Future of Threat Intelligence

Team Cymru


Welcome to the Future of Threat Intelligence podcast, where we explore the transformative shift from reactive detection to proactive threat management. Join us as we engage with top cybersecurity leaders and practitioners, uncovering strategies that empower organizations to anticipate and neutralize threats before they strike. Each episode is packed with actionable insights, helping you stay ahead of the curve and prepare for the trends and technologies shaping the future.

Recent Episodes

Fortinet's Aamir Lakhani on Mapping Business Pain Points Attackers Exploit
FEB 5, 2026
Fortinet processes telemetry from 50% of the next-generation firewall market, giving Aamir Lakhani, Global Director of Threat Intelligence & Adversarial AI Research, and his team visibility into a looming shift: threat actors moving from exploiting a small subset of proven CVEs to weaponizing the entire vulnerability landscape through AI automation. While defenders currently concentrate resources on commonly exploited vulnerabilities, Aamir warns AI will soon enable attacks across everything "just as efficiently and as fast," requiring security teams to rethink patch management strategies when they can no longer rely on focused defense. Aamir also touches on how the World Economic Forum's Cybercrime Atlas program operates through weekly sessions with 20-40 researchers who deliberately build intelligence packages using only open-source methods. This avoids proprietary data so law enforcement can recreate findings and successfully prosecute cases. He shares how his leadership approach rejects the traditional climb: stay at the bottom of the ladder and push your team up, because their public accomplishments improve both team performance and your career trajectory more than personal competition ever could.

Topics discussed:
A 50% next-generation firewall market share providing visibility into state-sponsored attacks and ransomware-as-a-service operations daily
AI-driven threat evolution from narrow CVE exploitation to automated attacks across vulnerability landscapes requiring new patch strategies
Threat actor professionalization, including recruitment events, training programs, and internal conferences for cybercrime operations
Adversarial AI capabilities using local LLM training with tools like Ollama to bypass jailbroken model dependencies like WormGPT
Network-centric threat hunting using metadata and netflow analysis over full packet capture due to bandwidth and analysis constraints
World Economic Forum Cybercrime Atlas program methodology using open-source intel to build prosecutable law enforcement intel packages
Prioritizing team advancement over personal climbing by publicizing subordinate accomplishments to improve retention and performance
AI alert fatigue emerging from comprehensive attack cycle tracking where 10% incorrect information invalidates 90% accurate findings

Key Takeaways:
Prepare for AI-enabled threat actors to exploit the entire CVE landscape simultaneously.
Prioritize metadata and netflow analysis over full packet capture for threat hunting due to better manageability and analysis efficiency.
Deploy open-source tools to baseline network behavior and marry telemetry data with threat intel platforms for pattern recognition.
Identify your organization's critical pain points that would force ransom payment rather than focusing solely on perimeter defense tech.
Join collaborative threat research initiatives like the World Economic Forum's Cybercrime Atlas.
Build intelligence packages using open-source methods to ensure findings can be recreated and prosecuted.
Conduct CTF-based interviews focused on problem-solving approach and persistence rather than expecting candidates to know all answers.
Spotlight your team by publicizing accomplishments and research contributions to improve retention, morale, and your own career advancement.
Mandate regular video check-ins to monitor team mental health and prevent burnout in high-stress roles.
42 MIN
PayPal's Blake Butler on Finding Fraud Signals in Uncleaned Data
JAN 29, 2026
PayPal's fraud team catches credential stuffing before money moves by watching business intelligence signals that most organizations overlook: explosive traffic growth to legacy endpoints, mismatched phone numbers against account creation locales, and anomalies hidden in raw uncleaned data. Blake Butler, Senior Manager & Head of Fraud Threat Intelligence, applies infrastructure analysis techniques from offensive security to fraud investigations. This fills the gap most organizations face: anti-fraud teams understand scam mechanics but lack technical depth, whereas infosec practitioners know infrastructure but not how criminals monetize accounts at scale. Blake breaks down how phishing kits now bypass MFA through real-time automation. His detection philosophy: counting and explosive growth patterns beat machine learning for uncovering fraud. Data scientists clean away the signal.

