Securonix SIEMple Talks

Securing the Digital Battlefield: The Role of Threat Research in Cyber Defense

Securonix Season 1 Episode 3


Discover the world of cybersecurity through the eyes of Tim Peck, the Senior Security Researcher at Securonix, as he shares his journey from a sysadmin role to a leading figure in threat research and incident response. Learn how Securonix integrates advanced threat intelligence into its products to outsmart cyber adversaries and enhance detection capabilities, offering unparalleled value to both the industry and their customers. Tim reveals how timely advisories can disrupt the plans of threat actors, highlighting the proactive nature of modern cybersecurity.

Join us as we unravel the complexities of modern cyber warfare, focusing on the tactics of high-profile APT groups and the innovative challenges posed by malware like STEEP#MAVERICK. Understand the necessity of a layered security approach and how pairing technologies can close potential gaps in detection, particularly through SIEM systems. This episode sheds light on the evolving strategies of cyber adversaries and explores how organizations can bolster their defenses against sophisticated threats.

Explore the dual impact of AI on cybersecurity, where it serves as both an ally and a threat. While AI enhances our capabilities, it also empowers malicious actors to deploy threats at unprecedented speed and scale. Despite these challenges, threat intelligence remains a cornerstone of cybersecurity, transforming into actionable insights that fortify defenses. By understanding threat actors' methodologies, organizations can not only react to known threats but also anticipate and mitigate future risks, proving that informed strategies are key to securing the digital frontier.

Speaker 1:

Hello and welcome to another episode of SIEMple Talks from Securonix. I am your host, Augusto Barros. In this episode we have our first Securonix employee guest. I have here with me Tim Peck, Senior Security Researcher with Securonix. Tim is really in charge of a lot of the very interesting threat research that Securonix puts out there, so I'm really excited to have him as the first Securonix guest here at the podcast. So, Tim, hello, nice to have you here. Why don't you introduce yourself and talk a little about kind of where you came from and how you ended up here doing threat research for Securonix?

Speaker 2:

Absolutely. Thanks, Augusto, thanks for having me. So I've been in the cybersecurity space for more than 10 years. Started out even before that doing sysadmin work, Linux sysadmin, Windows sysadmin, and kind of morphed into the cybersecurity space as a threat analyst, then eventually got into consulting and incident response, and that led into, I guess, my desire to understand threats even more, taking things apart, understanding malware systems, how those run, you know, what the APTs, what the bad guys are using and how those systems are designed. And, you know, even more complex campaigns like ransomware campaigns, you know, how they start, how they end, you know, those type of things, kind of the whole life cycle, and it kind of just led into, you know, my role here as a senior threat researcher at Securonix, and that's what I do here, and not only, you know, we kind of start to finish, right, you know, start with threat intel, get information on how to detect threats and then, you know, build these detections to detect them, and we try to stay ahead of the game too. But that's me as kind of a threat researcher and how it all started and what I do here, and I love it.

Speaker 1:

Right, and that's something that was interesting when I joined Securonix back in 2020. I think Securonix was one of the few pure-play SIEM vendors that actually kind of was putting out threat research, and at least for me that was a very important factor to consider Securonix as a company to join, right. So, and I think today, kind of when you look at the market, I think kind of things have evolved, so, say, most of our competitors are also doing some level, right, of threat research. So in that sense, right, why do you think it's important, right, kind of, for a SIEM vendor to have its own threat research team?

Speaker 2:

I think it's critical, especially SIEM, or, if you're in the cybersecurity space in general, especially SIEM, because, you know, what's the goal of SIEM? We're taking that log aggregation to the next level and turning it into something that can produce actionable alerts. Right, we already know that the bad guys are out there. They don't stop, they don't slow down, they innovate very well. Having a threat research team for a SIEM vendor is critical because it allows us to get ahead of that or stay current with that, with the latest tactics and techniques that those bad guys are using, and integrate that knowledge into a product. So SIEM especially, I think that's incredibly important. But if you're going to be a cybersecurity player, you kind of have to have that threat research baked into your product to stay current. But that's kind of my philosophy as to the why, and I think we do a pretty good job at staying ahead and catching some of these threats quickly and baking that into the product.

