
Leveraging Advanced Cyber Threat Intelligence for Proactive Defense: A Case Study

Presenters:

Transcript:

And as you have heard, those in the room, one of us is joining by Zoom. So I'll go ahead and get this started. With us here in the room is Bryan Perkola, VP of information security with First Community Credit Union. Joining us by Zoom is Michael-Angelo Zummo, global director of CTI pre-sales for Cybersixgill.


They are presenting today on Leveraging Advanced Cyber Threat Intelligence for Proactive Defense: A Case Study. Thank you. Thank you. Bryan, you got me. I do. Everybody. Sorry. I'll just go ahead and start real quick. I apologize for not being there in person with you all. I'm Michael-Angelo Zummo, as he just introduced.


I'm currently in Florida. I was planning to be out there in Houston with you guys. But then obviously you. I'm sure you're all tracking this storm, which I just heard a very loud crack in the sky just now. So, if I drop off, I got my hotspot ready to go, so I'll get back in here as quickly as possible. But great to be here. Okay. Oh, did I lose you guys already? No. We're good. Okay.


So, Bryan, I guess, we'll have you. You're. You got the clicker. I do. We're good. All right. We can go ahead and, I'm ready when you are. I guess I introduced myself, so you can go ahead and introduce yourself a little bit more. Yeah, sure. Bryan Perkola, vice president of information security with First Community Credit Union here in Houston, Texas.


This is kind of our tabletop exercise for dealing with a hurricane and doing a presentation during it. We're making the best of it as we can, so it's all kind of experimental. So, anyway, bear with us. Hopefully it'll be a good presentation and you'll get something out of it here. Yeah, Bryan and I've been working on this for a long time, so it's quite a bummer, the timing of this.


But, maybe next year we'll convince a few seconds and push this to, like, November or something after hurricane season. But, hey, if I drop off, we have some beautiful people in the crowd, too. Derek. If you guys see him afterwards, he. I made him fly in from Phoenix straight to Houston.


He was out on a trip already for work, and I made him fly in, because I was unable to make it. So, give him a little high five later on. And then Ashley Taylor, probably out in the crowd, as well as Bryan's team, who's a fantastic team. Nicole and ATL. So, make sure y'all give them a high five and a little pat on the back for some of the research that we've done here.


Before we dive into Bryan's piece and how his cyber security team leverages intelligence across the organization, I just want to give you a little bit of background about who we are and what we're doing, to give you some context into how Bryan's team is able to accomplish all of this. We're Cybersixgill. You could go ahead, next slide.


Bryan, and just let the animation play. We are a threat intelligence provider that's collecting intelligence from any type of external source. So you could see on the slide here, clear, deep and dark web, messaging platforms like Telegram. It doesn't matter the type of source. If there is threat actor activity out there, whether it's a dark web forum or a credit card market, or a pastebin somewhere, or maybe even a code repository.


We're out there collecting intelligence. Just kind of agnostic. We don't care who the victims might be. We don't care who threat actors are targeting or what tools they might be using. We just collect it all, and that allows us, go ahead, next slide, Bryan. That allows us to cover pretty much any use case that a threat intelligence team is looking to accomplish.


So whether you're a fraud team or a security team that is responsible for fraud, like you'll learn here very soon. Or you're a threat hunting team, a vulnerability management team, or maybe even, like, a cybercrime team that's working in a law enforcement capacity. Which is where I come from, prior military investigations, law enforcement, forensics.


Because of our collection methodology, we're able to align with any of these use cases because, again, we're not looking for specific types of threats. We're just looking for any type of threat actor activity out there, in any of those external sources. Go ahead. Next slide, Bryan. Thank you. And you can let the animation play. So, as it relates to those different use cases that you saw on the previous slide, there's all these different types of data sets, all these different types of threats that we're collecting.