Topics discussed:
Applying offensive security infrastructure analysis methods to fraud threat intelligence investigations
Detecting credential stuffing and account takeover campaigns through anomalies in account creation regions, phone number locales, and explosive traffic growth
Understanding how modern phishing kits automate real-time OTP theft by integrating directly into legitimate platform APIs during password resets
Tracking massive fraud operations emerging from China and South America through business intelligence signals
Identifying fraud indicators in uncleaned data: extra spaces, unrenderable characters, and AI-generated webshop metadata artifacts
Building security communities to enable monthly collaboration with local practitioners on emerging threats and tool development
Bridging the critical talent gap between anti-fraud teams lacking technical infrastructure skills and infosec practitioners without fraud monetization expertise
Evaluating phishing-as-a-service platforms and encrypted communication tools that lower barriers to entry for criminal actors

Key Takeaways:
Monitor explosive traffic growth patterns to legacy endpoints and unusual account creation regions to detect credential stuffing.
Analyze raw uncleaned data for fraud signals including extra spaces, unrenderable characters, and metadata artifacts.
Apply infrastructure analysis techniques to fraud investigations to identify phishing domains and criminal tooling.
Track mismatches between phone number locales and account creation regions as indicators of automated account generation.
Investigate anomalies in business intelligence metrics through simple counting before deploying MLMs to uncover emerging fraud trends.
Build fraud threat intelligence teams that combine offensive security backgrounds with fraud monetization expertise to fill the critical industry talent gap.
Attend security community meetups to collaborate with local practitioners on emerging threats between annual conferences.
Implement MFA while recognizing that advanced phishing kits now automate real-time OTP theft through direct platform API integration.
Hire candidates with infosec infrastructure knowledge who understand how criminal actors use tooling to automate credential stuffing and account monetization operations.
42 MIN
Tidal Cyber's Scott Small on Operationalizing MITRE from Intel to Validation
JAN 22, 2026
Tidal Cyber's Director of Cyber Threat Intelligence Scott Small reveals how his knowledge base now tracks almost 25,000 procedure-level instances across nearly 800 MITRE ATT&CK techniques and sub-techniques, capturing the command-level detail that exposes the false promise of "100% coverage" when working at technique abstraction alone. He argues that the pre-attack reconnaissance phase remains the most essential yet most ignored portion of the framework, including the recently formalized technique for purchasing and selling victim data on stealer marketplaces. Scott's AI workflow treats LLMs strictly as structured data processors that reference MITRE's written technique examples to parse unstructured threat reports, refusing to use them as intelligence sources themselves. He's seeing threat intelligence and detection engineering roles merge as individuals develop hybrid skill sets. His methodology for mapping TTPs to vulnerabilities gives security teams a data-driven rationale to deprioritize patches when strong post-exploitation defenses already cover the attack vector.

Topics discussed:
Tracking almost 25,000 procedure-level instances across 800 MITRE ATT&CK techniques to expose the false promise of technique-level coverage alone
Defending pre-attack reconnaissance phases including the technique for purchasing victim data on stealer marketplaces
Classifying scanning activity by threat type to prioritize C2 infrastructure linked to APTs over fraud-related domains
Blending threat intelligence and detection engineering roles as analysts gain EDR skills
Using AI as structured data processors that reference MITRE's written technique examples to parse unstructured threat reports without generating intelligence
Mapping TTPs to vulnerabilities to create data-driven rationale for deprioritizing patches when post-exploitation defenses cover the vector
Visualizing attack narratives through the MITRE ATT&CK matrix to tell leadership about defense gaps and justify resource allocation decisions

