
Future of Threat Intelligence

Podcast Future of Threat Intelligence
Team Cymru

Available episodes

5 of 79
  • Silverado Policy Accelerator’s Dmitri Alperovitch on Hunting Intruders After They're Already In
    In this episode of The Future of Threat Intelligence, Dmitri Alperovitch, Co-founder & Executive Chairman at Silverado Policy Accelerator and Author of World on the Brink: How America Can Beat China in the Race for the 21st Century, delivers a stark warning about the second Cold War with China that's unfolding, from military and nuclear arms races to space competition and technological rivalry.

    Dmitri also shares how the Volt Typhoon intrusions represent deliberate "preparation of the battlefield" for potential conflict. He explains why Salt Typhoon could represent one of America's greatest counterintelligence failures.

    Topics discussed:
      • The evolution of Chinese cyber operations from noisy, sloppy techniques in 2010 to today's sophisticated threats that represent unprecedented counterintelligence failures.
      • How the Volt Typhoon intrusions into critical infrastructure serve as "preparation of the battlefield" designed to impede America's ability to defend Taiwan during potential conflict.
      • The concrete evidence of China's Taiwan invasion preparations, including specialized bridge barges designed to land armored forces directly onto Taiwan's highways.
      • Why Taiwan's 40% share of global semiconductor manufacturing creates catastrophic economic risk that could trigger a 5% compression in global GDP if disrupted.
      • The fundamental flaw in prevention-focused security models and why CrowdStrike's hunt-focused approach better addresses persistent nation-state threats.
      • Why the concept of "deterrence by denial" fails in cyberspace, unlike in physical warfare where anti-ship capabilities and other tactics can effectively deter invasion.
      • The organizational dysfunction in US government cybersecurity, where even CISA lacks operational control over civilian networks and agencies operate in silos.

    Key Takeaways:
      • Implement a hunt-focused security strategy that assumes adversaries will penetrate initial defenses, allocating resources to rapidly detect and eject intruders during their post-exploitation activities before they can accomplish objectives.
      • Evaluate your organization's target value to nation state actors rather than simply comparing your defenses to industry peers, recognizing that highly valuable targets will face persistent campaigns lasting years, regardless of defensive measures.
      • Acknowledge the inherent tension between security and availability requirements in your industry, developing tailored frameworks that balance operational resilience against the risk of catastrophic compromise.
      • Diversify semiconductor supply chains in your technology procurement strategy to reduce dependency on Taiwan-manufactured chips, preparing contingency plans for severe disruptions in global chip availability.
      • Incorporate geopolitical risk analysis into your security planning, particularly regarding China-Taiwan tensions and the projected window of heightened vulnerability identified by intelligence experts.
      • Revise incident response playbooks to address sophisticated nation-state intrusions like Volt Typhoon that target critical infrastructure as "preparation of the battlefield" rather than immediate data theft.
      • Establish clear security governance across organizational silos, addressing the dysfunction that plagues even government agencies where CISA lacks operational control over civilian networks.
      • Shift security metrics from prevention-focused measurements to detection speed, dwell time reduction, and ability to prevent objective completion even after initial compromise.
      • Challenge assumptions about deterrence by denial in your security architecture, recognizing that unlike physical defenses, cyber adversaries have virtually unlimited attack vectors requiring fundamentally different defensive approaches.
      • Prioritize protection of your most valuable digital assets based on adversary objectives rather than spreading resources evenly, recognizing that nation-state actors will specifically target strategic information regardless of general security posture.

    Join us for the 15th anniversary of RISE in San Francisco this April 8-9, where cybersecurity professionals, law enforcement, and threat intelligence analysts come together for two days of TLP-RED content sharing and hands-on collaboration in the fight against cybercrime. Apply now at http://www.cymru.com/rise.

    Listen to more episodes: Apple, Spotify, YouTube, Website
    --------  
    28:00
  • Directions on Microsoft’s Wes Miller on Harmonizing Microsoft's Security & Identity Tools
    What happens when Microsoft's on-premises security falls behind while cloud innovation accelerates? In this episode of The Future of Threat Intelligence, Wes Miller, Research Analyst for Microsoft Identity, Security, and Management at Directions on Microsoft, pulls back the curtain on Microsoft's fragmented security landscape.

    Having survived the historic Windows security push during his 7 years at Microsoft and spent the last 15 years analyzing their enterprise strategy, Wes delivers an insider's perspective on why vulnerable legacy systems like Exchange Server, Certificate Services, and Federation Services have become prime attack vectors while Microsoft focuses its innovation almost exclusively on cloud services.