Which you can see here on this slide, anything from leaked credentials to malware that's being distributed or sold by threat actors. Last year at HOU.SEC.CON., I presented on persona management, and I gave a little sneak peek into one of the tools that threat actors are leveraging every single day, which is a credential stuffing tool like OpenBullet, all of which we're able to identify in our own collection or through your own manual investigations like we learned last year.


But again, anything from leaked credentials to vulnerability exploits to crypto, you name it, there is a source out there where there are threat actors looking to exploit or target or utilize that data to their advantage. Go ahead, Bryan. Next slide. Stolen credit cards. Yeah. Crypto. All that stuff. The problem is, the threats there are vast.


There are tons of threats out there. Right. Go ahead. Next slide, Bryan. And then you can let this animation play. And no matter what industry you're in, whether you're finance or you're technology or you're, you know, insurance, health care, whatever it might be, there is intelligence out there that is being dumped by threat actors or is being exploited by threat actors.


Every single day. And you can just see some of the examples for like the financial industry here on this slide where we're collecting everything from compromised accounts to ransomware attacks, to data leaks, all across the world, it's never just to one specific region. These threat actors, as we all probably know here, are willing to take advantage of anybody.


They're able to trick through a phishing campaign or find exposed access, exposed RDP or anything like that out there. They're going to take advantage of any of these banks, or organizations across these industries, which is why we try and create a solution to that problem. Go ahead. Next slide. And then you could just go through the next.


There's one where you have all this intelligence, but a lot of it is noise. You know, you can consume a feed, you know, whether it's an open source feed or a premium feed, or maybe you're manual investigators or manual threat intelligence yourselves that are out there on these sources, and you're trying to figure out, well, what do I look at?


What do I even care about? Do I care about industry specific threats? And if so, how do I leverage that? Or am I looking for intelligence specific to my organization? How do I find that? So with our solution, go ahead, next slide. And actually you can go another slide after that. We are able to correlate intelligence based on your requirements and based on any of your digital or exposed assets, anything like your domains, your IPs, your executives.


And so on. So an example here that you see for, like, First Community Credit Union. This is from one of the ransomware leak sites, where you could see these are links to the files that the group actually shared. Well, this is something we're able to correlate and alert organizations on just by simply monitoring for their domains, IPs.


If you go ahead and click ahead, Bryan, you'll see here's examples of how we're able to take that intelligence and generate an alert for it in near real time. So you don't have to worry about trying to get access to these sources and manually try and hunt these out yourselves. We can help correlate that information for you and provide you with the intelligence to take action on it as soon as possible.


Go ahead. Next, you can run through the animation. And these are just other examples here. So the most important part, why you're all here, is you want to learn: how can you do this yourselves? Right. So Bryan and his team are a fantastic security department that they have there together, where they're able to accomplish all these different use cases even beyond what a typical security team would traditionally be responsible for, by utilizing intelligence and all the other tools that they have at their disposal.


So with that, I'll pass it on to Bryan, to tell you a little bit about how his team accomplishes that. And hopefully you guys will be able to replicate that in your environments. Yeah. So we utilize Cybersixgill like we do other threat feeds, except this is giving us insight into what's going on in the dark web.


It's given us enrichment. And so our indicators of compromise or things like that. One of the things we like about it is if you go into the dark web, there's no real way to search the dark web. There's no Google search engine you can look for. The other thing is we're a small team. We don't have analysts that can be on the dark web all the time looking through various marketplaces for our assets, looking through various communication channels for our assets.


So they provide a great service for us and are able to consolidate other information down for us, allow us to find information relevant to our credit union, and then also, you know, allow us to be able to search for other information that might be affecting us. One of the reasons we like to utilize a tool like this to give us visibility is a scene from the original Star Wars, where Luke Skywalker is training with the droid on the Millennium Falcon, has the blast shield down, can't see what's coming at him.


That's much like me in the dark web. If you don't know what's out there, you can't defend against it. So having that knowledge about what people are saying about us, what assets might be exposed in the dark web gives us that visibility. So we don't have the blast shield; we have it up. We're able to see what's coming at us.


