Future of Threat Intelligence

Team Cymru

Welcome to the Future of Threat Intelligence podcast, where we explore the transformative shift from reactive detection to proactive threat management. Join us as we engage with top cybersecurity leaders and practitioners, uncovering strategies that empower organizations to anticipate and neutralize threats before they strike. Each episode is packed with actionable insights, helping you stay ahead of the curve and prepare for the trends and technologies shaping the future.

  1. Coalition's Daniel Woods on What Cyber Insurance Claims Reveal About Security Controls

    5D AGO

    Daniel Woods, Principal Security Researcher, and his team at Coalition analyzed forensic reports across their 100,000-policyholder base and found 50% of ransomware incidents begin with VPN or firewall exploits. But here's the twist: 40-60% of those aren't vulnerability exploits at all, they're stolen credentials bypassing perimeter devices entirely. Organizations running Cisco ASA devices show 5x higher claim rates than peers, with similar patterns across Fortinet, SonicWall, and Citrix SSL VPNs. When threat actors do exploit vulnerabilities, they're scanning and deploying shells within 24-48 hours of public disclosure, making your 72-hour patch SLAs dangerously obsolete. Daniel also surfaces the gap between security control theory and organizational reality. Microsoft claims 99.9% MFA effectiveness for individual Azure accounts, but insurance claims data shows no measurable risk reduction at the organizational level, because that one service account without MFA, that legacy API integration nobody knew was enabled, or that exec who refused to enroll gives attackers everything they need. Organizations deploying threat-based training focused on social engineering tactics beyond phishing see measurably lower claim rates, suggesting we've been training for the wrong threat surface.

    Topics discussed:
    - Analyzing cyber insurance claims data from 100,000 policyholders to identify which security controls actually reduce incident rates
    - Understanding why perimeter security devices like Cisco ASA, Fortinet, and SonicWall VPNs show 5x higher claim rates in insurance data
    - Examining the 40-60% of edge device breaches caused by stolen credentials rather than vulnerability exploits
    - Closing the gap between Microsoft's 99.9% individual MFA effectiveness claims and zero measurable organizational risk reduction
    - Revealing security awareness training effectiveness through a study showing 2% phishing failure reduction versus threat-based training
    - Comparing email security platforms, where Google Workspace shows lower claim rates than Office 365 due to included-by-default security features
    - Implementing a zero-day alert service that notifies policyholders within hours when vulnerable perimeter devices need immediate patching
    - Rethinking security awareness training as role-specific, finite courses targeting job risks rather than repetitive generic phishing exercises

    Key Takeaways:
    - Audit your external perimeter for exposed Cisco ASA, Fortinet, SonicWall, and Citrix SSL VPN devices.
    - Implement hardware-based MFA enforcement across all services, including legacy APIs and service accounts, to close credential theft gaps.
    - Reduce patch SLAs from 72 hours to under 24 hours, since threat actors scan and deploy shells within 24-48 hours of vulnerability disclosure.
    - Migrate email infrastructure to cloud-hosted platforms like Google Workspace that include security features by default.
    - Replace repetitive generic phishing training with role-specific threat-based courses focused on social engineering tactics.
    - Scan your policyholder or customer base for vulnerable perimeter devices using external scanning services, so you can notify them before exploits occur.
    - Build identity management architecture around centralized services with hardware token enforcement.
    - Evaluate security control effectiveness using multiple data sources rather than vendor claims alone.

    38 min
  2. Stripe's Vincent Passaro on Fraud Taxonomies & Generating Red Team Testing Roadmaps

    FEB 12

    Stripe's 3-person intel team created FT3 (fraud tools, tactics & techniques), a framework modeled after MITRE ATT&CK but purpose-built for financial fraud, to eliminate the communication breakdown where "fraud" required constant reverse engineering. The structured taxonomy now powers both analyst workflows and automated fraud systems operating at transaction-millisecond speeds, with technique-based tagging that gives fraud engines the context to make informed decisions without human interpretation of vague "fraudulent" alerts. Vincent Passaro, Engineering Manager at Stripe Security, walks through their shift from reactive blocking to building infrastructure targeting packages for law enforcement prosecution. By mapping card testing, account takeovers, and money movement techniques across the full attack chain, the team now produces actionable intelligence packages. The framework drives LLM-powered classification of legacy incident reports, threat-informed red team testing by automatically mapping techniques to API capabilities, and standardized intelligence sharing with financial institutions.

