CSO Perspectives (Pro) 7.22.24
Ep 115 | 7.22.24

The current state of Cyber Threat Intelligence.

Transcript

Rick Howard: Hey, everybody. Rick here. So far this season, we've done a gut check on the current state of XDR, Extended Detection and Response, IAM, Identity and Access Management, and the MITRE ATT&CK Framework. Since we did ATT&CK last week, I thought it was only appropriate that for this week we take a look at CTI, Cyber Threat Intelligence. If you're following along with our First Principles book, you know that CTI is a key and essential tactic to the intrusion kill chain prevention strategy, and in order to deploy and maintain prevention controls for known adversary campaigns across the kill chain, your CTI team will likely be using the MITRE ATT&CK Wiki for a good portion of its inbound intelligence. See what I did there? Do you see how everything is connected? We don't do random stuff here. We've got a plan. So hold on to your butts.

Samuel L. Jackson: Hold onto your butts -- butts --

Rick Howard: We're going to take a deep dive in the world of Cyber Threat Intelligence. [ Music ] My name is Rick Howard, and I'm broadcasting from N2K Cyber's Secret Sanctum Sanctorum Studios located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old US of A, and you're listening to "CSO Perspectives," my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis. [ Music ] John Hultquist is the Chief Analyst at Mandiant XDR, a training and incident response company, now part of the Google Cloud organization, after the acquisition in 2022, but he's been doing intelligence work for going on two decades now, first with the U.S. government, then with a commercial cyber intelligence company called iSIGHT Partners, and then with Mandiant, where he has been working for over seven years. So John and I are both cyber intel guys from way back, and when I ran into him at the NYS conference in DC last October, he and I got to talking about the old days and how far CTI has come. So we have a history, right John?

John Hultquist: Yeah.

Rick Howard: Because I ran a cyber intelligence shop many years ago called iDefense.

John Hultquist: That's right.

Rick Howard: Founded by John Waters.

John Hultquist: That's right.

Rick Howard: That was owned by Verisign.

John Hultquist: Yeah.

Rick Howard: And then when he left the company, he started another commercial intelligence company called iSIGHT.

John Hultquist: iSIGHT.

Rick Howard: Right? Stole half my people.

John Hultquist: Loved the I.

Rick Howard: Kept the I

John Hultquist: Kept the I, yeah.

Rick Howard: And then you joined that --

John Hultquist: That's right, yeah.

Rick Howard: So explain what happened after that.

John Hultquist: So I joined out of, I guess, I was working at DIA at the time. I didn't stay -- mostly, I spent most of my time at State Department, and then military -- the Army way back in the day, and they had -- they were like -- they were focused on cybercrime at the time, and it was just like, can we find anything besides cybercrime out there in the ether, and at first, we could not. [ Laughing ] For a long time we could not, and then, you know, slowly we figured out how to track certain actors, you know, certain espionage actors. It took us a while, and, I mean, it was a very, you know, slow process, but, you know, over time we built out the ability to hunt for cyberespionage outside of the government, which is something, frankly, if you told me it was possible when I was in the government, I would say that's ridiculous.

Rick Howard: Yeah, that's exactly right.

John Hultquist: Yeah.

Rick Howard: So you've been involved in all the changes of hands of the iSIGHT stuff, right?

John Hultquist: Yeah.

Rick Howard: It went from where to where to where?

John Hultquist: So we were at iSIGHT, and then we got acquired by FireEye, which had previously acquired Mandiant, and then FireEye sort of became Mandiant.

Rick Howard: Yeah.

John Hultquist: So --

Rick Howard: Which nobody could figure out, but that was --

John Hultquist: Yeah, it was a strange sort of thing, and then we became Mandiant Intelligence within Mandiant. And then Mandiant was acquired by Google Cloud, and that's where we are now.

Rick Howard: So --

John Hultquist: I've been through the -- all of it.

Rick Howard: And you've seen all -- you know where all the skeletons are, right?

John Hultquist: Yeah, yeah, oh, I -- yeah.

Rick Howard: But we're talking today because we're at the NYS Conference here in Washington, D.C., right? The -- I don't know. What would you say the theme of the conference is this year overall? What were we trying to get across?

John Hultquist: You know, I've spent a lot of time with customers, and that's, honestly, it's super enlightening because I have my thoughts on what I think matters.

Rick Howard: Yeah, me too.

John Hultquist: And then you go into the room, and they're like, this is what actually matters to me, and it's always great to sort of find where those two parts kind of connect. And, you know, I think, obviously, the situation with the casinos in Las Vegas is like the talk -- the talk of the town or whatever you want to call it right now.

Rick Howard: Which is crazy, right?

John Hultquist: Yeah.

