Ctrl+Alt+Defeat: Using Threat Intelligence To Navigate The Cyber Battlefield

BSides Cheltenham · 2024 · 39:11 · 94 views · Published 2024-07
Category: Technical
Difficulty: Intro
Style: Talk
About this talk
An introduction to cyber threat intelligence for organizations new to the field. Covers what threat intelligence is, the current UK cyber threat landscape, and practical applications—from security operations centers to incident response—including how intelligence platforms and automation can help teams detect and prevent attacks more efficiently.

Um, so hi, my name is Sophia. Today we'll be talking a little bit about threat intelligence. Um, I must admit that was partially created by ChatGPT because I'm not a very creative person, so I do apologize for the cringiness and cheesiness of that title. Um, so the whole reasoning behind this talk was, um, I'm fairly new to threat intelligence. So I started in pentesting, I moved over about 2 years ago, and I didn't really know what it was or what I was getting myself into. All I knew was I was really bored at testing APIs, so I needed a change of pace, and that's how I ended up in threat intelligence. So hopefully today we'll

take you through a journey of just what is threat intelligence, how it can be applied in different use cases in cyber security and, if you are in a position in the organization to make those decisions, um, how it could potentially benefit your organization too. Sick. Um, so who am I? So my, my name is Sophia. Um, I'm the strategic threat intelligence lead, um, for a company local to the area and, as I said, I was previously a pentester. So my kind of generic career was: I finished uni, I did two years of pentesting, um, I then moved into hacking cars for a bit, that was a bit of a weird spiel, um, but then ended up going back to

pentesting and then ended up in threat intelligence. So I'm also the admin for the Ladies of Cheltenham Hacking Society, so if you haven't seen us already, um, we are in a community stand in the hall. Um, we, I don't know if you've got any Haribos left here, so you might have missed out on that, but we do have lots of stickers, so we can, we can give you some stickers. And the Ladies of Cheltenham Hacking Society are a nonprofit meetup that we run quarterly around Cheltenham. It's primarily for people that want to upskill their technical skills, but it's also a place where you can just sort of meet, have a chat and network with

like-minded individuals. Um, I'm also the Security Queens co-founder. So Security Queens was something I founded back in lockdown, which seems like an age ago. Um, I was just bored, so I decided to create more work for myself and created Security Queens with another fellow woman in cyber, where we regularly blog and we also do conference talks around the UK. I studied cyber security management at Bournemouth University, and I know there's some, some Bournemouth people here, so thank you for traveling. Um, I was team captain for Team UK at the European Cyber Security Challenge, which was basically a massive CTF, um, so represented the UK three times as well. Um, I won a bunch of stuff along this

whole career journey of mine since I started back in, I dread to think, 2016, when I started uni, um, and also TV certified cyber security expert: you might have seen me on Channel 4's Hunted as a cyber hunter as well. So a little talk through what we're going to do today. So a brief introduction to cyber threat intelligence. This is quite a high-level talk, um, so if you don't know what threat intelligence is, you're in the right place. If you do, you might get bored, I'm really sorry. Well, so we're actually going to go through a snapshot of the UK cyber threat landscape, so what we're sort of concerned about particularly in the UK, the benefits of an established threat

intelligence program in an organization, and how you can start to use sort of CTI to fight those cyber battles, so things like advancing technology, combating different problems, embracing things like AI and machine learning to improve those solutions, and a little closing Q&A. So I'll try to drag this out as much as I can so you don't have to ask me too many questions. Um, so first of all, what is threat intelligence? So when I first started threat intelligence I, I literally Googled like "cyber threat intelligence" and it came up with like all these really scary things. I was like, oh my God, like why are there so many diagrams, why are there so many numbers, why are there

so many words, and I kind of got scared and thought I was like making a terrible, terrible mistake moving away from pentesting. So we're going to break it down a little bit more than that and we're going to talk about what really is threat intelligence. So this is one of my favorite definitions of threat intelligence, and one of my favorite sort of sayings is "there's no intelligence without data". So threat intelligence is basically data that is collected, processed and analyzed to try to understand your threat actors or adversary, um, so you're thinking about their behaviors and motivations, their type of objectives. Um, threat intelligence enables us to hopefully make more sort of data-driven