Speaker 1:

Right, and the output of that research, how do you think it is more valuable to the vendor? If you look only into our Securonix realm here, right, where do you think we get most value from this research? Is that by seeing things that we are probably kind of currently not able to detect and having to improve the product to catch up with that? Or is it about content production, right? Kind of essentially having material to create more unique rules, for example, if we use a more simple language related to the same space, in a way that the customers wouldn't have to do that on their own? Where do you think it's the heaviest weight for the value of the research that you're producing?

Speaker 2:

It's certainly both. But, you know, a lot of customers, they're not going to have a dedicated threat research team with resources as far as acquiring, like, the latest threat intel, and so that is where we step in and we're able to be pretty rapid with some of these. You know, for instance, if we take our advisories, if you go out on the Securonix blog, we have quite a few that we've put out. The nice thing about those is not only are we helping the industry as a whole, we're helping, you know, the Securonix customers in general. By the time those advisories hit the news, hit the media, you know, we've already baked all these detections into the product already.

Speaker 2:

So it allows us to position ourselves kind of a step ahead of just the industry in general, but also kind of shake up the bad guys too as well. So a lot of times when we're developing detections for unpublished threats, we have to be quick, and a lot of times it's funny. Sometimes we'll put out an advisory, you know, where C2 servers at the time are live, and as soon as we publish the advisory they'll go down, you know. So we're kind of shaking up the bad guys too, as well as, you know, helping out the industry at the same time. So it allows us to be a bit more rapid in that aspect.

Speaker 1:

Right, and kind of, when I look at kind of some of the research that we produce, and probably not only kind of we, but kind of from the entire community in general, sometimes I have the impression there is a lot of more of the same, right? Like, oh, there is this group here that we see them doing this and that, and now there's a small variation in their malware. Now, in the attachments they send in an email, instead of an LNK file, now it is a ZIP file. We see these small variations in the attacks. But that gives me the impression that we see these small changes, but we don't see huge evolutionary steps in the way that the threat actors operate. Is that because they really do not need to do that and they just tweak their methods and their practices, their TTPs essentially, right, kind of to find the next one that will work, or are they kind of slowing down in terms of innovation?

Speaker 1:

Or are we just, kind of from a threat researcher, kind of effective in this point of view, just finding those small variations and maybe, for some reason, we may be missing the big changes that are happening kind of from the threat side? So first, I think I probably end up kind of going too long in the question. First, kind of, why is there this impression of more of the same, and is that kind of from kind of the research side? Is that from the threat actors' way, right, of evolving kind of their practice? So why do you think that sometimes that impression exists?

Speaker 2:

Yeah, no, absolutely, that impression exists. Those small variations are way more common, but they're worth tracking. A lot of times, you know, they'll take the path of least resistance, you know, right? If they can just make a small tweak that, you know, bypasses a certain AV vendor, if they know their target well, that's all they need to do versus completely retooling. We do see both. But to your point, yeah, we do see a lot more subtle variations, and maybe, you know, an early stage loader or, like you said, an LNK file. You know, maybe they adapted to, you know, a different execution method or a phishing email tactic. So it's definitely going down the path of least resistance.

Speaker 2:

A lot of times you'll see certain trends with certain threat actors. They favor this particular malware dropper, loader or initial infection method and they kind of stick to that. And a lot of times it really helps with attribution because it's like, oh, this is a classic APT37 or APT39 initial infection. So a lot of that data is useful, whether we're building detections or not. Like other aspects, like I said, attribution is another one and identifying, but every now and then we do come across some pretty novel changes where we are able to attribute either the malware or attack campaign to a certain group and it's totally out of left field. But then again, yeah, sometimes you see those small changes and those are all great to track too, because, you know, when we're building detections and we're tagging them for particular groups or variants of malware, ransomware, you know, we're able to stay accurate on that aspect.

