Cyber Threat Intelligence Podcast

Season 1 - Episode 6 (Pedro Kertzman & Aaron Roberts)

What happens when you combine the precision of open-source intelligence with the strategic focus of cyber threat intelligence? Aaron Roberts, founder of Prospective Intelligence and author of "Cyber Threat Intelligence: The No-Nonsense Guide for CISOs and Security Managers," reveals the powerful intersection where these disciplines meet.

Aaron's journey from aspiring football coach to cyber threat expert provides a fascinating backdrop to our conversation. After starting in IT support and gradually moving through cybersecurity roles, he discovered the power of OSINT in identifying threats before they materialize. This evolution shaped his unique perspective on threat intelligence - one that values both commercial tools and grassroots solutions from the OSINT community.

The most compelling insights emerge when Aaron discusses the practical realities of threat intelligence on a budget. Rather than viewing financial constraints as limitations, he demonstrates how they can drive innovation. From leveraging free GitHub repositories to repurposing marketing tools for security, Aaron reveals how small and medium businesses can build sophisticated threat detection capabilities without breaking the bank. His mention of C2Tracker - a free tool that can identify command and control infrastructure before many commercial feeds - highlights how open-source approaches sometimes outperform their expensive counterparts.

Perhaps most valuable is Aaron's framework for attack surface intelligence. By examining credentials exposed in data breaches and stealer logs, identifying vulnerabilities in internet-facing systems, monitoring brand sentiment, and detecting typosquat domains, he creates a comprehensive view of organizational risk. This methodology helps companies understand how attackers perceive them - vital intelligence for preemptive defense.

Throughout our discussion, one theme remains constant: effective threat intelligence requires more than technical prowess. Understanding business context, establishing clear intelligence requirements, and communicating findings effectively transform raw data into actionable insights. As Aaron puts it, "You can spend all day writing reports about ransomware groups, but if you don't understand what the business is trying to do, you can't really protect it."

Want to strengthen your organization's security posture through practical, intelligence-led approaches? Connect with us on LinkedIn in the Cyber Threat Intelligence Podcast group to continue the conversation and discover how these principles might apply to your unique security challenges.

Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure!

Aaron Roberts:

And that's how the corporate credentials are breached.

Rachael Tyrell:

Hello and welcome to Episode 6, Season 1 of your Cyber Threat Intelligence podcast. Whether you're a seasoned CTI expert, a cybersecurity professional, or simply curious about the digital battlefield, our expert guests and host will break down complex topics into actionable insights. On this episode of Season 1, our host, Pedro Kertzman, will chat with Aaron Roberts. Aaron is a cyber threat intelligence expert specialized in open source intelligence, with experience across the UK public and private sectors and the military, and is a founding member of the UK OSINT community. Aaron, thanks so much for coming to the show. It's great to have you here.

Aaron Roberts:

Thanks so much, Pedro. It's great to be here.

Pedro Kertzman:

Awesome. And I usually start by asking the guests about their journey to CTI. Would you mind walking us through that, please?

Aaron Roberts:

Yeah. So back in the land before, I'd say, ubiquitous internet, I'd always been interested in computers and stuff growing up, mostly because of video games, probably like a lot of CTI analysts. And then as I was growing up, trying to figure out what to do with my life, I decided that I wanted to be a football coach, which is not very cyber, not very intelligence analyst, very far removed from that. I guess there was some data analysis involved, but a very different world. So I went to university and started studying sports and coaching, thinking this is a good route to go down and there's a good career in something I'm interested in down the road, until you find out, particularly in the UK and probably in most developed nations where football is a big deal (or soccer, which you might call it in the US), it turns out it's more who you know rather than what you could learn through a formal degree. And I think that's something where a lot of people probably make this realisation as they're growing up: the idea of "I've got a degree in this thing, so therefore I can now be a person over here doing this subject" is very, very different; perceptions versus reality. So through university, I was not really enjoying the course. It wasn't really what I'd anticipated it being anyway. And it eventually came down to a point where I'd seen a local government department had advertised vacancies, and I'd always assumed, growing up watching a lot of 24 and bad quality action movies, that I could do that: I want to be a spy, let's do that. And I'm thinking, out of curiosity, how far could I get in this process, thinking I would probably not even get paper-sifted to an interview, let alone anything else. But long story short, I somehow managed to talk myself into a job. So I was working in the civil service in the UK, initially as an IT support analyst. 
So, eventually, level one support: answering phone calls, diagnosing problems and either using known fixes or trying to work the issue out, and then either resolving the problem or passing it on to deeper technical support. And that gave me a really good foundational knowledge around operating systems and computers and, to a lesser extent, I would say networking, because most of the network issues you just have to pass on, because you either don't have the right access to tools or you don't have that level of knowledge to be able to resolve them. From there, I came to the end of that post and was looking for the next move, and I transitioned into more of a cybersecurity role, which was less technical in terms of resolving issues and understanding day to day what was happening in different situations, but it put me in a much more customer-facing role. So I would interface with different government departments, the private sector as well, and understand and anticipate the questions they would be asking about things. A lot of that would come down from essentially government guidance or things in the news, so new vulnerabilities or a rampant form of malware. And we're talking back in 2012, so the biggest things really were banking Trojans and things like that at the time, GameOver Zeus and stuff like that. 
So that role was really interesting to me because I got to sit in the middle between a relatively senior but non-technical audience, which were mostly the people I considered to be customers, versus the technical goblins behind me, where I'd be going to get the real answers from them to understand the issues, and then taking the technical aspects of what they had to say and trying to put it into language that the others could understand. I did that for a couple of years, and then the opportunity came to pivot into a different team to focus on open source intelligence. And I think that's really where my cyber journey really kicked on. So I got to use a combination of all those skills: relationship management, interfacing with different partners internationally and nationally, a bit of project management and stuff over long-term pieces of work, but also working across such a broad range of different subject areas. So effectively learning how to do what nowadays I call OSINT. And that could be, we could be talking about individuals, we might be talking about infrastructure, it might be specific websites, or it might be certain platforms, and trying to, A, figure out what information can we find out about them, and how do we turn that into a useful intelligence product for the end customer. 
And invariably a lot of that was sensitive work, but geared around how can we leverage data from the internet to inform other decisions. A lot of that work involved looking at different groups and different organizations; some of it involved what we now call APTs and things like that, and that could be anything from infrastructure that they had used in cyber attacks versus, potentially, individuals that are suspected of being in those groups. So at the time, I think the term cyber threat intelligence hadn't really been coined as such. It was effectively just a new type of information that was pretty much derived from open source information. So even OSINT as a term was probably not even common lexicon, so to say.

