Threat Intelligence Is the Centerfold

January 13, 2020 • Monica Todros

Our guest this week is Steven Atnip. He’s a senior advisor for Verizon’s threat research advisory center and the dark web hunting team.

Steven shares his early career experience in the U.S. Navy and explains why he believes the military provides unique opportunities for people looking to launch their careers. We’ll hear his views on the importance of company culture, being a lifelong learner, how to step up to challenges of an organization running at scale, as well as his insights on security and threat intelligence.

We caught up with Steven Atnip at Recorded Future’s RFUN: Predict 2019 conference in Washington, D.C.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 141 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Our guest this week is Steven Atnip. He’s a senior advisor for Verizon’s threat research advisory center and the dark web hunting team.

Steven shares his early career experience in the U.S. Navy and explains why he believes the military provides unique opportunities for people looking to launch their careers. We’ll hear his views on the importance of company culture, being a lifelong learner, how to step up to challenges of an organization running at scale, as well as his insights on security and threat intelligence.

We caught up with Steven Atnip at Recorded Future’s RFUN: Predict 2019 conference in Washington, D.C. Stay with us.

Steven Atnip:

Well, what sparked my interest in this, it starts all the way back in high school. I graduated early from high school and then graduated from college. It was an associate’s degree, but it was something to hold onto, and just wasn’t finding exactly what I was looking for, so I joined the military. I did well enough on the ASVAB, and they asked me what do you want to do with your career and I said, “Nuke, nuke, I want to do nuke, because that’s where the money’s at.” And they go, “Well, tell us about yourself.”

It was one of the first times that one of the military branches said, “Well, tell me about you. What do you want to do.” I said, “Well, I’m a decent public speaker and I’m a problem solver. So there’s no problem … It might not be a great answer, but I can get you the answer.” And they said, “What about intelligence specialist?” And I had no idea what that was. I would love to go find that man who recommended it. I became a Navy Intelligence Specialist and I left because I was sick of school and then the Navy put me in school for a year.

Dave Bittner:

Of course.

Steven Atnip:

Yes. So I became an Operational Intelligence Analyst, which is your all source, just your all-around general intel analyst. I later became certified as a Geospatial Analyst. But the biggest thing I can say to anyone listening to your podcast who wants to get into this career, first of all, if you’re 18 years old and you’re listening to this podcast, you are way ahead of the curve. But even an 18 to 34 year old person, if you’re looking at getting into the intelligence community in general, especially the cyber intelligence community, I would say that one of the biggest launching points, at least looking around our team, is military intelligence. I think 100 percent of the Verizon dark web hunting team had prior military intelligence careers, most of which then launched into agency careers.

But going back to myself, I went through intel school, came back home, I actually signed as a reservist, one of the big things on our first day at the command, and I really took this to heart, the Command Master Chief said, “It doesn’t matter if you do one tour, whether you’re active or reserve, you signed a four year, six year, eight year contract, if you don’t leave this military or this Navy with a degree, this was a waste of your time.” I really took that to heart, so I started going back to college and went while I was a reservist. I was taking orders everywhere I could go, Office of Naval Intelligence, National Geospatial-Intelligence Agency, and then over to Africa for about a year, east Africa.

And all throughout the time taking college courses and got my bachelor’s in Intelligence Collection. I would highly recommend, if you’re wanting the intelligence field, going directly for it or for a degree that’s related to that. But, by contrast, some of the best officers I met, one of the most brilliant officers I’ve ever met, had a degree in Geology. It’s something that is very essential and think of it as a symptom of an imperfect system. Get your degree in something. No matter what it is, if you’re wanting to get into the intelligence field, it’s definitely going to help you out in getting the job. Then you can prove yourself once you’re on the job.

Dave Bittner:

Now, what are some of the things that the military brings to the equation? What are some of the things that they offer that give you that leg up?

Steven Atnip:

I love the Navy. I have a leaning towards that. So let’s say you’re a young kid and what is the military going to give you that the private sector isn’t? Well, if you’re 18 years old, they’re going to trust you with more, they’re going to give you more responsibility than any other place in the private sector. You’re 18 years old, you’re 19 years old, you might be 25 years old, if you’re an Intelligence Specialist, a Cryptologic Technician Networking (CTN), Cryptologic Technician Interpreter (CTI), well you’re going to get a TS/SCI. So now you have your clearance, you’ve got formalized military training and intelligence, which, in the Navy is very robust. All the branches have their own specialties, the Navy does a good job all around. It’s very well rounded intel training.

