
Ctrl+Alt+Defeat: Using Threat Intelligence To Navigate The Cyber Battlefield

BSides Exeter · 41:40 · Published 2024-10
Style: Talk
Transcript [en]

Awesome, so thank you so much for coming to my talk. I'm Sophia, and today we're going to be talking a little bit about threat intelligence. So this talk is going to be really good for those that maybe don't know much about threat intelligence or haven't worked with people in that field before, or maybe you're a business owner or a senior manager wanting to use intelligence in the defenses of your organization. So a little bit of an introduction to me: I'm a strategic threat intelligence team lead and I'm currently a CREST certified threat intelligence manager. So I was actually previously a pentester; I graduated university, did about two

years of pentesting, got a little bit bored, started hacking cars, got a little bit bored, and now I work in intelligence. So you see I get bored quite easily, but thankfully I'm still interested in this stuff, so I hope you will stay put for a little bit longer. I'm also the admin for the Ladies of Cheltenham Hacking Society and a Security Queens co-founder. So LCHS is a nonprofit technical meetup in Cheltenham, which is actually where I'm from, or where I live; I'm actually from Devon, so I keep trying to say that I do deserve to be in this space. So I do actually live in Cheltenham, I admin the LCHS, and we just

provide a space for women to meet up, and to upskill as well if they're interested in cyber security or trying to get a job in that industry too. And Security Queens is something I founded with my friend during Covid; we were basically really bored, we wanted to create a platform to promote diversity and inclusion in the cyber security industry, so hopefully by the next event I won't be the only female speaker at the conference. So I studied an undergraduate degree in cyber security management at university. I'm team captain at the European Cyber Security Challenge, which is basically a massive international CTF, which is quite

fun, and I've done a bunch of things in the meantime. And you might have seen me on TV as well: I'm one of the cyber hunters on Channel 4's Hunted. So a little bit of the agenda today, what we're going to be going through: a very brief introduction to cyber threat intelligence; we'll also talk a little bit about a snapshot of what sort of threats we face in the UK threat landscape and what businesses are worrying about; the benefits of implementing CTI into an organization and making sure it's embedded into all the different teams and processes; and how organizations can use CTI to fight those cyber battles, so advancing CTI programs

with technology, combating some of the problems we face in CTI, and also using things like AI and machine learning to embrace CTI for the future. And then hopefully we'll have some time for questions at the end too. So, what is threat intelligence? I actually haven't been in threat intelligence that long; I've only been working specifically in this field for two to three years, and when I first looked into threat intelligence I got loads of scary diagrams like this, and it was quite off-putting. There were a lot of words, a lot of things and sort of slang that I hadn't heard before. So I thought it'd be really good just to

kind of take a step back and talk about what threat intelligence really is, minus the fancy diagrams. So threat intelligence is basically data that we collect, we process and we analyze to try to understand our threat actors: what kind of objectives they might have, what capabilities they might have, and hopefully that intelligence will help us as cyber defenders make faster and better informed decisions when it comes to implementing defenses and different strategies. So changing that behavior from reactive, "oh no, we've been hacked, what do we do?", to proactive, "what can we do to try and protect ourselves?". And this is

one of my favorite diagrams. I know I just said I don't like diagrams, but this is my favorite diagram of CTI, and it's all the different levels of intelligence that we face in a day-to-day cyber operational world. So strategic is where I kind of sit, very high level, and we've got operational and tactical too. So with strategic threat intelligence we want to know who is doing that bad stuff and why they're doing it. So if you were in the ransomware talk this morning, a lot of the time you have that very financially motivated actor that wants some extra cash in their pocket; we might have an APT group that

wanted to commit espionage or surveillance, like we mentioned in the previous talk; or you might just have a script kiddie that just wants to mess around and claim their fame on the dark web. But what we want to try to gain from the strategic level of threat intelligence is an overview, that bird's-eye view, that very high-level view of what's happening, and particularly what's specific to your organization. So this will help the C-suite, the decision makers, make decisions around budget, policy, resource allocation, all that fun stuff. And they're primarily non-technical, so people that perhaps don't have a cyber