Rick Howard: I mean, okay, it's a big deal for them, but are we -- why is that more important than, I don't know, something else?

John Hultquist: I mean, I think those actors are sort of challenging a lot of the, you know, ways that we do security, right? And I will tell you --

Rick Howard: What John and I are talking about are the ransomware attacks against two Las Vegas hotel chains in September of 2023, just prior to this conversation, by the hacking group Wicked Spider. The group compromised Caesars and MGM Resorts, including the Bellagio and the Cosmopolitan, and sent them back to the Stone Age. MGM had to stop using their computers entirely for 10 days, and instead checked in hotel guests manually and provided customers with cash payouts from the casino. Caesars reportedly paid Wicked Spider a $15 million ransom, and MGM estimated that the total recovery cost for them was about $100 million. According to Josephine Wolff at Slate Magazine, casinos have a reputation for excellent security, but it seems that security may be more focused on physical vulnerabilities than online ones.

John Hultquist: And I will tell you that casinos, I've worked -- spent a lot of time working with casinos through the years --

Rick Howard: Sure.

John Hultquist: -- and they are mature players, right? They are --

Rick Howard: They know what they're doing.

John Hultquist: They have been doing security since day one at casinos, right? It's not an afterthought. It never was, and so, you know, it's really interesting to see, you know, an actor, you know, hit more than one of them, and, you know, where we've been essentially trying to distill some of the lessons learned from that actor.

Rick Howard: Is there something we can just point to here? Like, you know, we've been doing cybersecurity for 30 years.

John Hultquist: Yeah.

Rick Howard: They took advantage of something that we have not been paying attention to?

John Hultquist: Well, you know, it's funny. It's like everything old is new again, right? There are things that I think we thought about a long time ago, and maybe we didn't just keep watching because adversaries change.

Rick Howard: Right.

John Hultquist: And we, maybe, had not kept our eye on the ball on certain things. Just like, by the way, there was a talk about USB malware, right? Which was like the bane of my existence when I was in the government with, you know, the Agent BTZ situation.

Rick Howard: Yep, all of us, yep.

John Hultquist: But -- so that, everything old is new again. I think, you know, these are things that we thought of before, but there's been a refresh, you know, they sort of refreshed a lot. Remember we had a lot of these problems, and it's good because we're going to start, you know, attacking some of these problems. So the biggest one is their ability to social engineer. It's exceptional. They're English speakers. I keep talking about, it's not just that they're English speakers. They're native English speakers. They're able to sort of develop a real familiarity with the people they talk to and sort of emote in the language, right? There are differences between how people in Western Europe discuss things, right? You know, like they're very -- and how they emote on the phone, right? And these guys are locked in and able to really convince somebody to help them. And what that means is that your help desk will not only sort of, you know, allow them to get through these gateways that we've set up, but it'll almost pull them through because I think they like them. You know, they want to help them and --

Rick Howard: So it kind of, we've gone back to more social engineering as a skill set, right?

John Hultquist: It's a huge skill set, and I think that it exposes the vulnerability in just, you know, the way that we set up these help desks, and probably how we incentivize them, right? They're incentivized to be helpful. That's how they're reviewed, I'm sure.

Rick Howard: That's right, yeah.

John Hultquist: Telling somebody no may not actually be in their interest, you know, economically, you know, if you work on the floor, and we've got to make sure that's not the case.

Rick Howard: I heard a story by Mitnick talking about the help desk, right? The Mitnick I'm referring to here is the late, great Kevin Mitnick, the infamous world-class social engineer, author of two wildly popular books on the subject, The Art of Deception and Ghost in the Wires, and who you could reasonably say put the skill set of social engineering on the cybersecurity roadmap when he went to prison for five years back in the mid-1990s for, "various computer and communications-related crimes." When he got out of prison, he went straight, set up a consulting business, and became a beloved character in the InfoSec community. Sadly, in 2023, when he was just 59, we lost him to pancreatic cancer.

John Hultquist: He was saying that the way he would social engineer a target was that he would call in and help the help desk solve a problem, okay, like a contractor, like he faked to be a contractor.

Rick Howard: Oh, wow.

John Hultquist: He'd solve the problem, and then a week later, he would call the help desk again and say, hey, I need you to fill out this --

Rick Howard: You remember me.

John Hultquist: Remember me? Fill out this paper.

Rick Howard: Oh, wow.

John Hultquist: Right?

Rick Howard: Yeah.

John Hultquist: And it's like, yeah, so maybe we're coming back to those kinds of things.