So you’re going to get the training, you’re going to be paid, and they’ll pay you more as an 18 year old than anyone else will. But it gives you a home and it gives you structure. And that is, what I would say, is one of the simplest launching platforms, where you can go from a high school graduate one day to a year later you have a TS/SCI, you have active orders, or even if you’re a reservist, you can beg, borrow, and find orders. It’s the greatest launching stone. It’s also, joining the military, it’s one of the biggest alleviators of poverty. I grew up in a very small town where the saying was, “You could get a minimum wage job or you could get two.” So this was a great way out.

Then, say you’re 23 years old, you’ve done a couple of tours, you’ve done orders overseas, and to stay in the game, you’ve really got three options. You can re-up in the military and continue your military career, you can go into the government sector, work for the three letter agencies, or you can go private sector. From our team, the dark web hunting team and Verizon threat research advisory center, a majority of the people on our team have had full military careers. We’ve got enlisted officers, warrant officers, a blend of every single branch, and they have 25 years doing cyber intelligence for the Army. Then, after that, 15 years in the NSA or the ATF, a lot of DIA, DEA, and then other three letter agencies.

I’m actually the baby on the team, compared to these guys, where you take a dozen guys from our team or even 10 guys from our team and collectively, you have 200 years of experience, where these guys have been doing this since long before I was born. So, it is a great launching platform. I went directly from the military over to the private sector. I spent a few years working doing cyber intelligence within the financial industry and that really is something that we can bring up later. During that position, we were trying to organically create our own self-sufficient cyber intelligence team from within. And we can talk about that later, should you buy it or should you grow it internally?

But, after three years, I was looking for a new home and then found Verizon. And this is something, too, about the intelligence community, you can almost compare it to stock trading. It is hyper competitive. You’re dealing with people who have, especially, we’ve been at war for about 18 years, and then we’ve also got guys on our team who were in Desert Storm. So you have people with massive amounts of credentials. Obviously, they have higher than average IQs. There’s an experience, and intellect, and a drive.

So to give you an example, when I was looking for a new home out of the financial industry, and actually ended up in Verizon, I dropped 350 applications. This is something, you need to be determined and not be deterred. So looking for a new home, I dropped 350 applications. Of that, I got about 60 calls for interviews. And this was ranging from cyber intelligence to counter IED analytics, back to being a piracy analyst, which was my bread and butter for the Navy. Of that, I got about 45 second interviews, 20 third interviews, and ended up finally with eight offers.

And what really drew me to Verizon, compared to the other places, was I wasn’t interviewed by managers, I was interviewed by the actual analysts on the team. It was very interesting, because everywhere else it was the management team would come in and interview me. At Verizon, and this is structured for everybody, but it was my actual coworkers now just blasting me for three hour interviews asking every question in the book, scenario-based, sometimes it’s a no win factor. I guess they gave me the thumbs up, because Verizon was one of the places that offered me a job and I jumped on it. That was about 20 months ago and Verizon’s definitely been the highlight of my career.

Dave Bittner:

And that’s interesting to me that … Because what it sounds like is that as you were weighing the different opportunities that you had, that culture was an important part of it for you?

Steven Atnip:

It was, as far as Verizon, it was the way it was explained to me is, it’s going to be a very dynamic environment, it’s going to be very fast-paced. We’re going to be protecting a lot of different companies and every day is something different. They may have similar problems, but you’re dealing across industries, across problems. Some days they’re going to be very simple, you’re going to be aiding incident response, other days, it’s going to be, we’re doing surface deep and dark web research on APTs and this is a project that is going to take months in order to culminate into the possibility of a prosecution package someday, where we can actually put somebody, as opposed to just going after the code, we need to find that somebody who’s creating it and either issue a travel advisory, if they’re in a country that’s noncompliant with the United States.

