Future of Threat Intelligence

Team Cymru

Welcome to the Future of Threat Intelligence podcast, where we explore the transformative shift from reactive detection to proactive threat management. Join us as we engage with top cybersecurity leaders and practitioners, uncovering strategies that empower organizations to anticipate and neutralize threats before they strike. Each episode is packed with actionable insights, helping you stay ahead of the curve and prepare for the trends and technologies shaping the future.

  1. Scott Scher on Why CTI Teams Forecast Instead of Predict

    APR 9

    Scott Scher, Cyber Threat Intelligence Lead, makes a distinction that reframes how intel teams should think about their own value: they are forecasters, not predictors. That shift in framing has concrete consequences for how CTI programs justify themselves internally, and Scott argues that the most meaningful metric isn't alert volume or report count, but the decisions intel has actually influenced. Scott also addresses where he sees the threat landscape heading, and his read on ransomware cuts against how many teams are still oriented. He argues that encryption-focused ransomware has largely peaked in value for attackers; the real shift is toward pure data exfiltration. He also touches on AI in CTI with a grounded take: it's useful for accelerating manual analyst tasks like data gathering and link analysis, but only if intelligence teams define how it gets used before the organization does it for them.

    Topics discussed:
    - Why CTI teams operate in the forecasting space rather than the prediction space
    - The practical implications for how assessments are communicated to stakeholders and leadership
    - The challenge of quantifying CTI value through decision-driven metrics rather than output volume
    - Mapping each stakeholder's workflow outputs and the triggers that drive them, then injecting intelligence at the right point in that chain
    - The evolution of ransomware toward exfiltration-only models, and why this reframes the defensive priority from backup to data loss prevention
    - How CTI teams can use strategic intelligence to drive organizational decisions on edge device hardening and third-party risk
    - The role of AI in intel workflows as a force multiplier for manual analyst tasks, and why teams need to define that use case proactively
    - The collective defense model emerging at the state and local government level
    - Why making analytic assessments scientifically defensible is what separates credible CTI from noise

    Key Takeaways:
    - Reframe your team's value proposition around decisions influenced, not products delivered.
    - Map each stakeholder's workflow before defining your intelligence requirements.
    - Conduct monthly stakeholder cadences specifically to capture feedback on delivered products.
    - Ask stakeholders about their biggest obstacles, not just their intel requirements.
    - Reorient ransomware defensive priorities toward data loss prevention.
    - Use sustained trend analysis to build strategic intelligence cases for resource allocation.
    - Get ahead of how AI is used in your CTI workflows before organizational pressure defines it for you.
    - Treat qualitative stakeholder feedback as a scientific input, not an afterthought.
    - Document the reasoning behind every intelligence assessment, not just the conclusion.
    - Pursue an interdisciplinary lens when building CTI programs and hiring.

    45 min
  2. You Can't Trust Your Zoom Call Anymore. Deepfakes, DPRK & the New Attack Surface

    MAR 26

    Deepfakes have moved well past the uncanny valley and into active threat operations, and Tom Cross, Head of Threat Research at GetReal, has the client-side case studies to back it up. Tom explains how North Korean IT worker infiltration campaigns have transformed HR and video conferencing from administrative functions into active attack surface, albeit one that most security teams aren't monitoring, logging, or ingesting into their SIEM. Drawing on a long-running collaboration with a former West Point professor and intelligence officer, Tom also applies the military framework of tactical, operational, and strategic intelligence to cybersecurity, arguing that most CTI programs are really just lists of burned indicators. The actual value of IOCs, he contends, is retrospective: discovering you were communicating with a known-bad actor means you may still be compromised. He makes the case for connecting adversary intent models, red team findings, and vulnerability data into a unified predictive picture.

    Topics discussed:
    - How North Korean IT worker infiltration has converted HR processes and video conferencing into an active, unmonitored attack surface
    - Voice-cloned peer impersonation via messaging apps, followed by deepfaked video calls and malware delivery
    - Why deepfake audio attacks on IT help desk credential reset processes are among the most likely near-term vectors
    - Biometric indicators of compromise and the significant false-positive risks that distinguish them from traditional IP or domain IOCs
    - How the military intelligence framework of tactical, operational, and strategic analysis applies to CTI programs
    - The strategic importance of retrospective IOC analysis versus forward-looking ingestion
    - Why DPRK's financial motivation model expands their target set far beyond what traditional nation-state threat modeling would predict