    He also walks David through why organizations are struggling with critical misconceptions about Entra ID, reveals how Microsoft's release notes contain hidden threat intelligence, and shares tactical approaches to influence Microsoft's security roadmap through strategic stakeholder relationships.

    Topics discussed:
      • The critical security gap between Microsoft's cloud-focused investments and neglected on-premises systems like Exchange, Certificate Services, and Federation Services.
      • How analyzing Microsoft Defender update notes provides a "hidden" threat intelligence feed that reveals emerging attack patterns targeting enterprise environments.
      • The misconception that Active Directory and Entra ID are similar systems, when they require fundamentally different security approaches.
      • Why entitlement management represents the essential intersection between security and identity teams, connecting HR processes directly to access lifecycles.
      • The strategic challenge of harmonizing legacy and cloud identity systems while protecting non-Microsoft workloads in increasingly Microsoft-centric environments.
      • Practical methods for large enterprises to influence Microsoft's security roadmap through targeted stakeholder relationships and coordinated feedback.
      • How certificate servers often operate as "forgotten infrastructure" within organizations, creating prime attack vectors that Microsoft's Defender for Identity is specifically designed to detect.
      • The threat of Microsoft potentially limiting third-party identity provider integration capabilities, and strategies for maintaining ecosystem diversity.

    Key Takeaways:
      • Monitor Microsoft Defender release notes to identify emerging attack patterns that Microsoft is actively detecting across their customer base, providing valuable threat intelligence without additional cost.
      • Implement entitlement management systems that connect HR processes directly to identity lifecycles, ensuring proper access provisioning and deprovisioning throughout employee transitions.
      • Audit your on-premises certificate servers and federation services which often operate as "forgotten infrastructure" and represent prime attack vectors.
      • Develop a comprehensive strategy for synchronizing Active Directory and Entra ID, recognizing their fundamental architectural differences rather than treating them as interchangeable systems.
      • Establish strategic relationships with Microsoft stakeholders to influence their security roadmap, leveraging coordinated feedback when features don't align with real-world enterprise security needs.
      • Harmonize legacy and cloud identity systems by mapping complete workflows and identifying potential integration gaps between Microsoft's on-premises and cloud-based security tools.
      • Evaluate third-party identity providers for critical non-Microsoft workloads, addressing the potential limitations of Microsoft's tightening control over Entra ID integration capabilities.
      • Prioritize Exchange Server security through rigorous patch management and enhanced monitoring, as Microsoft has effectively "abandoned" on-premises Exchange according to Wes Miller.
      • Integrate security and identity management teams through shared workflow processes, recognizing their interdependence rather than maintaining traditional organizational silos.
      • Document architectural limitations of Microsoft's identity systems, particularly in hybrid environments where cloud and on-premises systems must interoperate securely.

    Join us for the 15th anniversary of RISE in San Francisco this April 8-9, where cybersecurity professionals, law enforcement, and threat intelligence analysts come together for two days of TLP-RED content sharing and hands-on collaboration in the fight against cybercrime. Apply now at http://www.cymru.com/rise.
    --------  
    24:28
  • Wikistrat’s Jeffrey Caruso on New Methods in Cyber-Physical Attacks
    In this episode of The Future of Threat Intelligence, Jeffrey Caruso, Senior Analyst at Wikistrat & Author of Inside Cyber Warfare, shares examples of how teams with minimal budgets achieved kinetic effects through OT system manipulation — from destroying missile research facilities to compromising subway systems and burning down FSB-affiliated banks. His findings, based on two years documenting Ukrainian cyber operations, demonstrate how deep supply chain understanding and innovative attack methods are proving more effective than conventional nation-state capabilities.

    Through methodical vendor system compromise and strategic engineering documentation exfiltration, he tells David how these teams have developed techniques for creating cascading physical effects without entering Russian territory. Notably, they've demonstrated that successful cyber-physical attacks don't require massive resources; instead, success comes from understanding system interdependencies and supply chain relationships, combined with the ability to interrogate key technical personnel about specific system behaviors.

    This research challenges traditional security models that emphasize tool stacks over team composition and suggests that adversary categorization (nation-state vs. criminal) may be less relevant than previously thought.