It was a lot more kinetic than other places. Where it sounded like, we are actually going to take the fight to different people, as opposed to just reacting, doing incident response. When something bad happens, we will react to it and write up a nice report. This was, we’re going to take a proactive approach, we’re going to be educating other companies. And, as opposed to, before where I would just protect. When I was in the financial industry, you just protect your company. This is dark web as a service and it is threat intelligence as a service. It was robust enough that it sounded interesting, and it made me uncomfortable. Where, if it’s making you uncomfortable, it might not be worth your time. To where, are you going to have to step up to the job or are you going to settle into a position. And I can definitely say, through Verizon, there’s no settling. It’s been continuously progressing.

Dave Bittner:

Well I have to wonder, too, I mean, when your first stop along the way is the military and that is an organization that has scale, and then you move to the financial industry, still big, but my perception of Verizon, certainly, another organization that has scale. How much of your experience with being able to wrap your head around challenges at scale, of scale, how much of that, what you learned in the military, has served you well with an organization like Verizon, another organization that deals with problems of great scale?

Steven Atnip:

What I would say, it’s almost not answering your question, but it’s how did I get to where I was worthy of working for Verizon? Or how did I take this … One of the biggest things is, as far as advice that I would give to my younger self, or to anybody who’s interested in this, is to consume everything. It’s one thing that I do whenever I apply for jobs, that I send the book list. I started keeping track of the different books that I’ve read and I started tracking it in 2015, minus all the fluff books like Game of Thrones, you know what I mean. It’s books relevant to the security field, whether it’s intelligence, threat intelligence, even some fiction.

I can definitely say, if you’re wanting to get started in this field or if you’re wanting to advance yourself in the field, you’re not a sponge, you don’t just sit there and absorb by osmosis what is around you. You are a vacuum with an endless bag. Start with the big names, Bruce Schneier, Brian Krebs’ books. Again, Bruce Schneier. But even moving into anything security-minded, it’s not just about reading C++ manuals. You’re doing threat intelligence, which means you’re dealing with people. So you need to start reading things. Go back to the older books. Gustave Le Bon or Viktor Frankl or even going into Gavin de Becker’s books, I found them very enlightening. Or Greg Schaffer, he published a book in 2019, which is a security mindset. It’s consuming absolutely everything you can get, all the way to going to fiction, Cory Doctorow’s books, I think it was called Little Brother, anything that’s getting you more of a security mindset. Consume absolutely everything that you possibly can.

I keep a tally on the books. Right now it’s … I forget pre-2015, because the first book I started with, one of my managers handed me the book @War and it’s the at symbol war. And he said, “Read it over the weekend.” And this was like my first week of work. He says, “Read it over the weekend and we’re going to have a deep discussion on Monday.”

Dave Bittner:

There will be a quiz.

Steven Atnip:

Yes. And I was addicted from the start. In fact, one of the books that I read every single year, I make it a point to, my wife actually she’s not in the security community, it was Data and Goliath by Bruce Schneier. These books become addictive to you as far as security mindset. They do lead into intelligence. But any books on big data aggregation, it doesn’t have to be boring manuals. I’m not a coder, but what I do have is a security mindset. That was probably there pre-military, who knows, but it was fostered through military intelligence and the training that I received and the commands I served under. But the hunger really came post-military, once in the private sector because the competition was even bigger. There was someone with more experience ready to take your job in a moment’s notice, you need to stay competitive.

Whenever I turn in a resume, I turn in my book list, which is about 283 books, and I say this is from 2015 to 2019, this isn’t my lifetime. You should be consuming, if you have a drive … I’m on a budget, I’m sure a lot of your listeners are on a budget, it doesn’t have to be Audible. Your local library has apps where you can get free books, but start consuming relevant topics, whether you’re learning about people or you’re learning about everything from sociology to technology to psychology. Grab everything you can get your hands on, but there have been many times when a quote or something from a book that I’ve read five years ago, that dealt with like Le Bon’s The Crowd, is relevant today. And I actually put it into a threat intelligence report where there are demonstrations or there are riots or where a crowd gets out of control, in order to protect a client, you’re using this information that you stored up. You’re putting it away in your tool box.

Dave Bittner:

Let’s dig in and talk some about threat intelligence specifically. I mean, how do you define it? For folks who may not have a clear understanding of it, what is it and what it is not to you?

