ITSPmagazine Podcasts

Harnessing Dark Web Insights to Understand Risks from the Attacker's Viewpoint | A Brand Story Conversation From Black Hat USA 2024 | A Resecurity Story with Christian Lees and Shawn Loveland | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Join Sean Martin as he hosts Christian Lees and Shawn Loveland from Resecurity at Black Hat USA 2024, diving into innovative threat intelligence strategies that offer an attacker's perspective on security. Discover how Resecurity's unique approach and advanced AI capabilities empower organizations to proactively mitigate risks and enhance their cybersecurity posture.

Episode Notes

At Black Hat USA 2024, the spotlight is on redefining and rethinking security, as discussed in this Brand Story episode with Resecurity. Sean Martin, Christian Lees, and Shawn Loveland share the mic to explore the cutting-edge innovations shifting paradigms within the cybersecurity domain. Christian Lees and Shawn Loveland from Resecurity dive deep into the substance of their work and its impact on modern security teams. The primary focus is Resecurity's approach towards threat intelligence and how it aids organizations in proactively mitigating risks.

The discussion kicks off with an overview of Resecurity's approach to threat intelligence. Unlike conventional models that operate from within the firewall, Resecurity adopts an outside-in perspective, helping clients understand what attackers might know about their infrastructure. Shawn Loveland emphasizes this unique viewpoint by illustrating how Resecurity helps organizations identify potential breaches and vulnerabilities from the attacker's perspective, well before any threats materialize.

One intriguing point discussed by Lees and Loveland is Resecurity's comprehensive data sourcing from the dark web. Resecurity does not simply rely on common threat intel from visible websites but digs deep into exclusive, invitation-only forums and other obscure corners of the web. This meticulous venture results in a much more profound understanding of potential threats, minimizing blind spots and the risk of data inaccuracies or AI hallucinations. By drawing on diverse data sources, Resecurity promises more significant and accurate insights into the motives and methods of cybercriminals.

Moreover, Loveland highlights the technologically sophisticated tactics employed by Resecurity, combining AI to convert unstructured data into structured, actionable intelligence for security teams. This automation not only boosts efficiency but also empowers analysts to make more informed decisions swiftly. AI in Resecurity's arsenal is not a standalone entity but integrates deeply with the human-driven aspects of threat intelligence, enriching the overall analytic experience with contextual understanding and tangible evidence.

The guests also touch on Resecurity's AI capabilities, illustrating this through scenarios where AI accelerates threat detection and response. By transforming vast amounts of data into comprehensible formats, and even summarizing complex situations into actionable insights, AI significantly reduces the ordeal for security analysts while enhancing precision.

In conclusion, Resecurity’s state-of-the-art threat intelligence solutions, emphasized by the knowledgeable insights from Christian Lees and Shawn Loveland, represent a proactive and innovative approach to modern cybersecurity.

Learn more about Resecurity: https://itspm.ag/resecurb51

Note: This story contains promotional content. Learn more.

Guests: 

Christian Lees, CTO, Resecurity [@RESecurity]

On LinkedIn | https://www.linkedin.com/in/christian-lees-72886b3/

Shawn Loveland, Chief Operating Officer, Resecurity [@RESecurity]

On LinkedIn | https://www.linkedin.com/in/shawn-loveland/

Resources

Learn more and catch more stories from Resecurity: https://www.itspmagazine.com/directory/resecurity

View all of our Black Hat USA 2024 coverage: https://www.itspmagazine.com/black-hat-usa-2024-hacker-summer-camp-2024-event-coverage-in-las-vegas

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00]  
 

Sean Martin: Alright, here we are. And it's time to, uh, to redo some stuff. Rethink security. Redefining security is the name of my show. So I like the name of your company. Resecurity. It's a strange correlation. So here we are. We're coming to you from Hacker's Summer Camp. It's, uh, the final moments of Black Hat here in Las Vegas, USA 24. 
 

And I've had a great time. Great time talking to some cool people. And I have the pleasure of talking to two cool people in this episode from Resecurity, Christian and Shawn. How are you guys?
 

Shawn Loveland: Pretty good.  
 

Sean Martin: How are you doing? Doing great. Doing great. I don't know about Cool. You are a cool, cool. We're all cool. 
 

Like nerd about nerd nerds are cool. I can call you a nerd except that, so if we're all cool nerds, I'm, I'm a cool nerd. I'm new. Oh, I'm a nerd. Anyway, but, uh, I want to, I know you, you have, you've released some new things we're gonna get into that we're gonna talk about. What you do and how that helps, uh, security teams identify and respond to things [00:01:00] more effectively and efficiently. 
 

Uh, before we do that, maybe, uh, who wants to kind of give the overview of what Resecurity does? Kind of set the stage with that. You're closest, go ahead, Shawn.
 