or technical background; we're trying to translate all that cool information into something they're able to use in their everyday decisions. It usually takes the form of presentations; of course it has to be short, no 300-page reports here. Unfortunately a lot of C-level managers don't have time to go through 300-page reports, so it's our responsibility to compress that information for them. And it focuses on the long term as well, creating that defense in the medium to long term and creating that robustness. So operational intelligence: we want to focus on something called TTPs. TTPs stands for tactics, techniques and procedures, and it's basically how the threat actor is doing that, so identifying what their capability

is, what kind of tools they're using, what their intent is, what opportunity they're using as well, the method, timing and nature of their attack. Do they want to cause disruption, are they trying to steal stuff, are they trying to modify things? This is what we're trying to identify in operational intelligence. So we want to identify indicators of compromise, also known as IOCs, to try to respond to threats. So a lot of the time incident response teams and SOC analysts might be using this type of intelligence to help better their defenses. And the key thing about this sort of intelligence is it can help us attribute certain attacks and certain campaigns to threat actors, to again try

to make that defense and strategy a little bit more tailored to your organizational threat landscape. So intelligence may include detailed TTP information, and it focuses on the medium term; we talked about the long term being strategic, and the medium term is operational. So that's anyone in incident response, any threat hunters, IT managers, and the SOC as well. And finally we'll talk about tactical intelligence. What is it? Basically, what's going on. This is the raw data that's happening; this might be network logs, this might be captured data, Wireshark. These are the things that are literally happening in the now, that we need to try to figure out what's going on with. So it's usually sort

of machine readable, which is really good because we can use tactical intelligence to feed into automated systems and platforms, and it might be shared in the form of an API. So there are different standards in threat intelligence called STIX and TAXII, which I won't go into now because I myself don't understand too much beyond the documentation. And it's basically the raw data that hasn't been analyzed, like I mentioned. So we want to focus on real-time alerts: if we found something bad happening in the network we want to alert people to make sure we can try to contain that. And it focuses on the immediate future, so again anyone involved in IR or the SOC. It might

involve working with any SIEM solutions you have in your organization, or working with any other solutions as well. And as we go back through this sort of fundamental threat intelligence talk, a little bit about the lifecycle, which is the backbone of what we do in threat intelligence. So with any threat intelligence exercise or activity we focus on this little cycle; sometimes it's five steps, sometimes it's six steps, it depends which vendor you go to, but we'll focus on this one today. So the first step is planning. You need to plan what you want to get out of this exercise, identify what your requirements are, your objectives for the exercise, what do you want to get

out of this. You might want to identify the stakeholders in this exercise too: who do you want involved, do you want the IR team involved, do you want the CEO involved if you really want to. This is where you can start to set out those ideas to try and get the most out of your program. Data collection: so there is no intelligence without data, so you need to be able to capture that data, and this could either be from internal sources, so your own network logs perhaps, or you've captured something on email or a phishing campaign that you can analyze; or it could be external sources such as news articles, white papers, automated

feeds, or using open source intelligence as well. And now we've got to process the data. So we've got all this wonderful data floating around, but it's no good to us if we can't really analyze it and have a look at it. So by processing it, what we're trying to do is trim it down from the raw data so we can get some actionable stuff out of it. This might be removing irrelevant information; so let's say we've downloaded a massive spreadsheet of network logs but we're only interested in one IP address, we'll get rid of the rest. This might include getting rid of false positives, looking at that data, trying to extract anything

that we think might be valuable to our strategy and our program. But basically it's just making the data more manageable; a lot of the time we're over-encumbered with data, we have too much of it, so it's good to try and get it down so we can have a closer look at it too. So analysis and production: once we have our nice packaged, ready-to-go data, we want to try to analyze it and extract that actionable intelligence. So what does this intelligence tell us, how can we use it to inform our decisions and inform our future behaviors? And then we want to produce it somehow for our stakeholders. So if

we've identified our stakeholder as being a CEO, he's not going to want a 200-page technical report; if we've identified it as the SOC, maybe they would just want a TI alert so they can take that information and put it into their defenses. So this goes back to the first phase of the lifecycle: as long as we've identified those requirements, we've met those requirements and we've included all the stakeholders, we should be good to go. And finally, it's no good not telling anyone about all this wonderful work you've done. So if you've done all this wonderful work, you've made the reports, you've done the briefings, the presentations, just don't keep it on your

desk; share it with them. So maybe, you know, cup phones aren't essential; if you want to use cup phones I'm not going to blame you. But we need to be able to share that data, because that's what the exercise is about, sharing that data as well. And finally, feedback. So it's just looking back at the threat intelligence exercise: what went well, what didn't go so well, did we miss any requirements or objectives, and how can we meet them in the next part of the exercise too. So a little bit about the evolution of threat intelligence. It's obviously been around for a while, as for most cyber-specific activities, so