Rick Howard: Yeah. I mean, the long play, by the way, is something we've actually seen from the other players, more in the like the text, you know, like email message situation, like the Iranians and the South Koreans. And you'll see them social somebody for like a month now before they ever bother to send that link or that, you know, that attachment. So but they're pulling people through. They're hitting these business process outsourcers that are like third parties that manage a lot of our data and sort of going after third parties to get into their targets, and the other thing that's really important that they're doing is there's a focus on telecoms and SMS, and particularly the ability to overcome second, like two-factor, right? Or the ability to get somebody to send a reset code or something directly to a phone that they control, and it really proves that we have to really rethink, you know, how much we rely on phone numbers as a reliable way to sort of authenticate somebody. Because we're still trying to get people to use two factor on phones, right?

John Hultquist: Right? We're still on this journey, and I will say that I still, you know, I still think it's a speed bump, right?

Rick Howard: Yeah, yeah.

John Hultquist: But it's just not an enterprise -- like it's -- a speed bump is not like a doorway, right? Like it's not enough for an enterprise. Maybe for certain things it's enough. But if, you know, if you are trying to protect an enterprise, it's just -- it's probably not going to -- it probably won't do it. [ Music ]

Rick Howard: So you were on this panel at the NYS conference, okay? It's called Cyber Intelligence in a Rapidly Changing World, and some big-time luminaries on that panel. I'm not saying you are.

John Hultquist: No, yeah.

Rick Howard: But you know, other people there.

John Hultquist: There were other people there.

Rick Howard: Right?

John Hultquist: Yeah.

Rick Howard: Did this kind of stuff come up on the panel, or what was the -- what were you talking about in all of that?

John Hultquist: Well, you know, we had some really interesting people on the panel who had spent a lot of time looking at crime from various aspects. Jackie from Chainalysis, I thought, had a really interesting sort of view into the problem. She looks at the blockchain, and she watches a lot of this movement. [ Music ]

Rick Howard: For those of you not familiar with the company Chainalysis, it figures prominently in the Cybersecurity Canon Hall of Fame book, Tracers in the Dark, by Wired journalist Andy Greenberg, in my opinion the best cybercrime book of the last decade. If you had any lingering doubts about whether Bitcoin's blockchain technology would protect your identity, Greenberg completely blows that out of the water, and Chainalysis, along with a feisty IRS agent and a university grad student, are the ones that figured out how to do it. The Jackie that John just mentioned is Jacqueline Koven, the head of Cyber Threat Intelligence at Chainalysis. [ Music ]

John Hultquist: And one of the things she said is she's seen sort of a drop off in some of the many criminal actors, and she attributes this to maybe some success. And, you know, we're seeing zero days in the crime space now. And there's a thought that maybe some of -- there is actually an increasing barrier to entry. So some of our defenses may actually be working. That's why we're talking about innovations here, right? Or like meeting problems instead of talking about, oh, it's the same old thing we've seen a thousand times. We're actually just talking about zero days and new ways to social engineer, and people are defeating the second factor things, and that's good. That means that some of the things that we're doing may actually be working, which you never, ever hear in this business.

Rick Howard: Well, you said Jackie's from Chainalysis. I heard about Chainalysis from Andy Greenberg's book, Tracers in the Dark.

John Hultquist: Yeah.

Rick Howard: And up until that point, I think most of us thought that, you know, blockchain was anonymous. I mean, we knew it probably could be broken, but they blew that idea completely out of the water.

John Hultquist: Yeah. It's a really strange concept.

Rick Howard: I know.

John Hultquist: Because I think it was the first thing you heard about blockchain is that it would be anonymous, and that doesn't seem to be the case at all.

Rick Howard: Well, I mean, if you look at the design specs, it's supposed to be transparent.

John Hultquist: Yeah.

Rick Howard: It's a transparent ledger.

John Hultquist: It's the opposite, right? It's a transparent measure, and it's given us a tremendous amount of insight into a lot of adversaries, not just the criminals. Well, not just the regular, the good, old-fashioned criminals, but we also have like the North Koreans now. And we could see the scale of their program, and it's in the hundreds of millions.

Rick Howard: It's amazing, yeah.

John Hultquist: Yeah, and it's going right into a nuclear weapons program.

Rick Howard: I think you and I are in the wrong business, okay? We're in --

John Hultquist: Yeah, clearly, yeah.

Rick Howard: All right. So we are two old intel guys, right?

John Hultquist: Yeah.

Rick Howard: What I want to talk to you about is kind of the state of the art of cyber intelligence, and I know there's lots of haves and have nots.

John Hultquist: Sure, yeah, yeah.

Rick Howard: So let's talk about the haves. Okay, because those guys are probably on the bleeding end.

John Hultquist: Yeah.

Rick Howard: You have been involved in one of the leading thought leaders in how to do cyber intelligence. So what's the current state of cyber intelligence? What's the -- how do we do this today as opposed to the way we were doing it?