We're able to deflect those attacks. So some of the ways we do that through it is utilizing, like I said, we feed that information into our SOAR platforms. We also do a lot of fraud intelligence monitoring. With that, we're doing dark web purchases. We take assets offline. We'll make the purchases. We also use attack surface management to look for assets or copycat assets that might be online.


And we also do a lot of threat research and provide a lot of information to other individuals in our credit union. Based off the information we're able to pull from tools like this.


So like I said, one of the things we do is we enrich our PSAs and SIEM platforms. One of the things it does, it gives us a very reliable source. So when you see information on the dark web, we've been very confident in the sources that provide that information. So as our SOAR is breaking apart information, whether it's a phishing email submitted to us, it's able to immediately correlate that information with information that's being fed from the dark web.


So it's finding IP addresses, URLs, domains, anything that might be mentioned on the dark web. We're able to immediately associate it back. A lot of times in our industry we see credential harvesting attacks. So we could potentially identify a credential harvesting site where this email's directing it to a credential harvesting site, which is one of the big things that we have to fight as a credit union.


We also do fraud intelligence monitoring. And this is one of the areas that really separates this product for us, and a lot of ones, this is one of the few products we can show a return on investment on. Most of the time with security, it's a cost center because it's a security defense, it's a risk mitigation. We actually are able to show a return on investment with this product.


The way we do that is, this is what you see is a marketplace for credit card information being for sale. When we get the feeds like that, we will typically see it come in much like this. It tells us, hey, here's a credit card. It's associated to your BIN numbers. We're looking for that information. What we'll do is we'll actively take that information, go into our member database, start matching that information up.


When my team feels very confident that they've got a match, they will notify our Card Services department. Card Services will shut that card down and issue the member a new card. It's not a service offering to our customers. We don't broadcast it to, hey, we're out here monitoring your personal information, because we're not monitoring for personal information. We're monitoring for credit union assets.


And when we see those assets online in the dark web, we'll actively try to take them down or prevent the fraud. And by preventing fraud, it allows us to show that return on investment. Because if this credit card, say, had a $20,000 credit limit on it, and we're able to shut it down, there's a potential fraud savings of $20,000 against the credit union.


We also deal with mule accounts. Mule accounts are typically for sale online as well. And the bad actors will use these accounts to launder money through them. They will also use it to move money through there to give it more of a legitimate look. So they'll move money through there and move it back out to another account. It kind of washes it away.


They'll also use it at times to be able to make fake deposits into those accounts. They'll create fake checks or whatever it is, make deposits in those accounts and then try to move it out of that account as quickly as possible before our traditional fraud detections can pick up on it.


We also still see this type of scam. We'll find checks for sale online. It's check washing. It's an old-time scam, but the US Postal Service is not very good with their security; mail is stolen all the time, checks are taken out of it. What they'll do typically in these types of scams is they'll take the check information. They'll go and create new checks.


Everybody knows how well you can print things now. They're able to print this information, print new checks or create fake credentials and start cashing those checks. And once again, if we can take these checks offline, hand them over to our fraud department, they're going to start working with that account to shut it down or monitor it more closely.


We're able to prevent fraud again with that instance. Dark web purchases. This is one of the things that's a little bit different that we do: we will make dark web purchases through our service partnership if we see an asset that we want to make a purchase on. Like I said, we don't have the team to be able to maintain it.


The marketplace relationships to maintain those relationships takes a lot of effort. It takes a lot of time to build it up, takes some effort to get into it where you're actually accepted into it. You can't just go join like Amazon. A lot of times, you got to prove means to get in there and maintaining that access is difficult.


So having partnerships is great. A lot of times we'll see credentials for sale. A lot of times it's our members' online accounts. Sometimes we'll buy those to take them down. One of the things we're proactive with is if we see our user credentials possibly for sale, we'll buy those accounts, we'll take them down for a couple of reasons.