I've just picked out a few milestones that have happened in the past few years. So in 1988 the first computer emergency response team is established, which is good fun. And then between the '90s and 2000s people kind of think, oh, things are going wrong with tech; we start to see things like phishing, ransomware, denial of service attacks, and organizations begin considering cyber risk for them and their technology assets. It's sort of the 2010s when we start to see pretty big things happen in the world, so there are several high-profile breaches and attacks, and this kind of highlights the importance of monitoring those TTPs and those IOCs as

well. So we think about a few things that have happened: we had the Sony Pictures breach in 2014, the supposed interference in 2016 with the US election, and the ransomware attacks as well. So this is when people start to wake up and they think, okay, this is actually a thing now. And hopefully, in an ideal world, moving forward in the 2020s CTI is considered essential in organizations: gathering that intelligence, embedding it into their processes and making sure they're sharing information about those TTPs too. So a little bit of a snapshot of the UK landscape. The reason I've decided to include this, and you could probably do a whole talk on this by itself, is

just so we can understand what organizations might be thinking about, what particular entities might be thinking about, government, public sector, private sector, and how those could influence the decisions we make in our security strategies. So I've completely dumbed it down, and I know there are probably way more than these three key concepts, but today we'll talk about cyber crime, nation states and hacktivism. So cyber crime: these are some statistics from NCC Group that have been pulled out about the different sectors that have been impacted by ransomware, and ransomware does obviously continue to be a concern for most organizations. So you can see the industrial sector was the most targeted in Q1 2024, and even though we sort

of started strong in 2024 with the number of cases, it has leveled out, and I'm yet to pick up the data, but it'll be interesting to see how that levels out for the rest of the year. So a few big things that have happened: obviously the British Library; that happened earlier this year. That's actually the listing for the data; they wanted 20 Bitcoin, and you can see they put a countdown there as well. There was JD Sports as well that was hit, so again looking at that financial data, the customer personally identifiable information, valuable information. And we even had the police as well hit

by ransomware. So it just shows the variety of targeted sectors and organizations that happens with cyber crime; it's not just specific to one. We also have online fraud. So a lot of the time we see horror stories about people getting scammed on Facebook Marketplace; there are a lot of people unfortunately falling for phishing campaigns as well; you've got this guy here, the Tinder Swindler, so there's been the rise of romance scams as well, creating that relationship and asking for money over time. And you've also got things like deepfakes and AI helping those kinds of online fraud activities. So in that particular instance fraudsters managed to

clone a director's voice in a $35 million heist. So it shows how technology is altering those activities, how we should be, I guess, a little bit worried, and how we can try to counter them. And you've also got initial access brokers. So if you don't know what an initial access broker is, these are basically people or groups that breach a company or an organization and then sell that access on the dark web. So usually this is good for criminals that maybe don't have that technical expertise and still want to commit that crime; they can just buy the access off someone and they don't have to worry about that first bit. And

mostly these access brokers are financially driven, and it keeps them one step removed from the crime itself: they're just selling the access, and what happens after that is up to that person. But there has been a rise, and a lot of the time ransomware attacks go hand in hand with initial access brokers too. So when we have a ransomware attack where there is double extortion, maybe they steal your data and then they also sell access to your company; it's a very, very nasty sort of thing. And then we'll talk a little bit about hacktivism. So hacktivism has obviously been a little bit on the rise, particularly with the geopolitical tensions

going on in the world. So on the right-hand side there you can see a listing where there was a Russian nation state that was actually targeting hospitals in the UK, and they actually listed the victims they wanted to target; you see it's all the NHS there, Chelsea military hospital. And a lot of the time it is supporters of these hostile nations wanting to back their nation, to show, I guess, what's the word I'm looking for, their loyalty, I guess, without having to have those official ties to APT groups and such. So a lot of the time it is tied