Speaker 1:

Oh yeah, on that sense, right, you end up connecting to kind of another question that I wanted to ask you, right: what are the most interesting findings, right, you've seen, right, kind of doing your research? Kind of, what is the thing that you found and said, wow, these guys are doing this or that, right, kind of, or that wasn't expected, right? Kind of, what are the most exciting findings?

Speaker 2:

Oh yeah, there's been a few, yeah, and those are always the best. Honestly, when you discover a brand new tactic or a new strain of malware. I'd have to say the couple that stand out the most: we published our findings on, it was either last year or the year before, on STARK#VORTEX, which was kind of in light of the Russia-Ukraine war.

Speaker 2:

This was an incredibly targeted piece of malware to the Ukraine military, and what made it targeted was the way it would propagate through systems. Traditional malware, ransomware, typically propagates through network protocols, right, SMB, you know, you name it. It'll have built-in network scanning. This didn't do any of that. It propagated purely through USB drives.

Speaker 1:

It's Stuxnet style, right?

Speaker 2:

Exactly, yeah, so it would basically just put some dropper lure on USBs anytime it ran. It would persist in the system really well.

Speaker 2:

But if you kind of step back and think about how the Ukraine military operates, it's a very distributed system, right. There's not some centralized network. When you're out in the field, you know, USB drives, if you think about it, would be the primary source for sharing or distributing information, and so it was kind of an interesting finding, and there wasn't a lot of research at the time around that. It seems to be getting a little bit more common now, but it was pretty novel at the time and pretty interesting. But it just kind of goes to show that, when it comes from a threat actor standpoint, you know, understanding your target, you know, and that's something that a lot of these high profile APT groups do really, really well, right.

Speaker 1:

That's kind of witnessing cyber war going live, right?

Speaker 2:

Totally.

Speaker 1:

That's certainly exciting, right, from a research point of view.

Speaker 2:

Yeah, it's like cyber war over the top of an actual physical war. So, yeah, really interesting, I'd say. The other one, you asked for a couple, so I'd say STEEP#MAVERICK was another fun one.

Speaker 2:

This one was just layers. Maybe to me it was more fun, but it was just layers and layers of the malware. I mean, its obfuscation level was absolutely insane. It took forever to analyze, but it was rewarding because it was really interesting.

Speaker 2:

There's probably like 13 layers to that, but, you know, it embedded in the system and dropped a custom payload at the very end, and, you know, it was kind of cool seeing this brand new tactic. I can't remember the lure off the top of my head, whether it came in through phishing or not, but generally we don't see that many obfuscation layers coming in through the malware. But it had a lot of new ways of hiding code, and I like that too, because I kind of see it as a puzzle, where if you're able to get something to execute that shouldn't execute because it would normally be blocked by antivirus, but that particular campaign just had a lot of that. So that was more of a, for me, fun to analyze. Obviously, you know, to kind of rope it back to your question, it was very new for the industry. This was something we hadn't seen before. So it kind of fits both of those pretty well.

Speaker 1:

And I remember reading that specific piece of research, the layers and layers of obfuscation, and what came to me when I was going through it was, well, there's really a lot of effort to bypass primarily endpoint detection, right.

Speaker 1:

So it really looked like what was probably the biggest pain for the threat actor in that scenario was being detected on the endpoint right or by an endpoint security solution.

Speaker 1:

And when we look at the entire threat chain right for many of these cases there are so many other opportunities for detection that sometimes I have the impression that the actors are just not trying to improve in being more stealthy or harder to detect in some of those layers, like the identity side kind of, in the way that they are trying to elevate privileges, or sometimes even the command and control side, because so many organizations today put so much emphasis on kind of their EDR capabilities, for example, or their endpoint security.