    Topics discussed:
    - Creating the FT3 framework, modeled after MITRE ATT&CK, to establish a standardized fraud technique taxonomy
    - Transitioning from AWS tier-3 incident response to financial fraud intelligence while applying cloud security methodologies
    - Building infrastructure targeting packages that map adversary infrastructure roles for law enforcement prosecution
    - Scaling small teams through technique-based tagging that enables fraud systems to make decisions at millisecond transaction speeds
    - Leveraging LLMs for automated classification of historical incident reports and mapping fraud techniques to API endpoint capabilities
    - Integrating threat intelligence with red team and fraud operations to create threat-informed testing roadmaps prioritized by business impact

    Key Takeaways:
    - Build fraud-specific taxonomies to eliminate communication gaps where "fraud" requires constant reverse engineering.
    - Map fraud techniques across the full attack timeline for complete adversary behavior visibility.
    - Create infrastructure targeting packages that identify adversary server roles and network diagrams for prosecution-ready intelligence sharing.
    - Leverage LLMs with fraud technique context to automatically classify historical incident reports and identify new techniques.
    - Use API documentation and fraud frameworks together with LLMs to generate threat-informed red team testing roadmaps.
    - Prioritize threat actor tracking based on business impact and platform prevalence rather than defaulting to nation-state actors or compliance checklists.
    - Integrate threat intelligence, red team, and fraud operations under unified leadership to enable rapid validation of observed techniques.
    - Design fraud frameworks with extensive contextual documentation to enable adoption by non-security teams and facilitate machine-readable intelligence sharing across organizations.

    1h 9m
  3. Fortinet's Aamir Lakhani on Mapping Business Pain Points Attackers Exploit

    FEB 5

    Fortinet processes telemetry from 50% of the next-generation firewall market, giving Aamir Lakhani, Global Director of Threat Intelligence & Adversarial AI Research, and his team visibility into a looming shift: threat actors moving from exploiting a small subset of proven CVEs to weaponizing the entire vulnerability landscape through AI automation. While defenders currently concentrate resources on commonly exploited vulnerabilities, Aamir warns AI will soon enable attacks across everything "just as efficiently and as fast," requiring security teams to rethink patch management strategies when they can no longer rely on focused defense. Aamir also touches on how the World Economic Forum's Cybercrime Atlas program operates through weekly sessions with 20-40 researchers who deliberately build intelligence packages using only open-source methods. This avoids proprietary data so law enforcement can recreate findings and successfully prosecute cases. He shares how his leadership approach rejects the traditional climb: stay at the bottom of the ladder and push your team up, because their public accomplishments improve both team performance and your career trajectory more than personal competition ever could.

    Topics discussed:
    - A 50% next-generation firewall market share providing daily visibility into state-sponsored attacks and ransomware-as-a-service operations
    - AI-driven threat evolution from narrow CVE exploitation to automated attacks across the whole vulnerability landscape, requiring new patch strategies
    - Threat actor professionalization, including recruitment events, training programs, and internal conferences for cybercrime operations
    - Adversarial AI capabilities using local LLM training with tools like Ollama to bypass dependencies on jailbroken models like WormGPT
    - Network-centric threat hunting using metadata and netflow analysis over full packet capture due to bandwidth and analysis constraints
    - World Economic Forum Cybercrime Atlas program methodology using open-source intel to build prosecutable law enforcement intel packages
    - Prioritizing team advancement over personal climbing by publicizing subordinate accomplishments to improve retention and performance
    - AI alert fatigue emerging from comprehensive attack cycle tracking, where 10% incorrect information invalidates 90% accurate findings