to APT groups or nation states, but then we have people like Anonymous, and we have people that are politically charged that want to pursue an ideological kind of objective too. And on to nation states: so nation states have obviously been a quite complex threat that we've had for a while, again particularly with the geopolitical tensions with Russia and Ukraine and around Israel as well; a lot of the nation states have been stepping up and trying to increase their activities there. So at CYBERUK 24 this year GCHQ are particularly worried about China, which, if you've actually come from the previous talk, makes a lot of sense because of all the stuff they've been

getting on with. But you can see there there's also Russia, and people are just generally concerned about surveillance, trying to track that data and pick up that research, and also sabotage as well, and influence ops, so if they are able to use open source intelligence to target individuals online to try and get information that way; and also a lot of supply chain stuff as well. So if they're able to target the supply chain of critical national infrastructure, then that could potentially cripple a nation in the long run. So all scary stuff, but luckily we have threat intelligence to help. So there are loads of benefits of threat intelligence; I'm just

going to go through a very non-exhaustive list. So the main one for me, and I'm going to sound really cheesy here, is it empowers organizations; it helps them feel like they are able to do something. So it improves their ability to anticipate those threats and be a bit more forward-thinking, so instead of worrying, thinking, oh God, we're going to get hacked, they can actually say, okay, we might get hacked, but this is what we can do and this is how we can defend ourselves. It can help improve their mitigation and defense capabilities. So going back to our discussions around the SOC and incident response: if they're able to identify a certain IOC

they can then proactively add that to their firewall or their SIEM solution to try to get one step ahead, so that they can at least hopefully stop the threat actor before they get too far into the network, or at least flag them before they get into the network. So as a cyber security professional you can use threat intelligence to enrich your knowledge about actors. Coming from a pentest background I usually had that attacker mindset, which is great because I just wanted to break all the things, get root, hack everything, but actually knowing threat intelligence has made me understand that bigger picture a lot more, so knowing why they do it, how it

contributes to a bigger campaign, but also promoting collaborative knowledge, so sharing that information with other professionals or maybe other organizations; and there's some really good collaboration between the private and public sector too. So it supports incident response programs and strategies, again just trying to make sure those defenses are a little bit more robust, and it promotes a culture of continuous learning. So the threat landscape will never stay the same; things are always happening, people are finding new zero-days, people are getting angry about different things, people are changing their motivations. I think every other day there's a new ransomware group, so it's always good to keep tabs on that, and I

think make sure you adopt that continuous learning and try to keep informed of what's happening in the real world. It enables in-depth threat analysis; so instead of looking at it from the tip of the iceberg, by looking at it as an in-depth piece you can understand that threat a little bit more, and hopefully by understanding that threat a little bit more you can implement the correct strategies to deal with it. And I guess, arguably, fewer breaches, more money saved, maybe. So using threat intelligence with the long-term goal of saving costs: if you can respond more efficiently to threats, or if you can even stop that

threat before it even reaches your organization, you're saving that, in an ideal world. So I guess this is partially why some of you came here: how can we integrate threat intelligence to fight those cyber battles? So we've talked a lot about the SOC and incident response, and the reason I say this is it's so important to share that data and work with other teams in the organization. Threat intelligence shouldn't be isolated to just the techies or just the threat intelligence team; it should be shared and worked on with everyone that would benefit from it. So I found this image, and I can't remember where I found it, so

if anyone recognizes it, tell me so I can credit it, but I really liked it, so I'm going to keep it there. But this shows the type of threat intelligence that flows through the SOC and what kind of things they can use. So you can see there's source IP, destination IP; they can use firewalls, they can use IDS detection rules; they might use automated feeds. I've had instances where we could share alerts straight to the SOC team as well. But the most important thing is threat intelligence teams can help these teams, they can empower these teams; so by triaging alerts and

ironing out those false positives, we're alleviating that pressure on the SOC and we're also allowing them to do more with that intelligence too. So as I said, alerts can be issued for new adversary behaviors. So a lot of the time in threat intelligence we spend a lot of time researching, going through and translating documents, trying to find information that we can take forward; so a lot of that hard work we can then package into something like a TIP so it can be easily used and recycled throughout the organization. So types of IOCs might be a file name or file hash, IP addresses or domain names that we know are

