
Build Your Own Threat Intel Platform (No Budget Required)

BSides SLC · 2026 · 55:42 · 280 views · Published 2026-04
Speakers: A. Stryker
Category: Technical
Style: Talk
About this talk
What if you could build your own Threat Intelligence Platform… without a six-figure budget? In this hands-on session from BSidesSLC 2026, A. Stryker shows how to create a minimum viable TIP (Threat Intelligence Platform) using everyday tools like ChatGPT, Feedly, Airtable, and Zapier, plus a little creativity. Originally built out of necessity (and "duct tape vibes"), this DIY approach is still powering real-world workflows today.

💡 In this session, you'll learn how to:
- Decide if you actually need a TIP, and what problem you're solving
- Aggregate and customize intel feeds (including finding hidden RSS sources)
- Automate collection and organization with low/no-cost tools
- Use GenAI effectively for OSINT summaries (and avoid common pitfalls)
- Design a practical, scalable workflow for your own environment

🛠️ Whether you're overwhelmed with threat data, manually tracking indicators, or just getting started with CTI, this talk gives you a practical blueprint you can build immediately.

🎤 About the Speaker
A. Stryker is Director of Content and Threat Analysis at Fable Security, where she turns technical research and intelligence into actionable insights. She's previously worked with GEICO, Blackpoint Cyber, and other security teams, and is a familiar face at DEF CON, BSides, and SecTor. When she's not talking threat intel, you'll find her playing Backdoors & Breaches or experimenting with unusual hobbies back home in Baltimore.

🤝 About BSidesSLC
BSidesSLC is a community-driven cybersecurity conference where practitioners share real-world insights across security, intelligence, and emerging technologies.

🔗 Stay Connected
Website: https://www.bsidesslc.org
#BSidesSLC #ThreatIntelligence #OSINT #CyberSecurity #InfoSec #Automation #GenAI #CTI #SecurityTools #BlueTeam
Transcript (en)

All right, thank you all so much for not leaving early because your brains are fried, and for coming to the session today. So, in case you're worried about this being another GenAI session, the exercises are take-home at the very end. This, refreshingly, was initially put together before the apocalypse happened. So enjoy that, or I'm sorry. So this is "Just a TIP: DIY Your First Threat Intelligence Platform." I will pause for a moment in case anyone accidentally attended the wrong session and would like to leave. All right, I'm not going to read all of that, but this is an idea of what we're going to be going through today. This is that very awkward moment in my life

where I recreated the wheel because I didn't know somebody else had done it. So way back when, before I transitioned into cybersecurity, I actually worked with a local, Salt Lake City-headquartered IT and cybersecurity vendor, and I kept losing the NIST password paperwork. That report, I have had to look up on NIST I can't tell you how many times in order to properly read the report inside it, because every time I downloaded it, I immediately lost it within files. And yes, I was diagnosed with ADHD at some point during this. And so I was like, darn it. Okay, I'm going to make a file. I'm going to make

a folder and I'm going to put every PDF I ever freaking download into that folder, and then I can't lose it again. Which was about as organized as my tax receipt shoebox was this past January. So then I thought, okay, how can I make sure that I can find the information I need, be able to quickly contextualize it for the different communications, reports, and other pieces that my stakeholders internally needed, and how can I keep this updated and do it without dying, because my role is not actually a librarian, as much as I really wanted it to be. And so when I first went into threat intel, when I pivoted into cyber, the very first one-on-one meeting with my

boss was like, "You realize you built a TIP, right?" Okay, so what is that? He went, "Okay, it's a threat intelligence platform." And a lot of different people and a lot of different vendors want to tell you a lot of different things. You guys can disagree with me on the definitions, but since I'm talking, this is what we're going to go with today; happy to hear debates later. But if you look at what a TIP is, it's less of a platform and more of a thought process. And so what I had ended up doing was putting together a TIP that followed this thought process, because I didn't know other things existed and I had

goals that I had to do. And what I would suggest to all of you today is that all of you can do the same process. You don't have to use the same tools that I did. You don't have to use the same skills that I did. You don't have the same reasons or emphases that I did. But the process, the framework, is what I want to offer to you guys today. Oh, and by the way, we are going to get to several slides in this where I give resources and a whole bunch of stuff. I swear to you, I have uploaded the PDF to the conference folder. You can download that to your heart's content. Also, you