    Key Takeaways:
    - Prepare for AI-enabled threat actors to exploit the entire CVE landscape simultaneously.
    - Prioritize metadata and netflow analysis over full packet capture for threat hunting due to better manageability and analysis efficiency.
    - Deploy open-source tools to baseline network behavior and marry telemetry data with threat intel platforms for pattern recognition.
    - Identify your organization's critical pain points that would force ransom payment rather than focusing solely on perimeter defense tech.
    - Join collaborative threat research initiatives like the World Economic Forum's Cybercrime Atlas.
    - Build intelligence packages using open-source methods to ensure findings can be recreated and prosecuted.
    - Conduct CTF-based interviews focused on problem-solving approach and persistence rather than expecting candidates to know all answers.
    - Spotlight your team by publicizing accomplishments and research contributions to improve retention, morale, and your own career advancement.
    - Mandate regular video check-ins to monitor team mental health and prevent burnout in high-stress roles.

    43 min
  4. PayPal's Blake Butler on Finding Fraud Signals in Uncleaned Data

    JAN 29

    PayPal's fraud team catches credential stuffing before money moves by watching business intelligence signals that most organizations overlook: explosive traffic growth to legacy endpoints, mismatched phone numbers against account creation locales, and anomalies hidden in raw uncleaned data. Blake Butler, Senior Manager & Head of Fraud Threat Intelligence, applies infrastructure analysis techniques from offensive security to fraud investigations. This fills the gap most organizations face: anti-fraud teams understand scam mechanics but lack technical depth, whereas infosec practitioners know infrastructure but not how criminals monetize accounts at scale. Blake breaks down how phishing kits now bypass MFA through real-time automation. His detection philosophy: counting and explosive growth patterns beat machine learning for uncovering fraud. Data scientists clean away the signal.

    Topics discussed:
    - Applying offensive security infrastructure analysis methods to fraud threat intelligence investigations
    - Detecting credential stuffing and account takeover campaigns through anomalies in account creation regions, phone number locales, and explosive traffic growth
    - Understanding how modern phishing kits automate real-time OTP theft by integrating directly into legitimate platform APIs during password resets
    - Tracking massive fraud operations emerging from China and South America through business intelligence signals
    - Identifying fraud indicators in uncleaned data: extra spaces, unrenderable characters, and AI-generated webshop metadata artifacts
    - Building security communities to enable monthly collaboration with local practitioners on emerging threats and tool development
    - Bridging the critical talent gap between anti-fraud teams lacking technical infrastructure skills and infosec practitioners without fraud monetization expertise
    - Evaluating phishing-as-a-service platforms and encrypted communication tools that lower barriers to entry for criminal actors

    Key Takeaways:
    - Monitor explosive traffic growth patterns to legacy endpoints and unusual account creation regions to detect credential stuffing.
    - Analyze raw uncleaned data for fraud signals, including extra spaces, unrenderable characters, and metadata artifacts.
    - Apply infrastructure analysis techniques to fraud investigations to identify phishing domains and criminal tooling.
    - Track mismatches between phone number locales and account creation regions as indicators of automated account generation.
    - Investigate anomalies in business intelligence metrics through simple counting before deploying ML models to uncover emerging fraud trends.
    - Build fraud threat intelligence teams that combine offensive security backgrounds with fraud monetization expertise to fill the critical industry talent gap.
    - Attend security community meetups to collaborate with local practitioners on emerging threats between annual conferences.
    - Implement MFA while recognizing that advanced phishing kits now automate real-time OTP theft through direct platform API integration.
    - Hire candidates with infosec infrastructure knowledge who understand how criminal actors use tooling to automate credential stuffing and account monetization operations.

    42 min
  5. Tidal Cyber's Scott Small on Operationalizing MITRE from Intel to Validation

    JAN 22

    Tidal Cyber's Director of Cyber Threat Intelligence Scott Small reveals how his knowledge base now tracks almost 25,000 procedure-level instances across nearly 800 MITRE ATT&CK techniques and sub-techniques, capturing the command-level detail that exposes the false promise of "100% coverage" when working at technique abstraction alone. He argues that the pre-attack reconnaissance phase remains the most essential yet most ignored portion of the framework, including the recently formalized technique for purchasing and selling victim data on stealer marketplaces. Scott's AI workflow treats LLMs strictly as structured data processors that reference MITRE's written technique examples to parse unstructured threat reports, refusing to use them as intelligence sources themselves. He's seeing threat intelligence and detection engineering roles merge as individuals develop hybrid skill sets. His methodology for mapping TTPs to vulnerabilities gives security teams a data-driven rationale to deprioritize patches when strong post-exploitation defenses already cover the attack vector.

