Cyber threat intelligence: Getting to know the adversary

August 2, 2024

"They're not trying to be gracious here. They're trying to make as much money as they can with that personal data." - Mary D'Angelo

Join us for this Secure Talk podcast to unmask the activity of cyber criminals on the dark web. Mary D’Angelo, an expert in Cyber Threat Intelligence, helps us “follow the money” and understand the aggressive tactics being used by threat actors to steal and monetize your data. Discover how these criminal organizations are monetizing your personal data before it even surfaces in the dark corners of the internet and how the long tail of data breaches can follow your organization for years.

 


Secure Talk - Mary D'Angelo

Justin Beals: Hello everyone, and welcome to another episode of Secure Talk. As always, I'm delighted to have you join us today. We have an exceptional guest to chat with, a topic area that I'm deeply interested in and wanting to learn more about. Today we're joined by Mary D'Angelo. She is a cyber threat intelligence lead for Searchlight Cyber.

Mary is a deep expert in connecting the dark web with threat intelligence, and today we'll be exploring both. Mary, welcome to the podcast. Thanks for joining us today. 

Mary D'Angelo: Yeah, thank you so much. So happy to be here. 

Justin Beals: Excellent. You know, Mary, we have some early and career listeners and a lot of the questions that we get quite a bit is how people that we interview got into the positions that they are.

 And I am always a little interested in kind of early in life influences, maybe before college was threat intelligence part of your interests prior to college or was it something you learned about later? 

Mary D'Angelo: It's kind of interesting. I kind of stumbled into this. I actually had no idea what threat intelligence was.

I had no idea I would be in cyber security as a whole, but I think it was just something, I guess, in the way that I grew up, technology just seemed like something I would never be at. But fortunately, you know, just how things unraveled and generally my first job getting out of undergrad, working at Darktrace was I exposed to, you know, cybersecurity.

Mary D'Angelo: And that's when I really fell in love with, you know, the community folks and just the entire landscape. 

Justin Beals: What did you study at in college? 

Mary D'Angelo: Oh my God, I kept changing my major. So I was, psychology. I was, shoot, I think it was biology. And then I ended up doing. But for me, my,  I didn't really know, you know, it's just so hard when you're an undergrad, you have no idea what you want to do for the rest of your life.

So I spent the majority of my time on campus actually being involved with different leadership activities.  I was really, really big in, in that part and connecting with like, he created this pipeline between Deloitte and Accenture to do network recruiting with university students at the time.  

Justin Beals: Well, you're in good company. I'm a theater grad. So, but a 25 year career in building software and startups. Yeah. So it was a big shift. Darktrace is a pretty amazing company. I'm still growing quite quickly. And it was your first job. It must have been an incredible exposure to all aspects of the industry security. 

Mary D'Angelo: Oh, I didn't know. Yeah. So I started with Darktrace right after undergrad. So I moved from Seattle, Washington to Washington, D.C. to help open their office in D.C., Northern Virginia at the time. It was, this was way before they went public. They were so much smaller at the time. Very, very startupy.

I think there was only about five of us that opened up the Washington, D.C. office by the time I left. There was around three of us, and that got me, and this was also pre pandemic too, so we were flying around meeting customers. You know, CISO, CIOs, Director of ITs, um, and going to all sorts of conferences at the time.

And that gave me that first exposure to cybersecurity. And so I was with them for about five, five years, five or six years until they IPO'd. And then one of my mentors, you know, recommended I work for Searchlight where I'm at right now in Dark Web Threat Intelligence, and I absolutely had no idea what that was.

I knew it abstractly what Dark Web Threat Intelligence was, but really didn't know it from like a practical level. And then I think sort of what was more pivotal in my career was when I was invited to speak at a think tank in Germany. It was around cognitive vulnerabilities and social engineering. They wanted someone to talk about dark web threat intelligence and how threat actors are using it to, you know, facilitate their, their operations.

Justin Beals: Yeah, let's start on the dark web side. So I want to say I have a little bit of experience playing around, but I'm a naturally curious person about, especially technology and the Internet, which I spent most of my career trying to build. Let's just start with the mechanics. What is the dark web?