    Key Takeaways:
    - Ingest video conferencing logs into your SIEM.
    - Audit your remote credential reset process for social engineering resistance.
    - Map red team findings and vulnerability data to specific adversary profiles rather than treating them as a generic remediation backlog.
    - Implement retrospective IOC analysis alongside forward-looking blocking.
    - Treat DPRK's financial motivation as an equalizer when assessing APT exposure.
    - Build threat intelligence at the strategic layer by modeling adversary intent and objectives, not just cataloging observed TTPs.
    - Apply extra care to biometric IOC sharing.
    - Monitor employee working-hour patterns against claimed time zones as a behavioral indicator of potential employment fraud.
    - Extend IOC taxonomy to include multimedia and biometric formats.

    43 min
  3. Two Minds. One Reframe. A Shift That Won't Wait.

    MAR 19

    Vincent Passaro, Engineering Manager at Stripe Security, didn't get there through a slide deck or a company mandate. He got there through a shower thought that followed a conversation with a friend, and it broke how he'd been thinking about building, leading, and even measuring his own team. The reframe was simple, and it did not start with "we're all going to be software developers." Rather: "we're going to be product owners." That single pivot changed everything downstream, including how he approached prototyping, how he set success criteria for agents, and how he coached his team out of chasing bugs and into defining outcomes. In this episode, Will and Vince trace both of their "pin drop" moments, the specific conversations that shifted their mental models, then try to articulate what that shift actually means for CTI analysts and security engineers working real problems today. They talk about what it felt like to stop asking "how do I wire this" and start asking "what does success look like," and how fast things moved once that happened. They're honest about what breaks, like the siloed tools that don't talk to each other, the governance vacuum that opens when every analyst is shipping products, and the dopamine trap of adding features instead of finishing work. And they're equally direct about what becomes possible when outcome velocity, not headcount or tooling budget, becomes the competitive edge. This isn't a conversation about AI hype. It's about what happens when two practitioners who've spent years operating the plumbing realize the plumbing has been commoditized, and what that means for where human judgment actually matters now. If you've been waiting for the right moment to pay attention, this is probably the episode where you stop waiting.

    Topics discussed:
    - "Product owner" vs. "developer" mindset and why it changes how analysts build tooling
    - Defining outcome criteria upfront as the core discipline for AI-assisted development
    - How AI collapses experimentation costs and eliminates dev team dependency
    - Analyst-owned toolkits and outcome velocity as a competitive edge for small teams
    - The governance risk: product silos, duplicated tooling, and inconsistent standards
    - FT3 as an open-source framework built to lower the community contribution barrier
    - Why CISO/board resistance to AI on security grounds will backfire
    - Threat actors are scaling the same way; analyst adaptation is the necessary response

    Key Takeaways:
    - The unlock isn't learning to code: it's learning to think backwards from the outcome. Define what success looks like, set the criteria the agent has to meet before it moves on, and stop micromanaging the implementation. That's the product owner shift.
    - Slow down before you build. Spend more time in planning than in execution, using deep research across multiple models, comparing outputs, and stress-testing the concept before a single line gets written.
    - Drop the subscription and treat the model like a teacher, not a tool. Start with a problem you already understand. Ask it to walk you from zero to fluent. It will tell you to stop thinking like a developer and start thinking like a product owner.
    - If you have a backlog of problems you gave up on because they weren't staffable, go find them. The feasibility question that used to take months to answer now takes an afternoon. Start there.
    - Before your next team planning cycle, map what everyone is building. The duplicate tools are already being written in parallel by people who don't know about each other. Get ahead of it now, because it only compounds.
    - If you're involved in open-source threat intel frameworks, the contribution problem was never motivation, it was friction. The tooling gap is closable. Build the on-ramp and the community will use it.

    42 min
  4. TIG Risk Services' Duaine Labno on How Remote Hiring Became an Opening for Infiltration

    MAR 12

    What happens when a DPRK IT worker operation lands inside one of your clients, and the three-letter agency you call says they can't show up? Duaine Labno, Director of Special Investigations & Threat Intelligence at TIG Risk Services, walks through exactly that case: his team built a ruse to recover the compromised laptop, staged a physical handoff at corporate HQ, filmed the courier, ran his plates, and traced him to multiple properties. This produced the kind of ground-level intelligence the FBI told him they'd never seen before in a US-based DPRK case. Duaine explains why digital and physical investigations have to run in parallel from day one rather than be handed off sequentially, and what that looks like operationally when federal resources don't materialize. He also breaks down how post-COVID remote hiring processes that are speed-optimized gave adversaries a repeatable entry point, and why an untrained recruiter doing a soft document check is now a meaningful attack surface for corporate networks.