Pedro Kertzman:

Interesting.

Aaron Roberts:

And then after doing that for a few years, I made a decision to leave the government and move to the private sector. So that was a big decision. But I think it was only with hindsight that it was really a big decision to move, because the market, the CTI space, was pretty new then and pretty misunderstood, I think. You could go from one company to the next and they would have very, very different ideas about what CTI is and what CTI analysts do and how they should work. And I think that's probably still true today to some degree. But that decision was when I started looking at what opportunities actually exist outside of this public sector bubble. And the UK market is definitely significantly smaller than the US. I'm also sure about other Western nations, but I think the UK definitely always seems like we're lagging behind in terms of the number of opportunities, the breadth of the roles or the necessary demand for certain specialisms, which is always a frustration, and part of the reason why we formed the UK OSINT community last year as well. But to bring us back to your initial question about CTI: so I made that decision to move to the private sector, and when I was looking at roles, I was looking for anything that mentioned open source intelligence research, investigations, and invariably you'd see roles looking for cyber analysts and cyber intelligence, or it would be SOC analysts "but you're really good at Google", because the market was pretty immature then, I think. So I ended up working for a company called EclecticIQ, which are a Dutch threat intelligence firm that have their own threat intelligence platform. And I joined what was called at the time the EclecticIQ Fusion Center. 
So our role as intelligence analysts was to collate information from all the different sources that we could ingest and turn that into structured intelligence using STIX (STIX 1 at the time), and effectively turning that into useful intelligence that you could then send to a customer, and then they would be able to understand the whole picture of things from all the different vendors they subscribe to.

Pedro Kertzman:

Like, you're enriching the information that you got in the first place.

Aaron Roberts:

Yeah, so it was a combination of: you might do your own research on something, whether it's an incident that's occurred, or you might just be researching certain types of infrastructure or a certain actor. Or you might be going, right, okay, well, what do, let's say, CrowdStrike say about this actor? What do Mandiant say about this actor? And then what other sources do we have? You might pull from something like AlienVault or URLhaus, and you correlate this information together and enrich it and pivot from those different bits of information to then provide a report and say, well, this is what each vendor has to say about this; this is our assessment on this. And then it's up to you as a customer what you want to do with that information. And I feel that was a different way of approaching the situation from my experience, but it was also, I think, really, really useful because, A, it was a great exposure to different cyber vendors, seeing how they provide information, how they report on things, insights into their visibility, and also from a different range of customers as well, you can try and figure out what their priorities were and the things they cared about, and also, you know, how much money they had as well, a little bit. I think that was a really interesting baptism of fire into what CTI is in real life. And I think the vendor space is always interesting because unless you've been in that environment as a defender or blue team or part of a cybersecurity function, you wouldn't necessarily understand what the customer wants. And I think this always comes down to that thing where having a priority list of intelligence requirements is one of the fundamental things you should do as a threat intelligence team, regardless of the organization, because you need to understand the people that read your reports and what they want to be reading about.

Pedro Kertzman:

Yeah.

Aaron Roberts:

And I think, especially at that time, we would occasionally be a bit guilty of researching something that we thought was cool. We'd be like, oh, have you seen that? APT28 did this. Oh, it's great. What about that? Oh, it's amazing. And then invariably, we'd be like, yeah, but we read about that on Bleeping Computer already, so why do we care? It looks pretty in your little graph, and the visuals are nice, but invariably, it hasn't really helped us further our security. So after doing that for, I think it was about 18 months I worked there, I moved to a telco in the UK and went in with the idea of, you know, critical national infrastructure, very interesting environment, getting attacked on a daily basis, and having this exposure to real tête-à-tête cyber operations: attack, defend, attack, defend. And whilst that didn't really work out for me, to be honest (I was only there for about six months), I think it just ended up with them basically buying into a platform that needed a lot of management and a lot of oversight. And unfortunately, just the way it worked was our support team was in one part of the world, the vendor was on the west coast of the US, and we're in the middle just trying to get somebody on a call or trying to understand something. And it was just so very difficult. And it went into this space where you're kind of doing project management and IT support without any of the right tools to really enable that.