decisions and more actionable decisions based on those findings. So if you think about sort of the cyber security attack life cycle, we're trying to sort of be proactive against those threat actors rather than reactive to when something happens. So there's three levels of cyber threat intelligence. So in my current role I sit kind of high up, so I do a lot of executive summaries, I talk to a lot of scary CISOs and I do a lot of translation of technical data into actionable things for an organization. So when we talk about strategic threat intelligence, we want to know the who and the why, we want to know an overview of that organization's landscape, and we

don't want to make it too complicated. We want to keep it really high level and we want to keep it very kind of away from the ones and zeros and the indicators of compromise, that kind of thing. So this kind of intelligence might help a business inform their decisions around budget, policy, resource allocation. It is primarily non-technical, so if we think maybe your C-suite, who don't have a technical background, we need to create that intelligence so it'd be consumable by someone like them. Um, shared in the form of reports or briefings, so I live my life in Word, which is absolutely fantastic. Um, and it focuses on the long term, so we're thinking about long-term strategy, where

we can spend our money, how to make an organization's security defense sort of more robust. So when we talk about operational cyber security, we focus on something called TTPs. So TTPs, which some of you may have heard before, is called tactics, techniques and procedures, and we want to know how they're getting into an organization. So you want to know what kind of capability they have, what, what their intent is, what opportunities they're using, um, the method of their attack: are they using a particular methodology, are they using particular tools, that kind of thing. So on this level you might identify things called indicators of compromise to respond to threats, so you might be working with other sort of

departments in organizations, so incident response, defense sec, that kind of thing, seeing what intelligence they might collect. And this particular sort of level of intelligence will help you attribute an attack to a threat actor or adversary. So instead of seeing like "oh no, we're breached", we want to know how we've been breached, we want to know who's breached us. So we might use things like indicators of compromise to sort of stitch together an attack path or an attack pattern to try to attribute them to that. So intelligence might include TTP information, but most importantly it focuses sort of on the medium term and brings in sort of more technical staff of that organization, so as I said, incident

response, um, SOC analysts, threat hunters, IT managers, people able to implement that kind of level of intelligence in their day-to-day job. And finally we're going to talk about tactical, so the what is it, what's actually happening. So this is usually in the form of, um, sort of automated intelligence, so you might collect feeds from different sources, you might collect loads of IoCs, or you might get a different set of data from the incident response team or the SOC team that will just come as an indicator of compromise, or literally sort of like ones and zeros: IP addresses, file hashes, that kind of thing. Um, it might be shown in the form of APIs, um, or STIX and TAXII, which are

different standards for threat intelligence information, and it's usually raw data that hasn't been analyzed yet. So we have to think about things like, oh, I guess, well, sorry, a little bit, there we go. We have to focus things around all real-time alerts, so anything that's been captured by the incident response team or the SOC team or perhaps your SIEM solution we can use in this kind of level of intelligence. So now we're going to talk about the threat intelligence life cycle, and I feel like a teacher here, so I'm really sorry if I'm teaching some of you to suck eggs, but, um, the threat intelligence life cycle is basically kind of a framework that helps shape those threat

intelligence activities in an organization. Um, so it, it's very sort of, it depends which source you go to, it's either five or six steps or sometimes seven steps, but we'll focus on this one today. So the first step of the threat intelligence life cycle is planning, objectives and direction. So before you do any collection of data or analyzing of that data, you want to basically identify your intelligence requirements, why you're doing this intelligence exercise, the different objectives you want to get from it, um, and you might do things like resource allocation, putting people in the job, that kind of thing. Um, so then we've got to collect the data. So we've got to collect data

and that could be either from internal or external sources. So if we think of internal sources, it might be like network logs or it might be packets from your Wireshark instance or whichever. When we think about external collection, we want to think about things like open source intelligence, media, news, blogs, white papers, all that fun stuff. So once we have all this fantastic data, and you may and will have a lot of it, we want to try to process that data, so try to make it into a bit more consumable formats. So things like removing false positives, um, if we've got a huge amount of data, trying to pick that data that's actually useful to us, for