Steven Atnip:

Security intelligence or threat intelligence, it’s the refinement of information. This is an answer that you’re probably going to get from a lot of people, you’re refining data from raw data, which is absolutely everything around you. It’s disorganized, once it becomes organized, then it becomes information. But then once it goes through a refinement process and you weed out all the information that is not relevant, that doesn’t support what you’re moving towards. What security intelligence is, is you’re looking at trends and figures and you’re trying to put everything together, hopefully, prior to a bad thing happening.

Especially threat intelligence, we have to look at a company the same way a threat actor would. You can only guard your castle so long before you need to send somebody out to look at it as an outsider and say, “Well, how would I attack this?” And, “What would be the most efficient way to get inside?” Once you see it from a different viewpoint, especially threat intelligence, because a lot of companies already have robust perimeter security, network security, a lot of them are working on getting better incident response. But the problem is, the enemies are already inside your walls, they are already trying to attack you. I mean it’s rule number-

Dave Bittner:

So somebody’s already tunneled under your moat?

Steven Atnip:

Yes. It’s rule number one, especially on the internet, if you have something of value, someone wants to take it from you. So whether you’re a small company, and we’ve seen that recently with Magecart, where they just sporadically sprayed a few hundred thousand or a few million websites. A lot of these were small and medium businesses that weren’t even really bringing … These weren’t major companies, but it was a smash and grab of anything we can get in order to commit financial fraud. So the enemies are already at your gates. You need to learn, how would you attack it? You need a pack of wolves in order to see how to get to the sheep.

Dave Bittner:

It seems to me like also a component of it is as much knowing what they’re out there trying to get from you or the methods that they’re using, is knowing what they’re not doing, knowing that they’re coming to the back of my castle not the front to use an imperfect metaphor. Knowing that nothing’s going on is, for sure, is intelligence, as well.

Steven Atnip:

And also recognizing, and a lot of people outside of the security world don’t … They almost take offense to it whenever I say it, but whether it’s financially motivated fraudsters or APTs, they have a business model. They have to expend resources, they have to spend time, money, effort, they have to put intelligence into this, whether it’s a gas skimmer, someone in the physical world putting a skimming device at a gas pump or it’s somebody trying to do a point of sale attack, they have a business model. So in security, and this goes to what Bruce Schneier, his words really rang with me, is make yourself not the lowest hanging fruit. You want to raise their costs.

It’s no different than a deadbolt, you have a door, and if you didn’t have a door, anybody can come in, so you put a door in. Well, if you want to spend a little bit of extra money, now you put a deadbolt in. Well now the thief not only has to pick your lock, he has to pick your deadbolt. Well, what if you want to put a chain across the door? Well, now he’s either going to have to kick your door in and make a lot of noise. Threat intelligence, in a lot of ways, or if you have a robust security, it’s almost like an ADT sticker outside your window that says, “Just move onto the next house. There are other vulnerable houses, it is not worth your time to attack me.” Posturing would be the wrong word for it, but it is making yourself a hard enough target that it’s not worth their time to come after you.

Dave Bittner:

Let’s dig in, I want to touch on something you mentioned a little earlier in our conversation, which is this notion of whether companies should buy threat intelligence or create it within their own organizations. What are your thoughts there?

Steven Atnip:

Now, full disclaimer, my company sells threat intelligence to thousands of companies all around the world. So my answer to this is, both. And let’s look at, first of all, let’s look at growing organic intelligence teams within your own company. A lot of companies say they want to get to that capacity, and they should. But a lot of the time it just means, overtaxing your network security team or giving unreal expectations to what you already have. So I’ve worked with companies trying to form a self-reliant cyber intelligence team from the bottom-up approach. Skip to the end of the story, it didn’t go well, but let’s go through it.

After five years the stars didn’t stay in alignment. First, you have to have a plan for what mission you’re going to accomplish, after that you have to get the tools needed to complete the task and show the benefit to your company. If your leadership isn’t completely on board, both mentally and financially, it’s just not going to work. So you have to recruit intelligence professionals willing to start from stage one, start pulling more from your startup budget to get proper tools. Find the right blend of researchers and report writers. The important part being the ability to give consumable intelligence on the strategic level so that the C-level management can then use that information. You have to show value very quickly.

