Welcome back to another interview and thanks as always for popping in.
I had the chance to speak to someone I really like and rate highly and is one of the really good guys, I am lucky to interview loads of great people and have yet to come across anyone that I haven’t really got on with but I have to say Will is up there with the top top nice people so you should really check him out.
He has done some really good talks like:-
Gone Phishin’ / Attack of the phish (something something phishing).
And more like this one which is a great watch (you can find the links to the others on his website 😉)
Using Intelligence to Defend Against Ransomware.
This was a fantastic interview and really hope you like it as much as me.
You work in cyber threat intelligence and have done now for a few years, how did you get there, what was your path into cybersecurity?
Oddly enough I’ve basically always wanted to do cybersecurity since I was about 15, if I had to say it was probably due to playing too many online games (mainly Halo 3) and getting beaten by hackers.
That’s where I basically first learned about cybersecurity I guess.
ICT was my favourite subject at school, getting an A* grade at GCSE and A-Level. As soon as school finished, I then went straight to the University of Plymouth for three years and graduated in 2019 with a 2:1 BSc (Hons) in Computer and Information Security.
Right out of university I was headhunted to work for Cyjax, a small UK-based CTI vendor who trained me up and allowed me to work with some very well-known UK-based organizations and Fortune 500 firms.
I have seen you talking about malware, OSINT, and cybercriminals, is there a section you lean more into or do you just like all aspects of cybersecurity?
Cybersecurity is an extremely broad field as we all know, but I find myself being most interested using OSINT to learn about and countering the latest tactics, techniques, and procedures that are being used in the wild by either organized cybercriminal groups or state-sponsored advanced persistent threat (APT) groups discovered around the world.
OSINT is a huge part of my work and I have also leveraged it to do good in the world, such as participating in multiple TraceLabs CTF competitions to find missing people or occasionally volunteering some time to work cases with the National Child Protection Task Force (NCPTF).
OSINT is such as powerful tool and skill that I would be pretty happy to do any job which involved using OSINT techniques to do investigations.
It was through your site I first became aware of you doing the OSINT challenge and I believe it was in Scotland so being Scottish that will be why I started reading but after reading more it was quickly added to feedly blog reader. I love ‘Lessons from the Conti Leaks’ & ‘Gamer Cheater Hacker Spy’, what articles you most happy with?
The OSINT Blog series is always fun, those are basically just little write-ups from geolocation challenges I’ve come across. I find that the community does enjoy it when you show them your workings and, more often than not, each analyst has their own method for finding the answer, so its fun to compare notes.
I think the Lessons from the Conti Leaks blog is one of my favourites, especially because as a result my friends at the Nordic Financial CERT invited me to their annual conference in Denmark to present my findings in a live talk (which was an unforgettable and brilliant event).
I am also fond of my blog where I reviewed Andy Greenberg’s Sandworm book.
I asked my friend Hayley from university who does illustration to do the artwork for it and it came out perfectly.
It’s still my desktop background to this day.
That blog, however, was basically a challenge put to me by my old boss at Cyjax, Nick Watts, to help me improve my writing abilities.
I very much enjoyed it and still think a book review is a great challenge for analysts starting out.
How are you keeping your skills sharp, you reading on TryHackMe, taking any certs?
As a CTI analyst, you never stop learning.
You are always keeping up with the latest emerging threats, which forces you to learn about how certain techniques work or what certain techologies are being exploited.
I am currently spending more time learning about threat hunting and actually applying that threat intelligence myself.
I don’t really do things like TryHackMe, HackTheBox, and don’t have any certifications at the moment.
I prefer to just do threat research on my own time (which I affectionately call internet dumpster diving because it often involves public sandbox submissions) and collaborate with other analysts in communities, such as Curated Intelligence which I help run.
You can go back to starting out and give yourself some advice on what to learn and read up on, what do you say?
I’d probably say to myself to learn more about scripting, such as using Python to make tools that automate tasks for you e.g. IOC enrichment.