Speaker 1:

Then we even see the outcome, right, of that kind of on the threat actor side, right, kind of they're putting so much effort to bypass, right, or to avoid detection from those security components, while the kind of the defense side could, looking at those other points and at other steps in the attack, probably kind of avoid having to be so much involved or kind of putting so much effort on that endpoint, because there are other places that the threat actors are not evolving as fast or as constantly that are also kind of very good opportunities for detection. Am I right with that impression? Kind of, what do you think?

Speaker 2:

Oh, absolutely, no. You know, detection in general is a huge net, and I kind of like to run with the philosophy of, you know, it's a very basic cybersecurity principle that I think a lot of times we overlook, and you've, I'm sure you've heard this before, network defense, everything, valuable products, especially when you pair it with a SIEM, right. EDR bypass is a thing. In fact there's a MITRE tactic around it. Threat actors are very good at understanding EDR and how to bypass them. You know, it'd be foolish to think that they probably don't have some form of, oh man, I don't know how you would phrase this, but a way of sandboxing their malware and running it against some EDR platforms. You know, these, especially APT groups, these state sponsored groups, they're very resourceful, so if they know a target is running, you know, EDR vendor X, right.

Speaker 1:

You can iterate and experiment right, so they have an opportunity right.

Speaker 2:

Exactly.

Speaker 2:

And so it's a thing you know and it's I wouldn't say it's easy to do, but it's certainly possible and with the amount of resources that they have it can be done.

Speaker 2:

And so when you pair your technologies, you know, EDR plus SIEM or NIDS, you know, whatever it's going to be, your odds of catching something go through the roof, right. You know, in the case of STEEP#MAVERICK, you know, it did generate a lot of noise. However, it was very good at bypassing AV. So, you know, and when we published this detection, you know, obviously, like I mentioned before, we published some detections for the product that can catch this as well. So it's all about kind of overlapping, spreading out your detections as much as you possibly can and, you know, obviously fine-tuning them. At that point it's a process, but it certainly can be done. So the interesting aspect with SIEM is that, compared to EDR bypassing, EDR bypassing is pretty well documented. Bypassing a SIEM is kind of a wild card because you don't really know what the capabilities of the product are, kind of jumping into it.

Speaker 1:

What telemetry you're collecting, right, so you don't know what signals you're generating, right, so it's hard for the attacker, right, kind of, to make sure that they're not leaving anything behind that the SIEM is looking for, right.

Speaker 2:

Exactly. So I mean you could use your SIEM as like an ultimate weapon, right, because I mean it's hard, you know, whether you're doing red team simulation or you are concerned about legitimate threat actors in your network. You know, you can dial in these detections really, really well to catch these guys because, yeah, unless they have somehow access to your product, which, you know, I can't think of a single campaign where that's happened, but, you know, they don't know what you're, they don't know what to know at that point, so it makes it a bit more difficult for them, right. But in the end, you know, it's all about adding those layers, right.

Speaker 1:

That's right. And I think one thing that we probably do not do as well as an industry, sometimes we end up kind of putting, on the defense side, we put many layers on the same place, so the attacker's kind of their behavior is the most expected one, right. They'll just avoid that place, right, when there are no other layers. So defense in depth, right, is not about kind of having three endpoint security solutions running on your endpoints, right, but kind of covering kind of many, many places where you have the detection and even kind of the attack disruption opportunities. So if for some reason your endpoint capabilities are not performing or not doing their job, you'll be able to find something on the identity and credentials level. You'll see someone kind of using permissions or kind of receiving privileges that they should not have, and so on. You have visibility across multiple places.

Speaker 1:

I think on defense in depth, I remember having discussions, and there was a time when we were talking about putting firewalls from different vendors. You have two layers of firewall in front of a network, one from Cisco and another from Check Point. It was such a silly thing to be done, because the attackers were just going to do something different, right? Or just go to the internal systems directly or, as you mentioned, kind of in one of those cases, use a USB drive, right, and then the firewall doesn't matter anymore, right? It doesn't matter if you have one or three. So I think kind of, when you look at the defense in that aspect, that's something that really needs to be well thought out, right. Kind of, you're putting the layers where it matters more and not duplicating efforts in a place that can be easily bypassed.