can take pictures if you really want to, but I promise you I will make this available. It is already available to the conference. But if we think about what a TIP is, or a TIP process rather, you've got a reliable source that you personally think, with moderate confidence, knows what the hell they're talking about and might have useful stuff. They're going to produce new information. It'll enter, you know, a channel of some sort; in this case, an RSS feed. You're going to triage that from a dashboard, because there's going to be a lot of noise around the signal. Anybody who's worked in a SOC knows exactly what I'm talking about. Then you're going to pick out the

important bits. You're going to store it someplace. This is your library. Hopefully not a folder. I tried that. And then really, at the end of that process, you need to take the contextualized information, or the intelligence that you end up producing out of this process, and get it to the people or tools who most need it to take action. And believe it or not, no action is still an action. You have still succeeded as a threat intelligence analyst if your stakeholder and executive looks at that and goes, "I appreciate the context. Based on the other business needs, the other organizational goals, resources, etc., I accept the risk." You have done your job even if that

happens. But you've only done your job if they've actually processed the information, not just glazed over it, right? And so this is a really important part of that TIP process, and this is one of the things that you pay half a million dollars a year for, if the last receipt I saw was correct. And you can do it in a lot of different ways. To briefly talk about these ways, I'm not going to go double microphone on that one. You could send it in an email, you can send it on Mastodon and social, you could send it on Medium. This was all automated, by the way. You could accidentally reformat it into a threat profile with no one on your

team actually knowing what a threat profile was or that that existed. We're talking about recreating the wheel here, because that was the best way to translate the information.

Or you can continue the same process with a different maturity level and actually build it into something you can sell. And that's part of what my company is currently trying to do right now with parts of this process.

Well, I'm going to stop there for a second. If you take away nothing else from this presentation, if you leave, if I have suddenly not engaged your attention properly, I want you to remember these three things. The first is that information is not intelligence. There are a lot of intelligence vendors and feeds out there who give you IOCs and data, but they don't give you the context. They don't identify what's actually relevant for your organization, your priorities, your random stakeholder who randomly hates IBM. They will never know that bit. That's part of what intelligence is. It's contextualizing it for the organization that you are trying to protect. And it's using your critical thinking, and not

outsourcing that to automation, to be able to project a forecast, a recommendation, to give guidance. And whether that's an IOC or something else, that's intelligence. Don't mistake everybody who's like, "Yeah, I can scrape together every feed ever known and I got 20,000 things in a GenAI that's doing the thing." Dude, one, you're poisoning your data set if you have that many things and you have an agent in there that you're not monitoring. And second, that's not intelligence. That's information, which is important. But a TIP is not an information hoard. And this is something I personally struggle with. Just because you downloaded the report does not mean you actually know what's in it. You cannot claim the

authority of knowing how GenAI works if you don't actually read the report that explains how that works. More to the point, just because you downloaded that NIST password recommendation but then you didn't actually get it to anybody else doesn't mean your passwords and secrets are compliant. You have to transmit that information in such a way that it actually is able to move the organization forward. So just because you collect it doesn't mean it's actually worth anything, which is why the later parts of this, the distribution, which is something a lot of people forget, is really important. Third, please check your egos at the door. It doesn't matter what tools you use to accomplish the end goal. You are not

being paid to be master wizard tech hackers who can, you know, manipulate code and do all of the things. Yeah, that's personally impressive. You might get a DEF CON talk at hacker science fair, right? But if you don't actually do the thing you've been paid to do by the organization, you don't actually protect anybody with what you're doing. Doesn't matter how fancy the innards are. So stop being preoccupied with using an official CTI tool, or that, "Oh, I didn't actually code. I used a WYSIWYG." Yeah, but I got it done and convinced people to spend millions of dollars on what they needed. So there are three exercises, two that we'll do here in this presentation. The

first is choose your TIP. Why do you guys even want to do this? I'll let you read those for a second. And I'm going to warn you: I want you guys to get really, really specific with this. So consider these questions for a second. You cannot be everything to everyone. That's gonna be fun. You cannot be everything to everyone. And you will catch more attention from a broader audience if you actually narrow it on purpose. This is one of those "you got to trust me, bro" moments. I have proven this over and over in the past 15 years, internally and externally, in marketing, in sales, in cyber, in threat intel, in briefings. If I narrow

who I'm talking to and what exactly I choose to be expert in, more people are willing to believe what I say and I reach more and different types of important people. Likewise, when you're building something like this, you can't try to do everything at once. Pick one piece of information. Pick one stakeholder, one tool that you really want to get right. This is a minimum viable DIY first baby TIP, guys. I'm not trying to recreate Recorded Future. That's a little ambitious. So, just pick that one process that you want to try and do this on. And my biggest failure, actually, the first time I tried this: I was really excited. Like, I really want to help people. And a lot of