getting rid of irrelevant data for our objectives of the program, um, just to make it a bit more palatable and easier to kind of analyze later in the, in the threat intelligence life cycle. And then we go to analysis and production. So once we have that data, and it's the exact data we want and it's not just lines and lines and lines of Excel, we can then analyze that data and produce it somehow. So when we analyze that data we want to create that actionable intelligence from it, we're identifying how we use that in the decisions we want to make, and then with producing that data we need to think about our end user. So are you producing

that data for a C-suite, so it might be better in the form of a briefing or report? Are you producing it as a TI alert for maybe your SOC, which might be better handled in a STIX or TAXII format, maybe an indicator of compromise alert? So it's important to kind of think at this stage who you want to deliver that information to, and making sure that you match that requirement as well. And finally, dissemination. It's no good going through all this trouble if you don't share it, so making sure that you share it to the people that will benefit from that. If you've identified in the first part of the threat intelligence life cycle who's going to

be involved in that threat intelligence exercise, making sure that it gets to the correct people. Um, cup phones not necessary, but if you want to use those I won't judge. And finally, feedback. So we look back at all the amazing work we've done, we identify what didn't go so well, maybe things that we missed, and use that information to go back into the life cycle, so it starts all over again. It's like a never-ending cycle. I do love my work, I promise. So a little bit about the evolution of threat intelligence and some sort of important things that kind of shaped threat intelligence as it is today. So, um, there's obviously lots of

things that have happened in the world of computers and cyber, but I picked out a few sort of milestones here. So in 1988, um, the Computer Emergency Response Team is established, so people kind of realize that we need to start thinking about how to react to events and how we can protect ourselves. So the 90s to the 2000s, you kind of see a rise in generic cyber crime, so things like phishing, ransomware, DoS attacks, and organizations sort of start to realize that, oh, this is a thing, we need to start preparing ourselves for it and we need to have those, the correct intelligence to try to protect ourselves from these attacks. As we move into the 2010s we see

lots of big scary breaches in the news and the media, um, and then that kind of underlines the importance of monitoring and analyzing for TTPs by certain threat actors so that organizations can try to proactively defend against those. So a few things around that: we've just got the Sony Pictures breach in 2014; ironically, we did talk about voting elections this morning, so we've got the supposed interference with the 2016 election; and we've also got the WannaCry ransomware epidemic, which obviously underlined the importance of trying to prevent and defend against ransomware. And finally, I guess this is, this sort of current: a lot of organizations consider sort of CTI essential in some way or form, whether that be gathering that

information, analyzing, or using external contractors to help them with that, um, and making sure they're sharing that information as well, either within that organization or within the industry [Music] sector. So there's like loads of different ways, and I do like a good graph, so thank you CrowdStrike for this. Um, so there's loads of different ways that threat intelligence is used in the three sort of levels we talked about. So as you can see, tactical, we're thinking about threat feeds and real-time alerts, you might look into sort of malware analysis, that kind of thing. Operational, we're looking at threat actor profiling, kind of trying to figure out what's happening in the real world, um, who's doing these bad

things. And then strategic, but again looking at that long-term strategy, reporting into the C-suite, reporting into the exec, um, and going on with research, that kind of thing. And I'll just talk, talk a little bit about the UK cyber threat landscape and what we kind of worry about nowadays, very, very minimized, there's lots going on obviously. So the key threats that we see in the UK come down to these sort of three things, just really simplified, it's actually quite a complex picture, but here we are. Um, so cyber crime, nation states and hacktivism. So cyber crime, there's lots of things going on. Um, there's some statistics in the middle there from NCC Group where you have the

top 10 most targeted sectors, so we're seeing a lot more ransomware attacks in industrial, and this is kind of driven by the digitalization of a lot of those processes. Um, but interestingly there was a bit of a weird spike in sort of total ransomware cases, so you can kind of see it was a little bit higher but it's evened out. Um, but there's been a lot of this in the news, obviously: there was the British Library attack, JD Sports, Manchester police. Unfortunately it's something that's ongoing and continues to kind of worry us in the, in the threat landscape. We've got lots of online fraud, so things like phishing, business email compromise, the Tinder Swindler and

romance scams, that kind of thing, and also the use of AI, um, and machine learning, so a lot of people getting their voices cloned, um, in those kind of phishing attacks. So that's something that's a key worry for a lot of the public as well. So there's Facebook Marketplace scams where you have to sort of pay in advance, that kind of thing. Um, we also have something called access brokers. So these are sort of adversaries which might compromise an organization and, and then try to sell that access onto the dark web. So this is kind of making sort of cyber crime a little bit more accessible in a way: you don't have to kind of do that hard work