Speaker 1:

Exactly, of course. Kind of, you already mentioned kind of the value that research has for us, right, kind of as a security provider. Now for the end-user organizations, either our customers or not, how do you think that they should be using the output of threat research? I call it threat intel. So you're essentially producing threat intelligence. So how should the organizations that could be targets or victims of all those threat actors be using the research that you put out there?

Speaker 2:

Oh, man, I'd say, you know, don't rely just on our research. There's a lot of really good research out there. I think the stuff that we put out, you know, not to toot our team's own horn, but it's good, and fortunately, you know, being part of the product, we kind of have the opportunity to kind of bake it in there. But, you know, aside from just the direct research and our publications, you know, we do feed in direct threat intel into, like, a product, Autonomous Threat Sweeper, things like that. So that's probably a very direct and easy way to get some of this threat intel that we do.

Speaker 2:

Other than that, if you want to take a proactive approach, I tell everyone this: run your own honeypot, see what you can find. And a lot of times that can help with detections because you'll understand who's targeting you, what ports are open, what bots are actively trying to scrape your content. And if you want to take that an even further step, go down the cyber deception route. That is where, in my opinion, any SIEM technology can absolutely shine. It would require work on your end, but create a honey domain admin, create canary lures all over your network and then tie in specific SIEM rules into those.

Speaker 1:

Oh, you're touching on my favorite topic. Don't even start it.

Speaker 2:

I mean, the great thing about canaries and cyber deception is that they don't false positive. And so somebody on a network share touched passwords.txt, right, that's always going to be weird. Who did that, you know? Or if you have a, like I said, a honey domain admin that's not allowed to log in, but somebody is trying to log in as that user, that would always be weird, you know. That could either be...

Speaker 1:

It's a very high fidelity signal.

Speaker 2:

Exactly, yeah. So that's like generating your own threat intel and also is just a really easy way to catch some of that low-hanging. Those canary rules are usually pretty good because your threat actor is not going to know that they're there, and anytime something triggers it's going to be suspicious. So generating your own threat intel through cyber deception, I think, would probably be my number one.

Speaker 1:

Yeah, cool. Yeah, there is kind of an interesting piece of forgotten history here, right. You mentioned kind of the honey accounts, honey domain accounts or canary, right. Many times I refer to it as honeytokens, right, and I accidentally created that term back in 2002 in a Focus-IDS mailing list discussion. That was kind of a fun piece of history.

Speaker 2:

Oh nice, that's awesome.

Speaker 1:

We're also kind of looking at some of this threat intel and what I see very often is people from the SOC.

Speaker 1:

They very quickly, they focus on the indicators they're associated. For example, when you put an advisory out there, right, you have all the explanation about what you found, what kind of is the apparent motivation in that case, what they were trying to achieve, kind of their methods, et cetera, and then in the end, right, you have all these indicators. Sometimes my impression is the people from SOCs will very often directly go to that list of indicators and throw those into their tools, into either their SIEM or kind of whatever kind of they have that can look for those indicators, right, kind of either kind of retroactively, as our Autonomous Threat Sweeper, or kind of in a more kind of online detection mode, but they jump over all the text that you have on that research, right, and my impression is that they are missing the most valuable part, right? How do you think these groups should use, right, kind of the long explanation about the threat that you have in those advisories, as opposed to what they normally do with the indicators?

Speaker 2:

Well, definitely use the indicators, but I feel like a lot of times our advisories, yeah, they can probably be a little technical. I think our team is just very technical, so that's what it translates to, and I don't think it's us, it's probably just the whole industry. Some of those can be 20-something pages. So I won't take personal offense, but I think sitting down and reading them, if you can take the time, it should get you into a threat actor's head a little bit more. Especially with kind of the early stage and late stage, the middle, you know, how they obfuscate, how they are able to bypass. You know, from an attack-defense standpoint, I think that's important. But if you take a look at our advisories, you know, where...