my mentors in cyber struggled, like they liked it when I came to them with the latest news or, "Have you seen this research report?" So I was like, "Oh, what if I put together an email list and I can automate the last five things that I thought are really cool that I uploaded to my database?" They were cool to me. They were not cool to anybody who subscribed or read. And so it was kind of like a gee-whiz nice-to-have. It wasn't actually useful or important or impactful for anybody's actual operations, and that's why it fizzled out. So, you know, they were really nice about it, but it didn't

actually get used. So, if you want this thing to actually be used, you've got to figure out more than just what you think is important or you think is cool. What does the tool or person you're trying to talk to think is cool or important, relevant, or impactful? All right, your turn. Open up a notes app. Write in a notebook. Think really, really hard till I can smell smoke. But if you were going to do this, right, what's your first TIP going to be? What would you want to do this process on? A very specific person. It can be a muppet of a developer archetype. It could be someone very specific internally. It could be your boss who's asking you to

do this because they think it's cool. Then I want you to think about specifically what type of information. And I don't mean all cybersecurity headlines ever. I mean, like, okay, you want to collect patch information on what tech stack? The threat feed that I curate right now, in addition to a couple for internal security purposes at Fable, includes specifically exploited people. I don't report on major breaches. I don't report on patches. I don't report on supply chain stuff unless a person is explicitly being exploited, or a bad habit or risky behavior is being exploited later in the attack and I can identify that within the resource. I have narrowed the scope of my feed to

that bit because there are other tools that do it better, etc. Who will this resulting analysis go to? Because remember, I'm not just sending raw information. I'm sending intelligence. So who do I want to read it? And this could be something as basic as a SIEM, right? Maybe you just want an IOC scraper for controls, for automated blocking in a Zscaler firewall. Maybe that is it. This can do that, but that is explicitly what it's for. You're not going to be uploading finished intelligence reports from the latest thesis stuff, right? Maybe this is for you. Maybe you don't want to miss a CFP deadline so that you can be the one

standing up here next time. That's a valid use case. And then ideally, as a result of the intelligence that you sent to them, how will your organization be more secure? What action would you like to enable them to take? Think about that. Really, truly. This is not a fluff thing, because it guides every decision you make after that.

My BA is in English. Sourcing is a fun, fun part of this. Lots of people ask me, "So, what do you follow?" And I'm like, "Can I send you like five screenshots from my phone?" because it's a lot, and I'm constantly adding new sources to it. The way I do it is by going and drilling down to primary sources from secondary. And I'm going to define those here for you. Secondary sources are all of the media outlets and headlines that your executives are reading and freaking out about, that have been spun up into clickable, newsworthy news, summarizing very technical things into impact statements, etc., which can be helpful. So, they're worth following, but they're never going to be your primary sources.

They're often several days delayed. So, what you can do instead is, in all of these, find their source. Even if they don't have a hyperlink, and most reputable outlets will hyperlink their original sourcing, you'll be able to type in "researchers from Check Point said" about whatever that is. Type it into Google or your GenAI or whatever you want to do, and it'll find you the original source. Then you add that original source to your feed moving forward so you don't miss it. I usually add anywhere from three to five new primary sources a week to mine. It's gotten big. The point here: primary sources do not necessarily need to be research. They can be people who say things that are

worth following. So, somebody has a talent for explaining a difficult concept that you would like to make sure that you don't. If somebody has a knack for curating important things that you would have missed otherwise. So, personal profiles and resources.

It does not have to be original security research or finished intelligence. It's whatever most fits what you're trying to do and packages it in such a way that you can follow it and use it in this process. Finally, if you're worried about whether or not a source is worth following, I'd like you to follow these two rules. I forgot to put a slide in here, but it's important. First one: if your teacher in high school would not have accepted that source in an essay, I would like you to reconsider whether or not that is a valid source, or at least come up with secondary sources that support it. So, if your only source for a breach or an assessment is a Reddit

thread, please get enough corroborating information that that Reddit thread becomes an example of the whole pattern, not your sole source you're about to hang your professional reputation on. Not that I've done that. Second, what is the bias? What is the drive? Why is this person posting this information for free? What is their motive? Everyone has a bias. Every single one. The reason we don't trust news media is because we know that they're there to get clicks. The reason we don't always trust pundits on LinkedIn is because they want to be seen as an authority. So what are they exaggerating? What do they get out of doing that? What does the independent researcher get out of