and you just buy the access off someone and, and go with your objectives that [Music] way. Um, we've got a lot of hacktivism going on, especially with the turbulence within sort of Ukraine and Russia. There's a lot of, um, hacktivist groups wanting to sort of back certain states. So this is kind of a post where, unfortunately, with everything going on in Russia and Ukraine, they were trying to target any allies of Ukraine. So there's loads of things like UK health institutions on there, there were lots of education targets on there too, and it just sort of demonstrates that kind of overreaching, kind of high-level overview. And we've also got nation state sort of worries, so we've got a real

concern around sort of nation state actors, the difference being a lot of nation state actors might have a lot more prepositioning to do, they have a lot more resources, a lot more allocation that they can put into their attack, so it's usually quite a longer sort of attack frame rather than someone just trying to like pop your, your business and try to get some data. Um, there was obviously a lot of worry around sort of China, Russia, um, their involvement in trying to improve their human intelligence and online profiling as well. But it's not all doom and gloom, I promise. The benefits of threat intelligence: so there's loads of things that threat intelligence could help with,

and some of those will address those key issues we worry about in the UK cyber threat landscape. So things like empowering organizations, so organizations feel more confident in themselves, being more confident in anticipating and reacting to threats but also their mitigation and defense capabilities, particularly if they can interact with things like incident response teams orer team, SOC analysts, that kind of thing. It helps people kind of enrich their knowledge about threat actors, so by improving their knowledge and attribution capability and attributing those attacks and campaigns to certain adversaries, it then also allows that collaborative knowledge that they can share with other people or industry partners. It supports incident response programs and strategies and it also

promotes control culture of continuous learning to match the evolving landscape. So something I find, not difficult, but keeps me on my toes is that I'm constantly having to learn, constantly having to keep an eye on new things, and that's something that can definitely help. But you can also track things like new vulnerabilities and bugs, but it also enables in-depth threatener to. And I had to do the whole strategic spiel of it might save you money if you can, if you can proactively react to trying to prevent those breaches. Um, fewer breaches, more efficient response might, in, might in the long term, in an ideal world, save the company a bit of money too. So how do we actually integrate

threat intelligence to fight those cyber battles? One of the ones that I've mentioned quite a few times now is, um, the use of the Security Operations Center and incident response. I'm really sorry, I did grab this, um, diagram from somewhere but I completely lost where I got it from, so if anyone wants to let me know or they want credit for that, please let me know. Um, so threat intelligence teams can help the sort of analysts and the people in those SOC centers and the incident response, um, inform their decisions, so hopefully triaging alerts, reducing false positives, making sure their time is better, efficiently used. So alerts can be proactively issued to SOCs and incident response, so

let's say in my day-to-day job I do research about like new CVEs, what's being popped, and if I find something really interesting I can then tell the SOC team and they can proactively implement the correct firewall rules or whatever they want to do to try to prevent that. So it might include things like attack behaviors or indicators of compromise. So we want to think of things like file-based indicators, so "oh, this file hash, it's a bit dodgy", or this file name; network-based indicators, so we know that this IP address is being used by this threat actor; behavioral indicators, so like weird network traffic or system activity; um, or things like artifacts, so configuration files, registry keys that might be left

by that threat actor. So threat intelligence platforms, also known as TIPs, can be used to help inform these teams with the latest threats and IoCs. What's really good about TIPs is it kind of pulls in loads of different sources and curates them as a single feed, so you can all see it in one place, which is quite handy. And the most important thing being IoCs can help security teams, again, protect, protect, detect and prevent cyber threats and attacks more efficiently, so they can be, try to be that one step ahead. If they know that this particular file or malware is being used in the wild and they can attribute a file hash to that particular attack, they can then use that

in their own defenses too. So threat intelligence platforms and feeds: so as I said, it combines intelligence from different sources and feeds, and through this you can actually automate some sort of form of generating alerts too, which is quite handy. So what's really good about these feeds is they're constantly moving, they're constantly pulling real-time data in, and it enables a continuous flow for all those organizations as well. TIPs can also be integrated with SIEM solutions, and benefits include sharing that intelligence and data, so anyone can sort of read that information and be able to consume it quite easily. It also centralizes that data, so you don't have five different pools of data or five different folders where