You have to recruit these people, you have to find the right tools for it, you have to set up what mission they’re wanting to accomplish, and it takes a long time to turn a big ship. So whether you’re a small or medium company. If you’re not in the Forbes 25, I would say, it is very difficult and it will take time and a lot of resources building your own cyber intelligence team. Now it can be done and it should. But, on the flip side, there’s a reason that your company, any company, doesn’t make their own urinal cakes, they don’t make their own toilet paper. There are professionals who handle this for you, like Cintas. I think I’m pronouncing it right, it’s Cintas?

Dave Bittner:

Your guess is as good as mine.

Steven Atnip:

Okay. I see the truck and I see the labels. But, I’ll give you an example, I didn’t go to medical school so that in the hopes of if my daughter falls off the jungle gym I can fix her broken arm. There are professionals who take care of this for us. So when it comes to buying threat intelligence, what I can definitely say is there’s no shame in it. On the flip side, thinking of buying intelligence for the same reason as … It’s like a co-op. My wife is very big into co-ops, so would you rather buy a bus ticket to get from A to B or would you like to buy a bus, but you don’t have a driver and you also just purchased a bus, and you don’t know where you’re going with it?

With Verizon, think of us as a co-op, we have recruited the best people. We have bought some of the big expensive tools that actually work, not the fancy tools, the ones that actually produce results. And we’re able to give, on an industry-, on a company-level, on an incident response level, supplying proactive intelligence. We specialize, we eat, breathe, and sleep threat intelligence. So for the price of, and I don’t know the prices for these things, but for the price of recruiting two intelligence specialists, willing to start your own cyber intelligence team, and they’re not going to be producing from day one, it’s going to take years to cultivate exactly what your company needs. Verizon is a plug and play, you give us exactly what you’re looking for, and we will find a way to meet that demand.

Dave Bittner:

I’ve heard folks say that it’s a good idea, for many organizations, it’s a good idea to have threat intelligence from more than one source. So what you’re describing makes me wonder that if I’m thinking of spinning up my own internal team, is it in my best interest to simultaneously engage with an outside supplier so that I’m watching what they do as I spin up my own team-

Steven Atnip:

That’s exactly, that’s the next stage I was going to.

Dave Bittner:

Ah, okay. Well take us there.

Steven Atnip:

Now we don’t want to … If you enjoy Verizon’s services and they’re doing the job for what you find is fair, as far as financially versus the return on investment of what’s being supplied, and Verizon is the biggest, as far as Verizon, incident response and the threat research advisory center, they handle the most numbers — and that doesn’t matter — but the quality that goes into every single report, like we have to know for every company and every industry that we’re working with and each of our analysts are assigned, who’s the CEO, who sits on their board, what’s their stock price, why is their stock price this way? We have to know their company as well as they do and also the threats they are facing.

But you should be developing your own internal, either internal version of threat intelligence or you should be working towards internally producing exactly what you’re getting from Verizon. Now it’s probably going to take years in order to get to that level, because you’re going to have to have a lot of designated resources. But, I do believe that Verizon is not, it’s not the only answer, you should be cultivating your own threat intelligence. You’re training next to a pro so that someday you can take over and do your own intelligence. Now, while that sounds like I’m trying to sell myself out of a job, I do believe that companies work most efficiently with threat intelligence when they have their own threat intelligence component and they are also receiving aid from a company that specializes in it.

So that’s why I say both. Because starting it internally, you need to have, from the top to the bottom you will never make it work from bottom up where you’re trying to encourage management that we need to start threat intelligence and then they say, the first answer is no, the second answer is, what’s in it for us? And the fourth answer is, well, as long as we don’t look for a problem, we probably don’t have a problem. But-

Dave Bittner:

The head in the sand approach?

Steven Atnip:

Yes. And I’ve worked with companies where that was the agenda, if we don’t look in that dark corner where we know there’s a bad guy, does he really exist?

Dave Bittner:

Let’s talk a little bit about looking towards the future and the horizon. I mean, what do you see the future of threat intelligence being? What directions are we headed and what’s on the leading edge there?