releasing a public proof of concept before the company releases a patch? Is it really because they didn't actually hear from that company, or do they want to get the headline? Because they just made a whole bunch of people less safe when they did that in order to get their own credibility. At the same time, what is the motive behind the company not releasing that? What's the motive behind the company that is coordinating and has suddenly decided right now that this is an issue, when before last week it was hashtag-feature-not-a-bug? Now, does that mean that you discount them as credible sources? Not necessarily. It just means that you read that information with that context,

which is why information is not intelligence no matter what you feed into it. Or you ask yourself why a cybersecurity vendor paid for someone to come give a free talk to all of you. How does that impact how you hear it?

But if you want to freeze the source list: again, I add to this all the time. This is just kind of what I started with when I first did this presentation. There's more here. Your favorite one's not up here. I'm really sorry. I know it's not. And I cannot guarantee the veracity, the security, anything, of anything I recommend here. Please use your own common sense. This is just for you guys to get started. And I promise the slides are available. There's a bunch of slides, so everybody take a picture that wanted it. Bless y'all. All right, so, my fun part. Let's find the feeds, right? So, we

found our sources that we think are reliable. I gave a few. You guys have a couple in mind, I'm sure. This is your primary source, right? The primary source has a bit of information that you'd like to find, but you'd like to do it more than just this one time, right? You'd like to be able to get ahead of it, especially when you could, using this method, anticipate what headlines are coming down the pipe. So, you could have an email ready to go there because your executive says, "Hey, are we covered?" That was useful. But there's a couple different ways you can find this, because you need to find the RSS feed because, oh, sorry about

that. Forgot the order of speech operations there. The problem with a lot of primary sources, it goes back to bias. They want you to go to their website to then sell products and services to you. So, they hide anything that could possibly take you off of that site onto something that you control, like an RSS feed and other pieces. However, I used to write this stuff. I'm in charge right now at Fable of helping us roll this out. Blogs, bulletins, notifications, that kind of thing. Guess what? The back end's made of RSS. We just hide them. I'm not going to when I get control of that particular part of the website, because if you hide them, you have to

come to the site to see the information. You have to come to my own site, where I control the narrative, as opposed to letting you contextualize it. So, they're there. And there's a couple of ways I eventually found to create or find RSS of varying utility. First, Google has a really, really lovely feature where you see the little Wi-Fi symbol right there. That's actually an RSS feed link. So you could set up very specific boolean searches and create RSS feeds for free, and have that link happen, and then you feed it into whatever dashboard you decide on later in the presentation. Will it catch way more than you'd like? Probably. Does it work? Yes.

Also, you will want to periodically check and make sure that all of your RSS feeds are still working. At least once a week, I find a feed and I'm like, "Hey, didn't I have a feed of this already?" And it stopped working and I have to redo it. So, just double check. This is not a set-and-forget process. Next, you're going to view source code on a laptop. Right-click a page. Do line wrap, because otherwise you're going to be scrolling all the way over here, and Ctrl+F for "RSS", "atom", "application/xml". This will help you find source feeds in the source code, because again, that's how it gets published on the site. So it's

just hidden. We just show it off. Note here there's actually two different feeds that were found in this one from Microsoft. One says Microsoft Security Blog, with the weird error you always get when you use an ampersand in that feed. The other one is the blog and comment feed. My friends, how many of you have had a comment about Microsoft? How many of those comments are like the same thing we all say in hallways? If you're trying to make sure you're getting signal, do not subscribe to the comments. That happened exactly twice. All right. You can also brute force it. Go to the main website of the blog and do /feed, /rss, whatever that blog category is. So, like, Microsoft, for

example, doesn't always do threat intelligence. They do product updates. They do raw, raw whatevers, right? That's a blog category tag that you can put in. Try that. Sometimes you get lucky.