data is sitting, you can actually just all focus on that one centralized location that you can analyze it from. It allows collaboration and information sharing during incidents as well: in a very high-pressure kind of event where you might be breached or have an incident, something like a TIP might be valuable in trying to keep a track of that different data flowing. And the most important thing being that constant stream of data, so it allows you to have access to the real-time data, a constant flow, um, and you're not having to worry about constantly like updating yourself. So this is something that I do quite a lot, so as coming from a pentest background, um, I moved into sort of threat

intelligence-led pentesting, creating that threat intelligence to give to the red team or the pentesting team so they can better design their attacks to simulate real-world adversaries. So as I said, it kind of helps leverage threat intelligence to emulate adversary behaviors, so anything that we find is a recent trend or maybe a recent tool, the red team or whoever can take that away to try to mimic that. Oh, so two tasks achieved when doing threat intelligence-led testing. So we're able to do threat profiling, so when we write up our reports of our findings we can then do a little bit of threat modeling, so the tester can not only profile the organization but then

identify different critical assets and resources just like an adversary would. We can also design that attack strategy to mimic that adversary that we've just profiled, so applying the different TTPs to attack in an organization, um, so simulating MITRE ATT&CK and things like that, but discussing with the organization if they've perhaps had a previous breach or they've been targeted by a previous adversary, trying to copy over those tactics again to try to simulate a more informed pentest or, um, attack. There we go. So regular pentesting, um, does not consider sort of TI. It's very sort of methodology based, um, you might have standard frameworks, processes, tooling that you use, and it does quite rely on tester efficacy, so if

you're more experienced in Active Directory versus someone that's perhaps new to the industry, it might mean that you pop more boxes, it might mean you have a different methodology, that kind of thing. And the great thing about threat intelligence-led pentesting is it relies on the TI output to shape those scenarios and different attack vectors, so every phase of that CTI sort of activity is then fed into the assessment, creating a more holistic sort of assessment that mimics that real world that a lot of organizations are worried [Music] about. So the, the big one being here, it focuses on real-world attack scenarios. Intelligence-led testing also allows organizations to have good adversary perception, um, which helps them combat

adversaries that they are particularly worried about. So a lot of the time we do things like threat landscaping, um, we do a lot of workshops with stakeholders, see what they, they worry about, if they have any defenses that they think are a bit lacking, and if we know any, um, adversaries that focus on those, and it provides that sort of holistic understanding of where they sit and their cyber stance. [Music] So information sharing. So it's great doing all this work, but again it's not any use if you don't share it with anyone. So there are something, um, that, there are communities and different networks that give organizations access to sort of real-time data about what's

happening in their industry, so different things like threats and trends, new CVEs, that kind of thing, and, and it brings together, which is really good, industry, academia and government, which I think a lot of the time tend to sit in their own pool, particularly academia. Um, so it's really good to be able to, be able to chat to those different organizations. So there's something called an Information Sharing and Analysis Center, which allows industry-specific sharing of information for threats, so you've got like aviation, automotive and financial, and that nice little graph is provided by ENISA, kind of shows the split of ISACs across Europe too. Um, you've also got threat hunting activities. So I am not a threat hunting

expert, so I definitely think that's something for a different talk perhaps, but threat intelligence could help, um, input into those activities. So obviously when you're threat hunting you're proactively trying to find threats into, in your network, um, but providing that intelligence into that can help, um, form around their collection of data, what they're looking for, um, and how perhaps adversaries are evading existing security controls. And as always I've got to bring up AI, I think it's the AI theme this year, so it has to be mentioned. So machine learning and artificial intelligence can also help, I guess, cyber threat intelligence and can help different processes and solutions advance themselves. So it could help improve CTI analytics so they could

faster respond to threats using both supervised and unsupervised models. Um, a lot of the things we worry about as cyber intelligence analysts is biases, especially with human analytics, when you have confirmation bias, maybe some groupthink. Um, it helps kind of reduce that bias that could be associated to humans. You can implement all sorts of wonderful things like predictive analytics. Reducing false positives and human errors is a big one, especially with large data sets, but you can also use bulk data analysis to find different patterns, and it could help with automated processes when we talk about alerts and detection. Not only that, but it can also help improve information sharing, so helping identify what key information