One is there's an honor among thieves on the dark web. They won't sell to multiple people, typically because they'll lose their reputation and they won't be able to sell. So once they buy something, they take it offline. So by taking it offline, we've basically taken that threat away. But more importantly, we can now look at that asset and potentially identify which breach it was involved with.


How did that asset become available on the dark web? And if we see that asset out there, we might be able to identify other assets or other user accounts that may have been exposed in a similar breach. So we can start looking at those accounts, possibly asking users to change their passwords, making additional monitoring of those, so we can look at things and be proactive in our defenses on what we're doing.


Once again, at times we'll even make credit card purchases if we see a credit card online. If we meet certain criteria, we'll make that purchase. The way we look at it is it'll cost us a little bit of money to make that purchase. But once again, if we're saving ten or $20,000 of potential fraud, it's a positive gain for us.


The other thing that we talked about, mule accounts: this is what a mule account typically looks like online. And the examples we're showing you are not unique to First Community Credit Union. You can go find any financial institution. They all experience the same issues. It's not unique to us. So what this will typically be is this issue in one of our online accounts available for sale.


They said from your account likely did it through online registration sets, account online. And what the bad actors are good at is they understand the processes banks use. Because what they also want to do is they want to get access into the payment services available. The payment services are typically put on hold at most financial institutions for about 30 to 45 days.


So what they'll do is they'll hold the accounts for that long before they put them up for sale, and then once they put them up for sale, they'll start using it for mule activities, moving money through them. Once again, if we can shut these accounts down before they're actually used, we save the credit union money from fraud.


Attack surface management. The other thing we're looking for is we're looking for our assets on the dark web and the web in general. We're looking to see if there's somebody creating typosquatting domains, domains similar to ours. We're looking for anybody impersonating their account. Like I said, one of the big attack vectors for the financial institutions is credential harvesting attacks. They'll make look-alike sites of our online banking sites, send out text messages to our members, fake text messages, get them to go to those sites, and they will give their credentials on those sites because it looks like our site.


So finding those credential harvesting sites and shutting them down as quickly as possible is another way that we're able to help prevent fraud and prevent our credit union from taking losses.


Intelligence and analysis. This is another area that's kind of unique for what we're doing with this. We utilize these tools too; like I said, there's no search engine on the dark web. So being able to go on this tool and be able to search through the dark web and find information is a very, very critical tool for us.


We're able to look for information that's related to us, or we might see posts about us. If we see a lot of chatter about a particular attack or something, it might be, you know, talking about, you know, maybe a firewall vulnerability or something that was noticed. We're able to go in there, look at that, shore it up, make sure those defenses are prepared for it.


So once again, we're not waiting for the attack to come to us. We're going to go prepare for the attack. Take away what the surface area was I have and be able to prepare for it. The other thing we do with this intelligence is we're able to create reports.


And once again, the other thing we're able to do with intelligence is also find information related to our industry. So this is talking about an NCUA breach about a year ago where a lot of data was leaked. So we're able to not only search for information, but we're able to search for information related to other industries we're working with, maybe partners we're working with, so we can see how well their security is doing because they're hiring some partners or handling our members' data. So we also want to make sure they're handling it in a way that's acceptable to us.


And this is an example of some of the information we find online. This is an account that we might have been searching for. Has the Bitcoin address, email, Telegram handle. So once again this has given us intelligence about who we're dealing with at a particular given moment.


And what I was talking about earlier is, you know, we do a lot of information to present to our executive team. What we'll do is we'll typically go in here and ask it to create a summary for us, and it'll give us executive reports, and we're able to give that executive report to our executives so that they're able to understand what we're facing as far as threats at a given moment.


So we'll typically do this in about a weekly or bi-weekly format. And what it does is it tells them not only what the credit union is facing but what the financial services industry as a whole is facing, so that when we're asking for resources or saying, hey, we're facing this threat, or they might be looking at a particular solution, we can say, hey, the solution might not be a good fit because we're seeing these types of attacks.