Shawn Loveland: Alright, so Resecurity, we are a threat intelligence company. We help customers understand are they being targeted, are they breached? But we do it from a different perspective.
 

We don't do it from inside the firewall out. We are helping our customers understand what criminals know about their infrastructure, about their employees, why they're attacking, when they're going to attack, and how they're going to attack. So we are outside the firewall walking in, giving the perspective of the threat  
 

Sean Martin: So, just to pull on that a little bit more, because there are certainly Intel, OSINT, we can look at where some, some of that might be out there, right? 
 

Some of that information might be out there. And then there are just [00:02:00] general weaknesses, like you might have Shodan information that might say this particular device has this hard-coded password. You use that and you can use it to conduct some attack. Sounds like you're pulling a bunch of that stuff together, or what are some of the, how do you get the data that you're
 

Shawn Loveland: So we get the, our data originates from the dark web.
 

So we, for example, we know a PC used by an employee of a company infected with malware because we have access to the botnet record that was exfiltrated from the machine at time of infection. Uh, we scrape between 30 to 50,000 sources a day in the dark web. So it's not. And the other thing is, is we do not buy data from anybody.
 

We self source all of our own data. So what makes our stuff different is a lot of companies have threat Intel. What are threat Intel is different is that we [00:03:00] give you the perspective of the attacker. We say literally literally perspective of the attacker. Uh, you know what toolkits they're using, what they planning on doing, why they're doing it. 
 

If they have access to data within your network, what data do they have access to? Um, so think of it as a ground truth. So, for example, like I said before, you know, we have the botnet record of the machine. We know by definition, because the machine was infected with malware, it was not detected by any of the security products or processes. 
 

So, what we have is ground truth. We know it's infected because it's in the criminal's inventory.  
 

Sean Martin: Yeah, hard to, hard to contest that. So, yeah, much better than a general indicator of compromise within, you have proof. Um, do, do you find that companies leverage that to, well, I guess what, what do they do with the information?
 

Shawn Loveland: They do it to be able to determine are they being targeted? Will they [00:04:00] be targeted? You know, are the criminals talking about the planning of the attack? You know, have they breached you? But they have not victimized you, so you're breached, but you don't know you're breached. Because you normally don't know you're breached until you're victimized, or the threat actor elects to let you know that you're breached. 
 

In the form of a ransomware request? In the form of a ransomware request, extortion, um, any number of ways.  
 

Christian Lees: Or, well, they're there, and you have no idea.  
 

Shawn Loveland: Yep. And a lot of companies are breached. They just don't know it because they have not been victimized yet.  
 

Sean Martin: So, one of the things that, uh, I was looking at before we started chatting is, is, I mean, the dark web. 
 

This isn't just U.S. English based stuff. Probably, probably more so the other. Maybe you can tell me in our audience. But, but multiple languages, multiple tool sets, [00:05:00] multiple objectives, right? Yeah. Tell me about what you're seeing there.
 

Shawn Loveland: Yeah, so the first thing to think about is the definition of dark web. 
 

Because every vendor has different definitions. A lot of threat intel vendors say we have access to dark web, but what they really mean once you peel back the onion on how to, asking them how they get access to the data, how do they maintain access, what you really quickly find out is their definition of dark web is websites on Tor that have little to no barriers to entry. 
 

Our definition of dark web is different. We are in the surface web, we're in the dark web, as just defined, but we're also in the vetted invitation-only forums. And in the vetted Now they know. Now they know. It's a huge marketplace though. So the main thing is, is the higher you go up that pyramid, the more professional the criminals are.
 

So if you're in the open [00:06:00] Tor web communities, Um, that's where a lot of the script kiddies hang out. The unprofessional criminals still effective, still effective, still impactful. But just because a threat actor claims X doesn't mean it's true because he has no skin in the game. Because if he claims X, he ends up ripping off another criminal. 
 

There's no barrier to entry to add to create another account and regain access where if you're in the vetted only forums. There's a good chance that if you steal or lie within those forums, you're kicked out of those forums. And it can take one or two years of effort to get invited back in.  
 

Christian Lees: Potentially along with the individuals that vetted you. 
 

Yes. Right? So now you're in trouble.  
 

Shawn Loveland: So, as far as cyber criminals go, there's as honest as a criminal can be when you go up into the higher forums.  
 

Christian Lees: Thick as thieves.  
 

Shawn Loveland: Well, loyal anyway. Loyal.  
 

Christian Lees: Loyal. There is definitely a loyal [00:07:00] following. Agreed. That's important.  
 

Shawn Loveland: So, uh, so we're in all three layers. Okay. So that gives our data, which powers, you know, our risk platform, our context platform, our fraud protection platform, identity protection, exec protect. 
 