Why would we even separate it from the rest of the internet in our mind? 

Mary D'Angelo: Yeah. So like how I like to sort of define the dark web. So basically the dark web is where you can gain access into the internet where it's anonymous, right? And you don't have to secure anonymous private. But you can't, you have to download certain software to get access to it.

Whereas clear web and deep web, you don't need to download any type of software. Most commonly used software is Tor, you know, T-O-R, spells The Onion Router. There are other types of software, but it's not quite commonly used. And so I think just to define, define the three, just so there's an understanding of the context as a whole, surface web is anything you can find on your standard, you know, Google browser, right?

Deep web may not necessarily be not indexed, right? But it's, doesn't require a Tor browser to gain access into, but it's incredibly hard to find, and that's where the majority of the internet is. I think it's about 90 percent of the internet is deep web, and that would be medical files, sites in Reddit, AppChat, Telegram, Discord, 4chan, those types of areas.

And then dark web is where the Tor browser comes into play. And so how that sort of works is, so it stands for The Onion Router. It's basically volunteer-run nodes, like an interlay of nodes, where traffic runs through the entry, middle and exit nodes and between each layer it goes, it drops a layer of decryption so that each node that you're in the traffic will not know the entry and the exit only one.

And so that allows it to be fully anonymous and fully secure and private for those who want to get access to it.

Justin Beals: Yeah. Okay, so this is really helpful. In my mind, a kind of clear web is a site that I would want indexed. And obviously we know so often I engage the Internet through a search engine to find some piece of information that I'm looking for.

But I can remember back in the day, a long time ago, what you termed deep web would have been maybe a site or a server I set up with just an IP address. Non indexed, right? So it's not going to come out in a search. But if I share the IP address with someone, they'd be able to go hit that server and communicate with it.

Mary D'Angelo: Yep, exactly. So if you think about medical files, you know, or financial, files, most of that time it's very secure, hard to gain access into, but you don't need special software to gain access into it. 

Justin Beals: Right. So included in the deep web would be things that are behind a login or some form of encryption that you have to access to get into Is that right? 

Mary D'Angelo: Yes. 

Justin Beals: Then, if I remember correctly, I think Tor was originally developed to get around the great firewall. Is that right? We were looking for anonymous access to information around kind of political regimes. Right. Trying to reduce access to information. 

Mary D'Angelo: Yeah, so it's funny, it, the foundation of it or the genesis of it was really to, it was for a good thing, right?

It was to help those in, you know, stricter regimes to have a voice, especially for journalists, but really it was founded by the U.S. Navy. So it was the naval research labs created in the 90s to help to protect their intelligence agents. Right. So they had a public and private and secure, but of course, obviously since then it's devolved from then on, but there is still good components of it.

I think I will say though, sadly, I think only less than 1 percent of the dark web is used for whistleblowing and journalistic activities, but that is, that is a main use case of why it was created. 

Justin Beals: Yeah, absolutely. And to help that work, right? You mentioned Tor, the onion router, which is a route, almost like a peer to peer network, a shared system, so you can bounce your activity off of other people and reduce the ability to understand what data is being asked for, where it's coming from and where it's going.

Justin Beals: Right?

Mary D'Angelo: Yeah. 

Justin Beals: And there's no search engine for the dark web, right? Like, you have to know exactly what server you want to hit to hit that server. Like, you have to understand the URL or whatever that the right name is for that. There's, 

Mary D'Angelo: there's some types of search engines, like, that people have created within the dark web that it's not like what you would think with Google.

But yeah, for the most part, in order to gain access to a certain site, you have to know, and the sites are called onions, you have to know the dot onion sites. To get to gain access into it. So even then, if you have access, then you also have to know where to look for to get if, you know, for whatever activities you're trying to do.

Justin Beals: Yeah, it's been a clearing house for a while or things that were illicit, non legal, I remember back to the Silk Road. Days and the Silk Road take down, it seems like just like other places in the web where we might have a community or a forum or places where people connect. We're doing that on the dark web with a set of content that we don't want exposed or we want to be deeply anonymous.

Justin Beals: Is that right? 