They have all this information in front of them, so they're well aware of what we're dealing with on the financial side or the security side.


And this is one of the more unique things that we've used it for. This one was a little bit interesting. You want to talk about a crummy way to start your day is to have your DHS agent call you at 7:15 in the morning to tell you you're a part of a ransomware breach. It's not a good way to start your Monday.


But anyway, that's what occurred to us about a year and a half ago. My DHS agent called me and said, hey, you're part of a breach that's been notified on a lot of chatter boards. You might want to get in and look at it. Thing was, I got to work that morning and one of my analysts got there about the same time I did.


We immediately pulled information from what we were seeing in the feeds from this tool. It gave us several indicators, several artifacts that we could go in and look at. We took those artifacts, looked at them. We went on the dark web ourselves, pulled them down, looked at them, started evaluating them, compared them to known information we had, and within an hour we were able to conclusively say, hey, we went to our executives and said, hey, this isn't affecting us.


This is not a breach against us. The reason we can say it is there's five First Community Credit Unions in the United States. None of them are affiliated with one another. What happened in this instance was there was a first and credit union that was part of a ransomware attack, but the bad guys were lazy. And what they did, they went to Google, likely just searched for a credit union.


Our marketing team had done a really good job of getting us high up in the search engines, so they pulled our logo and URL and attributed the attack to us 24. It was about an hour or two into this. The Federal Reserve called me and said, hey, you're part of a ransomware breach. And I'm like, no, we're not.


Let me present you all this information. Here's all our findings. I think we believe is this credit union this or United States. They took our information, they went back, called us back about an hour later and said, hey, you are correct. That was what we did find as well. So this is one way that we were able to thwart that type of information and getting out.


One of the things I found kind of funny about this is when you guys are dealing with security researchers, be very careful that term security researcher I came to believe after this, a lot of them should be called security influencers because they did absolutely zero research to figure out that it was us. They just took other blog posts and regurgitated what that last blog post said.


And it kind of propagated for a couple of weeks. Actually, as of a few months ago, I'm still hearing that it was affecting us and we had people say, no, it wasn't affecting us. So be aware when you're dealing with security researchers, they might not be doing any research. So always kind of take what they're showing you and validate what they're talking about.


And one of the things I had to say about this is the reason we do all this information like this is, you know, Mike Tyson once said, everybody has a plan until they get punched in the face. And I equate that to, you know, we always have security plans. We have incident response plans for when we do get punched in the face.


But what if we could take this intelligence like this and duck and dodge and never take that blow to the face? All of a sudden, we don't have to have that plan. We just have to keep moving and keep avoiding our adversaries' blows. So. Anyway, that's some of the ways that we're using threat intelligence to proactively help our defenses, proactively take down fraud and proactively help our credit union just be more secure, protect that member data.


That's our ultimate goal, is to carry operations. And with that, that's the end. Also, any questions, anyone? If yes, if anybody has any questions let me get the microphone to you. Because that's the only way that Zummo is going to hear the question. I actually have one last dance. Make him sing it. You were talking about purchasing FCCU assets.


How does the dark web account that you're doing these purchasing things with not get outed as FCCU, because it's like, oh, I'm only buying this stuff. That's one of the tricks we use. We use it. We go through our partner with Cybersixgill. They're actually the ones who provided us that service. So they have multiple accounts that they're using.


And, you know, we do the purchases through them. So they're able to obfuscate that it's us making the purchase necessarily. Yeah. We basically act as that middleman. Right. And, just like Bryan said, we have a dedicated team. Myself, again, I come from a law enforcement, military background. So I've managed my own personas, like we talked about last year in our persona management workshop.


Derek out there, we all, everyone here at Cybersixgill has a whole inventory of personas that we're leveraging, so that when we need to, whether engage with a threat actor or conduct a purchase, or, you know, post some activity on a source to gain trust amongst the threat actor community of that particular source.