This one sucks. It gets you much mess, but it does get you the information. If you go to the robots.txt or the sitemap, you can actually start navigating your way down to get to that RSS feed. It just takes a lot of going around your elbow to get to your butt. So, this is kind of a last resort, but it does work, and works quite well, because remember, part of the reason, part of the motive, part of the bias of these vendors putting this out free online for all of us to collect is for marketing. They want to be found and known as the purveyor of this information. The way they do that is by

creating metadata, which we'll exploit also later in this, and they have coded it in such a way to give maps, literally, to the search box to say this is how everything is interrelated and works, which means the RSS feeds are in there. Again, it looks nasty. This is the end; you end up getting these parts again. It sucks. It's not your first resort, but it does exist. Which comes to my favorite part of this whole presentation, and we haven't gotten halfway through the activity. People who have laptops, please try and find one. You might get lucky and pick a website that actually has an RSS button. You might not get lucky. You might have to do any one of these. I'm literally

turning off my mic. Would you please keep me on it for five minutes? Thank you. And I will be walking around and letting everyone take a moment, because I know all of you will be very well intentioned and be like, "Hey, I'll totally do this at home," and then you won't. So, let's actually practice while we have other people who are me, and people smarter than me, sitting next to you to give you a hand if you have trouble. Also, if anyone can try this on a mobile device and then tell me how that goes, I'd be very curious. I personally didn't do it all on a mobile.

You want to move on, or would you like a little bit more time? Move on. All right.

Now, if you're having trouble actually finding the feeds yourself, you can actually create them. There are apps. As usual, I have not tried all of these. Some of these were recommended to me by buddies when I told them about what I was doing. Some of them I have tried and then not used lately. Please use at your own risk, etc., etc., etc.

Remember how I said that this isn't an information hoard and you actually have to read the stuff? How do you do that quickly? So this is my feed dashboard, or a screenshot of one of them. You can see that it gets overwhelming quickly. So I recommend that you keep on top of this. This will take about 15 minutes a day if you get into the habit of it. Don't let it pile up. Have a backup in case you get sick. So for me, I sort things into a couple of different categories, because if I sort it into a specific board, I'm able to actually connect that as an API hook that triggers an automation connection sequence, and it becomes a

variable. So I have a whole bunch of sources that are in niche media, which is all of my researchers, cybersecurity people, individuals of value. Mid media, that's your Dark Readings, that's your Hacker News, that's your Wired, the stuff that a legit tech outlet could be. Then you have big media, which is going to be your mainstream. So if it gets there, I can pretty much guarantee you your executive is seeing it at that point. So your Wall Street Journal cybersecurity stuff, which, weirdly enough, is often about GRC and board stuff. You've got The Register, registered with the media, I think, actually. Politico. This is just how I have organized it. You guys can organize it

however you'd like. Then newsletters. There's this cool option, if you pay just like eight bucks a month, that you can put your newsletters into an RSS feed so they don't get lost in your inbox. I subscribe to a lot of newsletters. There's a lot of Substacks. It might be an option you guys want to consider. I'm not sponsored, #notsponsored. That's just what I have found. Primary resource drill-down: this is usually when I identify a good piece of whatever it is, but it's citing a bigger PDF that I want to keep for later. A lot of these smaller niche cybersecurity researchers get bought, or they leave, or the company folds. And when

that happens, all of their old stuff goes away. So if you just keep the URL and you're like, "Yeah, I can go check this later. I remember seeing something about this like two years ago," it's not there. So whenever you have a resource, a PDF, something, you're going to want to save that artifact in some way. And then have a natural decay mechanism, which we can get to later. And then I have boards here that are "something to security database." This is an automation trigger, and whatever that something is becomes a tag that I can use then as a variable within the database to allow for extra filtering later. Here are different feed collection options. These are places where you can

put all of those RSS feeds to then review them. Lots of people do it in Slack and Teams already, right? Like, "Oh, let me get the latest and whatever," right? That is a perfectly legitimate thing. And bonus, one of my favorite things to do in Slack or Teams is to hook up a bot that, when you react with a certain emoji, does another thing. So maybe that's how you guys end up organizing where things go once you decide something is of value. That is perfectly legitimate and sane, with the bonus that it has visibility to other people when you share the channel. So they know that you're actually working. Half of intelligence is not doing

something. So it looks like you're not working when you have very, very actively worked very hard not to do something. All right. Automation, because otherwise I would die. Plus, I've often been confronted with people who look at my entire source list and go, "Yeah, but I'm paid to actually work." I get it. Automation is where this is not something different. Automation came before GenAI. Get your head out of the GenAI gutter. Metadata. These are the basic variables that you're going to want in order to actually synthesize what the hell is going on with whatever information is collected once you decide it is. Please note data sensitivity labels are here. This is your friendliest threat