John Hultquist: That's a really good question.

Rick Howard: Thank you.

John Hultquist: So I told you about a time when we were outside of the government and we couldn't -- like, and I didn't believe that like you could track cyber espionage outside of the government, and we learned that that's not the case. And along the way, there were a lot of innovations that got us there, right? I think one of them was some of the ways that we track DNS and some of the ways that we track malware, for instance. I know that VirusTotal is a Google company and it's going to sound a bit much for me to like plug them right now, but VirusTotal changed, you know, like changed the business for a lot of us, right? And --

Rick Howard: I think it's fair to say you guys were outside of Google when it started.

John Hultquist: Yeah, well, I mean, for us, it was huge.

Rick Howard: Yeah, yeah, yeah.

John Hultquist: Like that was one of the reasons we learned we could do this.

Rick Howard: Yeah.

John Hultquist: From there, I thought it was magic. Would somebody explain it to me?

Rick Howard: Well, I'll explain it for people that don't know what -- what is VirusTotal?

John Hultquist: Well, I mean, what VirusTotal does is people, you know, submit malware, and it allows us just to aggregate all of this -- these signals from -- essentially from the criminal space and the state-actor space and start looking for patterns and behaviors that like -- that resemble certain groups, right? And so over time, we can see groups change based on the, literally, the submissions to VirusTotal, and it's -- that's super powerful. It's like a --

Rick Howard: It's like a change in real time.

John Hultquist: Yeah, it's like a community security model, and it's been really effective. And so that has been, you know, a massive change. I will say that, you know, the adversary is getting better. And I think, you know, we're really excited, for instance, about being, you know, being part of the larger Google family because, you know, an adversary changes. You're going to need more data, and it's going to be harder to find them, and we're, hopefully -- you know, hopefully, in a better position to do that because they are not the same adversary I faced off, you know, decades ago in the government when they were coming out of, you know, like Shanghai, for instance, right? Now they come through these complex proxy networks, and they're hard to track.

Rick Howard: Well, you and I ran into each other at RSA right after Google acquired you guys, right?

John Hultquist: Yeah.

Rick Howard: And then we were saying, this should be good, right? You get to plug into the Google data stream.

John Hultquist: Yeah, yeah.

Rick Howard: Because before you had to kind of either be invited in.

John Hultquist: Sure, yeah, yeah.

Rick Howard: Right? And you didn't really have any sensors on the network in bulk.

John Hultquist: Yeah, yeah.

Rick Howard: But now, you know, Google's a giant collector of --

John Hultquist: Yeah, I mean, it's a good marriage. I think even for everybody, even their side, you know, one of the interesting things, it depends on your placement in the network, right? And so you could be at the -- sort of the front end where you're like the mail, right? And you could see the adversary moving towards the mail, and -- but you miss a piece of that, right? You don't know what they do after the fact.

Rick Howard: Right.

John Hultquist: Because oftentimes you're just defending that piece of the attack surface. So I'll put it the other way is that what's really cool that we can bring to Google is we're starting to fill out the other side of that because we're going into the IRs, and we get to see the entire attack life cycle, right?

Rick Howard: IR stands for?

John Hultquist: Incident responses, right? And so we're going to these incident responses as Mandiant, and we get to see what the actor did after they sent the mail. And so, were -- you know, I think both sides are going to, you know, are already benefiting from that view.

Rick Howard: So like I mentioned before, you and I are both old government intel guys, right? Do you operate your intel shop the same way we did back in the government days? Do you follow the intelligence life cycle?

John Hultquist: Yeah.

Rick Howard: Do you build --

John Hultquist: Yeah.

Rick Howard: Critical information requirements, priority information, requirements, collect --

John Hultquist: Yeah. We have requirements. We have a collection -- collections apparatus. What's interesting --

Rick Howard: The intelligence life cycle is a framework that has been around intelligence circles since the end of World War II. It explains how the U.S. military collects raw information and turns it into intelligence for decision makers to use. You basically ask the boss for the kinds of questions she needs answers for, like what hacker groups are most likely to choose our organization as a target? Once you have that, you devise a plan in the form of critical information requirements, IRs, to go get the information that will allow you to answer the question. Like you might point your intel team to collect all the data in the MITRE ATT&CK Wiki. See our previous episode on MITRE ATT&CK. Once you have the data, you try to answer the boss's questions with it. Like based on the type of organization we are and the kinds of assets we have, the intel team might decide with 90% certainty that the hacking group Wicked Spider is the most likely group that will target us in the next three years. You take that back to the boss and see if she likes what you did. She may modify the question or ask you some follow-on question, like do we have prevention controls in place across the entire kill chain to block the most likely Wicked Spider campaign? And then the entire process starts over. That's why it's called the intelligence life cycle.

