WE'RE IN!

Selena Larson on Cyber Intelligence, "Evil" Threat Actors and TOAD Attacks

Episode Summary

In the latest episode of WE’RE IN!, Selena Larson shares insights into malicious hackers and scammers she’s tracking as senior threat intelligence analyst for Proofpoint. Business email compromise, ransomware, sextortion, multi-factor authentication bypass techniques – dealing with the onslaught of modern cyberthreats “is very much like playing whack-a-mole,” she said. By unpacking attackers’ motivations and psychological profiles, defenders can train themselves and their teams to avoid falling into common traps.

Episode Notes


More reasons you should listen: 

* Hear Selena discuss what makes threat intelligence actionable, versus extra noise for a SOC

* Find out about an alarming cyber espionage campaign that recently targeted journalists

* Learn why Selena despises evil TOADs – “telephone-oriented attack delivery” attacks

Episode Transcription


[00:00:00]

Bella: So first of all, Selena, it is great to have you here. We're really excited to talk to you. Um, talking about the threat intel community, you once said that being kind is more important than being technically correct. I was wondering if you could sort of unpack that quote, give us a little context and kind of explain what you mean by that.

Selena: Yes. First of all, thank you so much for having me, stoked to be here. Um, second of all, great question. And I had forgotten that I said that, so I had to go search myself on Twitter. I'm like, I, I remember tweeting that. So, in my opinion, the, um, threat intelligence and cybersecurity community in general can be very opinionated and often, um, snippy or maybe not very nice on the internet, especially when people, uh, write something or tweet something that someone disagrees with.

In my opinion, uh, as an outsider kind of following these, uh, [00:01:00] conversations, it creates a very toxic environment if the conversation and interactions aren't really nice, right? Like if we're trying to encourage people to come into this community, encourage people to speak up and share information, um, and really recruit and bring in people from different backgrounds with different experience levels, then I think it's really important to cultivate a community of inclusion, of kindness and whether or not information is correct or incorrect, there's a way of communicating information, um, or really just communicating anything in general, um, that is positive and reinforces, um, good vibes in the community.

And I just think, you know, the world in general needs more good vibes and CTI and cyber security overall definitely needs more good vibes. So that was kind of one of my hot takes. I think Katie Nickels had tweeted something like, what are your hot takes? What are your complaints about, [00:02:00] um, the CTI community?

And mine was like, everyone should just

Bella: I think like I have, yeah, I have a background in penetration testing and one of the things that I like, one of the first, I think, lessons that I learned working as a pen tester interacting with customers is that like, if you are not communicating with like empathy and kindness, no one's gonna hear what you're saying.

And, and I think like, that quote is really interesting to me because I think it, it goes beyond just the threat intel community of course, but it is so important in cybersecurity because we're talking about like, I don't know, sometimes, uh, hurtful and d. Conversations and, and I think, I don't know, it really spoke to me.

I, I think I, I, I read that and was like, oh, I've, I've been there. I've experienced this

Selena: For sure. Yeah. I think you hit on a really important note that empathy is so important, right? Like in the industry that we work on at the end of this, it doesn't matter what the malware is, who the threat actor is at the [00:03:00] end of it, there is a person on the other side of the computer that is experiencing a crappy thing happening to them.

And it's so important to be mindful of that and think about that, um, even as we are, you know, focused on like malware or TTPs or whatever. But at the end of it, there's always a person.

Blake: When you talk about vibes, I do think it's so difficult sometimes in Twitter to reflect, uh, that we are all people. I think sometimes people sort of hide behind anonymity and maybe take snipes at each other, and it's a little bit of a difficult platform. That's why honestly it's so impressive that you're able to maintain such a positive Twitter presence.

And I, you know, one thing that I wanted to, wanted to pivot into threat intelligence a little bit from Twitter. I feel like it's such an, I. Tool. You know, it's like I, I, I've heard that many threat intelligence researchers often Twitter's sort of the first place where they find out about some new thing happening, whatever it may be.

Uh, I, I guess, stepping back a sec, I was wondering if you could just help us understand how you keep track of the latest threats and I feel like there are so many different threat actors flying [00:04:00] around and names and just a vegetable soup of cyber security. How do you, how do you stay on top of it?