analyst telling you and reminding you labels are important. Please make sure you label who's allowed to see what. And maybe your version of data sensitivity isn't actually sensitivity. Maybe your version of data sensitivity is, "Oh boy, howdy. We don't want to show this to this other person, because then they'll freak out and think we have to work that in." Maybe that's it. You can adapt this however you want, but I want you to remember: whatever you put into your database, and whatever you give people access to, and then later tools, whether that's GenAI, whether that's automated distribution, you have to give your automation and your GenAI some trigger to know what's appropriate to go

where. Most of the work that we do with this system is open. I also don't get into dark... I don't need to. I don't pay for any threat intel feeds right now because we're a startup. But a lot of those threat intel teams that you pay for, if you try to put it into something like this, get real snippy real fast if you put in TLP, which is only for need-to-know people, like people who pay, or maybe an executive. If you, like our service engineer, share TLP:AMBER research with the latest stuff into a public service channel, you may or may not get sanctioned by your company and by that vendor. This

happened to a friend of mine with a very large vendor recently, like in the last two months. Please don't do that. How do you get this metadata? HTML. Remember how I said all of the back end is tuned for how search works? This is the language that search bots like; specifically, schema.org will give you all of the different ways in which they like this information formatted, and you can find more types of information than I'm giving you here. Highly recommend you go and research that, and then curse at all the different ways developers bastardize what the official version should be, and now you have more deviations of different types of tags you need to figure out. But this

is where you start, and this is a great place to begin.

My automations get real complicated. This is just one of them. And most of it, as you can see, if I can go through this tree real quick. Oh, I should probably... that's my son's class, not mine. He's 500. So: Feedly to Airtable, which is my database, with ChatGPT summaries. I start up there. I see what type of item it is, and if I have to pull a resource out of it, it doesn't go through this cycle, because I want to do the cycle on the resource itself, not the summary of it. Then I see how long it is, and if the summary is over, at risk, 100 characters, which not every metadata

summary is, it'll go into the left side, "does exist," and then it will sort this automatically, pulling the different metadata variables into the database for me based on HTML. If it does not exist, I force it to be summarized.

The primary thing that my automation does is actually sort it into my library in my Airtable. So this is how

this is what your automation typically should do at the outset. Whatever you decide to automate, however you decide to do the triggers and the pulling and the coding, this is what it can do. So, extract metadata. It'll preserve the relevant data, which includes how you get there, what it's like, the description, any sort of additional variable tags you can put on it, like boards, etc., like I do. And then it'll land in your chosen database for you.

This is next level. So these are easy things that automation can do next. This is secondary to your TikTok. So, totally possible, totally feasible. Remember what I said: pick one thing, do that one thing, then go add to this process as you find you need to and as it is insufficient. You're not trying to do everything at once. Notice here that I say archive older references. You guys hear the news about IP addresses basically being rotated after about 14 to 28 days, or networks back-flopping, all that fun jazz? People are rotating through IP addresses really quickly. But that's one of our primary blocking mechanisms, isn't it? Threat intel has a decay rate at the same time.

Research will decay. Research will need to be updated. You guys naturally know this because you gravitate toward whatever the latest and greatest research is. Remember, I'm building mechanisms that have you pulling for the latest references from good sources, not just your favorite one. Says she who had to archive at least three threat reports that she really liked, and then they updated right before RSA and I got busy. So remember to do that. Here are some automation possibilities. You can see this goes from stupid easy to code-your-own. And yeah, use cloud if you want. It's all open source. Don't try to do anything stupid. We'll get into that. But remember, the goal is not to be impressive. The goal is to get done. Pick whatever you can do that gets it done.

All right. How are you going to store this stuff? This is my personal database. It's an Airtable, basically a fancy Excel sheet. There are, you know, you can do Azure, you can do any number of different database platforms. We'll get into those here. Excuse me. You can use an Excel sheet as a table of contents in a whole bunch of file folders. I tried that too, hard, for about a month. So, no matter what you're working with, you can find something. This one I just happen to like. You can also make your own. This is a screenshot of what's currently in development in the back end at Fable for our threat intelligence space, and I'll get into a little bit of how we clean that for DRO, unofficially. So here's an example of a record of what I think is important. Notice there's a lot of text in this. The reason descriptions are so important as a database: even if you use GenAI, it hates PDF. It just does not format it. You need to make that information modular and sequential and tagged in smaller chunks for it to really like PDF. Plain text is what it loves best, especially if I give it something like a section header or a column or a variable in a database for it to know what the context is. I also like being able to look up things with plain text, but I don't know what plain-text words I'm going to be grabbing for. Maybe I want all the latest resources on Scattered Spider. Maybe I just want the latest voice phishing attacks. Both... this resource... Oh, that's Reidia. Oh, well, pretend that's Scattered Spider for a second. Both of those questions would be answered by the same Scattered Spider note. But if I only had it with the title and not the description, I would miss finding that within the plain text and rely on the PDF. So being able to pull that out into a plain-text summary, which an AI does quite well, is really important.