John Hultquist: What's interesting, I think, about our collections apparatus, it's literally like the same -- like part of the group that essentially services the IRs is part of the collection apparatus.

Rick Howard: Sure, yeah.

John Hultquist: So you -- essentially what you'll have is a group that is sort of specialized on supporting IRs directly with intelligence, and they're pulling stuff out and sort of atomizing it and turning it into like a -- databasing it and sort of turning it into a -- modeling it is what we really say. And then the next IR comes, and they have all the data to feed back. And then they're feeding that back in towards -- along with more collections from, say, the underground or towards an analysis shop. And the analysis shop is essentially, you know, trying to maintain a visibility of a whole host of threats across the world.

Rick Howard: Right. So if I was building my own brand-new intelligence team, is it worth telling people to think about the intelligence life cycle?

John Hultquist: Yeah, I think so. I think it still absolutely matters, right? Building or starting with requirements is a good -- is a great place to start.

Rick Howard: Do you separate like critical like commanders' requirements, like big-picture stuff that don't change that often?

John Hultquist: I have -- I've found that like, you know, we've done this a million different ways over the years as we could probably imagine, right, that you have to kind of come up with a process that works for your organization, right? And I would say that we ended up with a process that's sort of a version of the classic version, but more appropriate to our mechanisms and, you know, what we can expect to find and takes that into credit. I'll also say that it's a really good place to start, though, if you are going at -- like we're a vendor, right? We sell intelligence. Do we even -- like are they going to service like these requirements, right? And that's a great place to start because you end up with a lot of people that just go out and buy something and they don't necessarily know --

Rick Howard: They don't know what it is, yeah.

John Hultquist: Or how it's going to help, right? And that's a really important part of the process, right?

Rick Howard: Yeah. Subscribing to a news feed is not really --

John Hultquist: Exactly.

Rick Howard: -- you know, intelligence, right.

John Hultquist: Or, you know, like a list of IP addresses.

Rick Howard: Yeah, yeah, yeah.

John Hultquist: So you really want to get to a position where you're getting answers to the questions that you really need. And you need to judge, you know, these contracts on the basis of that, right? There are going to be contracts. There are definitely, you know, intelligence providers out there who will not answer the questions that are, you know, important to you. And some organizations, and I've been in a bunch of conversations, you know, last three days with clients. Some have very specific needs, right? They have very strange business models or threats that are rare and hard to -- you know, hard to service. Like you have to come up with a plan for that, a collection plan.

Rick Howard: You mentioned before, we were talking about different groups, right? And one of my pet peeves is we conflate attribution of adversary campaigns.

John Hultquist: Yes.

Rick Howard: Because we're really good at that.

John Hultquist: Sure.

Rick Howard: Everybody, we have many security vendors that track adversary campaigns.

John Hultquist: Yeah, yeah.

Rick Howard: We're pretty sure we know what the attack sequence is after a time, right?

John Hultquist: Sure, yeah.

Rick Howard: But we also attribute groups to, oh, we think this is the Russians or this is the Chinese. Yeah, yeah.

John Hultquist: And we suck at that, but because we're good at one, we conflate that we're good at the other.

Rick Howard: Yeah, yeah.

John Hultquist: And so, in fact, most of the reports --

Rick Howard: It's a lot harder to do the second one.

John Hultquist: Yeah, and we probably -- do you think we need it for most of them?

Rick Howard: Oh, that's a first -- great question.

John Hultquist: Yeah.

Rick Howard: So I teach a class at Johns Hopkins. So I think they call -- I think maybe Rob Lee [assumed spelling] is the first one I heard say this. I can't remember who said this first, but there's like little "a" and big "A" attribution, which I really like the idea of.

John Hultquist: Yeah, I like that.

Rick Howard: So little "a" would be like the campaign or the actor, but we don't know anything about it, and I always use like Jack the Ripper, right? Like, this is Jack the Ripper. We know he did all these crimes. We know his techniques. We know his victims, right? To a certain extent, where he's operating, tools, weapons, or whatever he had, but we don't know -- we don't know who Jack the Ripper is. We actually don't even know why he's doing it, really.

John Hultquist: I like that analogy. So in that analogy, do we care?

Rick Howard: Well, so here's why I would say it does matter. So two years ago, or yeah, it was two years. What was it last year? Whatever. On the eve of the invasion of Ukraine, right, which we were all anticipating, I had clients asking what to expect, including, you know, including like the people we were working with in Ukraine. And we were able to take an entire world of threat and melt that down into a handful of actors who had absolutely turned out to be the ones to worry about. For instance, like the one that I have tracked historically has been the one called Sandworm. And we said Sandworm will be the apex predator, the number-one threat. It will go after the critical infrastructure in this country. That is absolutely what happened. Well, the reason we knew, and the reason we were able to do that, so we were able to take all the threats in the world and tell them, this is the actor that you need to focus on.