    Topics discussed:
    - How post-COVID remote hiring processes relaxed identity verification standards and created repeatable enterprise network entry points
    - Running parallel digital and physical investigations simultaneously when tracking identity fraud and insider threats
    - Using open-source intelligence and proprietary threat monitoring software to scan millions of data points for suspect behavioral patterns
    - Executing a live DPRK IT worker case using physical surveillance, a document ruse, and plate runs to identify a U.S.-based operator
    - Why untrained recruiters conducting soft document checks have become a meaningful attack surface in corporate hiring pipelines
    - How adversaries are weaponizing AI for voice alteration, deepfakes, and document manipulation to bypass hiring and KYC verification processes
    - The case for vetted, secure cross-industry intelligence sharing platforms to close gaps that individual organizational silos leave open
    - Where cyber threat intelligence trails end and physical investigation must pick up to produce actionable, court-ready evidence

    Key Takeaways:
    - Treat remote hiring pipelines as an active attack surface by pulling security, legal, and HR into the process.
    - Train recruiters to recognize fraudulent identity documents as a first line of defense against adversarial infiltration of corporate networks.
    - Run digital and physical investigations in parallel from the start rather than waiting for cyber analysis to conclude.
    - Build contingency plans for federal non-response into any investigation involving foreign threat actors.
    - Deploy threat monitoring software capable of scanning open-source data at scale to surface behavioral patterns and connections.
    - Establish vetted, secure intelligence sharing relationships with peer organizations and law enforcement to close the visibility gaps.
    - Pressure-test AI-assisted hiring tools against deepfake and voice alteration scenarios before deploying them.

    31 min
  5. Thermo Fisher's Matt McKnew on the Evolution of Ransomware as a Service

    MAR 5

    When Matt McKnew, Senior Manager of Incident Response at Thermo Fisher, tracked down the Nimda worm in 2001 by analyzing packet captures to identify NetBIOS saturation patterns, threat actors weren't trying to get paid; they were causing disruption. Today, he's defending against ransomware groups that operate like businesses, complete with service models and affiliate networks. Matt explains why Clop's acquisition of six zero-days puts them in APT territory regardless of financial motivation, how attackers now hide in the noise of criminal operations, making nation-state activity harder to detect, and why the North Korean IT worker scam succeeds by exploiting weak hiring processes rather than technical vulnerabilities.

    Topics discussed:
    - Responding to the Nimda worm using packet capture analysis to identify NetBIOS saturation patterns across satellite ISP infrastructure
    - Building trusted peer networks for crowdsourcing threat intelligence during active incidents rather than relying solely on formal feeds
    - Analyzing Clop ransomware's acquisition of six zero-days as evidence of APT-level sophistication despite purely financial motivation
    - Implementing structured incident response documentation and processes to enable faster recovery and more nimble response
    - Evaluating nation-state threat actors by understanding their 5-year strategic plans and objectives rather than mapping everything to MITRE ATT&CK
    - Deploying agentic AI to standardize analyst work products and maintain consistent intelligence delivery across global security teams
    - Examining North Korean IT worker infiltration campaigns that exploit weak HR and recruitment processes
    - Differentiating financially-motivated ransomware operations from nation-state APT campaigns while recognizing blurred lines in TTPs

    Key Takeaways:
    - Document incident response procedures upfront with standardized policies to reduce response time during active security incidents.
    - Build trusted peer networks across industry for crowdsourcing threat intelligence when formal feeds lack critical real-time information.
    - Evaluate ransomware groups for APT-level capabilities when they acquire multiple zero-days regardless of their financial motivations.
    - Research adversary 5-year strategic plans and national objectives to understand nation-state threat actor targeting.
    - Deploy agentic AI systems to standardize analyst work products and maintain consistent intelligence delivery formatting.
    - Strengthen HR and recruitment processes with technical screening questions to defend against North Korean IT worker infiltration.
    - Maintain curiosity and interrogate suspicious indicators until they make complete sense rather than accepting surface-level explanations.
    - Recognize that attackers leverage the same automation and AI capabilities defenders use, requiring equivalent adoption to maintain defensive parity.