Selena: Yes. That is a great question. And to be honest, I don't stay on top of everything. It's impossible to, there's so much going on that one human being cannot be an expert on everything. Um, so certainly in my role at Proofpoint, I'm very focused on ecrime, cybercriminal threat actors, and then even within that scope, um, much more focused on, um, targeted, uh, cyber crime.

So while we do track, you know, like the, the researchers and analysts on my team will track, for example, like Qakbot, IcedID, Emotet, these large, uh, malware families. I, um, try and keep up as best I can. Right? Like I read public reporting, I follow researchers on Twitter. I'm in a variety of different information sharing Slacks.

Um, but it's, it is really a lot to try and track and take in. And I think that knowing [00:05:00] your limits and understanding like what do I need to know to do my job and to inform my customers, um, then you kind of focus on that and maybe deprioritize the rest. I think it's, it's naive to think that we could keep the pulse on everything and, um, certainly from, um, if, if you're thinking about it from, um, a customer perspective, right? So if you are a recipient of threat intelligence, um, you kind of rely on whatever, you know, vendor, whatever people that you kind of follow to say, Hey, you know, this is the stuff that you should care about.

We've collected it and prioritized it for you, and packaged it in this nice, you know, readable format. Um, but yeah, there is so much, um, and it is really hard. And, you know, I, I'm impressed by people who seem to like, keep track of every single thing that goes on,

Blake: Um, I did wanna ask, uh, you, you, you mentioned a couple specific names that I think, Emotet, Qakbot. Uh, do you have any, any favorite, and I'm putting favorite in quotes here because [00:06:00] of course all of these malicious actors are bad, uh, that you, you know, favorite threat groups that you keep tabs on?

Blake: Maybe the most intriguing or the most dangerous or some other thing that I'm not thinking of.

Selena: From my own personal perspective, one of my favorite actors is TA2722. This is an actor that regularly spoofs, uh, Philippine government entities, um, whether that's the Department of Health, um, or

Blake: The

Selena: customs department, um, and they send out emails to a small kind of, uh, a number of entities, but largely focused in, um, Southeast Asia, Europe, North America, um, lots of manufacturing, food and bev, um, uh, shipping and logistics.

But they, uh, are regularly spoofing the Philippines government and they send malware. It's very much commodity malware, right? So it's nothing, um, super tricky. Their TTPs aren't necessarily, um, all that sophisticated. They sometimes switch it up with credential phishing. But, um, I've been tracking this actor for, [00:07:00] uh, for a bit and I find them to be very interesting.

Um, another actor that I think is pretty cool is, um, TA558. It's an actor that targets hospitality and hotels. Um, largely Portuguese, Spanish speaking, uh, lures. And they have actually switched up their TTPs a ton. Um, but they always kind of fall back on this theme of like, reserva and reservations and I'm trying to change my hotel.

uh, booking and, uh, I think they're pretty fun. So both of those, we've actually published, um, details on, uh, through our blog, but I find these kind of oddball, uh, targeted cyber crime threat actors to be really fun to track.

Blake: Bella, do you have any, any travel to Portugal booked or, or Spanish-speaking countries?

Bella: Currently, no.

Selena: I wish

Bella: the

Selena: I

Bella: that, like, I, I'm going through my mind right now. Like what, what emails have I like, just mindlessly clicked related to like upcoming travel, upcoming whatever, [00:08:00]

Selena: Well, yeah, it's really great. I mean, that's, that's why I think it's kind of interesting, like their lures, they have maintained it since 2018, this reserva theme, cuz it's like, you know, it's, it blends in with legitimate traffic. Like what do you know, the, uh, hospitality industry usually receive like, booking related emails and it kinda like blends in and you're like, all right, like, I'm just gonna click on this.

I expect this to, to be relevant to my job. Um, but yeah, they're, they're consistent, um, in terms of their lures, but their TTPs change up quite a

Blake: When, when you say targeted, how targeted are we talking here? Is this like, should I be worried or is it casting a, you know, thousands of people or just like a couple people that they want to go after it? Is it, I suppose it varies.

Selena: Yeah, it really varies, but we're talking like, you know, thousands of messages per campaign. Um, so it isn't necessarily targeted to individuals. Like if we're talking about like APT targeted, that is like, you know, they, they tend to be very highly targeted to certain individuals for a, uh, uh, a specific purpose.