Speaker 2:

Where do most of these start? You know, it's probably through some phishing email. Phishing's still incredibly common, tried and tested. It still works. We read about new campaigns, or, you know, exploitations that happen across, you know, all these breaches through companies. And how did it start?

Speaker 2:

You know, phishing email, probably. So, yeah, pay attention especially to how things start, because I think that should help you understand, like, how these threat actors are getting into your systems and how they're able to execute code from an early stage, how they're able to lure or trick, use social engineering to get you to run whatever file that is.

Speaker 2:

They're getting more and more creative and clever, especially going down the route of malvertising and things like that, masquerading as a legitimate product or service, and you end up installing malware on your system. The early stage, I would always encourage you to read through any security advisory just to understand, to get into those threat actors' heads. And I think the more you get into those threat actors' heads, the more you start translating that into your real life practices. So if you're a cybersecurity leader, anybody in the cybersecurity space, like, thinking like your opponent is how you beat your opponent in the end, right. So it's probably just, the more you understand, the more you know, the more that'll translate into your productive work life to build in those habits or those systems or those technologies, whatever it takes to be able to stop and catch those bad guys.

Speaker 1:

Yeah, I think that there's sometimes kind of, the organizations lack the ability to look into these advisories with a more tactical instead of operational approach. I could even say strategic, but I think maybe that's kind of an exaggeration sometimes. But from a tactical approach, right, you were mentioning kind of the phishing pieces, and in many of these cases there are attachments involved, right, and you look at the type of attachments and then there's that question: okay, kind of, what would be the impact if we block certain types of attachments? They are very connected to some of these campaigns, right. And just by doing a quick search in your environment you see that, oh, you almost never receive that type of extension in an attachment. So what would be the impact on your operation if you block it, versus kind of the immediate benefit, right, of not receiving kind of those emails kind of that are related to the threat activity anymore, right?

Speaker 1:

So that's a kind of a tactical step that many organizations can take by really reading through this research that can really improve their chances to resist against certain threats, that they're really missing the opportunity, some kind of basic steps of security hygiene that they can justify better if they use these types of research.

Speaker 1:

Right, kind of. I remember kind of wanting to change, sometimes, settings in email systems or kind of removing privileges for certain groups of users, and getting a lot of resistance, right, within the IT team or kind of the developers' team. And when you have the threat research to back up the reason, right, kind of, okay, we are doing this, we want to do this because the attackers are actually exploiting these weaknesses, that really kind of makes kind of the lives of the security team easier. So kind of when I ask, right, normally kind of about how organizations are using threat research apart from the indicators, it's really related to that type of activity, right, kind of taking them, using them, right, kind of as the rationale and kind of the source of ideas for other changes to the environment that will be beyond just looking for the indicators.

Speaker 2:

Absolutely, yeah, definitely. Feel free to take these and use them as either a system or practice hardening guide. You know, whether that, like you said, is through email, this can be translated into the cloud, you know, like with access tokens, those type of things, but it definitely applies to, like, any research out there. Yeah, no, the advice would be just to read and apply, you know, because generally, I mean, anytime you see any cybersecurity publication, right, they're a result of something, right, and so you don't want to be the one that has that cybersecurity publication written about you. Yeah, that's true. Right, there's a victim somewhere, right?

Speaker 1:

Exactly, yep. And we are past 30 minutes. So now my self-imposed rule of not talking about AI in the first 30 minutes of the podcast, right, so now I am authorized to bring the word in. So will AI change how you do threat research, or is it changing, or has it changed it already?