Here's an example of a recent... This is the Stryker hack. No relation. I swear. I woke up that morning... True story: Stryker is my last name. I had it way before this happened. No relation. I have no insider knowledge of that. I found out about that not via a feed, but via like 10 ripped Stryker memes in my Signal that morning. I had to post to DSA. But this is actually what our GenAI summarized in that article based on what our company finds important, or it tried to. We'll get into that too. Here are a whole bunch of possible databases you can use. Pick one. Give it a try. Remember that when you take out information, you need to sort some out that makes sense to you and what you can use.

All right. Remember how I said distribution is really important, because otherwise you're just sitting on an information hoard? And no, you're not allowed to just share a link and go do something. I've seen you all do it. I have done it. It does not work. And I think actually this is a good moment to be a little less... particularly in incidents and in finished intelligence work. You spend all of this reading this bulky, heavy, wonderfully resourced, beautifully cited thing. And you go, "Here is my masterpiece. This is all of the things that have gone wrong with this and all of the things that I recommend we do." And then nobody reads it and nobody does anything, and you get popped by the same misconfiguration next quarter, or like 82% of your internal instance were the same misconfigurai

spin it up for you is going to be moderately persuasive. It will not be packaged in a way that your tool or your person, whoever you're actually doing this intelligence criteria for, needs it in order to make a decision or an... You have to stop considering yourself and consider your audience. And yeah, maybe that's not your job, but your job is to keep people safe. And if that's really your job, then your job is to do whatever it takes to make sure that the people who can keep people safe have the information they need to make that decision. So that is your job, and you make time to do it well, and you double-check your work before it goes out.

So, first part: whenever you decide there's something that's worth talking about, you want to synthesize more, you want to send it out, you double-check your work. None of this was actually really in that article, and it was missing some really foundational things, like, you know, living-off-the-land tactics, abuse of a known internal tool, eliminating backups before deploying impact, any impact TTPs. My GPT has every TTP I could think of from MITRE ATT&CK. Great resource, I recommend. Please do look it up. But it has every one of those attack ingredients that I could possibly think of that a human could have stopped or helped with. And yet it missed a fairly obvious one because it's AI. You've got to fix it. Weak is not optimal. Don't sacrifice your brain to automation.

So again, this is my personal distribution. This is all external-facing, because I wasn't, at this time when I first made this, actually hired to do any of this. Nobody cared. I liked it. I was playing with it. I wanted to help people. And if people on adjacent teams didn't think they needed it, maybe some of my friends... So this is all public-facing distribution nowadays. We do internal: I let people know what we've been analyzing, what we have. I have a small emoji code in our Slack channel whenever something new gets added, to say we have a briefing on this. Have I already covered this tactic? Am I going to make a briefing on it? It gives me a chance to clarify as well in comments and replies. And then I can also take... you'll notice the language is a lot briefer. I take this format and literally give it to our emerging threat team, our briefing team, in order to spin up new emerging threats that are contextualized for specific audiences, specific companies, what they need to know and what a user can do to stop it. This is handed because they said they liked this, and I didn't have the time to automate the formatting properly, because that's what they wanted, and it got people safer faster. Didn't matter what I wanted or what made my life easier. My mission is to keep people more secure, and I do that by creating briefings that help people stay more secure. I give the team making the briefing the information in the format they want, and I do not waste cycles whining about how I don't like it.

So here are a couple of distribution channels. Speak up. Do not be the mysterious wizard in the corner who just waits until being asked. Be proactive. One of the worst things a threat analyst can do is wait until things are on fire to say anything, when you can inform and teach, educate, and build trust with your stakeholders internally before the sky falls. You'll also find ways to build credibility to move their mission forward. And then they'll trust you when they say that, "No, really, we do have to shut down that production server because this is a bad, bad thing."