    Topics discussed:
    - Tracking almost 25,000 procedure-level instances across 800 MITRE ATT&CK techniques to expose the false promise of technique-level coverage alone
    - Defending pre-attack reconnaissance phases, including the technique for purchasing victim data on stealer marketplaces
    - Classifying scanning activity by threat type to prioritize C2 infrastructure linked to APTs over fraud-related domains
    - Blending threat intelligence and detection engineering roles as analysts gain EDR skills
    - Using AI as a structured data processor that references MITRE's written technique examples to parse unstructured threat reports without generating intelligence
    - Mapping TTPs to vulnerabilities to create a data-driven rationale for deprioritizing patches when post-exploitation defenses cover the vector
    - Visualizing attack narratives through the MITRE ATT&CK matrix to tell leadership about defense gaps and justify resource allocation decisions

    Key Takeaways:
    - Track adversary procedures at the command and protocol level to identify real defense gaps.
    - Monitor stealer marketplace activity and automated dealer platforms for credential exposures tied to your domain, then reset credentials.
    - Prioritize threat intel alerts by focusing first on APT-linked activity over fraud campaigns.
    - Develop hybrid skill sets where CTI analysts understand EDR logging capabilities and threat hunters consistently consult adversary behavior reporting for hunt hypotheses.
    - Implement AI workflows that use LLMs to extract structured technique data from unstructured threat reports, not as intelligence output itself.
    - Map TTPs to specific vulnerabilities to build data-driven cases for deprioritizing patches when post-exploit defenses provide coverage.
    - Create visual attack narratives using the MITRE ATT&CK matrix to communicate defense gaps and resource needs.

    32 min
  6. Marsh McLennan's Casey Beaumont on Vendor Breach Assessments That Cut through Legal Games

    JAN 15

    When Casey Beaumont's entire CTI team departed just before new analysts started, she found herself running threat intelligence solo for months while directing incident response, threat hunting, and red team operations. That trial by fire taught her exactly what separates tactical intelligence from strategic value, and why the best analysts invest significant personal time building trust networks that enterprise tools cannot replicate. Casey's teams at Marsh McLennan, where she's the Director of Advanced Cyber Practices, received warnings about Scattered Spider infrastructure 20 minutes after domains registered, before threat actors sent a single SMS phishing message to employee cell phones. That early intelligence enabled blocking domains internally and preparing communications before the first report came in. These private intel networks, built through years of trust and after-hours engagement, consistently deliver the warnings that matter most for large enterprises facing sophisticated, targeted attacks. Beyond tactical response, Casey explains how her CTI program produces strategic intelligence that drives architectural decisions. She also shares her framework for vendor breach assessments that cuts through legal wordplay, why attribution matters far less than response speed during active incidents, and how to scope the CTI mission appropriately to prevent analyst burnout in organizations with massive attack surfaces.

    Topics discussed:
    - Managing unified teams of CTI, threat hunting, red team, and incident response to eliminate resource allocation friction during active incidents and supply chain events.
    - Building private intelligence networks that deliver infrastructure warnings within 20 minutes of threat actor activity.
    - Transitioning from tactical incident response to strategic CTI leadership and learning analyst tradecraft through necessity when running solo.
    - Conducting vendor breach assessments using four critical questions about control gaps, persistence, data exposure, and remediation plans.
    - Evaluating intelligence relevance at large enterprises with complex environments where shadow IT, acquisitions, and distributed technology create unclear exposure.
    - Why vendor breaches should not automatically disqualify partnerships, and how strong vendor relationships enable influence over authentication improvements and security controls.
    - Producing strategic CTI that drives architectural investment decisions by documenting systemic risks across technology ecosystems rather than isolated incidents.
    - Understanding CTI stakeholder needs through deliberate interviewing to prevent analysts from producing reports that leadership ignores.
    - Sharing unattributed intelligence with law enforcement that enabled warnings to seven or eight fully breached companies with no awareness of compromise.
    - Why leadership overemphasizes attribution during active incidents when tactical response and containment should take priority.
    - How great CTI analysts invest significant personal time building professional brands, attending conferences, and earning trust in private intelligence communities.