Steven Atnip:

I mean I’m not even 30 years old yet, so I can’t tell you the leaps and bounds that have been made over the last 20 years, but what I can tell you is that threat intelligence in the last, let’s say six years, has come to the centerfold where it’s not just a buzz term anymore. Companies are actually realizing they need threat intelligence. And this is not to knock your incident response or your network security or perimeter security or asset protection. Everybody, the security that is already working within your company, it’s not that they’re doing a bad job, it’s just not enough.

It’s too dynamic of an environment. You have way too many threat actors. The barrier for entry to be a threat actor, for $20 a 10th grader can start ripping off banks, with a small investment, and there’s too many enemies at the gate coming from every single direction and your defenses just aren’t enough. That’s why threat intelligence was a buzzword, I don’t know, 10 years ago. And now it’s coming to the centerfold of there’s even … We’re at RFUN: Predict 2019, and tomorrow I’m going to be attending a speech and the summary rang with me of designing your security team around threat intelligence, not as a component of your security team. It used to be where you have your security team and that’s your network security team and your asset protection, and then even your physical security team. And threat intelligence was this auxiliary force off to the side. We’ll throw them some information, but they’ll send us reports and we’ll decide whether they’re important or not.

Companies are starting to remold where the centerfold is threat intelligence and everything else is feeding into that. Because one of the big problems that I’ve noticed, with a lot of companies, is compartmentalization. Where one team’s not talking to the other and one of the big points of cyber intelligence, not just threat intelligence, but the terms get mixed together. But cyber intelligence is to merge what we are seeing today in real time, what we have seen as a pattern of life or who’s attacking the company and why and how. And then putting all of that together so that we can be better prepared for tomorrow. Because the whole point of intelligence, going back thousands of years, it’s the second oldest profession. I just want to say it.

If there’s the oldest profession, intelligence would be the second oldest profession. That’s looking over the hill and seeing what your enemy’s most likely to do. So that is why threat intelligence, it’s not going anywhere, it’s growing rapidly. And I think in the next few years, especially within the next five years, you’re going to have restructuring of teams where threat intelligence is one of the centerfolds and everything else is feeding into it. Because network security, they know what they’re doing. Not at all companies, but a good network security engineer knows black listing and white listing. And he knows how to send cases over to incident response if someone opens up a macro-laden document and now they downloaded Dridex and we handle it, we wipe the machine and it’s over.

But threat intelligence is now finding, this is why you’re being targeted, and these are the most effective measures that are being taken and we can draw this back to this threat actor or this group, because we’re analyzing all of this information. And, Robert Lee, he is, I think he’s the CEO of Dragos Security. I actually met him years ago at a conference. He was speaking … This was even before Dragos. And he was showing a pyramid of cost versus the importance. And, of course, his base layer of the most important thing is good architecture throughout your networks and good topology, setting everything up in a secure fashion. And that is the least expensive thing to do.

The next was good network security and good network security has a moderate expense. And then, threat intelligence was the final peak of it, but threat intelligence also costs the most and that’s in the developmental stages. But, the pyramid is not complete without the top. And the whole point of it was, if you started on the architectural level, everything would be fine. The problem is, your operating system, that’s why we have patches once a month or everything’s getting patched all the time, because the architecture of your apps, from your phone to your PC, is being produced to get to market faster and to be as useful a utility as possible. We’ll fix these things later. So that’s never going to happen. It would have been the cheapest thing to make a more secure architecture, but then you’re going to get beat to market.

So then you need good network defenses, which is going to cost you a moderate level. But then at the peak of the pyramid would be threat intelligence and it does cost more, because you’re expending more resources. But the payoff is, how much is it worth to start implementing either buying or growing your own threat intelligence, versus a major breach? And you can ask any major company who’s gone through a breach and it’s pretty much all of them. Name a company, they have had a major breach, whether it’s been publicized or not. And that’s one nice thing about VTrack is, the enemies are already in your gates. So you don’t have time to start cultivating without any external help, cultivating an intelligence team that will be operational and ready in, what, 36 months. You already have enemies in your walls.

