Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an Analyst and Advisor with KuppingerCole Analysts. Today, my guest again is Alexei Balaganski. And always when he joins me, we have really interesting and really topical topics to talk about. And that's really something that's true for today as well. We want to talk about cyber threat intelligence. We want to talk about attack surface management. And we want to talk a tiny bit about the darknet, the deep net, the deep web, and how that can contribute to strengthening your cybersecurity posture. But first of all, welcome Alexei, good to see you.
Hello, Matthias. Thanks for having me again. And yeah, let's get into another philosophical discussion.
Right, but not that philosophical. First of all, why are we covering that topic right now? You did some research on that topic, right?
Well, cyber threat intelligence is indeed definitely not a new topic by any means. I mean it has existed for decades, perhaps. But what I have observed in my recent market research is that it is evolving, just like every other field within cybersecurity is becoming sophisticated to address the new scales, the new challenges, the AIs, the multi-clouds, whatever, all the recent trends in cybersecurity. Threat intelligence is also evolving and in a very interesting way, which I believe deserves a separate discussion.
Right. So first, for the basics, to lay the baseline: we have been moving away for a long time already from this traditional castle-and-moat, on-premises, "my home is my castle" cybersecurity approach. We are getting much more towards real-time threat detection and response, and cyber threat intelligence is part of that. But in general, what has changed in recent times? You've mentioned AI. We've talked about the threats that AI poses when it comes to attackers getting more agile, faster, with much more volume. But what key factors have contributed to making cybersecurity different from how it has been, say, two years ago?
Well, in fact, I would even suggest let's start not two years ago, but like 20 or even 20-something years ago, because it's really fascinating to see how the whole history of cybersecurity, just like the history of mankind, if you will, evolves in a spiral. There is a long-existing theory of real-world history that everything evolves in a spiral. Things keep repeating, but under new challenges and new modern issues. They are at the same time the same but different, if you will. So yes, we all started back in the 80s or 90s with this castle-and-moat approach, where basically the only goal of cybersecurity was to never let the malicious outsider into our castle. It worked for some time, but as the internet appeared, as we had cloud services and mobile networks, we just found out that our castles have too many gates and openings to exchange data, to communicate with our digital customers and partners, whatnot. So the moat disappeared, the castle wall was eroded and basically almost removed, the firewalls stopped being even sensible, and we have reached this kind of new era of cybersecurity where everyone says, well, we cannot prevent threats anymore. But at least we should be able to detect them quickly enough. So if something bad happens in our no longer safe and secure environment, because there is no wall anymore, at least we have to be able to identify those threats immediately. So we had all those SIEMs and SOARs and SOCs, the security operations centers of this world, looking for something bad happening and alerting your security team to basically investigate and eradicate the threat as quickly as possible. And of course, this is when cyber threat intelligence emerged as a discipline, because, well, cyber threat intelligence is the same as signals intelligence in the real world. You have to know what's going on in the world outside of your castle, outside of your country even.
This is what the spies, the intelligence agencies, have been doing for centuries, and this is what cybersecurity vendors are doing now. They observe the entire digital world, they look for known bad actors doing something new, they look for signs of some unknown but malicious activity happening. And they basically collect and analyze that information, and they sell it to various kinds of customers. Because when you are looking for a threat within your environment, it helps a lot to know what other similar threats are happening around you. Or just to know: this particular IP address is associated with a known North Korean advanced persistent threat group. So if you are looking for this particular IP address in your logs, you're just basically saving time. You know what to look for and can identify the potential activities of that group, for example. And this is basically what threat intelligence vendors have been doing ever since. It's kind of a dirty job, because they have to dig through tons of mud and other unsavory things in the deep belly of the darknet, as they call it. But in the end, they're producing valuable intelligence, the signals for us to act upon and to look for threats.