John Hultquist: You might have the one example where it's important to know who it is, right? Right? But even in that case, for a general-purpose defender like me, I had nothing to do with Ukraine, right?

Rick Howard: Yeah.

John Hultquist: But I could say, oh, activity is going to pick up from all these groups that we think are from Russia, even if they're not.

Rick Howard: Yeah, yeah.

John Hultquist: I can say, pay attention. Right, yeah?

Rick Howard: Exactly, and yeah, and it didn't have to be perfect.

John Hultquist: Yeah, it doesn't have to be perfect.

Rick Howard: That's the other thing, right? Like, maybe this probably is Russia, but I'll put it in that grouping and say, these are the ones that are probably coming for us. We don't know for sure. These are the ones we suspect. That's a really important thing is we can be very fuzzy about a lot of that, and we don't have to be perfect, right? Like, it's not necessary. I don't need to know the guy -- the color of the car. Like, I'm sure there's somebody at the fort who knows what color car the guys drive, right?

John Hultquist: I'm sure, yeah.

Rick Howard: And watch them come into work every day. I don't need to know that. It doesn't make a difference. But I like, I just need to have a general idea that these are probably the ones that matter, right? And usually, I need to know what their targets look like because that's where I'm going to start conveying value to certain people. Like, they're likely to target you. You're off the list. You know, this group might be more interested in you. And when I go into these groups with customers, a big part of what I'm doing is like, all right, out of this big cloud, which are the ones that, actually, you guys should really worry about, right? Instead of them having to worry about everything.

John Hultquist: Let's talk about that because I had this running argument with lots of guests, right? Because how many adversaries are actually operating on the internet on any given day? We're talking about nation state and criminal groups.

Rick Howard: Yeah.

John Hultquist: It's not that many, right?

Rick Howard: Well, that's a really interesting idea. So what is funny about this job is like -- is you get into this situation where you -- I remember this movie where they were talking about these mystery novels in the movie, and the gimmick in the mystery novels was this detective was always working two cases. By the end of the mystery novel, he would always find that both of his cases -- Related.

John Hultquist: -- were related, right? And that has happened to me so many times it's not even -- like it's absurd. Like, it really happens enough, and that happens because there is, there's like, we know these actors, right? And the reason we know these actors is because there's only so many of them.

Rick Howard: There's not that many. That's my point.

John Hultquist: And that, it kind of blows my mind sometimes to think about it. But I mean, when indictments have come out, right, and they've said, this actor did this, this, this, and this, and this, and I'm thinking, man, this one, like this one group, I have had this, like so many interactions with this group. It's unbelievable.

Rick Howard: I kind of got -- I sat through the Malcolm Gladwell keynote, and he was talking about radical asymmetric distributions.

John Hultquist: Yeah, yeah.

Rick Howard: And I said, where is this going? All right? And, but he was saying that most of us think that everything is normally distributed, all the bad things in the world.

John Hultquist: Yeah.

Rick Howard: And I've done this for 30 years thinking that I've tried to protect my environment because an attack is imminent from one of these groups.

John Hultquist: Sure. Sure.

Rick Howard: And if you look at the stats, that is not likely at all, right?

John Hultquist: It's so -- it is a really interesting capability. So I've spent a lot of time talking about, maybe because it's related to SandWorm and other players, but focused on the concept of, of cyber war, and it's an asymmetric capability, and there's a couple of reasons. One, it's not really, you know, it -- you know, there's like, it's a lower barrier -- pretty low barrier to entry when you consider like all the other ways you can have, you know, major effects on, say, another like country. And then, and I have to be really careful here.

Rick Howard: Yeah, yeah.

John Hultquist: Yeah, I worked in counterterrorism for a little while, and I worked in the, you know, Army. I was like doing, what do they call it? Like counterinsurgency, right? And so there's a big similarity between the concept of cyber war and terrorism. Now it's missing the violence aspect, which is absolutely crucial to most definitions of terrorism. But what it does have in common is this asymmetric effect where it's not about the incident itself. It's about all the people who saw the incident and their sort of relationship or their like psychological reflection on the incident, right? So if I turn out the lights in Ukraine, you know, in the way they have historically, it's not going to go out for that long.

Rick Howard: Right.

John Hultquist: So the practical effects are minimal.

Rick Howard: Yeah.

John Hultquist: But I just turned the lights out in downtown Kiev, which is one thing they managed to do, and people now know that they can sort of reach out and touch them.