attributed to a threat actor, or behavioral indicators such as unusual network traffic, or things like registry keys being changed; they're usually a big pointer as well. So as well as that manual process you can also use something called a threat intelligence platform, which can be used to help, I guess, accumulate all that information and those threats through curated feeds, so it'll be picking it up from loads of different sources and feeding it out into one feed for you. But most importantly these can help security teams act to prevent these threats efficiently, hopefully minimizing that damage to the organization. So now we can talk about threat intelligence feeds. So a threat intelligence platform basically combines

intelligence from different sources, different things: this could be from Twitter, this could be from social media, it could be from a news outlet, it could be from, I think, I know some, I think the NCC might have a feed that you can actually pull things from as well. So it just helps do all that initial hard work of getting the information; it just curates it for you. So you can also ask these platforms and these feeds to help generate those alerts as well, so again alleviating some of that human pressure of being able to do that. But the most important thing is it enables continuous flow, because it's an

automated feed: even if you go to sleep it's still capturing that data for you, so you can review it in the morning and see which ones best suit your purposes. TIPs can also be integrated into other technologies like SIEM solutions, and there are loads of benefits. So it makes sharing intelligence and data really easy; you can allow access to that TIP from all the different teams; it centrally collects that data, and there are some TIPs that can actually start analyzing it for you, so it might pull out keywords, or if it sees an IOC across three different articles it can group them for you, that

kind of thing. It enables collaboration during incidents: everyone panics during an incident, everyone's got, you know, bigger things to worry about, but having a TIP allows that information chain to be more fluid and more controlled in the chaos as well. So this is a really nice way to describe it: feeds can be really important for bolstering. So it won't be the be-all and end-all solution for threat intelligence, but it can help provide that constant stream of data about potential attacks and potential threats, to keep it going and flowing throughout an organization. So this is actually an area

that, funnily enough, I'm really keen on, because I was a pentester and now I'm in intelligence; I do a lot of intelligence-led pentesting now. And what's really good with intelligence-led pentesting is it allows us to do the pentesting, but even better, to emulate real-world adversaries. So intelligence-led testing essentially helps us leverage current intelligence about an organization to mimic what an adversary potentially might do, and two tasks are achieved. So one, we can threat-profile from this activity: we can use that intelligence report and the threat model to then inform what kind of strategy the pentest might use to try to break into that organization and target what kind

of assets. So let's say we have a bank; we know they use this one mainframe and they rely on it for literally everything. We can take that information, tell that to the tester, and then they can target that exact mainframe to see what kind of damage an adversary could cause. It's attack strategy as well, so let's say we're really concerned about ransomware, as we all are, and we know that the groups use certain tooling or certain zero-days to try to compromise an organization; we can then use that tooling and those TTPs to attack the organization to simulate a specific adversary or a specific campaign. So regular pentesting sort

of doesn't really consider TI; it relies, I guess, on standard frameworks. So if I was doing a web app I'd probably just do the OWASP Top 10 as a minimum, then I'd play around to see if I can get into it anywhere else. And a lot of the time it focuses on standard frameworks, so maybe an organization or consultancy focuses on a specific framework and they sell that on as a package. And unfortunately it also depends on tester efficacy: someone fresh out of uni versus someone that's been pentesting for 20 years might have a slightly varying efficacy in how they might be able to breach an organization or a web

app or network. But intelligence-led pentesting relies on TI output for every phase of the test. So for the recon phase, when you want to do some port scanning against the network, we might use a specific tool or a specific method to do that to emulate an adversary; when we look into targeting someone we might use a specific social engineering technique that we know a nation state uses, that kind of thing. So all of this TI is fed into that assessment, and the whole objective of that is to try to align it and be well tailored to that specific organization and the threats that they are facing. So the real good benefits of

this: it tries to realign the test with more real-world attack scenarios; it allows the organization to have good adversary perception as well; and because we go through that exercise and then have that debrief at the end, it also helps them feel more confident in combating those adversaries and provides them with a more holistic understanding of their cyber stance. So this one's a big one, and this is why, I guess, a lot of us have a job within intelligence, and it is sharing and collaborating when we find out this new information. So it allows communities and networks to share that perhaps wouldn't talk to each other in everyday