can be used to be shared, the le... I can't speak, the legal and ethical implications of sharing sensitive data, and helping establish the trust between two parties. So we'll bring back the little threat intelligence life cycle and, um, we can sort of see here the different ways AI and machine learning can sort of advance the different parts of that life cycle. So helping collect, um, intelligence is a big one, helping parsing and normalizing that data so that humans can understand it, helping analysts prioritize, um, their different sort of scoring that they might use in their analysis, um, personalizing different end results to try to create those reports with those briefings or those presentations, and then using customer feedback to try to

tailor future collection efforts as well. But there are also a lot of challenges with cyber threat intelligence. As with anything in cyber security, we have to consider things that can go wrong as well. So a lot of things have happened in cyber security and, and of course things will continue to change, it's quite a dynamic place. So another thing that we do worry about is the evolving threat, so the evolution of cyber security attack methods, and trying to keep up with that, trying to keep up with what the bad guys and girls are doing and trying to make sure we're one step ahead, per se. So as you can see, in the 1980s we, we obviously had some like ransomware, we had

some worms, malware, worms, hackers, all that scary stuff, but then that morphs into a much more complex cyber threat landscape as we move into the 2010s. So we think about, um, supply chain, how critical third parties might affect, um, an attack campaign against an organization, ransomware as a service, when we move towards sort of double, triple extortion rather than "we've just locked out your systems", spear phishing, business email compromise. We've got a lot more things to think about as new things are happening every day. Too much data happens quite a lot, I just end up drowning in, in Excel spreadsheets. So we can usually end up with way too much data, and then it's really hard to analyze it and pick out

what's useful to us and our objectives. So this is something that arguably machine learning and AI could potentially help, but it goes back to those, defining the requirements, making sure that we're collecting the right data in the first place and then tailoring that data during the analysis phase to make sure we're getting the right actionable stuff from it. Stakeholder buy-in: I do love a good corporate buzzword. So making sure that we have stakeholder buy-in from the organization, making sure we have that support, that resource, that allocation to allow us to do our [Music] jobs, and once we know what we're doing, kind of trying to mature that program to be more embedded in our organization, um,

so not only thinking about preventing and detecting but also around strategy, around those insights and advanced warning too. So how we can kind of go from "cool, we found the thing, we're going to implement the defenses" to profiling, strategy, trying to prevent it in the long term rather than the reaction in the short term. And there's loads of things we can do, or organizations can do, with cyber threat intelligence. So integration with security operations, again to enhance threat detection, response and mitigation capabilities. Continuous monitoring and analysis, so we can use sort of CTI to establish mechanisms to try to continually watch out for those emerging threats, vulnerabilities, attack patterns. Again, we have to try to think about being that

proactive rather than reactive stance. Making sure we're sharing that information: I can't sort of emphasize how valuable it is to share that information, particularly with industry partners, academia, because everyone's going to have a different perception on it, but also they might have something new that you might not have thought about, so fostering that collaboration to try to not only share that intelligence but different insights and best practices and how they differ. Automation, or using things like AI and machine learning to help improve, improve the mundane processing and dissemination of threat intelligence. Um, customizing threat intelligence, so as I said there's going to be different sort of end users that receive that intelligence, making sure that the same bit of intelligence can be

tailored to match that end user to make sure they understand it and they're able to take it away and action that, and also tailoring threat intelligence to the specific risk profile of an organization. So a big bank will be having different sort of worries versus an automotive company, for example: they will have different priorities and different sort of intelligence requirements and risks they are worried

about incident response planning so threat intelligence analysts can help incident response teams um improve their plans improve their sort of reaction plans especially if we know something's being abused and used by adversaries they can then be more prepared for that regular threat hunting within organizations' networks um there are unfortunately more and more regulations and standards as we kind of venture into the world of cyber security so threat intelligence can also help with that um keeping up to date with loads of technical technological advancements and all the new things happening so artificial intelligence machine learning behavioral analytics all those things that can be used in threat intelligence to help improve that and I think I've spoken way too