So I ended up talking to a friend who was hiring, and he talked me around over a beer, which is probably quite easy to do, in all honesty. He was like, come work with me, come work with me. I was like, come on, let's have a chat. So I moved from Vodafone to Sky, which is predominantly a television media broadcasting company, but they also run their own broadband service, they run landline telephones, and they have a mobile network operator as well. It's a very interesting environment, so they have everything from content piracy to user account fraud, and the fact that they're a big company as well with lots of money going into things like sports rights, so they're a very clear target for ransomware groups and stuff like that. Very interesting environment, and a really exciting place to work as well, because there was always stuff happening which, whilst not directly part of your job, you'd see: oh, the company's just done this, or we've announced this and we've got this thing going on. And then you're just walking around the office and you see people from the TV just having their lunch and stuff. It's very weird in a lot of ways, but that was a really interesting setup as well, because the CTI team was kind of new. So I went in as the principal threat intelligence analyst at that point, and I worked directly with the head of threat intelligence to kind of mould and shape where the team was heading. So while she did all the boring admin stuff, I got to look at the technical bits and try and figure out how we could make the best use of our budget and what tools we probably needed to enable us to get the right answers. And that was really fun, because I got to work across so many different subject areas which, as a traditional CTI analyst, you might not think about. 
So things like fraud, content piracy, and being able to embellish and enable those teams by effectively making really good use of open source intelligence. So looking at piracy on forums and then being able to bring that extra knowledge of: okay, well, if you have these bits of information about this person that's selling accounts, we can do these bits of research to potentially find out who they are. And I think some of that was really, really well received, and it helped the piracy team kick on a little bit as well. And enabling those relationships and sharing tradecraft, and occasionally we'd do little workshops: this is how we do this. And they were able to take that away as well and use that information. So I think that's always been really interesting. And then by that point, being in a fairly senior role in terms of the threat intelligence team, also being able to do that mentoring piece with newer analysts. And that was great. We'd get a lot of interns and apprentices.

Pedro Kertzman:

Okay.

Aaron Roberts:

trying to figure out what they may want to do with the rest of their career,

Pedro Kertzman:

Nice.

Aaron Roberts:

or at least, you know, in the shorter term, what they'd like to do once they finished all their placements. And being able to give them those skills and that understanding and help shape them and help them grow from "what is a computer?" (not quite that bad, but like "what is Google?") to "I am now an OSINT ninja" was always really, really rewarding.

Pedro Kertzman:

Nice.

Aaron Roberts:

So, yeah, it was a really long way into how I ended up in CTI.

Pedro Kertzman:

And I think it's fair to say that you have a fair amount of exposure to both paid intel, but also to OSINT tools and frameworks and mindset.

Unknown:

Yeah.

Pedro Kertzman:

How would you describe the main differences between OSINT and traditional paid intel, for example?

Aaron Roberts:

Yeah, sure. That's a really good question. So I guess over the last seven or eight years, I've worked across quite a few different teams and in different roles and functions as well. So when I left Sky, I ended up being a CTI team lead at a tech startup in the UK, and that was a very different area of focus. I'd already done that intelligence requirements piece I mentioned earlier whilst working at Sky, trying to figure out what the business really cares about. Because if we're spending time writing reports that we think are interesting and nobody reads them or takes any value out of them, then we're just wasting our time. At least this way, they tell us. Weirdly, when I did that the first time, ransomware wasn't that important on the list. People were like, oh yeah, I guess it's interesting. But there were other things that they seemed to really want more information on, which took us by surprise. And I think even today I'd be like, no, ransomware's number one. Like, come on. Calm yourself down. But taking that intel requirements work and fleshing that out, then running into a completely different role in a tech startup and working in an interesting space: they have a quantum encryption solution, which is an interesting space with a very interesting and varied set of potential threat actors. And that was using, collectively, probably quite a different range of tools as well, because the company was kind of small and budgets were restricted. We had to be really selective about what tools we would make use of to enable that work. And invariably the thing we wanted to know most about as a company was effectively what's being said about the company online, and how can we monitor that, and how do we leverage that information to help us understand where potential risks or potential threats lie. So it was really interesting. 
And you start using social listening tools, which usually you'd use in a marketing context, right? Because I want to know what people are saying about our brand. How's our current campaign doing? Do people like us? But using that with an intelligence angle is now something that I actually offer through my own company. I was like, this is actually a really interesting way of doing brand monitoring. And I think it's something that you probably should be doing as a company when you're looking at threat intelligence. So with that in mind, and having a fairly small budget for tools, we couldn't go in and buy threat feeds for six figures. The money wasn't there. I think in total our budget was definitely way under $100,000, significantly smaller. But we had certain databases and accesses that we needed. So we talked to Moody's, who have the Bureau van Dijk business data set; that was one of the things we ended up buying access to, which is a phenomenal resource. It was certainly not cheap, and I think for an individual researcher it's way out of budget, but when you compare it to trying to find information about companies and ultimately who owns them and things like that, it was a phenomenal resource to have access to. We also leveraged Maltego Enterprise, as it was then. That was really powerful as well, because not only do you have access to a phenomenal link analysis tool, but data allowances came with that as well. So you can enable investigations and have access to some of these premium data sets without having to interact with the vendor and pay them X many thousands of dollars a month for a year to get access to some of that data, which, with the number of inquiries and bits of research we were doing, you just couldn't justify that expense. It was like, actually, these 10 lookups a month for our use case here are sufficient, which is quite an interesting place to be. 
Compared to being in those environments where, oh yeah, this client has bought everything. If there's a vendor, they've bought them. And then you're inundated with data, versus now we're doing very tailored and bespoke reports that are very laser focused around particular topics or particular threats. So that was really interesting. And with that, you come to rely on a lot of the open source tools and techniques that you can leverage from any number of GitHub repositories where somebody has a tool that you can make use of. A lot of the stuff I would use now, I probably have a commercial solution for, but there were tools like Holehe, which would take an email address and then find account associations that were linked to that email address. But now you have tools like OSINT Industries, Epieos, Predicta Search, Castrick Clues. There's a bunch now where you can do those same things. And the tools, because they're commercialized, have taken what effectively was that idea, put it on steroids, and now it's not only a case of I can say, oh, this email address has a Google account; it's now, I can see that these are the details for that Google account,
or a LinkedIn account and Strava and whatever. So when you're doing people-focused research, that can be super powerful. And one of the things I do a lot of is person of interest investigations, so those tools are really, really helpful for that. But coming back to paid versus, I guess, OSINT tools, the trade-off is always about the legwork that you have to do, right? So whilst some of the tools that you can leverage will have a Maltego transform, so you can still use your commercial tools, and if you have access to Maltego you can bring in that open source solution and still use that data together, most of them don't. So invariably the trade-off is: right, I can bring this data in, but it's either going to be messy or it's going to be up to you as an analyst to identify what's useful in there, what aids your investigation or helps you answer the intelligence requirement, versus I've just got all the data and here it is.

