OSINT, Influence Operations, and the Dark Web: Our Top 5 Podcast Episodes From 2019
December 23, 2019 • The Recorded Future Team
As a cybersecurity professional, it’s easy to become siloed into your own specialist area. After all, it’s a huge field, and nobody could ever hope to become an expert in everything.
Nonetheless, it’s valuable to have a broader understanding of the cybersecurity landscape – that’s where the Recorded Future podcast comes in. Each podcast episode runs approximately 30 minutes and covers a specific topic related to cybersecurity. At this point, we’ve released 138 episodes, and we’re proud to say that we have a strong listenership.
So as 2019 comes to a close, we wanted to highlight some of our favorite episodes from the year, and give you a quick overview of what they covered.
1. Intelligence for the OSINT Curious
Open source intelligence (OSINT) has huge potential to inform cybersecurity programs. Threat intelligence solutions like Recorded Future use countless open sources — such as forums, social media, and the dark web — alongside proprietary and closed sources to build a full picture of the threat landscape.
But what exactly is OSINT? And how can it be used to inform an organization’s security program?
To find out, we spoke to Micah Hoffman, principal consultant at Spotlight Infosec and co-founder of OSINTCurio.us, an online resource and community for students of OSINT gathering and analysis.
Hoffman defines OSINT as including any data or information that is in the public domain. That includes anything online that doesn’t require special access or payment, television and radio broadcasts, and anything a member of the public can apply for at a courthouse. For most OSINT enthusiasts, the most important source is the internet — particularly things like social media, domain history, and the dark web.
There are many practical applications for OSINT:
- Law enforcement agencies use it to identify and track targets.
- Companies use it to investigate possible mergers and acquisitions (M&As).
- Organizations use it to track their online presence.
- Criminals use it to research possible targets.
During the podcast, Hoffman explained how an organization could use OSINT to protect itself. The key is to understand exactly what is being searched for (e.g., leaked email addresses) and what questions need to be answered.
2. The grugq Illuminates Influence Operations
The grugq is a well-known hacker and information security expert. A mysterious figure who prefers to keep his real name concealed, he’s a well-known speaker at security conferences and has a large social media following. In this podcast, we spoke with the grugq about influence operations, including their history, why they work, and how recent influence operations might set the tone for years to come.
Influence operations — what the grugq calls “info war” — are nothing new. They have been used by spies for years, and as the joke goes, spying is the second oldest profession. What has changed, however, is the way we communicate. The internet has enabled mass-scale, micro-targeted info war, making it possible to tailor messages to the individual while touching whole populations.
The grugq explained that when you develop a message for info war, you must try to see from the perspective of your adversary. Much like a social engineering campaign, the message has to be something the target understands and resonates with — it’s about them, not about you.
During the podcast, the grugq went on to talk about the influence campaign carried out by Russia during the 2016 presidential election, and the current info war in the Middle East. The Russian campaign, while not very technical, used a 24-hour cycle — they tracked what worked one day, and made changes the next. This made it difficult for government agencies in the U.S. to react.
Meanwhile, the attack on Qatar News Agency in 2017 was far more technical, involving simultaneous compromise of the agency’s television feed, website, and Twitter account. The grugq believes this attack could provide a template for future info war tactics.
3. Making the Most of the NIST Cybersecurity Framework
The NIST Cybersecurity Framework (CSF) has developed into a valuable tool for evaluating security across a range of industries. Originally designed for — and developed in collaboration with — the critical infrastructure industry, the framework is continually evolving to meet the changing needs of organizations around the world.
In this episode, we spoke to Ken Durbin, senior strategist for global government affairs and cybersecurity at Symantec, and Allan Liska, senior solutions architect at Recorded Future. They walked us through the NIST CSF and explained how organizations can get maximum value from it.
As Durbin explained, the NIST CSF helps organizations determine what their current cybersecurity capabilities are and whether they are adequate for the business and its objectives. If they aren’t adequate, the framework also helps organizations decide what changes should be made and monitor their progress.
The framework is divided into three parts:
- The framework core, which covers five functions: Identify, Protect, Detect, Respond, and Recover
- The profile, which describes the current and desired state of an organization's cybersecurity capabilities
- The four implementation tiers, which rate an organization's overall ability to assess and manage cyber risk
Durbin and Liska also discussed where threat intelligence fits into the NIST CSF. The answer is that it permeates the entire framework. As an organization progresses through the four tiers, it becomes better at integrating threat intelligence into its security workflows across the five core functions.
4. Darknet DDoSer Does Damage to Dread
Dark web marketplaces usually aren’t the most interesting things. For the most part, they are built using cookie-cutter templates and are home to little more than drug dealers and peddlers of second-hand code.
However, earlier this year, something interesting did happen on the dark web. In this episode of the podcast, we spoke to Daniel Byrnes, senior threat intelligence analyst with Recorded Future’s Insikt Group. He told the story of a Russian-speaking hacker who attacked several high-profile dark web sites and successfully extorted a major market.
The hacker, who goes by the names Ruskin and Here You Go, found an exploit in Tor's circuit-building mechanism. Using it, he was able to DDoS dark web sites knowing only their public onion address. In effect, this discovery gave him the “keys to the kingdom” — he could simply point his weapon at a target and down it would go.
Ruskin initially attempted to extort the administrator of the popular market Dream, who decided to permanently close the site instead of paying. He went on to attack a prominent dark web forum, and ultimately was successful in extorting the administrators of Wall Street market for an alleged $40,000.
Perhaps most interesting of all was Byrnes’s assessment of Ruskin’s motives: “He reminds me of the Joker from the Dark Knight. He is much more interested in spreading chaos than he is actually getting paid … He’s got that Joker mentality of just wanting to watch the world burn.”
5. A Fresh Take on Defining Threat Intelligence
Threat intelligence is still widely misunderstood. In this episode of the podcast, Recorded Future’s own Levi Gundert and Allan Liska sat down with host Dave Bittner to talk about:
- What threat intelligence is, and what it isn’t
- Who threat intelligence is for
- How threat intelligence can be used to reduce risk and improve security
In simple terms, threat intelligence is about studying what adversaries are doing, how they do it, and how that will affect an organization. This information is used to inform the organization’s security program and defend against the adversaries being studied.
That last part is critical. In order to be useful, threat intelligence must be actionable. For example, if an organization receives intelligence that a popular exploit kit now includes a new exploit for a zero-day vulnerability, it knows it needs to set up compensating controls or patch any affected systems.
In addition to being actionable, threat intelligence must also be measurable. Unless a quantifiable benefit (e.g., risk reduction or security enhancement) is being realized, there’s no value to the program.
Gundert and Liska also discussed how strong threat intelligence programs combine the strengths of machine learning and human analysts. Powerful threat intelligence relies on prompt collection and correlation of data points from thousands of disparate sources, often in different languages. Machine learning is an ideal tool for this process, enabling Recorded Future to create a threat alert within five minutes of something appearing online. Ultimately, though, it’s human analysts who make the final decision on how to act.
Never Miss a Podcast
All of our podcast episodes are shared right here on our blog — and that’s not all we have to offer.
Sign up for our free Cyber Daily newsletter and you’ll receive the top cybersecurity intelligence direct to your inbox each morning, including:
- Top targeted industries
- Most active threat actors
- Most exploited vulnerabilities
- Trending malware
- The latest suspicious IPs
- And much more
Subscribe today and use this intelligence to keep your organization safe from cyber threats.