Key Takeaways:
Track adversary procedures at the command and protocol level to identify real defense gaps.
Monitor stealer marketplace activity and automated dealer platforms for credential exposures tied to your domain, then reset credentials.
Prioritize threat intel alerts by focusing first on APT-linked activity over fraud campaigns.
Develop hybrid skill sets where CTI analysts understand EDR logging capabilities and threat hunters consistently consult adversary behavior reporting for hunt hypotheses.
Implement AI workflows that use LLMs to extract structured technique data from unstructured threat reports, not as intelligence output itself.
Map TTPs to specific vulnerabilities to build data-driven cases for deprioritizing patches when post-exploit defenses provide coverage.
Create visual attack narratives using the MITRE ATT&CK matrix to communicate defense gaps and resource needs.
32 MIN
Marsh McLennan's Casey Beaumont on Vendor Breach Assessments That Cut through Legal Games
JAN 15, 2026
When Casey Beaumont's entire CTI team departed just before new analysts started, she found herself running threat intelligence solo for months while directing incident response, threat hunting, and red team operations. That trial by fire taught her exactly what separates tactical intelligence from strategic value, and why the best analysts invest significant personal time building trust networks that enterprise tools cannot replicate. Casey's teams at Marsh McLennan, where she's the Director of Advanced Cyber Practices, received warnings about Scattered Spider infrastructure 20 minutes after domains registered, before threat actors sent a single SMS phishing message to employee cell phones. That early intelligence enabled blocking domains internally and preparing communications before the first report came in. These private intel networks, built through years of trust and after-hours engagement, consistently deliver the warnings that matter most for large enterprises facing sophisticated, targeted attacks.

Beyond tactical response, Casey explains how her CTI program produces strategic intelligence that drives architectural decisions. She also shares her framework for vendor breach assessments that cuts through legal wordplay, why attribution matters far less than response speed during active incidents, and how to scope the CTI mission appropriately to prevent analyst burnout in organizations with massive attack surfaces.

Topics discussed:
Managing unified teams of CTI, threat hunting, red team, and incident response to eliminate resource allocation friction during active incidents and supply chain events.
Building private intelligence networks that deliver infrastructure warnings within 20 minutes of threat actor activity.
Transitioning from tactical incident response to strategic CTI leadership and learning analyst tradecraft through necessity when running solo.
Conducting vendor breach assessments using four critical questions about control gaps, persistence, data exposure, and remediation plans.
Evaluating intelligence relevance at large enterprises with complex environments where shadow IT, acquisitions, and distributed technology create unclear exposure.
Why vendor breaches should not automatically disqualify partnerships and how strong vendor relationships enable influence over authentication improvements and security controls.
Producing strategic CTI that drives architectural investment decisions by documenting systemic risks across technology ecosystems rather than isolated incidents.
Understanding CTI stakeholder needs through deliberate interviewing to prevent analysts from producing reports that leadership ignores.
Sharing unattributed intelligence with law enforcement that enabled warnings to seven or eight fully breached companies with no awareness of compromise.
Why leadership overemphasizes attribution during active incidents when tactical response and containment should take priority.
How great CTI analysts invest significant personal time building professional brands, attending conferences, and earning trust in private intelligence communities.

Key Takeaways:
Consolidate CTI, threat hunting, red team, and incident response under unified leadership to eliminate resource allocation friction during active supply chain incidents and targeted attacks.
Conduct vendor breach assessments using four critical questions: what control gaps enabled the breach, does the actor maintain persistence, what client data was exposed, and what remediation plans address root causes.
Identify vendor evasiveness during breach discussions by listening for careful language around product names that insinuate limited scope while obscuring broader organizational compromise.
Produce strategic CTI reports that document systemic risks across technology ecosystems rather than isolated incidents to give executives justification for architectural investment decisions.
Interview CTI stakeholders systematically to understand what intelligence formats and content they need before analysts waste time producing reports that leadership ignores.
Scope the CTI team mission to specific focus areas like tactical threats and supply chain rather than attempting comprehensive coverage of vulnerabilities, geopolitics, and fraud with limited staff.
Share unattributed threat intelligence with law enforcement partners when legal and privacy teams approve to enable warnings for other breached organizations unaware of compromise.
Deprioritize threat actor attribution during active incident response unless conclusive evidence enables tactical pivots, focusing instead on containment and remediation before forensic analysis.
39 MIN
State CISOs on Why Cyberattacks Against 1 State Attack All of America
JAN 8, 2026
Michael Moore, CISO for the Secretary of State of Arizona's office, explains how he acts as a virtual CISO for all 15 counties by conducting physical security assessments at election facilities and providing real-time guidance during critical events. His approach treats surprise attacks as learning opportunities that should only work once, immediately sharing adversary infrastructure and TTPs across the entire election community to burn their capabilities. Michael emphasizes that misinformation, disinformation, and malinformation represent converging threat vectors that manifest as both cyber attacks and physical violence, requiring defenders to think beyond traditional security boundaries.