We have all these different personas available to us so that we can never be attributed to, like, a certain identity or maybe a certain organization. So, for example, for making a purchase of, like, a compromised account for FCCU, we don't always have to use the same persona. And we would never reveal any information to the threat actor if we, you know, had to engage with them to do that acquisition.


But we have a large, large library. We're always creating new personas, because, you know, this threat actor landscape, it's dynamic. We constantly have to deal with the different obstacles when it comes to getting access to sources like Bryan mentioned earlier or making acquisitions. So we're always on our toes and making sure that we have that access and that purchasing power available to us.
Great question. I'm running over to the next question right now.


Thank you. Talking about, against, the legality of those activities, what are the boundaries when it comes to, let's say, for example, on a breach forum and you're trying to buy credits for your account so that you can sometimes, you know, unlock certain ability to see certain leaks that you use for threat intelligence. When it comes to legal issues, how far is too far?


Is engaging in purchasing those credits already too far? Or will it depend on what the data is used for? It depends on what we're doing with the data. For us, we work on a very high ethical standard. That's one of the things that we emphasize over and over with our security team that we have win those ethical people alive.


Basically. But we have to also think like the bad guys. And the thing is, the bad guys are gonna have an account available. And once again, if it's an FCCU asset and we take it offline, we're not necessarily taking those credentials and using them for our own personal good to be able to access somebody's account.


What we're doing is, like I say, we're turning that information pretty much immediately over to our fraud team or our Card Services team, so they can continue the investigation from there. A lot of times we work very closely with those teams to provide them intelligence because they don't see the information on the dark web. They kind of leave that up to us to do the searching for that, and we'll turn the information we find over to them so they can continue the investigation.


It's like, hey, we found this information online. You may want to look at it. They may also be doing some investigation on those accounts from a whole different angle. And what we're doing is just giving them additional assets or resources that they can conduct an investigation with. So it's a very symbiotic relationship we have with those two groups in our organization, because we do provide them a lot of information for those investigations.


And further to that, you know, from a threat intelligence collection perspective, you know, the data that shows up in these forums ultimately ends up being public data. That being said, we understand the sensitivity of it, especially like you mentioned, whoever asked the question. Thank you for your question. If there's a leak on breach forums.


Right. And it's a file that we're downloading and extracting, and within that leak there's everything from, you know, Chase Bank to FCCU to Bank of America, whatever it is. Because we've gone through that extra step of downloading that data and parsing it, we protect it. And we're not just, you know, passing that data out to every threat intelligence user or through the different feeds. We try and protect it and just give it to those that it actually belongs to, so that they can remediate those issues.


You mentioned chat IQ for quick reports. I was wondering, are there any other ways you are leveraging AI in your task force? Right now we're very cautious what we do with AI. One of the things we're cautious about is we're concerned about the controls on it. At this point in time, we do a lot with member data, PII information. You know, early on, you know, Samsung had some information put in AI and it was confidential information, but now it's public because it got broadcast out there.


So we're just trying to assess all the controls on AI to a large degree to make sure we don't expose any member data, because as I mentioned, our whole objective with our ops team is to protect members' data. And so we're trying to evaluate to make sure, running the old AWS, this wasn't configured correctly, thing with most breaches over the past several years.


So we have all the controls in place that we need to protect that data when we do decide to use some AI products. So right now, this one is fairly safe because we're not exposing member data. For us, they've got it very much contained into their private area, and it's typically just searching for, like I said, relevant information for stuff that's already on the dark web.


So. Thank you. Anybody? Yes.


You mentioned that you end up purchasing all of the, I guess, the leaked information that is found on the dark web. Do you, and you might have mentioned this, but do you actually end up purchasing every piece of information that's found on the dark web and send that over to your fraud team?


We don't purchase every piece. We have certain criteria we work from. And we look at it and we kind of evaluate things all the time. So what we'll do is we'll try to assess the information. A lot of times if we're able to, we'll dig through it. And we can potentially sometimes identify the accounts without making a purchase.