    35 min
  6. Tokio Marine HCC's Alex Bovicelli on the SMB Ransomware Wave the Industry Isn't Talking About

    FEB 26

    Running CTI at a cyber insurance carrier, across tens of thousands of companies, forces a triage discipline most programs never need to build. Alex Bovicelli, Senior Director of Threat Intelligence at Tokio Marine HCC, describes how his team scaled by narrowing focus to one thing: the initial access vectors threat actors are actually using right now. That means not CVSS scores or spray-and-pray alerts, but underground forum activity, access broker behavior, and credential exposure from info stealer logs that most SMBs have zero visibility into. When a detection fires, his team doesn't just notify; they walk the customer through remediation and confirm the issue is closed, because for a company relying on an MSP with no internal security staff, an alert without support is just noise. The more pointed conversation is about what's not making headlines: thousands of SMBs are getting hit by ransomware every year, and groups like Akira have built a business model specifically around it: high volume, low ransom, staying below the threshold that triggers serious law enforcement attention. Alex explains how those attacks succeed not through sophisticated tradecraft but through SSL VPN brute forcing tools left running unattended, returning thousands of valid credentials against organizations that have no account lockout policies, no MFA on remote access, and no way to know their credentials are already in a log collector somewhere.

    Topics discussed:
    - Building intelligence-led CTI programs at scale by anchoring detection on initial access vectors, access broker activity, and credential exposure
    - Using underground forum proximity and info stealer log correlation to identify compromised credentials across thousands of organizations
    - Operationalizing pre-claim threat intelligence within cyber insurance to eradicate initial access before events generate claims
    - Closing the alert-to-remediation loop for SMBs by delivering detection, support, and mitigation confirmation as a single workflow
    - How Akira and similar ransomware groups deliberately target SMBs with high-volume, sub-threshold attacks
    - Rethinking CVSS-based patching prioritization by incorporating criminal exploitability and at-scale attack frequency into triage
    - Separating AI as an intelligence producer from AI as a report summarizer, where automation could realistically drive patching priority
    - Why most external threat feeds leave CTI teams in a retroactive posture, and how incident response data from insurance claims changes that

    Key Takeaways:
    - Anchor your CTI program on initial access vectors rather than trying to cover every vulnerability class across your environment.
    - Monitor access broker activity and underground forums to understand which threat actors are actively buying and selling against your industry or infrastructure.
    - Integrate info stealer log analysis into your detection pipeline to identify compromised credentials before threat actors use them for lateral movement or ransomware deployment.
    - Shift your patching prioritization model away from CVSS scores and toward criminal exploitability.
    - Design alerts for smaller IT teams to be remediation-ready on receipt, because an alert without a clear next step will not get acted on.
    - Close the loop on every detection by confirming mitigation was completed, not just that the alert was acknowledged.
    - Enforce account lockout policies and MFA on all SSL VPN and remote access entry points as a baseline control.
    - Assess AI tooling for your CTI program on whether it can produce intelligence rather than just consume it through report summarization.
    - Use incident response data from post-claim analysis to validate your pre-claim detection signals.

    37 min
  7. Coalition's Daniel Woods on What Cyber Insurance Claims Reveal About Security Controls

    FEB 19

    Daniel Woods, Principal Security Researcher, and his team at Coalition analyzed forensic reports across their 100,000-policyholder base and found 50% of ransomware incidents begin with VPN or firewall exploits. But here's the twist: 40-60% of those aren't vulnerability exploits at all; they're stolen credentials bypassing perimeter devices entirely. Organizations running Cisco ASA devices show 5x higher claim rates than peers, with similar patterns across Fortinet, SonicWall, and Citrix SSL VPNs. When threat actors do exploit vulnerabilities, they're scanning and deploying shells within 24-48 hours of public disclosure, making your 72-hour patch SLAs dangerously obsolete. Daniel also surfaces the gap between security control theory and organizational reality. Microsoft claims 99.9% MFA effectiveness for individual Azure accounts, but insurance claims data shows no measurable risk reduction at the organizational level, because that one service account without MFA, that legacy API integration nobody knew was enabled, or that exec who refused to enroll gives attackers everything they need. Organizations deploying threat-based training focused on social engineering tactics beyond phishing see measurably lower claim rates, suggesting we've been training for the wrong threat surface.