Mary D'Angelo: Exactly. So it's most of the time. I mean, I like to think of it as like a criminal hub underground, right? So they have secure communications, totally private, anonymous. And they  can chat with one another, you know, take part in marketplaces. Things like that. 

Justin Beals: Yeah. It's the dark alley of the internet.

Yeah. That's the word. The dark web. Yeah. It's, it seems that especially for criminal activity, it's, it's gotten a lot more activity. What are some of the types of things that criminals, threat actors are using the dark web for? 

Mary D'Angelo: Yeah. So I can say the top three things that we see, so we track this, but it's always, it's always changing.

It's always evolving and changing. But as of right now, the first is drugs, guns and drugs. And so, I mean, you probably already know that, you probably hear that all the time. It's famous for selling drugs. And then, you know, it makes, it's very lucrative, makes a lot of money with that as well. The second most important thing is honestly, is data theft or identity theft.

So you can think of it, social security numbers, credit card information, like irrelevant recently with AT&T leakage, that was like 70 million, I think it's like customer's information, private information. I think it was, current customers and former customers combined attack that happened 5 years ago that they used to recently leaked on to the dark web.

Those types of things. And that's extremely lucrative on the dark web. And then thirdly, it would have to do with hacker services or ransomware as a service. Or, you know, fines, different types of exploits, things like that, that really have increased, grants there within the last couple of years or so.

Justin Beals: Yeah, I can think of a number of different recent major breaches where we learned about it from activity on the dark web, like 23andMe. It seems like there was the sale of data there, and that's how we learned of the breach. 

Mary D'Angelo: Yeah. 

Justin Beals: Yeah. Do you ever help organizations understand kind of what the market value is of, of, of themselves?

And is the dark web a part of understanding that, that value? 

Mary D'Angelo: Yeah. So I think in terms of. Or we mean the value of their intelligence or 

Justin Beals: Even the data itself, right? It seems quite surprising sometimes to realize that there's a going rate for a record. 

Mary D'Angelo: Yeah, I think that's also kind of hard to a lot of times when you're dealing with customers or those who are just in getting into intelligence, they have a hard time understanding.

Okay, so yeah, I know. I don't care if it's five years ago, right? But there's, it's so much more to that. And it's about, you know, for us, it's about the pre attack side. So, if this is the criminal underground, these are where the ransomware groups and their actors are hanging out, they're discussing, you know, maybe new vulnerabilities they

And they might not be saying explicitly what organization they have, maybe the industry as a whole. But if you're able to monitor and track all of those different indicators, then you are, you are able to know as an organization, okay. I need to be, this is where my weakness is, this is what I need to prioritize is where I need to fund in terms of like security aspects.

Justin Beals: Yeah, let's talk about that phrase pre attack a little bit, because I think in our work, certainly like security posture management has been important, but you guys are much more focused on actual emerging threats. In your work, is that right? 

Mary D'Angelo: Yeah, so we do both. So we do pre attack intelligence and also post mortem.

Obviously, we prefer to do the pre attack, but basically, so if you, you know, if you feel familiar with the MITRE ATT&CK framework and the cyber kill chain, you know, the different steps is what it actually takes to complete their objectives. And usually you, companies don't get alerted until I think it's like stage 3, stage 3 or stage 5 within the cyber attack framework or kill chain.

And with, you know, dark web intelligence, we're really trying to shift left of boom. So I usually have to reconnaissance phase. Threat actors are doing their research when they're exploring, when they're trying to find vulnerabilities, when they are selling different credentials, different types of access that they have.

Having all of that visibility is then, really can help stop the threat actors that they would have to start all over again from the beginning. Cutting it off right there and then and then also on the post mortem side. So if I consider response, let's say you were, you know, unfortunately you were hit with an attack.

Mary D'Angelo: Okay. Well, what was the genesis? How did this start? Was it credentials that were leaked? Were there any sort of indications of discussions that would be related to this? So things like that, that you could. You know, that you'd be able to investigate afterwards and to build a better, like more context understanding around how the attack happened.

Justin Beals: Yeah. I love that phrase left of boom. That's really a great turn of phrase. 