So we're taking the information that is made available to us. And a lot of times, with, you know, a lot of legwork and a lot of digging, we can sometimes identify the accounts. But we'll see others where it just has certain criteria that we're looking for, and we're like, okay, this is what we need to purchase, because typically when we've seen these types of accounts, they're typically, say, larger volume accounts or larger dollar accounts.


So we'll say, hey, this is one that we want to take a look at more closely. Sometimes we win. Sometimes the account has a large balance. Sometimes the account's negative, which is kind of a wash. But it's one of those things you just kind of take a chance on. And hopefully you win more often than lose. So, and from, I guess, Cybersixgill too, they send you the notification that something's been found, right?


Or is that your team that gets that notification and then y'all decide if you're going to purchase that or not? Yeah. We receive certain notifications. What we've done with the platform is we're able to put in certain criteria. So for, like, us, we've got our BIN numbers in there. We've got executives, we've got domains, we've got IP addresses, we've got all kinds of assets that are related to us.


So if any of those ever appear anywhere, we receive alerts about it saying, hey, this has been mentioned somewhere on the dark web, or this might be available on the dark web. We're immediately flagged, notified about it, and we've got protocols that we'll take actions on based off of the type of information it is. Cool. Thank you. And actually, it's important.


Oh, I'm sorry, another question. No, I was going to follow up. Go ahead first. Okay. Yeah, I was going to say, you know, just like the example where Bryan and his team dealt with the false ransomware group or ransomware post, you know, with threat intelligence, whether you're doing it manually or you're consuming feeds or whatever it might be, some people tend to panic when they're presented with intelligence.


But it's important that with that intelligence, you're getting the context around the threat. So just like Bryan's team does, you can assess the threat, try and correlate it using other systems that you have internally, and really determine what the threat might actually be, what the impact is if you do nothing, or what you might be able to prevent if you do remediate ahead of time.


So, it's just a really awesome part of security where we're able to leverage this intelligence and be able to get ahead of these threats and, you know, not have to freak out when DHS calls you at whatever o'clock in the morning saying, hey, you're in a ransomware breach. You're like, no, we're not. We already looked at it.


So, you know, it's a really huge advantage we have as threat intelligence analysts around the industry. And the thing I was going to add is, if you're able to identify the account without actually making the purchase, Bryan, you're basically damaging the seller's reputation by leaving it out there after you've resolved it. Sometimes. Yeah. Because sometimes what they do is they, you know, they don't necessarily account for us looking at it.


So when we're able to see certain pieces of information, we're able to identify it back to an account. So if they leave too much information available, that's how we're able to identify it back. So they're not necessarily expecting us to be the ones looking at it, because, well, you can kind of look at it like a public/private key.


They have the public key on their side; we have the private key on our side. We're able to look at it by looking at our members' actual data, to be able to try to match it up. So they're not expecting us to have that reciprocal information. So it gives us an advantage of being able to kind of piece it all together and, you know, put on our investigative hats and see what we might find.


So that's actually a really good perspective, whoever the host is there, because there are many different types of pieces of data that threat actors sell, whether it's those compromised credit cards, or it's credentials, or it's, you know, some sort of data set, whatever it might be. But, right, in certain cases, you might be able to identify the risks there just based on the intelligence that you have alone and remediate that threat without the threat actor even knowing that you've remediated it. So if another threat actor comes along and purchases it and then realizes that whatever they bought is no longer valid, that does hurt the threat actor's reputation. So that's a fantastic perspective on it. And I'm going to be using that for now for my research.


Thank you. Glad to help. I introduced you last year. That's Bob. Oh, hey. How are you? All right. Doing well. Anybody else have a question? Then it looks like, thank everybody for coming. Thank you for joining us. And we'll give you some time back. It's 2:33. So our next presentation's at three. Thank you all.