Ryan Murray, CISO for the State of Arizona, shares his Cybersecurity Trinity for AI framework: defend from AI-enabled attacks, defend with AI-augmented tools, and defend the AI systems organizations deploy. He explains how Arizona replicated MS-ISAC functionality through AZ ISAC, enabling 1,000+ government personnel across 200+ entities to share intelligence in real time without requiring mature security programs. Ryan stresses that organizations already generate valuable threat intelligence internally through phishing reports and security alerts, and the real challenge is communication and relationship-building rather than expensive commercial feeds.

Topics discussed:
How physical security gaps at government facilities create tactical vulnerabilities that scale across entire states.
Building sector champion models where election security and critical infrastructure specialists act as virtual CISOs for under-resourced local governments.
Why misinformation, disinformation, and malinformation represent converging cyber, physical, and reputational threat vectors that radicalize populations into kinetic attacks.
Implementing real-time threat intelligence sharing protocols that enable 1,000+ defenders to communicate via platforms like Slack during active incidents.
The evolution from receiving threat intelligence to generating intelligence internally by analyzing phishing campaigns, user reports, and infrastructure scanning patterns.
Applying the "surprise attack only works once" principle by burning adversary infrastructure and TTPs immediately through broad intelligence sharing.
Why the distinction between "intelligence" in national security contexts versus cyber threat intelligence creates executive buy-in challenges.
How to prove negative outcomes and communicate near-miss stories where intelligence prevented catastrophic breaches.
The collapsing patch window problem where automated vulnerability discovery and exploitation eliminates traditional seven-day remediation timelines.
Implementing the Cybersecurity Trinity for AI: defending from AI-enabled attacks, defending with AI-enhanced tools, and defending AI systems from prompt injection and data leakage.
Why secure-by-design pledges fail when financially motivated vendors push defensive responsibility to the least capable organizations.
Building tabletop exercise programs that prepare election officials for denial-of-service attacks disguised as physical threats.
How generative AI enables "Script Kitty 2.0," where non-technical adversaries automate reconnaissance, exploitation, and data exfiltration through natural language prompts.
The challenge of deepfakes and synthetic media targeting sub-national officials who lack the visibility and resources for sophisticated reputation defense.

Key Takeaways:
Build sector champion programs where specialists act as virtual CISOs for under-resourced entities.
Implement real-time communication platforms like Slack that enable defenders to share threat indicators during active incidents.
Generate internal threat intelligence by systematically analyzing phishing campaigns, tracking top recipients, subject lines, and infrastructure patterns.
Apply the principle that surprise attacks should only work once by immediately burning adversary infrastructure and TTPs through broad community sharing.
Use tabletop exercises to prepare personnel for converged threats like bomb hoaxes that function as denial-of-service attacks on critical operations.
Frame AI strategy using the Cybersecurity Trinity: defend from AI-enabled attacks, defend with AI tools, and defend AI systems from exploitation.
Recognize that patch windows have collapsed to zero for critical edge-facing vulnerabilities due to automated discovery and weaponization.
Focus communications on near-miss stories that demonstrate how intelligence prevented catastrophic outcomes before executive awareness.
44 MIN