Mary D'Angelo: Yes. 

Justin Beals: That's good. Well, I've talked with a lot of guests and I think that especially when you're dealing with threat intelligence or intelligence broadly. There isn't a military aspect of the work, isn't

Mary D'Angelo: There? Yeah. 

Justin Beals: Yeah. 

Mary D'Angelo: Oh yeah. I noticed that too.

Mary D'Angelo: A lot. Most of my writing, I, I most, I think a lot of, I think it's 'cause a lot of the folks that come from their intelligence come from a military background and so they bring that with them. It's really interesting actually, and it's. It's very interesting. 

Justin Beals: Yeah. Um, so do you guys ever, is it strange to be behind enemy lines on some level, you know, you're operating in the spaces where the attack is perhaps being decided upon or what, what the, what the vectors of attack might be, or what the surface area to go after it's got to feel a little.

I just imagine the hairs on my skin standing up. I'm sitting in this space. Yeah. 

Mary D'Angelo: Yeah, it is a little scary in the sense that, because so you can set, so for, I set up different alerts within the platform to basically, you know, collecting the dark web threat charges into the platform. And so I set up alerts to see, you know, what, what initial access brokers are selling.

And it's crazy what initial access brokers are selling on there and how, and there's also a lot of insider threat as well. So people trying to poach. You know, employees from different organizations to give up some type of credential access that they have, um, but they have, you know, their TTPs and they all have their own.

It's very similar. It says it hasn't evolved too much in how they request for this information or how they're selling this information. So you can kind of. And that's where it helps us, right? So usually an initial access broker. Selling, let's say they're selling credentials. They won't, they know people are monitoring the dark web, so they're not going to name the company that they have credentials for, but they'll say the revenue size and the industry, and maybe the type of access they have to whether or not be RDP, you know, VPN, or maybe it's fully vulnerability. And then with that information, then that's how we could be that we can kind of narrow down, okay, who's the company they're targeting, but yeah, it's, it's insane.

There's, there's a lot, a lot of filtering out as well. Yeah. 

Justin Beals: Yeah. It's a lucrative business, right? That's why we see so much continued increase in activity around it. 

Mary D'Angelo: Yeah. Yeah, definitely. I think last year, I think the ransomware groups made in terms of payments around 1.1 billion ransomware payments, which is the highest ever, which is really scary though, because if you think about it, oftentimes when you're on the dark web, there's millions of different exploits that are being sold, or there's many credentials that are being sold.

Now that these ransomware groups have this large sum of money, bigger budget, how much more can they purchase, right? Like, how many more, how much more can they recruit? And so it is a very booming and very scary business. 

Justin Beals: When we think about the data being sold, one of the things that I think too often we think about these things in isolation, isolation.

But let's say I wanted to pull, I wanted to buy a record or a series of records that's very private information. I think that this leads to other hacks that are available, right? Social engineering type hacks, this, this type of private information gets me that. That ability, right? 

Mary D'Angelo: Oh, yeah, it's all it's all related.

So I think, it's like the MGM attack, the Scattered Spider, that is both related on is I think mostly phishing, but then some sort of credentials that might have been taken sold on the dark web that then they gained access into then to do the phishing attempt. So it's all in a line with each other. And that's how the market works though.

Mary D'Angelo: So there's no longer just someone doing, you know, you have ransomware as a service, you have initial access broker. And so you understand the market well, then you're able to really profit from it. 

Justin Beals: I think early as things like this were emerging, there was a lot of blaming of nation states is going after infrastructure, but it's turned into much more business.

I think lately than this idea that. You know, it's a funded nation state wanting to attack another nation state or the commercial interests of a nation state. 

Mary D'Angelo: Yeah, I do like to be very clear with the distinction between state sponsored nation state actors and criminal ransomware groups. Because they have very different goals, different agendas, and their tactics are different as well, because their resources are different. You know, nation state actors tend to have much larger budgets, better pool of people to recruit from, whereas, you know, your criminal, your average criminal ransomware group, you know, they're just going to do anything to get a quick buck.