I think the trade-off you get there, obviously, with something like CrowdStrike, for example: they might do an investigation based off either an incident response they'd done or one of their analyst teams has done open source research on. But when you get that report and you get the associated data, it's already been curated for you, right? So it's like, ta-da, here's what happened. Here's the analysis. This is what we think. Here's all the supporting information that you can then take and do your own research and verify or pivot from. And that's a huge time-saving, especially in a high-paced environment where you might have a team that, any time you see a ransomware attack, you get an incident response report or something: just send it. And that's you as an analyst not having to do all that research. So I think the trade-off really is the time, but at the same time, I think you can also learn a lot from the tools. And where I mentioned those email and phone number lookup tools, I think before the first one was on GitHub, not many people knew the extent of how much of that you could do. There was definitely, within the OSINT community, tradecraft and knowledge sharing about, oh, you can do this on this account, you can do this on this account, but we're talking maybe three, four, five accounts or platforms that you knew this trick would work on. And you get a tool that gives you 30 plus and you're like, oh, this is actually a really viable technique that we should probably make better use of. And not only that, at least four or five years ago, you'd be able to potentially find other bits of information to do that. 
A lot of the platforms have now changed that with privacy and security laws and stuff, but you could put in a username and sometimes you'd get the email address, or you could use the email address and you'd get the username or the phone number that was associated with one of those accounts. And now you can still kind of do that. Invariably it's not very often that you get from an email address directly to a full phone number, but you might get a partial number. And if you've already got another bit of information, that might help correlate something for you, or not, or also, oh, that's an interesting thing that we didn't know about, so now we have to go and research that. So I think the power and the beauty of those open source tools is you get people that are creative or curious and they build something and share it with the community. And then people are able to take that and develop it further and turn it into something which now is an industry, right? There's a handful of these tools that exist. They all have pros and cons. And as analysts, we're blessed that we now have this choice as well of where we might go.

Pedro Kertzman:

Yeah. It feels like, because the community is actually doing the hands-on work, it ends up seeing a need or a necessity to have something to automate part of those manual processes, and then creates something more rudimentary, or something like that. And then if it gets popular, probably a company or somebody with deep pockets will pick that up and try to develop it into a more sophisticated paid platform. So it feels like the community aspect can actually bring the need first and then just release something because it's a day-to-day need for somebody or for a type of role. And from there, the industry might keep an eye on it to expand it into a paid intel platform or something.

Aaron Roberts:

That's for sure. And likewise, when you take a Bleeping Computer report, or something from The Record or ZDNet, if they still do cyber reports, quite often you find researchers, particularly on, I'd say, Twitter, but probably less nowadays, more Bluesky, maybe LinkedIn a little bit, taking what you get in one of these reports that you'll read on one of the news sites, pivoting on some of that information and finding more information as well. And it's one of those things that, sure, a lot of people have their opinions on Twitter as a platform now versus what it was a couple of years ago, but you still have to use that platform, because there's still a wealth of information being shared there that can be very, very useful in our intelligence context. And there are some guys out there who do a lot of research around command and control servers and things like that. And you can see on an almost daily basis when they post something like, oh, this is a good report, I've pivoted from here and here's a bunch more indicators that weren't in the report and probably haven't been identified yet as malicious. And there's a tool by a guy called Monty Security called C2 Tracker, which is available on GitHub. It's a Python script which effectively queries, I think, Shodan and Censys. But it's got almost the methodology for identifying the command and control servers. So every time you run the script, you can get a list of, effectively, indicators of attack that you can be pretty confident are linked to something malicious.

Speaker 01:

Okay.