All right. Time check. I'm good. Good. All right. Also, no more tend. Sorry, guys. All right. This is the part of the presentation I most fear, because I have GenAI wizards in here who go, "But actually," which, fine. You can probably do that. Do not underestimate how much skill that takes if you can do this. And do not expect most people can actually do that, too. So, out of the box, they're really bad at being right. They're really bad at attribution. They're really bad at malware. They're really good at rule hallucinations. And holy cow, attribution. Do you know how many different graphs there are? We'll get to that in a second. It will not find all of the sources of information. It plays favorites. It has what I call the first-third problem. It finds the resources that it really likes within your database or your graph or whatever it is, and it likes to go back to those. It will not look through the whole thing even when you tell it to. Not only that, it only looks at the first third of it. Back to the PDF problem. I don't know.

It will not be consistent. Do not mistake it for automation. If you expect the same output from a generative AI that is trained on how people speak and present, I have a bridge in Brooklyn I'd like to sell you. Statistically, that is silly. You will come up with different formats, different things, different important things that it pulls, different formats. Sometimes it likes bullets, sometimes it wants formatting. I cannot predict it yet. Again, maybe a wizard here can. Do not expect consistent, reliable output from your GenAI the same way we have with automation. It's really bad at applying multi-step instructions. I literally am trying to code a Claude skill right now to have it run a second skill as a check before it outputs anything, 45% of the time right now, and I'm running it on max tokens. I'm being wasteful. It keeps forgetting to do that step. RAGs are really great if you can build them. There's a lot of really cool work being done right now with some very sophisticated threat intel graphs as well. I can introduce you to at least three people. Hashtag, hey guys, Cloud Security Office Hours. There's some very cool stuff that people in there are doing at SAP and IBM and other places that they've shown us pieces of. But that's not out of the box, and it will not convert information to intelligence for very specific reasons. First of all, example. Those are some other monikers for Linen Typhoon. I asked all three of these different commercial chats to give me identifiers. Yeah. And at least one of these had access to an actual threat profile that had one of them listed and said it had none.

And the reason GenAI will never be able, never ever ever be able, to convert it into intelligence is because anyone who attends this talk will not be outsourcing their brain. They will never ever ever be putting internal data into a GenAI machine that they themselves do not control, they do not secure. They're going to be putting proprietary freaking information into that in any way, shape or form. Open source intelligence only. Do not put in your crown assessments. Do not put in your product descriptions. Do not put in your text. Do not put in incident reports. Do not put in anything that a threat actor could express, because remember what I said about bias and motive. The people who make these models, at least the publicly available ones now... if you want to run your own secure one because you think you can keep it more secure and you can keep risk from happening with the model and you're willing to maintain it, you have an AI science degree, God bless. Go ahead, give it a try. But the publicly available commercial models are not incentivized to do things securely. We've seen that. How many of you have downloaded the cloud and not the malware? All right. They're not incentivized to do things securely. They're not run by people who think securely. They're motivated to build fast and break things and extract every bit of data they possibly can. That is their motive and bias. They claim to have controls. Do you trust them? That's done.

This is what GenAI can usually do pretty well, but again, I showed you the corrections that I had to make within the Stryker pull that we did. So, it can usually do some patterns. It can do summarization. And if you already know, or are willing to double-check against known good sources, definitions of best practices are a great reminder. I lose track of TTPs all the time. So I will often ask it first with my Claude or ChatGPT or Copilot, and it knows by now that I will demand a source. Then I will go to the source and read more about that with that framing.

All right, you have two homework problems, if you wish, and then we can get to questions if we have time, but I'm not sure we do. First I want to point out D. I want you to look at how the outputs change over time. So this is literally my TL;DR summary prompt that works pretty well to extract a relatively short summary out of long pieces of... Go ahead and use that, and then use it again, and use it again, and then use it again. Compare the first output to the last. What do you find? And this is a little bit of a combo if you can actually control the temperature. So the temperature is the standard deviation from the expected output, because remember, these are giant statistical models. So if you can modify it so that it stays absolutely right, lockstep, in what you put in in terms of its standard deviation, see what it puts out, and then let it go hog wild. Let it run as hot as it wants, as far away from the actual expected as it wants. See what your output is on that and see if this is actually accurate. To be fair, I'm not too sure there are 28 for Scattered Spider. So, I might be... anyway. I wish you the very best of luck coming up with your minimum viable TIP.

Please, I hope you've made some friends today, or at least traded knowing looks and rolled your eyes at this person that you haven't met before. Feel free to compare notes. My info is around somewhere. I'll be answering questions after, unless I can answer questions now. Do I have time? I have two minutes. One minute. Anyone have a question? It's also okay if you want to close. Cool. Well, thank you all so much for listening to my rant. I really appreciate it. Good luck.