Speaker 2:

Oh, yeah, absolutely. It absolutely already has, I think, for the sake of automation. It's been great, whether we're using it to analyze obfuscated code or get some feedback as to what a piece of malware is doing. You know, we saw these indicators, we can dump it into AI and get some ideas and output. It's great at saving time. I think that's probably where we use it most. So, yeah, no, it's definitely going to shake up the industry and it's going to, on both sides, right, good and bad. But, you know, it's definitely something we haven't, like, officially baked into, like, workflows and things like that, but it's baked into workflows, I guess you could say. I think it's one of those systems, that's not systems, but I guess one of those entities that's just, whatever industry you're in, you know, it's-

Speaker 1:

You're going to start using it, right. It is a tool that is useful for many things, right? So we're going to just start naturally using it where it makes most sense.

Speaker 2:

Absolutely.

Speaker 1:

And that brings the other side. As you mentioned, what are we seeing in terms of threat actors using AI, and what do you think they will start doing with AI in the near future?

Speaker 2:

It's tricky because it's hard to identify. You know, if we're talking maybe malware, right, code that's generated by AI or those type of things, and you know we always kind of go down that route first of like, oh, AI-generated malware, right, can be a thing, and it probably is a thing. What it's going to do, I think now, and what it's probably already doing, is allowing threat actors to be a bit more rapid in their deployments, right, or their campaigns, for instance. I mean, AI can be tricked to do evil things if you try hard enough. Whether you're going to build ransomware, perform benign functions, you know, within a file that it doesn't understand what the scope of the whole product is, but it allows them to deploy quickly. You know, if they're building, say, like a RAT or something, you know, that allows remote access onto a system, you know, they're able to generate these at a much quicker rate.

Speaker 2:

So how that'll shake up the industry, right, is on our reaction side, like, wow, we're seeing, say, oh, pick your favorite RAT, Remcos. You know, we're seeing a lot of different new variations within Remcos or more functionality within Remcos, right, at a more increased rate, and so that by itself makes it a bit more of a concern, because anytime we see rapid life cycle increases with malware, that makes things either more difficult or it's more disruptive to the industry as a whole, whether you're on the antivirus side, whether you're on the SIEM side. So just that rapid production of just code in general.

Speaker 1:

Yeah, I think speed and scale, right. I think there is a lot of fantasy around, right, kind of very crazy ways that they can use AI, but in the end, right, or immediately, kind of in the short term, what does affect us mostly is the speed and scale, right.

Speaker 2:

Exactly. So, yeah, I mean, while, like I mentioned earlier, it's going to allow us to be more rapid with our analysis and our, you know, just detections in general, it's going to do the same there. So I think we're just going to see this snowball of constant changes now because of it, react, reaction, those types of things. Interesting time to be in the field, right.

Speaker 2:

Really is yeah, no, it's absolutely a shakeup, but it comes with the territory. I mean, you've been in the industry long enough. The cybersecurity industry just doesn't ever really slow down anyways. So I think we're picking up speed a little bit more, but you can't get comfortable in this industry, it seems.

Speaker 1:

Right, and you touched kind of the point that I also like to bring up in all episodes here: as an industry, what do you think we do well? Like, we are very good at criticizing, right, and say, oh, we're not detecting fast enough, we are not covering everything that we want, etc. But I always like to ask people, what are we doing well in this space?

Speaker 2:

I think that threat intel is fantastic. I think we are very good at gathering and then turning that threat intel into something tangible, and from what I do here, it bakes into many different aspects. Right, whether we're taking that threat intel and we're turning it into a detection that our product can now use or we're publishing it, I think as a threat researcher, I think we're in a position where we can leverage our product first and all of our capabilities and turn all of that threat intel into things that just help everybody, whether those are our customers directly, whether that's the cybersecurity space in general, and I think that's probably what I get most out of it. So I guess you could say the production and categorization is probably not the right word, but what we do with that threat intel, I think, is very, very good.

Speaker 1:

You make it actionable, right, and use it as well. That's true, right, and you know, that's a very good point, because one thing that some of the probably more pessimistic people in the space like to mention is the amount of unknown unknowns out there, again, the famous Rumsfeld quote, and it seems there's a lot of activity going on that we're not even aware of, that type of activity, etc. But from your answer I would say it's probably not that much, because with the amount of visibility that we have, with all the threat researchers around the world doing such a great job, that unknown may not be as significant as some of these people think, right.