quickly because I think I whizzed through that in about 30 minutes which unfortunately means there is time for questions so I think I shot myself in the foot there but um if you did want to keep in touch my name is Sophia I'm you can sort of find various different bits and bobs there so there the Ladies of Cheltenham Hacking Society Twitter you've also got the Security Queens Twitter my personal account ADM LinkedIn if you feel free to um and there's a ladies hacking society and Security Queens as well which we do monthly blog posts and a little newsletter if you didn't want to sign up but um yeah thank you very much [Applause] does does anyone have any questions or

can I just run away God damn it Dan [Music] [Laughter]

yes yeah

yeah yeah so that's a very interesting question I don't have an immediate sort of overnight answer for that I think a lot of it is translating it into the business risk and business objectives so if we can try translate into cool you can do this thing um it's going to save you x amount of money or we're going to make sure you pass I um ISO 27001 that could potentially help with the stakeholder buy-in at sort of the top of the pyramid um I think threat intelligence can be used in different sort of departments and teams as well not necessarily just the IT teams or you know um so being able to roll out awareness programs

across the company to then increase the defenses that way is also a possibility particularly with small and medium enterprises that's something that's a bit more easier to kind of integrate rather than an entire intelligence team [Music] yes yeah yeah [Music]

yes yeah so I think from my experience anyways I think it's sort of a nice middle ground that a lot of the time obviously coming across TLP:RED information or for those people that don't know it's very very you're not supposed to share it outside of the room basically um some of those insights could probably be beneficial for other parties but at the end of the day we're trying to kind of improve our defenses and improve our reaction to that so if the release of that information is going to actually be more damaging than good then it's still good to have those classifications I think we're quite good in the threat intelligence community that we know kind of the limits around

the good and the bad and balancing that um so I don't think it's necessarily harmful having these classifications but it's just sort of being smart about it and making sure you're thinking about your before you're talking um a lot of people do like the prestige as well like oh I found this really cool thing but I'm going to keep it to myself and it's going to be really cool and secretive um and I think we need to sort of break out of that of like the cool kids club can only know about it and but actually sharing that knowledge sharing that information could be beneficial for the wider community yes [Music]

yeah yes [Music] yeah

yeah yeah

so I think a lot of it goes back to I think you I you remember me mentioning the Information Sharing and Analysis Centers um a lot of you know private companies aren't necessarily a part of that um but providing that preview of what they could gain from that I found is actually a good way of sort of mildly soft introducing them into that um a lot of the time using case studies as well like oh this company you know did this and it turned out to do this um is actually quite good using sort of hard evidence that collaborating information sharing can actually be beneficial again going back to the oh but it's like the

cool kids club we don't want to share our information because it might give them strategic advantage it might give them you know a business advantage it's just being smart about it you know actually thinking like is this going to harm my organization if I share this information or actually is it going to help others yeah any questions before I hit the bar yes yeah yes yeah oh God that is a tricky question and I am not an AI expert but um I think a lot of I'll sort of sort of reiterate that a lot of the time when you know humans analyzing that data we are worried that we're going to introduce our own biases on it I know from my very limited

understanding of AI and machine learning can sort of teach different models to allow that data to extract different things that will be relevant to your organization or your strategic objectives where it'll be in five years I hope it won't put me out of a job and I don't think it will I think a lot of the time it's still having that human element talking to the organization talking to different stakeholders actually sitting down doing a workshop with them talking about their worries and concerns that's something AI can't really achieve so it'll be a combination of both efforts I think yes [Music]

yeah yeah [Music]

no yeah yeah yeah no absolutely valid point so I think with the industry specific sharing initiatives we are thinking of like very niche things up maybe if we talk about financial institutions maybe specific to SWIFT for example that someone in automotive or maybe industrials won't really care about because that's not something they use but when it comes to kind of things like the NCSC white papers um conferences where you know you can share that very high level intelligence that's actually relevant to a lot more than outside your industry um that is something we should be thinking about at least um so with the industry specific sharing initiatives I think at least my understanding and my

sort of experience with that it is very very specific to that rather than talking about a generic topic like ransomware they will be talking about specific IOCs or CVEs to like an embedded sensor in a car for example um I think we're quite good in breaking out of that and sharing beyond that particularly when it comes to big trends like ransomware um phishing social engineering that kind of thing yeah anything else no can I run away now thank you very much guys