Dave Bittner:

Right. Right. It’s interesting, I mean, something that strikes me as you were describing the increasing role of threat intelligence, how it’s becoming an integral part of many organizations’ defenses, it reminds me how back in the 1950s, if you bought a car, it probably didn’t have seat belts. And then they started making seat belts optional. And then every car came with seat belts. And then we had airbags. And now every car comes with airbags and seat belts. And now every car comes with side airbags. And somewhere along the line, you wouldn’t buy a car that didn’t have airbags and we’re getting to that point, it seems, with threat intelligence, where there was a time it was exotic and expensive, it’s a standard part of operating a motor vehicle.

Steven Atnip:

Yes, and also it’s just like a crash test rating, it depends on where you’re getting your threat intelligence, because there are great firms out there, and there’s also a lot, just like any industry, there’s a lot of pop-up firms that probably won’t be around in five years because they’re not selling great product. But, no different to a crash test rating … I’m not going to throw sparks at a different company. It’s, just like a crash test rating, all cars are coming now with standard airbags throughout the windows and everything.

Dave Bittner:

You have to shop around.

Steven Atnip:

Yes. Shop around and don’t be afraid to ask the hard questions. Don’t be afraid to at least see what these companies can offer you as far as threat intelligence. And if you are wanting to grow it internally, learn to mimic them. What tools are they going after? One company we worked with, and I can’t give you the name and I can’t give you the name of the tool, but your audience will probably know, we called a California-based data aggregation or intel analytic platform and we said, “How much would it cost in order to get one seat, get the platform within our company so that we can start harvesting information and drawing connections?” And they said, “Well, what is your security budget?” We told them what it was. They said, “Don’t ever call us again.” They were very polite-

Dave Bittner:

If you have to ask, you can’t afford it?

Steven Atnip:

Yes, it was. As far as what’s coming up, I’m excited to be here at RFUN. What’s coming in the next year, I was hoping ransomware would be on its way out, because cryptomining started to pick up. But it looks like one of the big problems that we’ve been dealing with is ransomware towards schools and municipalities, shutting down entire cities. I think that’s a trend you’re going to continue to see because you have, think of the CIA triad, massive availability, they’re very public facing, handling everything from property to taxes, to transactions, to everything.

And because they have such openness to the public, because it’s a city, I think you’re going to continue to see cities being hit by ransomware and shut down because they’re not funding their security. A lot of that comes down to security awareness training, because a lot of these attacks are initiated where one employee that happened to have administrative privileges received a phishing attack, opened up a document, ushered in ransomware, and it locked up their entire system. So I think that’s a trend that you’re going to continue to see. It’ll stay on the rise, because they’re low-hanging fruit.

Because ransomware before, if you remember just two or three years ago, probably three years ago, ransomware was affecting individual users and the ransom was usually like $300. And it’s hitting everybody’s PC and you would have to weigh, “Okay, my documents and my pictures are on there, is it worth $300 or should I just throw away the laptop?” But now they’ve shifted towards, we can lock down a city and demand, what? $500,000, I think some of the ransoms have even been at like $1.7 million for a hospital. And so, we’re seeing a target shift from the individual person to very insecure organizations that have to have constant turnaround.

You can’t shut down a hospital for an entire day, they need constant access to patient information, they’re dealing with the public. They’re also dealing with communications between insurance companies and patients and prescriptions. A lot of that starts on the security awareness level. And that’s something that I do hold dear is, the first level of defense within your company are your employees and untrained employees, and that’s why we offer security awareness training. I think you need to have, within every company, even if your company is 10 people, first of all, security awareness training and then regular testing to make sure that they realize there are bad people out there and they will target you at any given moment and they’re going to do a pretty good job of it.

We all laugh at the Nigerian prince scams, those still exist for a reason, because they still work. Someone out there is falling for this. So you can laugh at a simple phishing attack with a ton of misspellings and it’s sent to the wrong person or in America, it’s broken English and you can tell, someone’s still clicking on it. They will adapt to better spear phishing campaigns when the click rate goes down.

Dave Bittner:

Yeah, it’s a numbers game.

Steven Atnip:

Oh yes. And cybercrime is a business model no different than any other business. And if they’re not getting their return on investment, they will shift tactics to where they will. It’s sad that even with low tactics, apparently they’re making enough to stay in business.

Dave Bittner:

Our thanks to Verizon’s Steven Atnip for joining us. We sat down at Recorded Future’s 2019 RFUN: Predict conference in Washington, D.C.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.