But in general, the perspective has changed. I like the transition, when I tell the story, from reactive to detective to proactive. So we are really trying to even predict what might happen. And that is what you've mentioned. If we know what happens next door in a similar company, we might want to already prepare for this. So it's really a different kind of notion of how to address these threats. So it's really, yeah, being prepared and not just waiting for things to happen.
Well, this is where we are coming to the next revolution, the next kind of radical change in cybersecurity that's happened fairly recently and that's actually still going on as we observe it. So yes, first we evolved from passive protection towards detection and mitigation of threats. But what we realized pretty soon is that there are just so many bad things happening that just detecting them all leaves us very little time to actually do something meaningful. If your SOC generates thousands of alerts every day, no matter how large your security team is, you just won't have any time to respond to all those alerts. And this is where, by the way, the AI, first machine learning and then generative AI, came into play. They have kind of prolonged the active life of all those detection solutions, because they helped those tools to be more relevant, to be more efficient. Instead of basically alerting you on every occurrence of a bad IP address in your logs, a machine learning model would basically look for anomalies and outliers and would only alert you if that IP address is actually doing something suspicious. That was kind of one stepping stone in that evolution. Then of course now we have generative AI, which brings a lot of its own risks, worth discussing in a separate episode, but it also helped a lot to basically help you to know how to respond to those threats. So instead of running around screaming and looking for your long-forgotten incident response plan, you can just ask an AI assistant a question, and it will immediately tell you what to do next. Awesome. Great. Unfortunately, I mean, the complexity of the world is still growing. We are now having multiple cloud environments. We have multiple machine learning workloads running in our environments as well. We have tons of SaaS applications and partnerships and APIs and whatnot. The whole software supply chain risks to deal with.
So basically we are still drowning in this noise, in this security swarm of alerts. And finally, part of history is repeating itself. Now we are trying to look back and say, hey, protection failed, detection is failing. What do we do now? Maybe we try to go back to proactive protection, but on a different level. So instead of trying to build a wall, let's observe our entire digital footprint, our entire infrastructure, which is of course spread across multiple environments, and it's impossible to surround it with a wall anymore. Let's at least position some sensors carefully, which would monitor all the directions, the attack vectors, which are relevant, which are dangerous, which we know will be attacked with the highest priority and the highest probability by the potential threat actors. And let's focus on those, and let's try to make those areas more proactively safe. This is what is now called attack surface management. So we all know that our proverbial Dutch dam has too many holes. Thousands, tens of thousands, but not all are actually dangerous. Some just never leak because there is no water behind them. But some are huge and they are known, and dangerous people are already targeting those holes. And we need someone's help to find those holes, to identify them, and then to monitor them as carefully as possible. And again, this is where cyber threat intelligence comes to our rescue again. They are observing the behavior of all those malicious actors, so they know the way of their thinking. They can even anticipate the next move by observing their daily activities. For example, we know that if someone steals your password, they will probably bring it to those darknet marketplaces to sell to the highest bidder. So if someone is actually monitoring those marketplaces, they can identify that it's actually a password stolen from your company which has been sold now.
And if they tell you quickly enough, you would be able to disable that stolen account before it's actually abused by someone. Just one tiny example of how you can actually benefit from this kind of modern, next-generation threat intelligence. So it's no longer just identifying random bad things. It's first of all identifying things which are bad for you specifically, for your company, for your industry, for your geography, if you will, basically for you. And second, it's actually making sense of those bad things in advance. So they don't just tell you, you have to watch for this specific IP. They just say, hey, you know what, someone has stolen your account belonging to one Matthias Reinwarth? You have to disable it immediately. It's a totally different level of customer service, if you will. So it's still CTI, still threat intelligence. But it's threat intelligence with a lot more business context, a lot more user-friendliness. Again, it's specifically for what you are looking for, to stay proactively protected. So that, I believe, is the fundamental difference between the quote-unquote old-school threat intelligence vendors, which were only peddling thousands, if not millions, of threat signals. Now they're actually turning those signals into valuable products.
