Thermo Fisher's Matt McKnew on the Evolution of Ransomware as a Service
MAR 5, 2026
34 MIN
Description
<p>When <a href="https://www.linkedin.com/in/matt-mcknew-7310a686/"><u>Matt McKnew</u></a>, Senior Manager of Incident Response at <a href="https://www.thermofisher.com/us/en/home.html" target="_blank" rel="noopener noreferrer"><u>Thermo Fisher</u></a>, tracked down the Nimda worm in 2001 by analyzing packet captures to identify NetBIOS saturation patterns, threat actors weren't trying to get paid; they were causing disruption. Today, he's defending against ransomware groups that operate like businesses, complete with service models and affiliate networks.</p><p>Matt explains why Clop's acquisition of six zero-days puts them in APT territory regardless of financial motivation, how attackers now hide in the noise of criminal operations, making nation-state activity harder to detect, and why the North Korean IT worker scam succeeds by exploiting weak hiring processes rather than technical vulnerabilities.</p><p><strong>Topics discussed:</strong></p><ul><li><p>Responding to the Nimda worm using packet capture analysis to identify NetBIOS saturation patterns across satellite ISP infrastructure</p></li><li><p>Building trusted peer networks for crowdsourcing threat intelligence during active incidents rather than relying solely on formal feeds</p></li><li><p>Analyzing Clop ransomware's acquisition of six zero-days as evidence of APT-level sophistication despite purely financial motivation</p></li><li><p>Implementing structured incident response documentation and processes to enable faster recovery and more nimble response</p></li><li><p>Evaluating nation-state threat actors by understanding their 5-year strategic plans and objectives rather than mapping everything to MITRE ATT&CK</p></li><li><p>Deploying agentic AI to standardize analyst work products and maintain consistent intelligence delivery across global security teams</p></li><li><p>Examining North Korean IT worker infiltration campaigns that exploit weak HR and recruitment processes</p></li><li><p>Differentiating financially-motivated ransomware operations from nation-state APT campaigns while recognizing blurred lines in TTPs</p></li></ul><p><strong>Key Takeaways:</strong></p><ul><li><p>Document incident response procedures upfront with standardized policies to reduce response time during active security incidents.</p></li><li><p>Build trusted peer networks across the industry for crowdsourcing threat intelligence when formal feeds lack critical real-time information.</p></li><li><p>Evaluate ransomware groups for APT-level capabilities when they acquire multiple zero-days, regardless of their financial motivations.</p></li><li><p>Research adversaries' 5-year strategic plans and national objectives to understand nation-state threat actor targeting.</p></li><li><p>Deploy agentic AI systems to standardize analyst work products and maintain consistent intelligence delivery formatting.</p></li><li><p>Strengthen HR and recruitment processes with technical screening questions to defend against North Korean IT worker infiltration.</p></li><li><p>Maintain curiosity and interrogate suspicious indicators until they make complete sense rather than accepting surface-level explanations.</p></li><li><p>Recognize that attackers leverage the same automation and AI capabilities defenders use, requiring equivalent adoption to maintain defensive parity.</p></li></ul><p><strong>Listen to more episodes:</strong></p><p><a href="https://podcasts.apple.com/us/podcast/future-of-threat-intelligence/id1631947902" target="_blank" rel="noopener noreferrer"><u>Apple</u></a></p><p><a href="https://open.spotify.com/show/0671lFjPIgX6k2jYRrWrf4?si=c728ebaa3cb44095" target="_blank" rel="noopener noreferrer"><u>Spotify</u></a></p><p><a href="https://www.youtube.com/playlist?list=PL6DKwSSbBu7uAbek0EyOYNBiVXVbYIc7_" target="_blank" rel="noopener noreferrer"><u>YouTube</u></a></p><p><a href="https://www.team-cymru.com/podcast" target="_blank" rel="noopener noreferrer"><u>Website</u></a></p>