    Topics discussed:
      • How Ukrainian teams executed cyber-physical attacks by compromising vendor systems to obtain engineering diagrams and documentation, then exploiting OT vulnerabilities to create kinetic effects.
      • Why commercial security tools face limitations in addressing these attack methods due to business model constraints and design approach.
      • Technical examination of supply chain compromise techniques enabling physical infrastructure attacks, with examples of vendor system exploitation.
      • Evidence supporting an "adversary agnostic" approach to defense rather than traditional threat actor categorization.
      • Practical insights on building security teams by prioritizing mission focus and institutional loyalty over technical credentials.
      • Analysis of how OT system trial-and-error testing creates new risks for critical infrastructure protection.

    Key Takeaways:
      • Implement an adversary-agnostic defense strategy rather than focusing on threat actor categorization, as demonstrated by Ukrainian operations showing how even small teams can achieve nation-state-level impacts.
      • Prioritize supply chain security assessments by mapping vendor relationships and identifying potential engineering documentation exposure points that could enable cyber-physical attacks.
      • Establish comprehensive OT system monitoring to detect trial-and-error testing patterns that could indicate attackers attempting to understand system behavior for kinetic effects.
      • Transform security team building by prioritizing veteran hiring and mission focus over technical credentials alone, focusing on demonstrated loyalty and motivation.
      • Design resilient backup systems and fail-safes for critical infrastructure, operating under the assumption that primary defenses will be compromised.
      • Evaluate commercial security tools against their fundamental design limitations and business model constraints rather than feature lists alone.
      • Document all subsystems and interdependencies in OT environments to understand potential cascade effects that could be exploited for physical impact.
      • Build security team loyalty through comprehensive support services, competitive compensation, and burnout prevention rather than relying on high-paid "superstar" hires.
      • Develop verification checkpoints throughout automated security processes rather than assuming tool effectiveness, particularly for critical infrastructure protection.
      • Create architectural resilience by assuming breach scenarios and implementing multiple layers of manual oversight for critical system changes.

    Join us for the 15th anniversary of RISE in San Francisco this April 8-9, where cybersecurity professionals, law enforcement, and threat intelligence analysts come together for two days of TLP-RED content sharing and hands-on collaboration in the fight against cybercrime. Apply now at http://www.cymru.com/rise.

    Listen to more episodes: Apple, Spotify
    --------  
    25:20
  • Rapid7’s Deral Heiland on Why Your Network Segmentation Strategy Overlooks IoT Risk
    Deral Heiland's research has uncovered critical vulnerabilities across the IoT spectrum, from office printers to medical devices, revealing how seemingly isolated devices can compromise entire networks. In one investigation, he discovered active credentials for five major hospital systems still present on secondhand medical equipment.

    With extensive experience, including his current role as Principal Security Research (IoT) at Rapid7, Deral breaks down why IoT security requires examining entire ecosystems rather than individual devices, and shares practical frameworks for testing and securing IoT infrastructure at scale. On this episode of The Future of Threat Intelligence, Deral walks David through how his team's testing methodology examines the full attack surface: embedded device firmware, cloud APIs, management interfaces, and critically — the often-overlooked inter-chip communications.

    Topics discussed:
      • The development of an IoT testing methodology that maps complete device ecosystems: examining firmware extraction points, analyzing unencrypted inter-chip communications, evaluating cloud API security posture, and testing management interface access controls.
      • A technical analysis of inter-chip communication vulnerabilities, where internal busses like I2C and SPI often transmit authentication credentials and sensitive data without encryption, even in devices with strong external security.
      • An example of lateral movement through a state government network via unsegmented security cameras, demonstrating how default credentials and shared infrastructure bypassed department-level network isolation.
      • A framework for building IoT security testing capabilities, progressing from web/API/mobile security foundations to hardware-specific skills like firmware analysis and bus protocol monitoring.
      • Research findings on medical device disposal practices, identifying active directory credentials, Wi-Fi PSKs, and other sensitive data retained in second-hand equipment across five major hospital systems.
      • Practical strategies for securing unpatchable legacy IoT devices through network segmentation, behavioral baseline monitoring, and access control reconfiguration.
      • Integration of AI tools to accelerate IoT security testing, focusing on firmware analysis automation while maintaining human oversight of test methodology and results validation.
      • Implementation of coordinated vulnerability disclosure programs specifically designed for IoT vendors, including practical mitigation strategies for devices that cannot be immediately patched.