So, whatever is easy, they would go after the low hanging fruit. That's not to say, though, that. A nation state actor, you know, is moonlighting and doing criminal ransomware groups, you know, at nighttime, like we're not, not quite sure how deep that relationship is, but I wouldn't say it's completely separate, but there is, I do want to acknowledge the difference between the two.

Justin Beals: Yeah. We saw the LockBit, for example, you know, it seems more like a commercial enterprise, but incredibly resilient. They were back quite quickly.

Mary D'Angelo: Yeah, that was, yeah, I don't want to talk about that too much, but yeah, it was, it was, an interesting series of events. 

Justin Beals: Yeah. One of the things that I think has compounded the, the growth of the dark web or its utilization has been cryptocurrency availability.

Do you agree like the ability to transfer funds has been critical to, I think the criminal element being successful? 

Mary D'Angelo: Oh, yeah. Undoubtedly. I think it's been really. Well, for the first part, it's decentralized, right? So authorities have a hard time freezing accounts or going after certain accounts. And so when you're dealing with threat actors, they're all about anonymity and privacy.

So that, that helps them. And just the more, the nature of it being global, right? You don't have to exchange any sort of, what is it? Currency rates. It's used all over the world. Um, and the barrier of entry is pretty low now, especially as the technology for crypto gets improved. It's easier for people to gain, get access into it and start using it.

So yeah, it's definitely, definitely amplified startup activity. 

Justin Beals: It's funny because I think with a, like an exposed ledger, like I think about things like Bitcoin and things like that, you'd think, Oh, there's a lot more traceability of the funds. Yeah. But everyone's so anonymous on the other end on either end of the payment receipt situation that just because you can see the fund transfer doesn't mean you can actually enact some law enforcement. Right?

Mary D'Angelo: Yeah, it's incredibly hard. It's really, really hard to enforce, especially layering that on top of. With, you know, threat actors using the anonymity around dark web. 

Justin Beals: What do you think about the future of the dark web itself? Where do you see the utilization of this technology going and how do we prepare for those changes?

Mary D'Angelo: Yeah, so I can see it's kind of in some ways it's kind of, it's good when law enforcement. You know, if, say, they take down a blockade, law enforcement will kind of say some of the reasons as to why they would take it down. Mostly it has to do with terrorist activity, with the threat actors. You know, maybe they left just to become some clear sign of who they were, right?

But these threat actors follow all that, you know, they're watching all of this. And so they're looking at the reports, they know they're being watched. And so it makes, then they change their tactics. And so it makes it more difficult to find them and as they're under, you know, more and more scrutiny, they're, they're getting really smarter of, you know, trying to evade law enforcement.

So, a lot of times you see a lot of push to Telegram as well. A lot of criminal activity happening within Telegram, just because of that, of course, that secure communication. But I guess, I mean, really just to be on top of it. It's just to really, I mean, my biggest thing is intelligence driven organization. Right. And I mean that as in not just from company to company, because that's important too, right? So if I am oil and gas, I want to make sure I'm sharing my Intel with other oil and gas sectors.

Because everyone is so siloed, now you just keep your intel to each other. But then also within the organization. So threat intelligence shouldn't be strictly with just cyber threat intelligence, the CTI team. It should be with, you know, the pentesters. It should be with incident response. It should be with the SOC folks.

Sharing that intel, because that's, that's how to make threat intelligence. Most effective, so I think sort of in how we could combat this with some of the changes that we're going to be seeing, especially as these groups become more profitable, more successful is really, really being on top of it and being very threat intelligence driven.

Justin Beals: Yeah, it's, I think it's really an emerging practice for cybersecurity professionals in a way. I mean, I think it's certainly been around for a little while, but it's been so hard to recover from attack that I do think more of the emphasis being put on your point, the pre attack work, you know, and the threat intelligence.

Are there communities that are forming in certain industries to share this type of intelligence? Is that movement being successful? 

Mary D'Angelo: Yes, I do see it. I do see it with certain sectors that they'll have Slack channels or sort of miniature conferences that they get together to share some of this. But I think it could definitely get better.

Mary D'Angelo: It's something that I'm 

Justin Beals: trying to 

Mary D'Angelo: hopefully help within the next four months or so. 