Fortunately, in my line of work I’ve always been on a team with some talented programmers who can make these tools for me (and the team), but I should probably learn how to do it myself one day.
The problem is there’s too many vendor tools that can do it for you, so you get lazy I guess.
Another thing I wish I spent more time learn about would be Splunk, for threat hunting. I quickly learned I need to learn SPL to be able hunt effectively through event logs.
Bit of a random question but how do you keep up to date and current with all the ransomware/malware attacks, as mentioned I use feedly with a bunch of blogs as well as twitter but still feel like I am missing something?
RSS readers are pretty good but I always felt something was missing with them, commercial vendor tactical intelligence reports are great too, I also appreciate the free newsletter by CyberWire and RiskyBiz, but, the thing I actually prefer the most is to use a project I made where I turned a Discord server into my own little threat intel portal (TIP), I’ll also give a shoutout to my buddy Kurt who developed http://ThreatABLE.io as an alternative to commercial TIPs.
His project is great for keeping up with the current news as well, and, of course, Twitter and Tweetdeck are superb resources.
It took me a while to add the sufficient muted keywords and muted a lot of noisy accounts but I think I have hit the sweet spot, another pro tip: I recommend to turn off notifications from people you don’t follow – this shuts off a lot of the noise on Twitter too.
I watched a couple of your talks and in particular really liked ‘Gone Phishin’ / Attack of the phish (something something phishing)’ but you also blog, podcast, you’ve contributed to the Mitre ATT&CK framework, you discovered OZH RAT and more, how do you fit all this in, I feel like I am seriously lacking haha?
I guess that I am at the right stage in life (mids 20s) where I am ready to do my best work and have the freedom to do it.
It may sound cliché, but cybersecurity is my work and also my hobby, I continue to love doing what I do, year after year, I take regular breaks and know when to pump the breaks if I think burn out is around the corner.
Achieving what I have in a relatively short amount of time took a lot of effort and focus, I guess I would actually credit the pandemic, forcing me to stay at home and just buckle down and get really into the wide world of threat intelligence.
At my past job and current job I had/have brilliant colleagues that made working a delight as well, the community in Curated Intelligence has also been a wonderful resource where you can vent and laugh with a group of likeminded people who understand everything you say – as family and friends have never heard of IOCs, TTPs, or APTs!
The reason for starting the site I have was to have something visual for employers so see what I had been up to as well as somewhere to keep track of what I had been up to, I know have an amazing job at Sophos I love and could stop the site but I love doing these interviews and just getting to pick people who I respects brains, what is your main reason for blogging just now?
The reason I started my blog was to improve my writing, then it became somewhere for me to share my research.
I think my main reason for blogging now is basically to give back to the community by offering my observations, research, and sometimes start discussions on pertinent topics.
My Ransomware Decryption Intelligence blog is a good example of the latter, which led to some great discussions on how to handle sensitive information and impose cost of the adversaries.
Another reason I find myself writing blogs is so that I have something to reference when someone keeps asking the same question.
For example, I wrote a blog on Threat Group Naming Schemes in Cyber Threat Intelligence on the Curated Intel blog, this topic came up a number of times in our CTI community, as a result, I put together one resource to refer back to whenever the subject arises – and it’s surprising how often this comes up!
One course, one book, one podcast and one blog/training site is all you can choose, which ones are they?
One Course: BSc (Hons) Computer and Information Security at University of Plymouth
One Book: Sandworm
One Podcast: Darknet Diaries
One Blog: The DFIR Report
What the plans for the rest of the year?
2022 has been pretty good so far, I am pleased with how things have gone.
I started at Equinix in December 2021 and I have been really enjoying helping to build up the Equinix Threat Analysis Center (ETAC) team, I aim to attend a couple more security conferences this year, including SteelCon in Sheffield and BSides London.
Meeting up with friends there should be a really good time, there’s only so much enjoyment you can get out of Teams, Zoom, and Discord calls, and, keep you eyes out for a couple more interesting blogs, podcasts, and projects on the horizon from me and the Curated Intel community!