It gives our data, is our differentiator.  
 

Sean Martin: Okay. Don't give away any secrets that you don't want to. How are you getting that data out of those sources and into something that's usable?  
 

Christian Lees: One thing I could say is, like, one thing for sure is the dark web, the threat actor environment, the underground economy, whatever you want to call it, it is a person to person environment, right? 
 

Uh, no matter what you go down to the, yeah, no matter all of the vendors down there with like a formula one spending on a mirror. Uh, there is not technology that can technically penetrate this loyal thick as thieves environment, right? It is a human to human environment. Um, [00:08:00] so we, we rely heavily on researchers and human intelligence and that's a bespoke solution, right?
 

Shawn Loveland: Yeah, it's a, it's a Back to your question, adding on what Christian said is, there's various ways we collect the data. Okay.  
 

Sean Martin: Various ways. Various ways. But, yeah, it's factual. Many. So it's really cool. I mean, it's very human. Um, and so you're, you're, how do you take what's human and put it in a format? Does it remain human? 
 

Mm hmm. To your customer?  
 

Shawn Loveland: Sometimes. Or is it an actual feed? 
 

Christian Lees: Contextual in attribution?  
 

Shawn Loveland: Yeah. So, in our products, where we're able to obtain data logs and stuff, we normalize it. We schematize it so it makes it, turns it unstructured form data into structured data. So it allows for analytics to be done. 
 

Sometimes we do human reports, special [00:09:00] reports for customers who want to those particular things, want to go. Detail in a certain area. That information may be pushed to the portals or maybe in a written report. It depends on what the customer likes.  
 

Sean Martin: Right. Cause I can, I can envision the power of a story here, right? 
 

To really understand what, what's the intent? What's the objective? Because that might also determine what, when and how. Well, you probably have that, but, but the when perhaps, uh, and the potential impact. Okay.  
 

Christian Lees: Um, I think it also like identifies like the need for collaboration between the organization and, um, the collaboration of like this is valid data or, you know, Hey, can you pivot? 
 

You're left a boom. Can you put it on the collections, etcetera? Um, I think that's a really beneficial thing. And knowing something about the organization, um, their compute notes, right? Helps us go towards different, uh, solutions.  
 

Sean Martin: So, some of the new stuff that you, you've announced this week and, and [00:10:00] work you've been doing, uh, leading up to Black Hat. 
 

Um, AI is a big thing, though. Before we started recording, we talked, I think, you know, we've seen posts online as well. Every company has AI in, in their branding. Every company has AI in the products. The definition of that is different for everybody. Nobody, nobody's putting that on their billboards, of course, but, um, What's Tell me the story about the AI that you have and how is it, how are you using it to make what you do better? 
 

Shawn Loveland: So there's a few things that we do. We use AI to help take unstructured data and make it structured. To allow for analytics to be done across the data. We also allow for natural language questions. So in addition to our products where you can do queries and do monitoring, you can also ask context or risk. 
 

Questions in English. Please summarize this. And instead of giving you all the pieces and parts, we'll actually say, [00:11:00] here's an abstract summary, the answer you wanted, based on our data, which sets our solution apart. And, With some backup information. So what used to take an analyst days, weeks to collect and do stuff. 
 

They can ask a simple question or simple questions multiple times to build that report automatically and then they can enrich it with other data providers. Okay?  
 

Sean Martin: Yeah, because I can see a scenario. Ultimately, we want to know what what the intelligence is telling us. Well, if they've been popped, then obviously that's proof that they know what system and applications are being, being used. 
 

But if it's a general, maybe it's a sector based, we're going to target the sector and we are in this sector. I don't know if you do some of this as well, but, um, and we're looking at these types of systems with these types of applications with these known vulnerabilities. And we're going to do a sweep on the sector to target those. 
 

Could an organization say. [00:12:00] We have, I don't know, are we, are we in this target target area? I don't know. Tell me how they might use.  
 

Shawn Loveland: You can ask the system, you know, how, you know, let's say you have a subsidiary in a particular country. You can say, okay, how are threat actors targeting entities in that country? 
 

Because it may be different than entities in other geographies being targeted. And why are they doing it, and how are they doing it, and what are the evolving trends? And you can ask that in AI and we'll provide her. You say, Hey, based on my company, what threats should I be concerned about? And we, you know, and you can say, break it down by region. 
 

Sean Martin: Okay.  
 

Christian Lees: I also think about AI is what are you solving for? Right. Um, having many years of experience in enterprise computing. Um, it kind of makes me think of like, you know, all things are equal, like ceteris [00:13:00] paribus. We used to have a problem with SIEM, right? Like, can you see the trees through the forest? And every time technology advances, we have to solve for that, right?
 