[00:09:00] Um, but for, if we're speaking about like, um, industry targeted, like, right, like so, so in a specific industry, they will focus on that as opposed to in the, um, very highly targeted like four or five people type of

Bella: So you mentioned earlier, like in, in, when we were talking about kind of how you stay up to date and that there's an element of, you know, prioritizing things and I'm wondering how do you balance prioritization in terms of, you know, looking for things that are potentially most harmful or most negatively impactful versus like what we've just been talking about, the things that are most interesting to you, or, you know, like, what's the magic secret?

Like, you know, like formula for prioritizing things,

Selena: Um, I don't think there is a magic secret, so, uh, on threat research in particular, we're very much, um, told to do stuff that interests [00:10:00] us and to kind of follow our noses and follow our guts and find things that are very interesting.

Certainly you do have intelligence requirements from whoever your customer base is, right? So, um, we obviously have to keep the pulse on a lot of the priority threat actors, right? So if it's Qakbot, right, or TA570, um, certainly the IcedID, um, the Emotets, like the big malware, um, campaigns that we see on a regular basis.

Uh, certainly initial access brokers, right? So you have a lot of very large crime threat actors that are distributing malware via email that could potentially lead to, for example, ransomware infections as they are, um, sold or facilitated. Uh, infections are sold or facilitated to other actors for follow on exploitation.

So we definitely wanna make sure that we are covering down on those key threats. But the threat landscape is so big. So we are very much empowered to be like, what do you think is interesting? What is weird? Like [00:11:00] what is this malware doing that you've never seen before? And why? And I think a lot of times you can proactively identify new threats that will become prevalent on the threat landscape.

If you are curious and if you are sort of given the ability and flexibility to, um, to kind of, uh, I, this is gonna sound so funny cuz I'm quoting my yoga instructor, but like, find what feels good, you know, like, find that, um, and it'll kind of help you sort of navigate and prioritize, um, in that direction.

But yeah, it's, it's a mix of like intelligence requirements from your customers. Um, certainly covering down on what is big in a threat landscape, but also making time to, um, find and follow stuff that you think is

Bella: Yeah,

Blake: I love that, drawing cybersecurity lessons from the real world experiences, whether it's, whether it's yoga, whether it's, you know, I, I feel like a lot of ideas come to us in those moments, you know, out on a run perhaps. I, I did [00:12:00] wanna talk. Yeah, exactly. I did wanna talk about a, uh, episode of your Discarded podcast, which by the way, is a, a really helpful one for any listeners to stay on top of, uh, a lot of the threats that we're talking about today.

Uh, but there was a really interesting one that, that definitely caught my attention, where you talked about some APT threat actors posing as journalists. Uh, and, and I know you discussed that with a few Proofpoint subject matter experts, but can you share a little bit more about what happened in that case and, and why threat actors are bothering to target journalists?

Selena: Yeah, so that was really fun research that was published by our APT, Advanced Persistent Threat, team. So they focus on actors that are, um, state associated, um, sponsored by, by a variety of different countries. For example, China, uh, DPRK, Iran, Russia, et cetera. But that research was actually really fun cuz it looked at a bunch of different actors across the APT threat landscape.

Selena: So one of the ones that I thought was pretty interesting, only because I have an unhealthy addiction to Twitter, [00:13:00] like many, um, was TA482.

So this is an actor that, um, targets, uh, like Twitter and social media accounts.

They're likely aligned with the Turkish state. They very much target, um, social media, so that was really interesting. Um, there was a TA404, which is, uh, a North Korean threat actor that was targeting US based media with

Blake: But that TA wasn't found. TA404.

Bella: A

Blake: Sorry.

Selena: Oh, uh,

Blake: sorry. I had to, I had to jump in. I'm sorry. Please continue it just, just, just mute me.

Selena: You know what? I've never heard that joke before, and I have written slash tweeted slash talked about TA404. And, um, that is the first time that anyone has said this to me, so

Blake: Don't encourage. Don't encourage me,

Selena: It's not often I hear a new pun, so well done. Yeah, so, so this actor targeted US based media organizations with this sort of like job opportunity, very much, um, phishing, um, benign conversation starter type of thing.

And then [00:14:00] we had, um, some China aligned APTs as well that we reported on, TA412, for example, uh, which is broadly more known as Zirconium. Um, and, uh, throughout 2021 and 2022, we did see a lot of these campaigns that were kind of benign or including web bugs to, um, essentially validate the targeted emails were active.