    Key Takeaways:
      • Map IoT device communication pathways by monitoring all traffic types and documenting API endpoints, cloud services, and management interfaces to understand the complete attack surface.
      • Implement protocol-aware monitoring for inter-chip communications to detect unauthorized data access at the hardware level, even when external interfaces are secured.
      • Deploy VLAN segmentation with explicit access controls for IoT devices, using separate networks for different device types with monitored cross-VLAN communication.
      • Create device behavior baselines using network flow analysis to identify normal communication patterns and detect anomalous activities that could indicate compromise or misuse.
      • Establish IoT asset disposal procedures that include secure erasure verification, credential revocation, and documentation of all removed sensitive data before decommissioning.
      • Implement network access controls for legacy devices based on known-good behavior patterns, restricting communication to required services and monitoring for deviation from baseline.
      • Deploy protocol-specific IDS rules for IoT device traffic, focusing on device-specific anomalies rather than traditional network attack signatures.
      • Develop hardware testing capabilities by starting with API/mobile security testing, then progressively adding firmware analysis and hardware protocol monitoring skills.
      • Create incident response playbooks specifically for IoT devices, including procedures for evidence collection from embedded systems and cloud service logs.
      • Structure vulnerability disclosure processes around providing configuration-based mitigations when patches aren't available, focusing on network isolation and access control recommendations.

    Join us for the 15th anniversary of RISE in San Francisco this April 8-9, where cybersecurity professionals, law enforcement, and threat intelligence analysts come together for two days of TLP-RED content sharing and hands-on collaboration in the fight against cybercrime. Apply now at http://www.cymru.com/rise.
    --------  
    29:31
  • IDC's Frank Dickson on Moving from Reactive to Proactive Security Strategy
    What happens when you combine market research expertise with cybersecurity strategy? On this episode of The Future of Threat Intelligence, Frank Dickson, Group VP of Security & Trust at IDC, shares his journey from market research to leading a team of 20 cybersecurity analysts advising organizations on security strategy.

    Frank walks David through the industry's shift from reactive security to proactive threat management, discussing why traditional metrics need to evolve and how security leaders can better communicate risk to business stakeholders. His unique perspective on the CISO role's evolution, the impact of organizational complexity on security, and the strategic importance of data management reveals why technical expertise alone isn't enough for modern security leadership.

    Topics discussed:
      • Moving from reactive security to proactive threat management through strategic metrics and improved risk communication approaches.
      • The evolution of the CISO role from technical expert to business leader, including critical communication and customer service skills.
      • Impact of organizational complexity on security effectiveness, particularly in environments with legacy systems and acquisitions.
      • Strategic approaches to managing and leveraging threat intelligence data while avoiding unnecessary complexity and redundancy.
      • Balancing necessary and unnecessary risks when implementing AI and machine learning in security programs.
      • Importance of translating cyber risk into business risk for effective communication with executives and board members.
      • The evolution of security leadership reporting structures in response to changing business technology dynamics.
      • Building strategic security programs that focus on simplification and clear business alignment.
      • The challenges of regulation in driving security adoption while maintaining agility and effectiveness.
      • Developing security metrics that meaningfully communicate value and risk to business stakeholders.

    Key Takeaways:
      • Implement mean time to detection and mean time to remediation as core metrics to measure security program effectiveness and efficiency.
      • Transform threat data into actionable intelligence by aligning it specifically with your environment's outcomes and requirements.
      • Streamline security infrastructure by consolidating tools and platforms to reduce complexity and improve manageability.
      • Establish direct CISO-to-CEO reporting structures to effectively manage security across line-of-business technology initiatives.
      • Develop customer service capabilities within security leadership to support sales processes and stakeholder relationships.
      • Structure security communications around business risk rather than technical metrics to improve executive understanding and support.
      • Create standardized taxonomies using frameworks like MITRE ATT&CK and OCSF to make security data more homogeneous and actionable.
      • Evaluate AI implementation risks by distinguishing between necessary innovation risks and unnecessary implementation risks.
      • Build security leadership skills progressively through compliance, business acumen, and executive communication capabilities.
      • Maintain comprehensive data inventories to prevent orphaned data and reduce unnecessary security exposure.

    Join us for a milestone celebration as RISE marks its 15th year of bringing together elite cybersecurity professionals, law enforcement, and enterprise teams. Apply now to be part of RISE USA 2025 April 8 - 9th in San Francisco: https://www.team-cymru.com/rise-usa. Space is limited.
    --------  
    31:51


About Future of Threat Intelligence

Welcome to the Future of Threat Intelligence podcast, where we explore the transformative shift from reactive detection to proactive threat management. Join us as we engage with top cybersecurity leaders and practitioners, uncovering strategies that empower organizations to anticipate and neutralize threats before they strike. Each episode is packed with actionable insights, helping you stay ahead of the curve and prepare for the trends and technologies shaping the future.

v7.13.0 | © 2007-2025 radio.de GmbH
Generated: 4/2/2025 - 9:12:05 AM