And I do believe in some regards, AI helps, right, you know, write that problem, uh, fast track the analyst to an enriched workflow, and um, potentially early detection of threats. Yeah.  
 

Shawn Loveland: The other thing that says  
 

Christian Lees: Manpower too, reduction in manpower.  
 

Shawn Loveland: Because it makes them more efficient to the common things they can automate, which allows them to focus their energy on new and novel things, being more proactive. 
 

But also our AI is a little different, is you ask a question, you get the answers back, but then it allows you to drill into the details. You know, hey, your PC was infected with malware with these characteristics, click here, look at the botnet record for those machines. Okay. So it's not just AI running by itself.

It's AI running in context of our [00:14:00] data and the capabilities of our tooling
 

Christian Lees: also. Yeah, I mean, like, in terms of like contextualized data, you know, we have 40 million centric actor records combined with 850 million a billion, right? Um, records. And how does a hunter, you know, hunt through that, uh, efficiently? 
 

And it's also contained, um, isolated. Um, and, and, and that helps, uh, ultimately reduce false positives. Or, uh, I think you also had some interesting thoughts on that, right?  
 

Shawn Loveland: Well, it, because of our data is from the, all the layers of where the criminals conduct their business. It, it helps prevent AI hallucinations. 
 

Right. Or blind spots, because AI can only learn and report on what it knows. It has limitations on, if I know X, can I infer Y? [00:15:00]  
 

Christian Lees: What we've taught it.  
 

Shawn Loveland: Yeah. Where we, our X is much bigger, so it doesn't have to be as much abstract inferring, because it has the data to work with.  
 

Sean Martin: Interesting. So in the final moments we have here, can you give me a scenario or two where I mean, I can see a broad spectrum of, uh, yeah, forensics, uh, response, or recovery and response, and working back to detection before you even have an issue. 
 

Um, and then obviously you have an issue, where is it, where is it rooted? So how does what you do help teams be faster? More effective. I'm thinking about decision making in the organization when they realize something's going on so they can actually respond quickly to whatever the situation is.  
 

Shawn Loveland: But they can also proactively respond. 
 

Right. So, for example, by looking at our botnet logs, they can monitor the efficacy of their security products and processes. And, you [00:16:00] know, is the number of PCs being infected increasing? Therefore, their efficacy of their products and services is increasing. That exist today are becoming less effective. Um, so it just allows them to better understand predictive, you know, am I being targeted? 
 

Am I breached and I just don't know it yet? What are things that should I be watching for? 
 

Sean Martin: It's a different view on exposure management.
 

Christian Lees: I would also concatenate, like with this reduction in manpower, with this reduction in compute power, you can also start to focus on different things like say, um. Why don't I watch my affiliates, my, my, uh, supply chain as well, right? 
 

Because there are, there is definitely associations, right? It could be in a financial risk or it could be in an incident management. You know, um, having the ability to actually, you know, spread your wings within this kind of data field is, is a benefit what it's solving for as well.  
 

Shawn Loveland: And Christian raises a good point because a lot of our customers, [00:17:00] when they monitor their digital footprint, digital risk, They understand that they inherit the digital risk of their supply chain. 
 

Christian Lees: Big time.  
 

Shawn Loveland: So, our services also allow them, through AI and through our normal products, monitor the risk of their suppliers. You know, what's the likelihood of them being risked. So, the other thing to think about is our product scale. You know, through MSSPs, offer our services to some other companies. We also large, offer it to large corporations.
 

Thanks. Also, governments license our services to monitor their critical infrastructure. Are their power plants being targeted? Are their water supplies being targeted?  
 

Sean Martin: Yes, and yes.  
 

Shawn Loveland: Yes. Yeah. Um, but it, but it also allows them to say, okay, this is the normal.  
 

Christian Lees: I don't know why we laugh at that. It's scary.  
 

Shawn Loveland: It is bad. 
 

Yeah, they all say this is our modern, our normal threat index. All of a sudden, it's spiking. Okay, something changed. Something bigger is coming soon.  
 

Sean Martin: Right. Right. [00:18:00] Interesting. I could keep, uh, talking for hours here. Um, so many points I want to dig into. I think we have a nice, nice solid overview and, uh, congrats on all the innovations and the work you're doing at all the levels of the, of the stack there in terms of intelligence. 
 

Yeah. And, uh, yeah, hopefully we can chat some more. 
 

Christian Lees: Thank you to ITSP and the listeners.  
 

Sean Martin: Oh, thank you. Thank you. Christian, Shawn, uh, thanks for joining me. Everybody listening, watching, be sure to check out Resecurity. Uh, guys. Get intelligence on how you deal with, uh, your threats and, uh, where you might be targeted.
 

Thanks for listening.