Rick Howard: Yeah, it's psychologically --

John Hultquist: And the psychological effect, like it's massively asymmetric, right? It has a huge effect. So yeah, I think it's an important piece of this.

Rick Howard: So the MITRE ATT&CK Framework, they're tracking about 150 different campaigns. Most of those are nation states. They've got a handful of criminal campaigns, right?

John Hultquist: Yeah.

Rick Howard: Right? And the FBI and Microsoft say they're tracking about 100 different criminal gangs.

John Hultquist: Yeah.

Rick Howard: So that's roughly 250 campaigns on the internet.

John Hultquist: Yeah. That's a realistic number like -- I mean, obviously, there's going to be all kinds of really small upstarts, yada, yada, yada. Groups that --

Rick Howard: Yeah, but maybe you could track that with a spreadsheet. I mean, come on, I wouldn't do that.

John Hultquist: I mean, we have thousands of what we call the uncategorized, but we suspect that many, many, many of them are connected. That's a very realistic number. I think it's in, you know, in the low hundreds.

Rick Howard: Which brings me to the next question where intel will come into play. Governments, Western governments, are now making noises that they're going to start going after bad-guy infrastructure.

John Hultquist: Yeah.

Rick Howard: Right? And what they're going to need is intelligence to do it.

John Hultquist: Yes, absolutely.

Rick Howard: We haven't seen a lot of that in the press yet. I'm assuming that's going on.

John Hultquist: I don't know whether we'll get it -- we're going to see much at all.

Rick Howard: Yeah.

John Hultquist: Yeah.

Rick Howard: But it seems to me it's only 250. I mean, I think we could knock this out.

John Hultquist: So it's a doable -- like it's a doable problem.

Rick Howard: Yeah. I think you and I and a couple of people we know could put a dent in.

John Hultquist: Oh, I -- somebody could stomp on -- stop that stuff, right? And I think -- and that's what I remember at the beginning of the war in Ukraine is like, look, we know who the players are here.

Rick Howard: Right.

John Hultquist: I mean, like they -- I mean, they've released their names, right? This is a very addressable problem.

Rick Howard: It's not a secret. Right.

John Hultquist: Right? Like, you know, focus, and I think it's really, really interesting because we -- until we started thinking about it in that space, it seemed very daunting because it's very asymmetric. You know, one versus many, we don't know where they're going to show up. But on the other side, right, we know who -- if we know who they are, then it becomes a much more approachable problem, I think.

Rick Howard: Well, before the government has made hints that they were thinking about this, law enforcement kind of ran this idea.

John Hultquist: Yeah.

Rick Howard: But they wanted to put people behind bars. And that's --

John Hultquist: And that's -- it's just not possible.

Rick Howard: Yeah.

John Hultquist: Right? And I know it was it was --

Rick Howard: A waste of time.

John Hultquist: It, I think, was a massive waste of our time. So instead of getting ahead on this game for a long time, we're building cases, right? And cases are not -- never going to get us --

Rick Howard: And hoping the Russians will extradite. Come on.

John Hultquist: Yeah, and that's just not -- it's just not going to happen.

Rick Howard: Well, I guess we had to --

John Hultquist: Instead, we can focus on disruption, right, and actually have an effect on the actors. And it's a much better outcome.

Rick Howard: I had an old army boss of mine that said, you know, be careful what you ask for, right? Because don't think that the bad guy is going to give up just because you punch back.

John Hultquist: Oh, and that's a great point, too, right? They're not going to give up, right? So I think they're going to regroup and come back, but we need to add some friction, right? We need to add some friction.

Rick Howard: Back to you. We need to add friction. I'm totally --

John Hultquist: Yeah, and I'll tell you, the other thing is like -- and I really hate to do any kind of -- more terrorism-like things, because it's very different. It's not violent.

Rick Howard: Yeah.

John Hultquist: But -- and not that it's not. I mean, these people aren't bad, but, you know, it's not the same thing. But we have this like, you know, that's -- the concept in terrorism is that no one would ever say we can't act because it's not going to be good enough, right? Like they're going to come back, anyway. You have this like moral obligation to act, and I think we still have that in this space. We have a moral obligation to add friction, even if, you know, somebody is going to replace them or they're going get their operations back.

Rick Howard: Well, we had our own speed bumps, too. Besides law enforcement trying to build a case, we would always say, well, what if we attack somebody --

John Hultquist: Well, that's it. Yeah, that's an interesting question that keeps coming -- kept coming up.

Rick Howard: But I think we've slid past that, right? Right now, the chances of that are smaller.

John Hultquist: Yeah.

Rick Howard: We don't really care, okay?