And again, this was, um, targeting, uh, uh, a lot of US based journalists. Um, certainly in political, national security, White House, privacy, security space. Another one was TA453. This is, you know, publicly known or tracked as, uh, by other security organizations as Charming Kitten. Um, this actor's pretty interesting. Um, uh, we actually assess with high confidence that they support the Islamic Revolutionary Guard Corps intelligence collection efforts and these, uh, uh, examples that we shared in the reporting, they were actually posing as journalists, right?

So we have both the targeting journalists for intelligence collection as well [00:15:00] as pretending to be journalists that were, um, in this case targeting, um, uh, journalists really around the world, but with a, a large focus on academics and policy experts that were working on Middle Eastern Foreign Affairs. So you have this really interesting, um, theme, right, of journalism that is both, you know, an area of interest and intelligence collection, but also a sort of masquerade that threat actors might adopt in order to gather information from additional targets.

Bella: I have to imagine that this particular threat was interesting to you because I know you have a background in cybersecurity and technology journalism. Was it like, how did, kind of learning about this, how did it make you feel, maybe reflecting on your background?

Selena: I think it's interesting, but not surprising.

Journalists have access to a lot of information, a lot of sources, um, because, you know, while the things that are published, [00:16:00] uh, kind of represent the tip of the iceberg, there's also, you know, all of this non-public information that's just kind of under the surface that they have collected and the conversations that they've been having and the things that they know.

So from

Blake: Off

Selena: the record. Yes, yes. On background even. Right. Some that doesn't always make it into the, into the publication. So you have a lot of, of, you know, interesting conversations and things that, that journalists know, right. So from an intel intelligence gathering perspective, that definitely makes sense.

Um, from a posing as journalist perspective, that is, I wasn't, I wouldn't necessarily say I was surprised, but I was definitely intrigued that they recognize that the persona of a journalist is compelling to a target to get them to, or to get them to engage with something or to get them to click on something.

Right. Um, I mean, who doesn't wanna be in the media, right? I mean, probably a lot of people actually, but

Bella: work in security, actually, I think your answer to that changes

Selena: Yeah. [00:17:00] Right. But like, say you're an academic and you just publish something and you want people to read about it, you want to talk about it, right? It's like, oh, great, this journalist is interested in talking to me. So it's really that kind of rapport building and that trust building, um, that could potentially, uh, uh, increase the likelihood of someone engaging with something malicious.

So it's an interesting, um, character, right, of, of journalism and it's not exclusive to a specific, um, uh, uh, subject either, right? Like we, we really talked about all of the different targeting in the different subject areas, whether it's politics, cybersecurity, academia, you know, world news. Um, so it is, uh, I definitely recommend checking it out and it does kind of show the different ways that threat actors will socially engineer, um, both, uh, intended recipients as well as, um, pretend to be those journalists, uh, in their

Blake: It's so fascinating. I just find that so pernicious. Also, coming from a journalistic background, it just, [00:18:00] there's already been such an erosion of trust in media institutions and to have bad actors latch on to this persona and start targeting people either targeting journalists who already frankly, let's be honest, have enough to worry about these days or impersonating them.

Do you ever just sit back at your desk and go like, this is, you know, outrageous and just shake your fist? Or what, how do you navigate the, uh, emotional side of some of this work?

Selena: Well, we talked about good vibes at the beginning of the podcast, and nothing harsh is good vibes like threat actors. Um, true and from, from my perspective. So I don't actually work on, um, on tracking APT actors. I think that there are for, certainly, like the journalist thing was very, you know, kind of rub, obviously rubbed me the wrong way, right?

Like, oh my gosh, like this is like, I find this personally offensive, right? Like, my friends aren't journalists. Like this is like, like, what the heck? But I have to say that the, some of the threats that make me the most like [00:19:00] upset and angry are, um, very much like fraud focused, um, business email compromise.

Um, people use just really cruel things in their messages. Um, things like, um, you know, death threats, um, things like, I know that you have illegal content on your computer. Um, and I'm not gonna describe what they say on this podcast. Um, and these very like, just evil things that these actors will, will say and write to people to get them to try and send them money.

Um,

Bella: I've heard, a lot of the folks, and maybe you can tell me if this is correct cuz I do not know a lot about this area, but from what I've heard, the folks that often fall for this kind of stuff are folks that are like older or not familiar with technology. And like that to me is so heartbreaking.

Imagining like my grandparents receiving this kind of email.