Justin Beals: Well, that's excellent. Well, when you think about threat intelligence as a practice, obviously, there are all different sizes of organizations, and we're seeing more, more organizations of maybe a sub 1000 employee be impacted by something like ransomware.

Where do you think threat intelligence kind of belongs in the maturity of an organization? Is it? More important when you're big enough to be, you know, a real target, you know, or are there things that smaller organizations can do to be aware earlier on? 

Mary D'Angelo: Yeah, that's that's a really good question because it's true.

Like, if I mean, if I was just looking through some of the initial access broker things, uh, so the credentials they were selling and most of the time, the revenue size was way less. Billing. You're really thinking like mid market. Also low as mentioned, they like to go after the low hanging fruit.

It's easiest, and so there's certainly a need for that market to have threat intelligence, right? Because it's important for them to be aware if someone has domain access control credentials being sold. You know, for your organization, you would, you would want to be aware of that, right? Or if someone in your organization is like insider risk or insider threat associated is giving up, you know, gets an ad from someone trying to request information about their organization.

That's important to know about. Because then at the same time, it's, it's, you know, security teams are already so strapped and it's so hard to manage. Everything that they have to do, you know, we talk about alert fatigue, is on top of all that. Managing threat intelligence as well. Because that does require, I mean, we kind of make it as, as automated as possible, right?

Mary D'Angelo: So that when you are receiving alerts, they are relevant, you know, timely, and they're actionable. But it does require work. And I think sophisticated teams have a much better understanding of it. Very much. They have folks who have done, you know, several threat intelligence, it's rather new and they've had, get, you know, they're able to recruit people that have been experienced in threat intelligence as opposed to, you know, if you're just, you know, Oh, you've done a SOC and now you're being pulled into tracking these different transfer groups, you know, um, indicators, it becomes difficult.

So there's definitely a need there. I think, I'm not sure if maybe that might need to be outsourced a little bit, you know, into MSPs to help them out. But certainly I think the, and I think that I think of hospitals in general, they really need this type of, this type of visibility. Thank you. 

Justin Beals: Yeah, those records, we had a customer at StrikeGraph that was in the health services space and they did an analysis of the value of their records.

And I think, you know, they weren't doing more than 10 million in revenue, but they, they're just their small record footprint that they had, which wasn't very big at all. They priced that about 70 million by looking on forums of the dark web for what the going rate for a record. Yeah, which really surprised them that they did not have an idea of how valuable that data was.

I think it's one of the first misconceptions, right, Mary? 

Mary D'Angelo: Yeah. 

Justin Beals: Yeah. 

Mary D'Angelo: Well, it's, it's super, it's super lucrative. So, I mean, that's the number, I think that's the most, the number two thing that's being sold, most profitable on the dark web is those types of data sets. 

Justin Beals: Yeah. Um, when you, when you think about threat intelligence broadly, I like the idea that you could work with a managed security services provider to help you, What is some of the things that a customer of Searchlight Cyber or anyone they're going to engage around threat intelligence, what do they need to know about themselves to have a really effective engagement with a team like yours?

Mary D'Angelo: Yeah, so it's, I think, so we do like monitoring, right? So we're trying to do, again, when it comes to pre attack, basically, so we, you know, we have an understanding of some of the, you know, the TTPs of CISRA actors, you know, their tactics, techniques, procedures. And so if they can just let us know, you know, their industry is really important for us, the name of the organizations, domains, email addresses.

We can track all of that, but then we're also looking, as I mentioned, from an industry wide, the same company, what their, how, you know, their competitors are within the space, their credentials are being sold, or they're being discussed in different forms. Because there's also different layers within the dark web as well.

So not, if one layer that's strictly for ransomware groups and threat actors, And you have to have a certain credentials authorization level to gain access into it. You know, we do have human intelligence team that can go undercover and gain access into these, some of these sites. So to pull that, so just because you have access to the dark web doesn't necessarily mean you have access to everything.

There's certainly a lot of, um, private groups that you would need to gain access into. Um, so basically from organization perspective, it's just understanding, you know, just having a broad understanding of their company. Maybe if they want to monitor their C levels, things like that. And you sort of like, usually just like industry and brand.