Speaker 2:

Oh, absolutely, I think we absolutely know more than we don't know. But you know, it's the discovery of those unknowns, you know what we do with them, I think is great and that's, you know, as a threat researcher, I think that's what makes this job fantastic, you know, is that whole discovery aspect and then taking that discovery and turning it into something helpful and you know which could end up saving an industry at some point. The discovery aspect, the threat intel aspect, yeah, I think that's.

Speaker 1:

It is what makes us keep doing it. It's cool. I think most people end up getting into this space because it's fun, and I think one thing that I really like is we keep having fun. Sometimes, after you do all the fun work and you have to write a report, you may say, oh, this is not fun, but in essence, if you look at everything that you do over time, it is fun. I still really enjoy the field and I'm really happy that I've been working on this for so long. Absolutely.

Speaker 2:

Oh, no, yeah, I find fun in it every day. I mean, the reporting, it is a lot of work, but you know, I think sitting down, building them, building detections, you know, while there's always the administrative side of anything you do, yeah, no, it's great overall.

Speaker 1:

Yeah, I always like to tease my friends that are working in the identity and access management space, right. Unless you work with identity, that's boring, right.

Speaker 2:

It's very important. My auditing friends, yeah, auditors. Same with my auditing friends.

Speaker 1:

Yeah, auditors, identity, GRC, compliance, oh my. Compliance.

Speaker 2:

There's the word.

Speaker 1:

Yeah, it is all important. Right, it's boring, but it's important.

Speaker 2:

Oh yeah, they like to joke about it too. They love to say things like there's a fine line between cybersecurity and compliance.

Speaker 1:

Right, okay, Tim, we are kind of hitting our time here. I wanted to drop just the last question for you: for someone that is just starting now and they want to do threat research, what would be your single advice for them?

Speaker 2:

Ooh, never stop learning. I mean, it's, man, the skill sets involved, I think, are pretty broad. So understanding programming knowledge, understanding even things like diving into assembly language and things like that. I think it's basically gonna be just a matter of gathering as many skills as you can, whether you're going down official certifications, there's a lot of great ones out there, or you're self-studying. I'd say just never stop soaking up that knowledge, because that's gonna help you.

Speaker 2:

Because when it comes to probably any research position, it's like you discover something and you don't know where it's going to lead, right, and what skill sets you have are kind of going to determine your success with understanding that thing you found. Be as dynamic as you possibly can in regards to the entire cybersecurity scope as a whole, I think those are going to be great. You know, tooling is going to be a huge one. You know, play around with open source frameworks, like Havoc or Sliver or things like that, understanding how bad guys get into systems and how they move laterally. You know, it's such a massive field, but it can be done. I honestly could tell you right now I definitely don't know everything. It's a very humbling field a lot of times, because you end up Googling more than you feel comfortable doing.

Speaker 1:

How many tabs you have open, right.

Speaker 2:

Absolutely. I think the other thing is to start a hack lab or a cyber range, whether that's on a single host or a server. Stand up some hosts and just go crazy, whether you're starting down malware analysis, you know. That's kind of the only way to do it, is just getting hands-on dirty and just Google like crazy. But you know, it can be learned and put into practice. It's just, it can be a daunting field, but you know, the reward in the end is always worth it.

Speaker 1:

Cool, perfect, Tim. We're hitting the time limit here, so I really appreciate you coming to talk to us about the threat research and everything you've been doing here with Securonix. Thank you for doing all this for Securonix. It really makes my life easier on the product marketing side, I should say, and I really appreciate all that work. And for you listeners, thank you for listening to one more episode of the podcast, and stay tuned. You're going to have more very entertaining conversations in the next few episodes that are already coming out. Thank you and have a good one. Thanks, Tim. Thank you.