John Hultquist: Yeah, I think we figured our way through that. I don't know what kind of legal jujitsu that took.

Rick Howard: Yeah, that's why I'm not a lawyer.

John Hultquist: Yeah, yeah.

Rick Howard: That's right. [ Laughing ] What should we be thinking about, current state of cyber threat intelligence? What should people be thinking about right now as we close this out? What would you -- any advice? You've been doing this a long time. How do you build an intel team that's worthwhile for you?

John Hultquist: There's two things that I see people kind of make mistakes about. One is they don't start with a strong reflection of themselves, right, or on their own problems and when the most likely scenarios based on --

Rick Howard: What we want them to do, right?

John Hultquist: Really motivate, yeah, and it's a two-piece problem, right? So it's -- it's you start with your organization and then you like what -- you know, what is sort of like critical and what matters and like what is likely to attract an adversary? Because that's another piece of it, right? Like you could be doing things that attract this adversary, and then you've got to go out into the world. The second part is -- and actually start judging adversaries based on their motivations, right? Like some will be attracted to you based on the fact that you make like chips, for instance, or you -- some will be attracted if you make bombs for a living, of course, right? And you've got to start connecting the dots. The other thing is, is that we get into this world where I have a lot of clients, for instance, in foreign countries or certain sectors who say, oh, well, you're not telling me enough, like, about my sector or my country, and I have to say, you're not paying attention, enough attention, to everywhere, or to that sector, right? Like I have a tremendous amount of intelligence on China targeting certain countries in Asia, and I will have other countries in Asia go, well, why aren't you telling us about them targeting us? And oftentimes, the answer is you need to be looking at who's targeting your neighbor, right? They're not -- a lot of people don't get -- take a world view and start asking why they targeted them because they -- that starts -- you can start deriving a lot of value out of that.

Rick Howard: Well, you can make an argument. I'm not saying it's the right argument, but you could make an argument that the organizations that need to worry about threat intelligence are financials --

John Hultquist: Yes.

Rick Howard: -- government agencies --

John Hultquist: Yes.

Rick Howard: -- healthcare.

John Hultquist: Yes.

Rick Howard: Right?

John Hultquist: Yeah, I mean --

Rick Howard: Everybody else, maybe --

John Hultquist: Well, I think it's like a criticality versus vulnerability problem, right? And when I say vulnerability, like we usually think of, oh, it's just like your ability to get knocked over, but it's also like your -- like the capability of actor is a piece of that and your -- the actor's attraction to you based on like their interests. Like for a while, North Koreans --

Rick Howard: That's what I'm saying.

John Hultquist: North Koreans were targeting health care, massive criticality, you know, massive like now suddenly like the vulnerability has shot up because these actors are out there looking for them. You've got to watch this, that sort of math constantly, right, and do that math to sort of figure out what matters.

Rick Howard: Perfect. Any last thoughts about coming out of this conference?

John Hultquist: Oh, it's been a long one, but it's a good -- it's been a good one.

Rick Howard: Well, thanks, John. I appreciate you coming on and talking to us.

John Hultquist: Thanks for having me.

Rick Howard: Yeah, it's good stuff.

John Hultquist: Yeah, that's great. [ Music ]

Rick Howard: And that's a wrap. I'd like to thank John Hultquist, the Chief Analyst at Mandiant, now part of Google Cloud, for coming on the show and discussing the current state of cyber threat intelligence. CSO Perspectives is brought to you by N2K CyberWire. Visit thecyberwire.com for additional resources that accompany this episode. I've added some helpful links in the show notes to help you do more of a deep dive, if that strikes your fancy. And check out our book, "Cybersecurity First Principles: A Reboot of Strategy and Tactics," for a deep dive on a lot of the topics covered in this show. And by the way, we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app, and you can also fill out the survey in the show notes or send an email to csop@n2k.com. That's C-S-O-P @n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at N2K.com. Here at N2K, we have a wonderful team of talented people doing insanely great things to make me sound good. I think it's only appropriate that you know who they are.

Liz Stokes: I'm Liz Stokes. I'm N2K CyberWire's Associate Producer.

Tre Hester: I'm Tre Hester, Audio Editor and Sound Engineer.

Elliot Peltzman: I'm Elliot Peltzman, Executive Director of Sound and Vision.

Jennifer Eiben: I'm Jennifer Eiben, Executive Producer.

Brandon Karpf: I'm Brandon Karpf, Executive Editor.

Simone Petrella: I'm Simone Petrella, the President of N2K.

Peter Kilpe: I'm Peter Kilpe, the CEO and Publisher at N2K.

Rick Howard: And I'm Rick Howard. Thanks for your support, everybody.

All: And thanks for listening. [ Music ]