life; like academia might not talk to the government, or I know I don't interact with universities every day, but having these communities can give organizations access to relevant data for things that might be able to affect them. So there's a little graph at the bottom there that shows the different information sharing and analysis centers for different sectors. So these are centers that focus on very industry-specific things: I know automotive has one and they focus on automotive threats, I know financial has one and they focus on financial, and that kind of thing. So it allows

people that have, I guess, like-minded worries to meet in a room and brainstorm and share that information. If an organization's been breached, they can share, oh, they targeted our very specific financial software, and we can then pass it on to other banks so hopefully they can defend themselves too. And I don't know much about threat hunting; there are probably people out there that do know about it, but it is just an activity that is bolstered by threat intelligence. So threat hunting is essentially the proactive and iterative identification of threats in a network, so you're going out into that network trying to find bad things or

dodgy things that are happening, and there are loads of ways to do that, loads of ways that we can implement that. So we can help them collect the data, or with a lot of the hypotheses we form you want to try to avoid bias, so again having that brainstorming session with the threat hunters to try to inform different decisions; identifying those threats and neutralizing those threats based on current trends as well, which could help forensic activities too. And how can we advance intelligence with technology? So I have to say machine learning and AI; is it really a tech conference if I don't mention AI? But in all seriousness AI

can actually be really beneficial for threat intelligence, particularly with improving CTI analytics. So a lot of the time we have way too much data, like I mentioned, and we can use AI and machine learning to help improve those analytics and reduce human error. So using both supervised and unsupervised AI models we can look at the different responses and the different outputs from that, and it just speeds things up a little bit. So rather than me sitting in a room for 12 hours going through a spreadsheet, you can set up a process to help streamline that a little bit. As I mentioned, bias is a

huge thing; humans have feelings, we have our opinions, but unfortunately that can affect the analytics a lot of the time, so we can use AI and machine learning to reduce that. Predictive analytics as well, so helping these models learn what could happen and analyzing what we think might be beneficial to us. It reduces false positives and human error; like I said, we have way too much data and it'd be good if we can use this kind of technology to identify patterns that maybe the human eye can't identify. Automated processes: so if we give the AI model all this data, it's able to just extract all of the

relevant and actionable intelligence and then make it into alerts for us, that would save a lot of time. And it also can improve information sharing, so again highlighting what is beneficial to share sort of hopefully alleviates some of the legal and ethical implications of sharing that data, and helps establish the trust between the two parties too. So this is a really lovely diagram that I managed to find during my research on how AI can kind of aid the different steps of the life cycle that we talked about earlier. So we can use it for collection, we can use it for, I think the biggest one for me would be the processing, just parsing and kind of

going through that data, I really feel like that would really benefit. Analysing, dissemination, so giving like a customer profile, stakeholder profile, to generate the right sort of products by the end of it, and then using things like detection to hopefully tailor those future strategies too. So just like everything in cyber we have challenges, and there are a few challenges we do have for threat intelligence. So one thing being things are always changing, and actually this is probably why I stay in intelligence, because I get bored really easily, so it's good that things are always changing because I'm always learning and I'm always doing something different.

So you can see a very sort of simplified version of what's kind of happened in the previous years. We started off with sort of very, I guess, simplistic attacks and then we've ended up going into sort of morphing malware and multi-mission campaigns, software supply chain, CEO fraud, business email compromise, every sort of buzzword you can think of under the sun. So for threat intel it's very important for us to kind of keep on top of that, keep ahead of it and keep tabs on what's changing and what's happening in the world. Too much data: I've mentioned it a few times because this is me basically every day. So we need to be careful about over-encumbering ourselves with too much

data. Data is obviously very important to what we do and for that intelligence, but if we have too much of it it can make our lives a lot more difficult. So we need to make sure that we're gathering enough for the intelligence exercise but we're not sort of overloading ourselves so that we get lost and we start missing things, and that kind of thing. Stakeholder buy-in, I had to say it once. It's really good to try to get those senior managers in, but sometimes they just don't care about what we're doing, so it's one of the things I find working in my role is translating that sort of business risk to them. If you