Selena: Mm-hmm. Yeah. Well, so for sure, but I've [00:20:00] gotten text messages from my friends, right? Like I'm in my thirties. I've had a girlfriend text me and be like, oh my gosh, some guy is saying that he has compromising photos of me, and if I don't send him this like Bitcoin, then you know he's gonna publish them and link them, and it's.

Bella: Wow. Yeah.

Selena: And she, I mean, and she's like texting me, like freaking out, being like, please tell me this is a scam. Right? Like so it's not even that, it's just sort of like uneducated or people that are not digital natives that are getting targeted or falling for this stuff. It's like people, it's just anywhere, right?

Because fundamentally, the point of social engineering, well not the point, but one component of social engineering is to get your target to have a certain frame of mind so that the chances are increased of them engaging with the threat actor, clicking on something, sending them money, um, like downloading something bad, right?

And, and if they put you in a frame of mind that's scared or, um, concerned or like, you know, afraid for yourself or your family, [00:21:00] then the human response, right? Like your body's response or mental response is to be like, oh my gosh, I have to care about this. This is important. Like, how do I fix this? And oftentimes, right, you have the sort of like big bots, like, like, you know, like QBot does thread hijacking, right?

There's no sort of like emotion, like not a lot of emotional manipulation there, right? It's like, okay, we're gonna pretend that this is coming from a trusted email, um, that you, the conversation that you already had. Um, and that's like uncool. But in my, in my opinion, the things that like make me the most mad are these really just malicious, evil messages that people try and send to people to get them. It's mostly like fraud, right? Like send them money. Um, but we've seen, for example, um, telephone oriented attack delivery. We call them TOADs. People being like, did you buy this? If you didn't buy this, call me. And to like, to, to refute this like, charge.

And then it's like, Oh no, you didn't spend all this money like, oh, here, like, click on this and download this malware, or give me [00:22:00] remote control of your computer. Like, it's very just, I don't know, it's just, it's really gross. It grosses me out and I

Bella: guess I like, I didn't think about the fact that like, even, I think like sometimes I, I like to imagine myself as very like able to recognize these types of issues because I work in cyber security, but like, I'm thinking about it now and like there are definitely, and I won't admit to what they are, but there are definitely things where like if someone said certain things to me, I don't know, like it would be really difficult to work like quickly work through that emotional instant fear response and get to like, wait, wait, wait, let me like logically pick this apart.

Um, and like everyone has stuff like that.

Blake: I'll admit to one, being a, uh, you know, being in cyber security still. But, uh, I will say, you know, if somebody were to prey, and I know this happens on, for instance, natural disasters, you know, so my childhood home, Sanibel Island, was hit hard by Hurricane Ian, and I think if a, if a carefully crafted phish message or new video in from, you know, from Ian's devastation or whatever.

I [00:23:00] would've been very tempted to click on that at the time, in the immediate aftermath when we're all just hungry for this information. You know, threat, threat actors who, who do that sort of thing. I'm with you, Selena. It is, it is evil. I mean, you're up against some really no holds barred, leave everything out, you know, just, just do whatever it takes to, to get to your target and it's

Selena: Yeah. And then losses that people suffer, like tens of thousands, millions of dollars, like, like individual losses for these types of things. Um, sextortion is another one, right? These like love scams where they're like pretending to fall in love with you and, and saying all these things that you wanna hear, and then just cutting and running and taking all your money.

Like it's just, you know, there's, there's different sort of like psychological behaviors that, that actors, like, show, um, and I mean, they're criminals, right? It's crime. They're, they're criminals. And it, Dr, it's, it's like sometimes I'm like, you know, our, our, our BEC fraud, um, researcher, he sends me these things.

[00:24:00] I'm just like, how do you, like every day these things, it's just like, oh gosh, just really bums me out. And, and, and I think that, you know, that's part of why I do this job, right, is because like, I want to be able to protect people from receiving those horrible things. And I want to make the space, um, better and I wanna make it better to exist online and be a human being with an email that like, you know, you're not like not having to suffer these fools constantly.

Like, it just, oh, uh, yeah, some, some of the stuff I'm just like, Why

Bella: So we've talked about a lot of like different kind of examples of some of the, you know, online threats that you're seeing or that you have seen a lot of. Is there some sort of emerging threat that you see in cyber security that we should be thinking about?