    Key Takeaways:
    - Consolidate CTI, threat hunting, red team, and incident response under unified leadership to eliminate resource allocation friction during active supply chain incidents and targeted attacks.
    - Conduct vendor breach assessments using four critical questions: what control gaps enabled the breach, does the actor maintain persistence, what client data was exposed, and what remediation plans address root causes.
    - Identify vendor evasiveness during breach discussions by listening for careful language around product names that insinuates limited scope while obscuring broader organizational compromise.
    - Produce strategic CTI reports that document systemic risks across technology ecosystems rather than isolated incidents, giving executives justification for architectural investment decisions.
    - Interview CTI stakeholders systematically to understand what intelligence formats and content they need before analysts waste time producing reports that leadership ignores.
    - Scope the CTI team mission to specific focus areas like tactical threats and supply chain rather than attempting comprehensive coverage of vulnerabilities, geopolitics, and fraud with limited staff.
    - Share unattributed threat intelligence with law enforcement partners when legal and privacy teams approve, to enable warnings for other breached organizations unaware of compromise.
    - Deprioritize threat actor attribution during active incident response unless conclusive evidence enables tactical pivots, focusing instead on containment and remediation before forensic analysis.

    40 min
  7. State CISOs on Why Cyberattacks Against 1 State Attack All of America

    JAN 8

    Michael Moore, CISO for the Secretary of State of Arizona's office, explains how he acts as a virtual CISO for all 15 counties by conducting physical security assessments at election facilities and providing real-time guidance during critical events. His approach treats surprise attacks as learning opportunities that should only work once, immediately sharing adversary infrastructure and TTPs across the entire election community to burn their capabilities. Michael emphasizes that misinformation, disinformation, and malinformation represent converging threat vectors that manifest as both cyber attacks and physical violence, requiring defenders to think beyond traditional security boundaries. Ryan Murray, CISO for the State of Arizona, shares his Cybersecurity Trinity for AI framework: defend from AI-enabled attacks, defend with AI-augmented tools, and defend the AI systems organizations deploy. He explains how Arizona replicated MS-ISAC functionality through AZ ISAC, enabling 1,000+ government personnel across 200+ entities to share intelligence in real time without requiring mature security programs. Ryan stresses that organizations already generate valuable threat intelligence internally through phishing reports and security alerts, and the real challenge is communication and relationship-building rather than expensive commercial feeds.

    Topics discussed:
    - How physical security gaps at government facilities create tactical vulnerabilities that scale across entire states.
    - Building sector champion models where election security and critical infrastructure specialists act as virtual CISOs for under-resourced local governments.
    - Why misinformation, disinformation, and malinformation represent converging cyber, physical, and reputational threat vectors that radicalize populations into kinetic attacks.
    - Implementing real-time threat intelligence sharing protocols that enable 1,000+ defenders to communicate via platforms like Slack during active incidents.
    - The evolution from receiving threat intelligence to generating intelligence internally by analyzing phishing campaigns, user reports, and infrastructure scanning patterns.
    - Applying the "surprise attack only works once" principle by burning adversary infrastructure and TTPs immediately through broad intelligence sharing.
    - Why the distinction between "intelligence" in national security contexts versus cyber threat intelligence creates executive buy-in challenges.
    - How to prove negative outcomes and communicate near-miss stories where intelligence prevented catastrophic breaches.
    - The collapsing patch window problem, where automated vulnerability discovery and exploitation eliminates traditional seven-day remediation timelines.
    - Implementing the Cybersecurity Trinity for AI: defending from AI-enabled attacks, defending with AI-enhanced tools, and defending AI systems from prompt injection and data leakage.
    - Why secure-by-design pledges fail when financially motivated vendors push defensive responsibility to the least capable organizations.
    - Building tabletop exercise programs that prepare election officials for denial-of-service attacks disguised as physical threats.
    - How generative AI enables Script Kiddie 2.0, where non-technical adversaries automate reconnaissance, exploitation, and data exfiltration through natural language prompts.
    - The challenge of deepfakes and synthetic media targeting sub-national officials who lack the visibility and resources for sophisticated reputation defense.