start using threat intelligence you can then save money because you won't get hacked: a very simplified version of a conversation that would probably happen over a few weeks or workshops, but it's trying to translate that business risk to them, trying to get rid of all that technical jargon and buzzwords and trying to make sure they understand sort of the figures, the risk appetite, the financial sort of ties to the things we're doing in intelligence and cyber security, and how we are going to prioritise for the future. So what can organisations do? And I think we are coming to the end because I can see it's just gone, moving on to the next one. Sorry, okay, we've got 10 minutes, not

five, so I don't have to speak as fast. So what can organisations do? I can't emphasise enough how important it is to try to get everyone involved, so not just sort of stick within your own teams: share that information, see how you can help each other. So things like security operations, trying to enhance that threat detection, response and mitigation. It's really good to try to have that continuous flow of information as well, whether that be through your SIEM solution, whether that be you create a TI feed from external sources. It's really good to continually sort of look out for those emerging threats and patterns, and particularly with things

like zero-day vulnerabilities it's good to keep tabs on that too. Collaboration and information sharing, so making sure you're sharing that information outside your organisation, you know, generic trends, threats and insights and best practices that could potentially help the wider sector and the wider kind of, I guess, community. Automation, so implementing automation of generic sort of alert generation, or if you want to go into the fancy world of AI, trying to sort of disseminate that threat intelligence based on particular stakeholders. Customising threat intelligence, so tailoring threat intelligence to the specific risk profile of an organisation, so I think a lot of the time it's not a cookie-cutter approach and you do have to kind of sit

down, think about your threat landscape and think about what can benefit it in the long run. Incident response planning, so sitting down with the IR team and constantly, regularly updating those plans based on threat intelligence. Regular threat hunting, so supporting those threat hunting teams with their activities in their organisation's networks. And staying informed about relevant security regulations and standards, so there are a few sort of regulations in the financial space that do actually require you to show that you've at least thought about intelligence, so keeping an eye on that as well, and seeing how it could impact your organisation. And keeping up to date about what's happening in technological

advancements and how it can be used to kind of empower your strategy or your program. And I think that's

it. So we've got five minutes. If you do run out of time please feel free to reach out, so that's Twitter, X, whatever you want to call it, my LinkedIn as well. And also please check out the Ladies of Cheltenham Hacking Society, we do have chapters all over the UK, not just in Cheltenham, and please check out Security Queens as well for some really fun, accessible media content around cyber security. If not, we've got five minutes to take your questions. Yes? Two things: fantastic, absolutely love it. And next one, when it comes to cyber intelligence, one of the things I personally experienced is there's so much data and a lot of it is like really

outdated, it's like two, three years old. What would you say is the sort of time frame / life cycle of how long things should be considered relevant? Yeah, I know that's really quite a loaded question, I'm sorry. No, that's absolutely fine. So the question was, is there sort of a time scale around the relevance of information, how we sort of use that going forward with intelligence? And I think it's very dependent on the organisation and what you're trying to sort of achieve with that exercise. So if you're trying to achieve, maybe you want to understand a generic trend over the last 10 years, obviously information from 10 years ago would still be relevant to

that. But if you're more concerned about staying up to date with ransomware actors and being more sort of defensive against them, then ransomware actors change their tactics all the time, so it might be useful to, you know, cap it a little bit closer. It's really hard to put a definitive sort of date or shelf life on data, I think it's really dependent on the objective and the requirements of your program. I mean obviously up-to-date data is more valuable than something from maybe two or three years ago because people change things all the time, but again I think it's very dependent on what you're trying to achieve. Yes? As one of the senior stakeholders, you gave a very long

list

So again, I think it's very dependent on the type of organisation and the risk appetite and the objectives they have. If this was a case that I was sitting down with a client and trying to figure out what we could do to help them, I think workshopping and brainstorming is so important, understanding those client needs, understanding their priorities. For me, you know, we could sell you a multi-million pound threat intelligence program, but that might not benefit one organisation versus a multi-million pound bank, right? So it's really important to sit down and understand that, and even just taking free sort of materials and free sort of feeds and stuff and just slowly implementing

it into the organisation, that's already better than where we started. So it's just kind of starting small, building up, making sure that we stay aligned with the objectives and priorities of the organisation. Any other questions? I can run away now. Thank you so much, guys.