Aaron Roberts:

Because you've got this curated search, which is high fidelity enough that you'd probably include it as suspect indicators. And you can then ingest those into your SIEM, your EDR, or whatever, and you can be very proactive in blocking things before an attack occurs. Bearing in mind, that's a tool you can download for free. And if you've got a Shodan API key, probably not so much Censys anymore because they've changed their license models, but if you've got a Shodan API key, and they often do the $5 sale once or twice a year, you can use this tool and have this information, which some vendors will charge you through the nose for as an indicator feed. And quite often you'll find that you're probably finding things that they're not including, for one reason or another. So I think that's where the real power of open source intelligence can come in, because if you rely solely on a third party, you're beholden to what visibility they have and what data they have access to. And that's a dangerous ride, because we're all human analysts, and depending on what we're doing on any given day, you get distracted for a moment and suddenly you forget to change a query to look at something else. You might get a partial subset of data, or you might miss something, or data could be incorrect for one reason or another. But you'd have no way of knowing that if you're solely reliant on one list.
So being able to leverage that information that we can get, whether it's from a Twitter post, whether it's from reading somebody's blog, whether it's from using tools like C2-Tracker, and you can review the code in there and see what the logic is for the search queries and work backwards from that. I'd give a shout out here to a researcher called, I'm going to butcher his surname, Michael Koczwara, I think he's a Polish guy, who does a lot of really, really good research around adversary infrastructure. He has an online course for this and it's phenomenal. It walks you through exactly how to pivot and research these things using different tools and looking at it from different angles. So I'd highly recommend anyone checking it out, because it's taught me a lot. I'd understood the logic of how you would do this sort of research, but one of the things is always, how can you know? It's always, yeah, I can play around with the IP address and then look at different things, but maybe I'm just clicking and getting somewhere at random. But being able to work through structured examples that are real life. Yeah, the downside is obviously infrastructure comes and goes, so sometimes you'll be working through all the exercises and the IPs don't exist exactly as you're supposed to be following it through. But then you can switch to a different tool which might have the historical data, and you can still see the information. I think if you can get your head around doing that kind of proactive OSINT research and investigation, which effectively is all it is, right? Because sure, you might need access to a platform, but most of the IoT and internet search engines will allow you to have a free account, and will allow you to search using their web interface.
So maybe the API access is prohibitively expensive or is not available, but you can still do this research, albeit manually. And I think if you can do that, and then cross-reference it with the data you get from commercial providers, you have a really powerful level of knowledge. And then if you're doing that and you're blocking things before they can be used against you, I think that's almost the gold standard for any intelligence team, really, and where they want to be,

Speaker 01:

Yeah.

Aaron Roberts:

which can be really difficult. And also you can track these things over time as well, so you can see, right, last week it was all RedLine Stealer, it was the most prevalent thing we were seeing, whereas this week that's dropped off and now it's this other bit of malware. And being able to do that across ransomware groups, APTs, different stealers, malware. Being able to identify those trends and things over time can be really powerful. You can then bring that into a strategic report, if you do those every six months or every year: this is what we saw over the course of the year in terms of trends and numbers. So I think that's a really powerful addition as well into your whole mindset and approach.

Pedro Kertzman:

Agreed. And you mentioned something, double-checking or cross-referencing. Do you think it's fair to say that OSINT would be a good complement to, or fill some gaps in, the traditional threat intelligence from traditional or paid vendors?

Aaron Roberts:

Yeah, I think as a threat intelligence analyst, you have to understand, in a lot of ways, how you can get the data, what the data means, and therefore how you can use it in an intelligence product. So I think fundamentally, the idea that OSINT and CTI are different fields is not really the case. There are parts of CTI which aren't OSINT, because they rely on a network sharing group, or they rely on other information, or on commercial vendors providing this information. But I think fundamentally what we're all doing is researching things that we're finding on the internet, which is almost to the letter the definition of what OSINT is. And I think I touched heavily there on adversary infrastructure, but the approach to that and the methodology for that isn't completely different, it's almost the same as what you would do if you were researching where to buy technology at a cheap price, or researching an individual's online footprint. The approach, the methodologies and a lot of the techniques are going to be the same. Sure, the subject matter might be different and the platforms might be different, but you still need that analytical approach, you still need to be curious, and you still need to have that investigative mindset. And whilst looking at file hashes and IPv6 addresses will melt most people's eyes, which is fine, it's not that different from doing research on other types of data. And I think, depending on where your skills lie, there's so much you can do with some of that technical information to really enable investigations. And if you're really good at image geolocation, maybe that doesn't quite fit into a CTI bucket, until it does, where, oh, this threat actor has uploaded a picture of something, and this looks like this, and then what information could you find?
So I think there's so much crossover in different, almost different disciplines. And everything that you consider to be a huge difference is probably not really that significant. All that really changes is the subject matter; everything else more or less stays the same. If you're doing research into actors on the dark web, your tradecraft, your approach, is going to be probably exactly the same as researching an IP address in Shodan. And then thinking, right, well, what else can I find out here? I'm going to query this source and see what information I can get. Or, all right, I'll go to this tool now and see what that information provides. Unless you're just clicking around wildly and hoping for the best, and YOLOing to a known malicious server and seeing what happens to your work computer. Don't do that. Largely, I think the methodology in your approach will always be the same, because we'll always have operational security, OPSEC, in the back of our heads: okay, we need to protect ourselves for this reason. I'm researching this and I know it's bad. I don't want the villain on the other end to understand that we're looking at them, because we don't want them to target us, or we don't want them to know that we're aware of whatever they did. So I think all those approaches, they're always the same.

Pedro Kertzman:

Okay, awesome. And so you mentioned a lot about open source tools, paid tools as well, how they complement each other or can fill some of the gaps the other will have. And you also gave the example of working with a low-budget kind of approach. And I think a lot of companies will have unique needs. You mentioned brand monitoring as well. But do you think at any point we could have one, two, or three must-have tools for any CTI or OSINT team?

Aaron Roberts:

That's a really good question. Pick the top three.

Unknown:

Okay.

Pedro Kertzman:

Whatever, you name it. It could be one. Again, I know every company will have different scenarios, but maybe one tool is, regardless of the scenario, a must-have for everybody.