Selena: So I think benign conversations is something that more and more threat actors are using. It seems benign, but it really isn't. Right? Like, it's coming from a [00:25:00] place of malicious intent, but the actual content of the conversation itself doesn't have anything.

Um, that's, that's outwardly, um, explicitly malicious. We see that with, um, I mentioned TOAD threat actors, right? So they, um, these emails are, are in quotations, benign, right? Because they don't have, um, any, uh, malicious links or attachments, but they do have this bad phone number, right? Like this is an indicator that's very clearly.

But, um, it isn't anything like, oh, I should be, you know, cautious of this. For example, my mom's neighbor fell for one of these because she's like, I knew that I shouldn't click on a link. I knew I shouldn't click on an attachment, but it was a phone number, like you're always told to call the number. Um, and I think that's something, um, that's pretty interesting.

We see it, uh, increasingly with, um, ecrime, cybercrime actors too, where they'll try and start a conversation with the subject before sending something bad. Um, and this sort of builds trust. It increases the, um, the, uh, social, uh, [00:26:00] contract between the recipient and the sender and increases the likelihood that they'll engage with something malicious.

So,

Blake: How? How do you fight something like that? I feel like you're almost doing battle with human

Bella: Yeah, and I was just thinking like we, especially lately, like we're in a pandemic, there are people that are like making friendships where they're first and maybe only interactions are all happening online and I can't imagine like, how do you tell the difference?

Selena: Yeah. I mean, so that's the thing, right? Like we as a security community,

Blake: community

Selena: basically have to educate people on the, the tactics and techniques that these threat actors are using. Very similar to, for example, MFA, right? Like if we're telling people to use multifactor authentication because the threat actors are trying to steal your password, and if there is no second factor that they need to be using, then it's a lot easier to gain access to your account.

And so we have basically trained people to be suspicious of things, don't click on links, don't click on attachments. Like, you know, and, and in [00:27:00] response the threat actors are like, I have to set a baseline, maybe I have to try a little bit harder to get somebody to engage with this. Um, BEC actors do it as well.

Like, oh, hey, I have a request. Can you ping me back? Like, you know, it's your boss. Can you, can you hit me back on this, um,

Blake: BEC,

Selena: Oh, business email compromise? Yeah. Sorry.

Blake: Business email compromise.

Selena: It's very much like, you know, I have this thing, can you, like, can you gimme a call? Can you, can you shoot me an email back? Um, and it's, and it's, you know, they're, they're res in my opinion, right?

They're responding to the growing, um, education of the generic, you know, internet user base. And so I think it's, you know, all on us as security practitioners to, um, ensure that we're informing people of these, um, new techniques that, that threat actors are using. Um, and also like, I don't know, like platforms that are, are like social platforms, um, email platforms, like, you know, there's, there's a lot [00:28:00] of tools and technologies out there as well that have to kind of respond to and try and keep up with that.

I know it's very much like playing whack-a-mole, but it's also like playing whack-a-mole with domain registrations, right? Like, it's like very much. It's always this constant like back and forth between like, oh, you know, the, like people are, are increasingly secure. So how do we respond to that? Like, how can we change our behavior?

And it's, it's like, I don't know, I think it's interesting from like a, like a psychological or sociological perspective of like the ecosystem changes in response to the organisms that are living in it. And, um, I think that, you know, we're seeing that a little bit with benign conversations. We're seeing that a little bit with macros, for example, like Microsoft blocking macros by default, that actors are like, oh, okay, you have to figure out what to do now.

Like, what am I gonna use, uh, as an attachment instead of macros, like, gotta test out these new, like, um, TTPs to sort of bypass these security protections. So it's very much like a, a, a constantly evolving [00:29:00] ecosystem that we have to just try our best to, to make people secure and aware of.

Bella: I wanna draw sort of like a parallel between threat intelligence and pen testing. I think like a, a sort of, maybe critique, but also like an important thing that I've often seen in pen testing is this idea of like reporting or information being actionable.

Like something that I've run into a lot is like in pen testing when we're giving information to a customer or whoever. If we're not giving kind of like next steps or why this is important or, or what to do about it, it feels kind of pointless. And I'm wondering, I, I, I know that that's something that has been talked about with threat intelligence as well, and I'm wondering what your take is on, like what makes threat intelligence information actionable?

Um, and is that important?