Justin Beals: Yeah. That's a great thing to bring up is there's a dark, dark web. Some of these spaces are, are invite only practically for that. You can even get into it. Right. 

Mary D'Angelo: Oh yeah. And that, and those are the places where you would want, or the most important highest priority. Because oftentimes, you know, I think, I was working with this organization once, and they were hacked.

And they were waiting for, they didn't pay the ransom, and they were waiting, just monitoring the archives, just waiting to see when their data would be, um, exposed. And I'm like, well, probably it's going to be a while, because at this point, your data is being sold in these different private groups, right?

It's being passed around these different private groups. And in fact, at that point that all of those deals have been done, then the leftovers, they would release it out to the public, but sometimes really after we've been attacked, it can take a couple months, maybe years until that data is actually, actually released to the dark web.

And you don't know at that point who else has had access to it as well. So that's, you know, that's, that's kind of, um, a little bit scary to think about, but yeah, it exists. 

Justin Beals: Yeah, I think it's, it's not zero, but it's a pretty infinitesimal sum to create a duplicate of the data and resell it again. 

Mary D'Angelo: Yeah, 

Justin Beals: even a lower amount, and I can see how there are higher profile markets that pressure data gets a higher dollar value.

And as you utilize those markets, you might move into other markets to sell the same set of data. 

Mary D'Angelo: Yeah, and you get a client, we were so excited because it's months since the, since the attack. And they were like, oh, my gosh, nothing's released yet. And I'm like, no, no, no. These criminal groups are not, they're not trying to be gracious here. They're trying to make as much money as they can with that personal, that information now before they leak it out to the public. So.

Justin Beals: Yeah. Is that true? And they have plenty of time. Once the data is exfiltrated, I was talking with a colleague about LastPass and we were talking about the time it took to essentially break into certain vaults and that because the data was exfiltrated, they can play with it for as long as they want.

Justin Beals: They're not on the clock.

Mary D'Angelo: Yeah.

Justin Beals: Well, Mary, all this stuff is a little dark, but I do think that perhaps we as security professionals can be more precise in our responses or what we're aware of by understanding what threat actors are doing. Right? I mean, broadly, I think from a, a building a better society, you're delivering intelligence that can help us be more aware or better prepared for an attack,

Mary D'Angelo: Right? And it is difficult because there are so many large ransomware groups out there, criminal ransomware groups out there, not to mention the state-sponsored. And so it, you know, it does require effort to know who these are, what their TTPs are, who they try to go after, you know, what industry, what sector they're looking after.

Mary D'Angelo: But if you're able to get that intelligence and sort of like, there's a little bit of over time to start, but once, once that's done with, then it can just be more of a monitoring phase. Then it becomes extremely useful. And that's when I'm like, okay. Now we need to share this and now that CTI has it, now we need to share it with the SOC team, the response team, whatever, leadership.

Justin Beals: Excellent. Well, I'm super grateful, Mary, for you joining us today. It's been a lot for me to learn. I'm really grateful for it. And thanks for coming on the podcast. 

Mary D'Angelo: Yeah. Thank you so much. It's so great being here.



About our guest

Mary D'Angelo, Cyber Threat Intelligence Solutions Lead, Filigran

Mary helps clients understand the threats that exist on the dark web and how to use that intelligence to bolster their cybersecurity programs. With a solid foundation from the University of Washington, where she earned her Bachelor's degree, Mary has rapidly ascended as a global leader at SearchLight Cyber. Her expertise, honed over six years, delves deep into understanding the nuances of dark web threat actors and their intelligence.

Mary's and her company’s insights and analyses have shed light on the shadowy aspects of cyber threats emanating from the dark web. Her work not only aids in neutralizing these threats but also contributes significantly to the broader understanding of cyber security dynamics.

Additionally, Mary’s passion is volunteering; she uses her talents to help nonprofit organizations. She was a mentor for Big Brothers and Big Sisters. Recently, she has devoted her time to a nonprofit called The Innocent Lives Foundation, which uses Dark Web Threat Intelligence to help law enforcement stop child traffickers.