Aaron Roberts:

Yeah, so again, I know that this is in the process of change as well, but I think the one constant that I've always seen has been VirusTotal. For a CTI team, access to VirusTotal Intelligence should be like a God-given right. This is the one thing we actually need. I don't know what that's going to look like now, because the licenses are changing and the model's changing; it's all going under the Google Threat Intelligence banner. But that's always been one of those tools where we fundamentally need this. In line with that as well, particularly for myself, I've always loved link analysis and the visualizations that enables. So either you need a tool like Maltego or i2 Analyst's Notebook, or you need a platform which will give you some of those visualizations. Because I think for me, being able to see those links between different data sources, particularly, and seeing how the information all pans out, is such a powerful and useful visual aid as an investigator that it's almost sinful that you wouldn't have access to that, because putting everything in a spreadsheet doesn't quite have the same impact, I find. At least for me. I know there's probably some geniuses out there that just love looking at file hashes in a spreadsheet, but that's unfortunately not me. And Maltego is one of those tools that, since I've been self-employed, has been the first thing I've paid for access to, because it's just so powerful, and it enables me to get to a point with an investigation where I know, A, if I'm looking at something like a scoping exercise, or if I'm working through it step by step in an investigation, it gives me that full flow of things that I need to see. And then I can leverage all the data sources I have access to, to make sure I've got the whole picture to enable that investigation. And whether that's person of interest work, or cyber incident response and threat intelligence research, security research, the fact you can do all this in one place I've found is always really, really powerful. And to bring this back to the topic of open source as well, there's a UK security specialist called Daniel Card who's launched, he's vibe coding, what he says is a Maltego replacement. I think he's kind of adjusted his use case a little bit, but I think at the moment he's stuck with the name Crime Mapper. And he's vibe coded the whole thing, and it's really quite impressive. It's like, I'm just telling you what to do and it does it, and then when it doesn't work he shouts at it, and then it gets back to where it needs to be. And I think we're all leveraging AI in one way or another at the moment.
Oh yeah, like leveraging large language models for document summaries and all that stuff. But seeing stuff like that coming out, and again, if you can't afford a Maltego license, there are a couple of options out there where you can still do this kind of research and analysis. And particularly from a CTI angle, the tool that Dan has built, I think you can plug in a Shodan API, urlscan, and a couple of others as well. So if your focus is purely on threat intelligence research, it's probably going to get you quite a long way there for what you'd actually want to be able to query and how you'd want to leverage that data. So it's well worth a look. And especially as there's a lot on GitHub. I think he's also got a web version where you can just go and play with it.

Pedro Kertzman:

Okay. And if we're thinking about data breaches, for example, any tools, frameworks, or approaches to attack surface intel that you would recommend?

Aaron Roberts:

Yeah. So it's very much top of my mind. My company, Perspective Intelligence, we do attack surface intelligence. That's kind of how I coined it. But effectively, it's using open source intelligence to enable companies to understand their external attack surface by effectively taking that point of view of: if I was going to target you, what can I see? And what could I use to do bad things? Our focus at the moment is very much UK small and medium businesses; that's where we position ourselves at the moment, mostly because I think that's a hugely underserved market when it comes to not just cyber threat intelligence but cybersecurity in general. Mostly because they don't tend to be big ticket. They don't tend to be companies that you can spend six months trying to cultivate a six-figure deal out of. It's a very big market, but very underserved by the major players in the intelligence space. And I think the approach we've taken there is: if you follow basic cyber hygiene and you do the basic things that the National Cyber Security Centre has said you should do as a company, invariably it's use a password manager, use multi-factor authentication. If we do just those two things, we're going to reduce the likelihood of you being successfully exploited significantly. I think Microsoft said it was something like, if you use MFA, you beat 99% of attacks. I don't believe their numbers, but it's a high number. If you've just made it that much harder to get in, then opportunistic attacks become less likely to succeed. Our approach there is very much: if you can do these basic things right, you know, apply updates, software updates, especially when there's something bad, use a password manager, use MFA, then we can find all the things that exist outside of where you might have visibility. So if you've got a couple of security tools that are doing some sort of monitoring inside your network, if we can find the things that are outside your area of control, then if we can get ahead of those and either mitigate them, or clarify that, oh, that's actually not a problem, or, oh yeah, that needs fixing, then I think we're probably going to get you significantly further down the road of avoiding being a victim of cybercrime than where we started. And I think for most companies that really starts with: do you understand what a data breach is? And secondly, when they say, yeah, I have an idea what that is, we look at Have I Been Pwned once. We then say, have you ever heard of information stealer malware? At which point most companies, most reasonable human beings, go, I haven't got a clue what that means. So then it's trying to educate people around what is effectively a fairly subtle difference, because for all intents and purposes, your credentials are stolen over here in a breach, your credentials are stolen here by malware; sounds like the same thing. But getting businesses to understand that stealer malware is much more dangerous, because a data breach is always a point in time, right? So something was posted on BreachForums this week and the breach happened three years ago, and one of your corporate email addresses is inside it. The likelihood is that person probably doesn't work here anymore, or if they do, they've probably changed their password by now. You'd hope, potentially. Whereas when you get the stealer malware, obviously there's a market there in the underground to buy those credentials. And not only that, those credentials regularly get shared for free.
I mean, at the moment, as we're recording this, less so on Telegram, because Telegram are in the process of nuking a lot of those channels. But no doubt they'll reappear, or they'll move to a different platform. And those credentials will contain literally corporate email address, Microsoft 365 login, password, or HR portals, business internal systems. And we've worked with clients before where that has been the root cause of a ransomware attack. So understanding that, A, as security professionals, we can collect this data too. Secondly, that when we collect the data, we need to be able to process it. And the aim here is, as soon as we're able to identify that one of your corporate email addresses appears in something, particularly if it's stealer malware or a phishing kit, that's a sign of a real compromise that needs immediate response. Because, A, somebody's either clicked on a link and submitted their details, and they're probably accurate details, or somebody has a malware infection, which could be on a corporate device but is most likely on a personal device, which makes it even that much harder for you to detect it using any manner of security tools. And I know in this space most people know how stealer malware works. But I think getting companies to understand that if you allow people to log into their web browser using their personal account, and they're doing that at home, then the corporate credentials are shared between those two devices, and that's how the corporate credentials are breached. It's a really kind of nuanced difference from getting them to understand how a data breach works, and how a data breach affecting a third party means it's not them that has to worry about cleaning it up. It's a really powerful, but nuanced, difference.
So I think using open source intelligence to enable that investigation, and, in fact, we're automatically collecting the data and processing it and checking for customer credentials. I think that's fundamentally the cornerstone of what the external attack surface really is. Because sure, we could then have a look at what servers you have that are internet-facing, and you might find that there are some vulnerabilities on them. But again, invariably when we look at that, what do we care about the most? It's either: is it a vulnerability that we know is exploitable, whether that's on the CISA KEV list or on others? VulnCheck.com has their own known exploited vulnerability list, which differs from CISA's in that it's more expansive, so more inclusive of vulnerabilities that have exploits available. So the first priority is: is it on an exploited vulnerability list, or is the EPSS significantly high? Because that often indicates the likelihood that in the next 30 days that vulnerability will be exploited, right? So if we find vulnerabilities on an internet-facing asset that we think are either going to be exploited, or we know exploits exist for, especially when there's code on GitHub that anyone could effectively run, we take that information, and now if we find compromised credentials, particularly from a stealer log, suddenly we're starting to form this picture of: this is how you probably would get initial access.