Selena: Yeah, so that's a great question. A hundred percent, it is very, very important. Um, and it really depends on who the [00:30:00] audience is, right? Like, if threat intelligence is actionable because I can block all these indicators of compromise, uh, I'm a SOC analyst, I can, I can, you know, put this in and block it on my network.

I took an action based on this report. Um, it could potentially be from a, uh, you know, uh, someone who, who is on the business side, and they're like, I'm trying to grow our company. I'm thinking about opening an office in some country, Russia or something, right? Like, for example. Um, and you know, I received this report that is talking about, um, specific threats that are, um, geopolitically focused.

And this might change the business decision that I have to make, um, for my organization. It really depends, like being able to take action on something really depends on who the recipient of the information is. And that's why as intelligence analysts, if you are, you know, writing reports and distributing reports, you have to think about who is the audience of this?

Who is going to be reading this? [00:31:00] Um, like if we're talking from a SOC analyst's perspective, the geopolitical analysis is like, okay, that might be interesting to me, but how am I, like, how does that apply to me and my job if I am a network defender specifically for this organization? Um, and so it, it varies.

Like, and, and "actionable" is like such a vague word, right? Like, it's, I like, I hate it and I, um, because it's like, yes, it should be, but then how should it be? Really depends on the audience and who's gonna actually be like, like what action do I want you to take upon reading this information? So it is, it is important.

Um, and you know, like sometimes information for the sake of information and awareness, uh, can be, can be useful as well. But so often people don't really know why they need to know something. So, kind of explaining that and being like, here's an impact that this could have on your organization, on your network, on a host, et [00:32:00] cetera, can really help provide that initial context and insight and help drive decision making based off of intelligence.

So yes, it is really important and depends on the audience.

Bella: Yeah, no, that makes a lot of sense. And I think like there's this like, I think it's a buzzword. I hear it a lot, but it, it's a good one. This idea in cybersecurity of being like risk focused and you know, I think a lot of times when we're talking about cybersecurity threats, you know, in whatever realm, it's so important to talk about like yeah, like what the risk is.

And I think that is related to whether or not a piece of information is actionable. Like if you don't know the risk or how, how, what, like is there a risk? What is the risk? To me specifically, it's impossible to action on.

Selena: right? Like risk based decision making, like,

Bella: It's a buzzword, but it makes sense. It's a good one.

Selena: No, it's totally true. And we do that every day of our lives, for the record. Like I think that we don't ever think about that, that we're living our life, that we are kind of making those decisions. I think the [00:33:00] COVID pandemic is a terrific example of how we are all living and breathing risk-based decision making, like I am changing my behavior as a result of a, of an existing threat.

I'm like being informed based on reports by experts of how I should be changing my behaviors and how I, um, what risk am I willing to take as a person that exists in a world that has, like for example, for me, I have like, I have asthma that increases my risk of like, get, getting really sick from something like COVID, um, which I know, I did, not fun.

Selena: Um, and

Blake: Um, I'm sorry

Selena: I, I know it was, it was, it was bad. So I have increased, my own personal security as a result of, uh, a threat that I experienced. Um, and so we're, we're like, we're doing that every day, like depending on where you are in cybersecurity, right? Like whether you are a CISO, whether you work in HR and are managing like LinkedIn profile, like recruitment stuff.

Um, whether you are, right, the network defender or whether [00:34:00] you're just like an intelligence analyst, like no matter where you are, like things can impact you. And it's just a matter of effectively communicating how they can impact you and how you can or should change your behavior in response to, um, um, the perceived.

Blake: We've talked a little about the need to educate people to get better at picking up on some of these threats. When you're talking about this notion of risk-based decision making, I. been, you know, a, a, an active member of the cybersecurity community, uh, really engaged in a lot of these conversations.

I guess, like if we wanna step back and give ourselves a little scorecard, how are we doing? Are we, are we getting better? Do you feel like the trajectory is there to really conquer some of these risks? Or is it, is it still just a constant threats are getting worse, worse, worse, et

Selena: Um, I believe we are getting better. I think that there are, there's, uh, a lot more awareness, for example, of the threat landscape. Um, I think that the, um, the Colonial [00:35:00] Pipeline ransomware attack, for example, was a, uh, a big sort of flash point for general populace awareness of, um, digital threats, specifically ransomware.