    Key Takeaways:
    - Build sector champion programs where specialists act as virtual CISOs for under-resourced entities.
    - Implement real-time communication platforms like Slack that enable defenders to share threat indicators during active incidents.
    - Generate internal threat intelligence by systematically analyzing phishing campaigns, tracking top recipients, subject lines, and infrastructure patterns.
    - Apply the principle that surprise attacks should only work once by immediately burning adversary infrastructure and TTPs through broad community sharing.
    - Use tabletop exercises to prepare personnel for converged threats like bomb hoaxes that function as denial-of-service attacks on critical operations.
    - Frame AI strategy using the Cybersecurity Trinity: defend from AI-enabled attacks, defend with AI tools, and defend AI systems from exploitation.
    - Recognize that patch windows have collapsed to zero for critical edge-facing vulnerabilities due to automated discovery and weaponization.
    - Focus communications on near-miss stories that demonstrate how intelligence prevented catastrophic outcomes before executive awareness.

    45 min
  8. Safebooks AI’s Ahikam Kaufman on Why CFOs Need Company-Specific AI Models for Fraud Detection

    09/25/2025

    Unlike CISOs, who work with consistent vulnerabilities across cloud environments, CFOs face company-specific financial processes that change constantly, making automation historically complex to solve before the AI era. Ahikam Kaufman, CEO & CFO of Safebooks AI, explains why machine learning is the only viable solution to detect sophisticated embezzlement schemes that regulatory compliance demands every public company address, with no materiality threshold. His background building fraud prevention systems at Intuit and Check has taught him how graph technology can link seemingly unrelated financial transactions to expose coordinated internal fraud attempts that would be impossible for humans to catch at scale. The challenge is compounded by the fact that most finance staff are accountants, not technologists, requiring AI tools that bridge data complexity without demanding high technical skill levels.

    Topics discussed:
    - Sarbanes-Oxley requires fraud protection programs with no materiality thresholds, yet most organizations lack systematic detection across payroll, vendor, and expense systems.
    - Financial fraud detection requires unique AI models for each company using historical data, unlike consistent threats across organizations.
    - Advanced fraud schemes link multiple transaction types, requiring graph technology to connect disparate activities that individual monitoring would miss.
    - Fraudsters use AI for parallel attacks, fake invoices, vendor manipulation, and executive impersonation, requiring automated defense systems for real-time processing.
    - Achieving 99.9% accuracy through structured enterprise data and rule-based controls where financial precision is non-negotiable.
    - Financial AI platforms integrate with existing systems without replacements or workflow changes, providing immediate automation value.

    Key Takeaways:
    - Implement AI-powered fraud detection systems that monitor vendor account changes, payroll additions, and journal entry anomalies.
    - Build company-specific AI models using 1-2 years of historical financial data to learn unique business processes, data structures, and transaction patterns.
    - Deploy graph technology to link related financial transactions across different systems to identify coordinated fraud attempts.
    - Establish partnerships between CFOs and CISOs to combine external cybersecurity threat detection with internal financial fraud monitoring.
    - Focus on AI platforms that integrate with existing financial technology stacks without requiring system replacements.
    - Create rule-based governance frameworks for financial AI systems to eliminate hallucinations and maintain accuracy levels.
    - Monitor AI-amplified fraud techniques, such as sophisticated fake invoices, manipulated vendor banking information, and executive impersonation.
    - Develop automated systems that can demonstrate reasonable effort for fraud prevention to satisfy regulatory requirements and insurance protections.

    27 min
