but I think the way that I would focus that is, it's about having a broad aperture. The broader your aperture is, the better that your collection is going to be. And so for us, we're really lucky to collect from multiple sources, think things like we learn from our own customers and what's going on in their environment. Incident response work, that's a rich source of information.

We have teams on the underground forums, experts in every area you can imagine: cyber crime, ransomware, state-sponsored threat actors. We take all of that together. We have partners that we discuss these things with around the world, and that helps form the broader picture of what's going on. Any one of us isn't going to have the complete picture, but when you have multiple sources, the closer you get to that goal of having a full, rich understanding of the threat landscape.

Shira Rubinoff:
Well, that's a great explanation, thank you. And just to ping pong off that, as we know, our threat landscape is getting bigger and bigger all the time. It's vast, it's growing exponentially, and organizations are scrambling. How do we know that we're getting everything? How are we focused on the right thing? Can you talk to that point for a moment?

Alex Rose:
Yeah, I think that it's a tough challenge. You have so much information coming at you and how do you make sense of it? And so I think it's breaking it down by the right parts of your organization, who needs what and when do they need it? And ultimately, grabbing those insights and figuring out how you apply it and what is the practical outcome for each part of your organization. And so I think at the end of the day, it's about breaking it down. You don't need to have the whole picture here or there. It is breaking it down for each part of your organization and where it makes the most sense.

Shira Rubinoff:
Oh, that's great. And Alex, how can organizations apply threat intelligence to their security programs? And again, it's a bit of a big question because I know there is no one size fits all we've mentioned. What can you say to that?

Alex Rose:
Yeah, I think that they can apply in a few different ways in order to strengthen their defenses here, right? First, it's going to help them understand the threats that are most relevant to their organization based on the technology they use, for example. That allows them to focus the resources where it matters. I think that threat intelligence can... Not, I think, I know threat intelligence can help highlight new vulnerabilities and the exploitation of those allowing companies to patch in a way that makes sense or adjust security controls, in conjunction with the evolving threat landscape. I think a second way that it's really helpful is in incident response. So when an organization's had that really bad day and a threat is detected, intelligence gives the security teams the context they need to respond quickly and effectively. And I think ultimately, that's what threat intelligence is. It's context for what you need to do to secure your mission, your part of the mission, your business, and it helps you prioritize in the right way. And the last way I'd say this is, it integrates and it can integrate well with your security programs, so that it allows organizations to shift from being reactive to proactive. And so it's that application, in the right teams, in the right ways.

Shira Rubinoff:
And that's a very strong point you hit on to be proactive rather than just reactive. We all know that in the past, cybersecurity has been mostly reactive and it's taken a turn on its head as we've seen everything advance over the number of years. And being proactive is not a may do, it's a must do, so that's a great point you made. Thank you. So what do you think Alex, are some of the best practices for pulling out the right level of detail for different audiences, from different business leaders, to IT admin, to security analysts? And again, everybody has different needs within the organization and we're very careful within the organizations that we don't want to give over the wrong information or access or data, to those folks who don't need to utilize it. So there's lots of levels of security, lots of levels of access you have to think about. Can you talk to that point?

Alex Rose:
Yeah, I think this is a really important question and something that I enjoy talking about and actually was in some great conversations recently. And I think the thing here that matters most is, you're adjusting what you share with each audience as you already referenced. And I think it's important for a few reasons, because, if you're talking to a business leader, they're typically focusing on the big picture, how threats can impact their overall risk, their finance, their reputation. If you jump into all the technical details, the message that you need them to get is going to be missing. For those folks, focusing on less technical jargon, highlighting how this impacts their strategic insights, how potential business disruption or regulatory requirements could impact their bottom line and their ultimate goals as a business.

And then you move down through things like IT admins, we've talked about this a bit already when it comes to vulnerabilities. They need the technical steps to address the threat, which things are practical, actionable insights that they need to be able to respond to, to get their systems to a state that they're comfortable with. And then you also have the security and analyst community where we get to share the rich details and all of the technical deep dives, the TTPs, all of the techniques that they're carrying out so that they can ultimately hunt, detect, and respond to these threats. But like I said, each different audience requires different information. You have to adapt that story. You have to adapt that picture for what is going to resonate for them. Because I think as a threat intelligence professional, my ultimate goal is that I know this information is rich and really important and it needs to be able to be used by the people in the right way. And so we've got to meet folks where they are.

Shira Rubinoff:
I love that you said that. I kind of phrase it as, make it relevant, make it meaningful, and then make it impactful. All three come together, you're going to give over the right information and you'll get the best out of your people. So a great way of explaining that. So Alex, what are some of the top themes organizations should be aware of, based on today's threats? And that's a really big question, but I know that you have a lot to say around that.

Alex Rose:
Yeah, and I was going to say, you could go so many directions with this. I think the direction that I will go today is focusing on what we call the initial access vectors. How do people get in? Because at the end of the day, I can talk the ins and outs of different threat groups and emerging things, but what matters is that we prevent them from being able to carry out the harmful work that they're looking to do. So these are three different things in my mind. We're talking unpatched, internet-facing vulnerabilities; credential attacks, identity-based things; and then commodity malware. So if I open that up just a bit: unpatched internet-facing vulnerabilities account for half of the initial access for ransomware operators. And so when you're able to have a program that prioritizes patching, again, it's not an all or nothing thing, use the threat intelligence to help shape what you can do today, right? Help you minimize the risk. We're not going to reduce all risk, but help you minimize where you can and/or pass on risk where you're able.