Um,

Blake: Knocked out half the fuel supplies to the East Coast. For listeners who may not remember that one, hopefully you do. If you were in Georgia, I'm

Selena: Yeah. Right. Yeah. And so it's, it's really interesting that, you know, for me personally having covered this and been in this and I'm like, yes, this has existed for years. I'm so glad it was like oil that got taken out that made people realize this and not like the hospitals and city governments and schools.

Blake: Yeah. Jet fuel and gasoline we can find elsewhere.

Selena: Right? It was like the meatpacking plant and like oil happening in this confluence of like two weeks and it was like, oh, this is bad. Um, but I do have to say, you know, for example, my, um, and hopefully she'll forgive me for using her as a reference, but she, her life has been disrupted multiple times by ransomware attacks.

Um, she [00:36:00] works in the medical field and she has experienced, um, disruptions, uh, to basically like administrative tools and stuff due to cyber attacks. She, she was impacted by the Colonial Pipeline attack in that she couldn't drive her car basically because she couldn't get gas. And um, and it's like these real world impacts of threats I think that have, um, really created this.

Awareness overall. But I also think too that, um, certainly the US government, but I know global, uh, governments as well, are really kind of focusing on this too, right? Um, I know that there's been increasing conversations about regulations, right? Like, okay, if we are driving a car and we're not wearing a seatbelt, or we don't have an airbag, or, you know, like these, these environmental regulations, right?

Like our rivers don't have sewage in them constantly all the time. For a lot of, um, the United States and , it's like we have these like regulations that are put in place to protect people from bad things happening. And I think that that conversation [00:37:00] is, um, becoming increasingly noisy. Um, and people are realizing like, okay, there are very real steps that, um, that organizations, that people can take.

Um, I think from, um, a cyber insurance perspective as well, right? Like, I know that there's a lot of, of, um, consideration as like, should, A, is cyber insurance like a thing that should happen? B, should people have like baseline levels of protection before they are insured, um, to, you know, like preexisting conditions except for like, for like businesses, networks, right?

Blake: Well, to continue with the Ian example, it's gonna be a lot harder for a lot of people in my hometown to find insurance after this. You know, it's, it's, it can, similar things can happen, you know, uh, with, with the cybersecurity.

Selena: Mm-hmm. So I think it is getting better. Um, and I think that overall, um, more people are getting aware. And I also think too, that the number of journalists covering cybersecurity has increased, which means that newsrooms are paying attention to this, which means that readers are becoming aware of this.

And I think [00:38:00] overall it's a very good thing and I think we are getting better at effectively communicating threats to the general public as well. There's a lot that we need to do that could improve, but I think overall things are getting.

Blake: So we ask this of all our guests, as we're coming to the end of our time here. What's something that we wouldn't know about you by looking at your LinkedIn?

Selena: Oh, hmm. That's a good question. Uh, well, I used to be a dancer. Side note, that was, that's something. But, uh, hip-hop actually, um, um, back in the day, and actually used to teach kids, um, teach kids hip-hop at an afterschool program, but,

Blake: That sounds

Selena: It was, it was great. It was great. But I do have to actually give a shout out to something that I currently do.

Um, I'm a volunteer with Achilles International and, uh, that's an organization that pairs up sighted runners with, um, visually impaired, uh, athletes. And we run around DC [00:39:00] every week and it's really great and, yeah. I don't know if people would know that about me, but I, I am a runner. I do talk about that. Um, but yeah, Achilles, I volunteer with Achilles, which has just been the most wonderful thing that I have done since moving to DC.

Bella: That is so cool. That sounds really rewarding.

Blake: Cybercrime by day.

Selena: Yes. Running at night. I know that that's like my whole personality, is like cybercrime and running. I should expand my horizons a little bit. Maybe.

Blake: I, I, that's not the direction I was going there. Yeah. We introduced dance. No. Well that's, that's really wonderful and we really appreciate you coming on the show. It's been great talking with, uh, some of these really important

Selena: Yeah. Thanks so much for having me. This has been super fun.

 Oh my gosh, I'm so sorry.

There is a red-tailed hawk.

Bella: Whoa. That's so cool.

Selena: I'm so sorry. It just landed in the, uh, I'm

Blake: No, no, not a

Selena: should probably close my window. My window, when I'm

Blake: Oh, wait, the, the window. [00:40:00] The window was open. Don't let it fly in. Yeah.

Selena: No,

Blake: that would be a chaotic interruption.

Selena: I've, I've never seen

Blake: That's cool. I love, that's one of my favorite, that's one of my favorite birds, actually.