And everything that you described, or if we want to focus on the learnings for today, for me it's two terms, two three-letter acronyms: it's ASM, Attack Surface Management, that's the overall concept that you described just before that. And CTI, Cyber Threat Intelligence, as one component providing the intelligence, the input, the constant stream of information, proactive information that can be leveraged by organizations subscribing to this service. So we have ASM, we have CTI, and of course I hinted at that at the beginning, and I don't want to be too alarmist or anything more drastic, but we should at least briefly mention the term dark web or deep web. You've mentioned already these marketplaces where illegal information, exactly, you've mentioned that usernames, passwords or other credentials are available. This is part of the game. But if we want to have a preliminary definition, what would that look like for the dark web, for the deep web, apart from the shady stuff when it comes to, I don't know, pictures you don't want to see? But if you get to the dark web as a source of information, what's around there? What do we think is worth looking at?
Well, first of all, we have to differentiate between all those deep webs and dark webs and whatnot, because people use these terms interchangeably, but they're actually slightly different. One is basically just the part of the World Wide Web, of the entire internet, you usually don't have access to. For example, the website we are currently using for recording our podcast. I mean, it's not public, right? So it's kind of deep web, if you will. But it's not darknet in the sense that you can still access it through a web browser. You just have to log in somewhere on the website. Darknet proper is basically an overlay, a hidden overlay on top of the existing internet, where you would need to install special tools to just even connect to it. And this is where all the shady people congregate, because this is basically like the black market of the internet. You have to have special skills and tools at your disposal to just get access to it. And of course you have to know where to go and whom to ask about what and stuff like that. It is pretty sophisticated and sometimes maybe even dangerous, and at all times a dirty job to dig through all this. This is why I would never do it myself. I would rather happily delegate it to a professional. Some kind of a private detective, if you will, of the digital world, who knows people, who knows stuff, and more importantly, who knows how to find the most important things for me as quickly as possible.
So I think that is one important learning: this is nothing you should try at home. This is really something to be consumed as a service, but also the integration of this information into your overall cybersecurity processes is something that is already baked into these services, that you really don't want to create by yourself. And of course, we are no lawyers, neither Alexei nor me, and this is always something that comes with some legal caveats when it comes to just looking for information that might be interesting. I think this is nothing that anybody wants to do by herself or himself. Nevertheless, there is interesting information. You've mentioned these marketplaces when it comes to leaked data that is sold or just made public because of bragging about it, that you made it. What else is there that is valuable for improving your cybersecurity posture, for including in the CTI?
Well, again, improving your cybersecurity posture is a very vague kind of term. This is definitely something you have to do. Of course, you have to do it daily. But there are so many different ways of doing it. You can start from the very primitive interactions with the world of CTI, by basically subscribing to an automated feed of those indicators of compromise. And every time you know that there is a new whatever botnet group or command-and-control server popping up somewhere on the darknet, or anything else, basically any kind of artifact, a domain name, an IP address, a username, anything which is now known malicious, it would help your existing SOC, your existing security operations, to identify those things if they start popping up in your internal logs. This is like the foundation. This is what we have been doing for decades already, with different rates of success. But this is not something which is kind of interesting to discuss nowadays. What all those CTI vendors, or at least some of the most interesting ones, have been doing more recently is, again, kind of combining the traditional approach, the known bad stuff, with using AI and machine learning to look for patterns and trends and outliers and identifiable techniques in those fields. And also, of course, applying human intelligence, the actual people going down there and doing the actual human-to-human interactions and stuff like that, in addition to scrubbing all those forums. Basically, they're combining as much effort, human and automated, as possible to create enriched digital products tailored for you specifically. So you could just say, hey, these are my most important artifacts. This is my domain name, and this is the list of my employees, and these are the keywords from our intellectual property, like our product names and stuff like that. Any time someone mentions them, please let me know and tell me what's going on. And they will tell you, okay, you know what?