And then things, like I said, the credential attacks, commodity malware, things like info stealers. You have the rise, I wouldn't even say it's a rise anymore, it's just the steady state of remote work. Employees have personal devices, and behaviors in their personal life can inadvertently expose corporate data. So the info stealer example there is collecting your login credentials. Well, guess what? If I pick up my phone right now and scan a QR code and it was actually a fake thing, I've given my credentials away to those threat actors. And so it's about having strong credential hygiene, multi-factor authentication, and not just plain old MFA, it's about phishing-resistant multi-factor authentication. I think that there are many conversations to be had about that, but when you're focused on internet-facing vulnerabilities, so you're patching, you're focused on credentials and how you get into things like MFA, and then ultimately commodity malware, so you have end-to-end detection: endpoint detection, network detection, those kinds of things together really do a number in helping stop and prevent the spread of something like ransomware, helping prevent some of those key breaches that are happening today.

Shira Rubinoff:
Certainly, and you really took it full circle. Really, the people, the process and technology you're talking about, all the technology factors that we need to think about across the organization in a way for it to be set up to be secure, in a very tight manner. But then as you mentioned, when it comes down to the people, making sure they're doing specific things. So one of the pieces: people look at the human as the weakest link in the chain, but from your perspective, and what you talk about all around Secureworks, it's let's now arm the humans to be part of the solution. Let's give them the tools, let's educate them. Let's make sure that they're part of the army within our organization, to make sure no breaches happen, proper cyber culture and hygiene within the organization. So that's a great thought process to have within your organization to have complete security across it.

So a lot of what we talk about, people we talk about, different theories and different ideas, but some of the things that people really love to hear about are stories that happen within organizations, or you've heard about, you've been part of. So do you have a favorite or a current story about the threat that helps organizations realize what they're up against? Something that would make people say, "Really, this has happened?" I think those are the stories that stand out the most, that make an impact for people.

Alex Rose:
Yeah, I think there are kind of two things that come to mind here, which is the rise of threat types that we've seen, but how they're being carried out, makes them really upfront and in our face. And one of those is looking at groups like Scattered Spider. So these are groups of young criminals using social engineering primarily, to target organizations. That's calling up the help desk and saying, "Oh no, I'm so-and-so," and by the way, they've looked at your social media profiles, they know who you work with because they've looked at your LinkedIn, for example, and they are able then to get a password reset and then log in and we can just go out there and list several examples of how they've compromised organizations from, like I say, something as simple as, let me search for somebody in social media, see how they're connected and pick up that phone and call their help desk.

So that really, I think that they've demonstrated that you can hit high-end organizations, organizations that thoroughly invest in their security, and they're able to take something as simple as that and be able to go and get around the controls that do exist. The other thing I would say is what we've seen North Korea doing over the past, I mean for quite some time, but really in the forefront over the past few months. And so I think when it comes to North Korea, it's bringing this idea and the concept of insider threats back to the forefront here. And so we've seen large organizations across the US, UK, Australia and beyond, who have actually employed North Korean IT workers, technical folks, and they have produced fraudulent credentials to get hired on initially, and then they continue to get paid and make money. And that goes back to North Korea and their regime and what they plan to do with that.

And I point that one out because this is another one where I think it really demonstrates the importance of security together with the rest of business operations. Because when you have something like this happening, it's the security team having a conversation with the team of HR that's doing the hiring. And so I think that it just really puts to us the fact that security is intertwined. And I think it's a story when you really lay out that one in particular, end-to-end, other people in the business, their eyes really open wide and they realize the broader implications there. And I think the last point I'll make is it's happening far more than you would think. So when you go into an organization, not us, it's really important to look around and have conversations, because I've even been shocked sometimes, how far reaching that it is. And so those are the two things that I would say right now.

Shira Rubinoff:
True, it's not if, it's really when. No, thank you for all that great insight. So I'm going to throw one more question out at you. I always like to ask my interviewees for maybe a cyber tip or a little cybersecurity thing they'd love to share with our audience. Maybe something that they hold dear or some sort of tip that would be relevant for a watching audience, that you think would be important for them to know.

Alex Rose:
Yeah, it's a tough one. I would say, I think for me, I've alluded to this a little bit, but it's not about knowing the ins and outs of everything. It's about knowing your role and who should know the ins and outs of it. It's about knowing that, in my case, threat intelligence, threat intelligence plays a role and understanding how that plays a role in your world. And so you do not need to be the expert on all of these things, and that is absolutely okay. You need to know who are your partners in your organization. You need to know where you can turn to and that you should be able to turn places to help you make decisions and walk you through some of these things. But the key is we talk about cybersecurity is always a team sport, but I genuinely believe there's just so much information out there. You should not be expected to know it all, and you should be comfortable knowing that you don't know it all. And that's an okay thing. I think that we are incrementally getting better and that is what matters.

Shira Rubinoff:
Some great points there, Alex. Thank you so much for your time. We very much enjoyed our conversation and I'm sure our audience gained a lot of knowledge from you.

Alex Rose:
Thank you so much. I appreciate the time.

Shira Rubinoff:
Certainly, and I look forward to talking to you again soon.