Pedro Kertzman:

Yeah, explosive.

Aaron Roberts:

And so, taking that approach, and then also touching on those other things. So the brand monitoring piece around brand sentiment: is there anything about your company which is causing negative press which, if you're not aware of, maybe you should be, or if you are aware of it, let's look at it from this angle and see if there's anything from a cyber aspect that we should be aware of. And then also all the traditional bits: okay, well, where else is information about your company online? Has your company been mentioned, let's say, on the dark web, quote unquote, but invariably on forums, which is largely what people mean by that. So can we cover any dark web results that we do find? Is your company included in documents that are being shared on ransomware data leak sites, or stuff like that? Any information that might be useful to a criminal? And then the other piece we do is around almost brand protection. So phishing, typosquat domains and brand imagery. So can we find domains that look to be mimicking your company, or parts of your company? And then subsequently, if a domain is very similar to yours, does it contain your logos or your favicon, so we can be pretty sure that it might be a phishing attack? And obviously with that, there's also: does this website have a mail server running? Because it's always, okay, this looks like it's definitely targeting you. There's a mail server that's probably going to be used to send phishing emails, and this web page is covered in your logos. Good chance that's going to be used for some kind of spear phishing attack. And sort of taking that approach to attack surface management, which I think goes beyond what a lot of traditional tools do, where it's around assets and open ports and IPs. And we still do all that, because it's fundamentally important.
But I think by bringing that open source intelligence piece to it, taking that step back and being a bit more, I'd say, criminal-minded, I guess: if I take this approach that, if I wanted to do bad things to your company, this is how I would look to do it. And then offering that ongoing monitoring support, so the company can feel happy that if something does get identified... And because also, very much in that space, it's human analysts doing the work and it's a human-written report, so everything that does get sent to a client has been assessed as probably worth your time. Or, we've disregarded this, even though you'll probably see this, we disregard it for these reasons. So I think being able to give that contextualized approach to looking at the data is really important. But fundamentally what it really comes down to is: the bulk of this revolves around credentials, and whether your credentials are being stolen or not.

Pedro Kertzman:

Got it. Thanks for sharing the story with us. And I often ask this of all the guests: do you think there are any skills, or anything you know today, that you wish you knew back in the day when you decided to pivot to CTI?

Aaron Roberts:

Yeah, maybe don't. I jest, I jest. Yeah, I think the most important thing I look at now, and the approach that I tend to take, is always around, A, establishing the intelligence requirements and being clear about what it is that you need to deliver, whether that's areas of focus: ransomware, nation state, and this script kiddie in this place who just seems to have it out for us. Or if it's specific questions that you're being asked by the SOC, the CISO, the board. And I think the second thing that is really important to me, and it's probably one of those things that has to be better understood, is that a cyber threat intelligence team doesn't necessarily have to work solely to the SOC. I think a lot of companies get into this trap where, well, you do cyber, they do cyber, you do the intelligence bit to whatever they want. Whereas the threat intelligence team really needs to be working from almost the board down; that is where the direction comes from, because the threat intelligence team should be understanding what the business is doing and where the business is heading. When we write a report and we say, oh, we absolutely shouldn't be doing this, this is foolish, there might well be a business reason why we're putting a data center over here in a country that you might think is stupid or preposterous. You have to understand what the business is doing to then be able to really support the business properly. So you can spend all day writing reports about ransomware groups, or people posting on forums, but at the end of the day, the job of the CTI team usually is to help protect the business from cyber attack. And you can't really do that if you don't understand what the business is trying to do, where the business's priorities lie. And I think it's hard, because getting face time with the CISO in a large company is going to be difficult, right, as a threat intelligence team.
It's probably hard, especially when it boils down to understanding priorities and the strategic direction of the company. But ultimately, if you don't know those pieces of information, you can't really do the job to the best extent, I think. So I think understanding that, because I mentioned earlier how sometimes we'd write reports that we thought were cool. When I worked at SkyWay, we ended up establishing the intelligence requirements process, because quite often we'd write a report and we'd think, this is really interesting, really cool, and obviously we should be caring about this threat actor or whatever. But that's because we've made that decision and that assessment based on our knowledge, and not because we ever sat down and asked the people that read these reports what actually is important to them. So that's kind of where this really came from for me: if you don't really understand your requirements, or the direction of the business and the business's priorities, you can't really provide the best quality reports, and you might spend a lot of time writing reports on things that never get read or never get actioned, because ultimately the business doesn't care, or it's just not a priority because the priorities are in other areas.

Pedro Kertzman:

Yeah, no, that's awesome. I think it's fair to say at this point that every single guest, in one way or the other, we touched on the importance of not only having the technical skills, but how to communicate that in a way that the company understands, what is actually aligned with the company goals and needs, and all that. Otherwise it's just, yeah, a bunch of bits and bytes, right? So, no...

Aaron Roberts:

100%, yeah. I think fundamentally communication, obviously, is effectively what we do, right? We are communicators. So we'll take the data and we'll be gobbling away on some research, and effectively, one way or another, we end up creating a product. And that can be a long-form report, it can be a couple of lines in an email, it can be a beautiful diagram, it can be a slideshow, it can be a verbal briefing, it can be any of these things, even interpretive dance. But yeah, and I guess that's probably the third thing I would say: you have to be comfortable taking what can be a deeply technical piece of information and being able to convey that in a way that the audience either, A, will understand, or, B, can make good, that's the word I'm looking for, effectively take good actions from. And I think that can be really hard, because, you know, I'm not a coder by any stretch, so reading a technical breakdown of a particular piece of malware, I struggle to read those reports, because when it goes into the minutiae of, this is what this bit of the code does, and then you can see that this happens, and then this and this, I'm like, I don't see that. I'm taking your word for it. But what I can do is get the gist of what this report is telling me and understand what that means within the business context. And I'm probably not going to send a CISO one of these malware reports, unless I'm trying to get fired, right? There you go, read that. Or I'm not going to send that to the board: here's a 28-page breakdown about this malware, line by line. Because, A, they're never going to read it, and secondly, it's completely the wrong type of thing to send to that group.
So understanding your audience and being able to communicate to them the right information at the right level should be, I mean, it's intelligence 101 really. And I feel lucky, because with my background coming from the intelligence community, it was always, that's exactly just how we do business. And I think particularly now, as junior analysts come in, you might not ever have that exposure, or you might not have, I guess, the seniority in the team that might have had that experience. So I think there's always a risk that that could get missed. I think I was very fortunate. I've never really come across that myself to date, but I think as the industry has matured, and as intelligence has become an industry, we still need to make sure that we're doing the right things fundamentally. And I think with the OSINT space, there's a lot of very engaged and very keen people that are new to this space. And so we talk a lot in training courses I deliver around understanding what the tools can give you. You can download a script from GitHub and it will blow your mind with the information it'll bring back. And you're just like, I can't believe that this was free, or this took me two minutes, or it used to take me days. I think we fall into this trap, particularly in chasing the shiny shiny, that we'll use these tools, we'll get a load of data back, and then we'll call that intelligence. And fundamentally what we need to be doing is putting the intelligence part into the OSINT, so doing the analysis, figuring out our hypotheses around what the data is indicating, or what it's proving or disproving, and fundamentally, how we answer those intelligence requirements. Because it's always okay to turn back to somebody that's asked you a question, that thinks this means this bit of information, can you prove it?
And to turn around to them and say, well, no, because the data here that we've analyzed all indicates something completely different. And a really good example of that, I think, was the Olympic Destroyer malware from the Winter Olympics, which must be probably six, seven years ago now. When that story broke and the attack happened, everyone immediately was like, oh, North Korea did this. And it wasn't until, you know, teams actually sat down doing the analysis and actually working through things, and looking at those hypotheses and figuring things through, that you turn and go, no, actually, that's not the case. There are all these other indicators which indicate a completely different scenario. Obviously, I think that was attributed to the GRU in Russia, I think. But that's fundamentally, I think, when we talk about communication and disseminating reports, understanding the audience, what they're expecting, and being able to pitch at the right level is such an invaluable skill. Because you could leave threat intelligence behind forever, but if you can still do that, I can take this thing, I can convey it to whoever, and they will get it, or they can make use of that information, then you can go and probably work in any industry and use those skills immeasurably, because that's such an important life skill. And especially if you can take something that's complicated and effectively distill it down to something that a five-year-old could understand, at least at a high level, then we're doing the right job.

Pedro Kertzman:

Really cool. Aaron, thank you so much for coming on the show. Really appreciate it. All the many insights, really insightful conversation. And I hope I'll see you around.

Aaron Roberts:

Thanks so much, Pedro. It's been great chatting to you and I really enjoyed it.

Rachael Tyrell:

And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise who would like to be interviewed on the show, just let us know. Until next time, stay sharp and stay secure.