It looks like someone is selling a list of stolen credentials which mentions the name of your employee. And it looks like it's a CFO. And it looks like whatever, his photos have been stolen as well. It can go deeper and deeper, because you never know what you'll find on the darknet. The point is, you don't have to do it yourself. They will go there as deep as possible, dig out all the dirt, and convert it into a sensible and actionable report: what do you have to do now, immediately, to stop an incoming breach? Even better if they can integrate with your existing infrastructure to do it for you. For example, disable that user account in your Active Directory immediately to stop a ransomware attack. This is all basically marrying all those previously unrelated things, CTI, attack surface management, security automation, into a single intelligent, if you will, and automated solution which will do all the job for you, which is kind of cool.
Exactly. And you've mentioned in the beginning that history evolves in circles or in a spiral. And I think that is something that is quite similar to what we've seen when we moved from traditional SIEMs to SOAR or to next-generation SIEMs when it comes to filtering out the noise and identifying the signal. This is the same thing in my opinion, or at least from what I understand as you described it. We are looking at the signals, but we are not looking at the signals individually. We are trying, or the AI or the analysts are trying, to identify patterns and provide this as a service. So it's not only information, but adding the additional layer of, here we go, intelligence.
It's not just that in a traditional approach, in traditional thinking, you have to do everything yourself, which on its own is a huge waste of time and effort. The problem is basically you are limited to your own signals. And sure, you can subscribe to all those threat feeds, but that's not enough, because those feeds only include the artifacts, but they do not include trends, changes, evolutions, prognoses, whatever. They would only tell you, yeah, this thing is bad. But when you actually delegate this analysis to a much bigger database, a vendor that is running a database which actually incorporates those signals from thousands, if not tens of thousands, of companies like yours, this is when quantity transforms into quality, because only at that huge scale, and only being able to combine and cross-reference all those sources, do you get a completely different level of understanding of the processes, the evolutions in the entire digital underground, if you will. Because you can try to do it on your own, but it's extremely difficult, it's extremely inefficient, and you would never have access to the amount of data needed to make those decisions quickly. So I would say, just like you probably wouldn't want to generate your own electricity or water, you should probably delegate cyber threat intelligence to a utility company, if you will, which is just much better suited to do it at a much larger scale.
Exactly. That's a great summary and I want to leave it with that. So we're really looking at a new type of offering that organizations can subscribe to and integrate, and this is really something worth looking at when it comes to cybersecurity trends. And I've learned a lot from you today, Alexei, so it's really an interesting area that demands more research. You're working on that. It's part of the topics that you're covering. There is some research out there already. So please head over to kuppingercole.com and type in CTI. I think that should lead you to the right documents already. If there are any questions, as usual, please leave them in the comments section on YouTube or drop us a mail; wherever you are, we are easy to find, Alexei and me. If you want to have a deeper look at that topic, we will surely catch up on this again in an upcoming episode and get more into detail based on your questions. Just let us know. Any final words, Alexei, before we close down?
Well, again, I can only say do not try to reinvent the wheel. Just like you should not run your own cryptography, don't run your own threat intelligence. Leave it to people who know better. It will definitely save your time and your resources and even your digital business livelihood, if you will, because if everything depends on you being able to respond to a ransomware attack before it happens, as opposed to after, well, you should do that. Stay safe and let experts make sure that it stays that way in the future.
Right, and we've just touched upon the cybersecurity aspects. We did not even really mention the legal aspects of doing this research, of adding this information into the overall stream. These are professionals that do this for you, so you don't have to. Subscribe to such a service, and you're much better off than doing it yourself. Again, thank you very much, Alexei, for being my guest today. That was really interesting, and I hope everybody who's watched us until now knows CTI, ASM, the dark web, and a proper way of dealing with these broad attack vectors that we are seeing much better. That is what you really should have learned about that. Thanks again. Looking forward to having you soon again. It's always a pleasure to have you. Thanks, Alexei.
Thank you, Matthias, and goodbye.