    Topics discussed:
    - Analyzing cyber insurance claims data from 100,000 policyholders to identify which security controls actually reduce incident rates
    - Understanding why perimeter security devices like Cisco ASA, Fortinet, and SonicWall VPNs show 5x higher claim rates in insurance data
    - Examining the 40-60% of edge device breaches caused by stolen credentials rather than vulnerability exploits
    - Closing the gap between Microsoft's 99.9% individual MFA effectiveness claims and zero measurable organizational risk reduction
    - Revealing security awareness training effectiveness through a study showing 2% phishing failure reduction versus threat-based training
    - Comparing email security platforms where Google Workspace shows lower claims rates than Office365 due to included-by-default security features
    - Implementing a zero-day alert service that notifies policyholders within hours when vulnerable perimeter devices need immediate patching
    - Rethinking security awareness training as role-specific, finite courses targeting job risks rather than repetitive generic phishing exercises

    Key Takeaways:
    - Audit your external perimeter for exposed Cisco ASA, Fortinet, SonicWall, and Citrix SSL VPN devices.
    - Implement hardware-based MFA enforcement across all services, including legacy APIs and service accounts, to close credential theft gaps.
    - Reduce patch SLAs from 72 hours to under 24 hours, since threat actors scan and deploy shells within 24-48 hours of vulnerability disclosure.
    - Migrate email infrastructure to cloud-hosted platforms like Google Workspace that include security features by default.
    - Replace repetitive generic phishing training with role-specific threat-based courses focused on social engineering tactics.
    - Scan your policyholder or customer base for vulnerable perimeter devices using external scanning services to notify before exploits occur.
    - Build identity management architecture around centralized services with hardware token enforcement.
    - Evaluate security control effectiveness using multiple data sources rather than vendor claims alone.

    38 min
  8. Stripe's Vincent Passaro on Fraud Taxonomies & Generating Red Team Testing Roadmaps

    FEB 12

    Stripe's 3-person intel team created FT3 (fraud tools, tactics & techniques), a framework modeled after MITRE ATT&CK but purpose-built for financial fraud, to eliminate the communication breakdown where "fraud" required constant reverse engineering. The structured taxonomy now powers both analyst workflows and automated fraud systems operating at transaction-millisecond speeds, with technique-based tagging that gives fraud engines the context to make informed decisions without human interpretation of vague "fraudulent" alerts. Vincent Passaro, Engineering Manager at Stripe Security, walks through their shift from reactive blocking to building infrastructure targeting packages for law enforcement prosecution. By mapping card testing, account takeovers, and money movement techniques across the full attack chain, the team now produces actionable intelligence packages. The framework drives LLM-powered classification of legacy incident reports, threat-informed red team testing by automatically mapping techniques to API capabilities, and standardized intelligence sharing with financial institutions.

    Topics discussed:
    - Creating the FT3 framework, modeled after MITRE ATT&CK, to establish a standardized fraud technique taxonomy
    - Transitioning from AWS tier-3 incident response to financial fraud intelligence while applying cloud security methodologies
    - Building infrastructure targeting packages that map adversary infrastructure roles for law enforcement prosecution
    - Scaling small teams through technique-based tagging that enables fraud systems to make decisions at millisecond transaction speeds
    - Leveraging LLMs for automated classification of historical incident reports and mapping fraud techniques to API endpoint capabilities
    - Integrating threat intelligence with red team and fraud operations to create threat-informed testing roadmaps prioritized by business impact

    Key Takeaways:
    - Build fraud-specific taxonomies to eliminate communication gaps where "fraud" requires constant reverse engineering.
    - Map fraud techniques across the full attack timeline for complete adversary behavior visibility.
    - Create infrastructure targeting packages that identify adversary server roles and network diagrams for prosecution-ready intelligence sharing.
    - Leverage LLMs with fraud technique context to automatically classify historical incident reports and identify new techniques.
    - Use API documentation and fraud frameworks together with LLMs to generate threat-informed red team testing roadmaps.
    - Prioritize threat actor tracking based on business impact and platform prevalence rather than defaulting to nation-state actors or compliance checklists.
    - Integrate threat intelligence, red team, and fraud operations under unified leadership to enable rapid validation of observed techniques.
    - Design fraud frameworks with extensive contextual documentation to enable adoption by non-security teams and facilitate machine-readable intelligence sharing across organizations.

    1h 9m
