Spotlight: Making the Most of Cyber Threat Intelligence with Itsik Kesler of KELA

In this Spotlight episode of the Security Ledger podcast, I interview Itsik Kesler, the CTO of the threat intelligence firm Kela about the evolution of threat intelligence and findings from the company’s latest State of Cybercrime Threat Intelligence report.

[MP3] | [Transcript]

In the last decade, so-called “cybercrime threat intelligence” has gone from being the specialty of three letter intelligence agencies to a standard part of many enterprise security portfolios. With threats online proliferating and with a thriving cybercriminal underground, organizations that care about security need an ear to the ground in cybercriminal forums and dark markets, where stolen data, access credentials and more are traded.

Itsik Kesler, CTO of KELA

Properly integrated into a cyber response program, cybercrime threat intelligence can give firms early warning about security breaches and alert them to the theft of sensitive data or the compromise of an employee account. It can even tip off firms about attacks that are still in the planning stage – not simply narrowing the “window of compromise” but slamming it shut.

Connecting The Dots: The Kremlin’s Links to Cyber Crime

Despite that, operationalizing the kinds of information that cybercrime threat intelligence firms provide is easier said than done, as a recent survey by the firm KELA shows. That company’s State of Cybercrime Threat Intelligence Report for 2022 surveyed 400 IT pros and revealed ongoing concerns about the risk of corporate information turning up on cybercrime forums, but also concerns about visibility into that risk, and a lack of clear policies within organizations to handle cybercrime threat intelligence. 

What’s the Future of Detection Teams? Five Predictions for What Lies Ahead 

In this Spotlight podcast, I speak with Itsik Kesler, the CTO of Kayla about the new report and about the challenges organizations face as they look to leverage cybercrime threat intelligence as part of their security operations.


Itsik Kesler (Kela): I’m Itsik and I’m the CTO at Kela

Paul Roberts (Security Ledger): itsik, welcome to the Security Ledger podcast.

Itsik Kesler (Kela): Thank you Paul. Great to be here. Thanks for having me.

Paul Roberts (Security Ledger): Okay. So for our listeners who are not familiar with Kela, tell us a little bit about your company, where your C T O and what Kela does.

Itsik Kesler (Kela): Sure. So Kela is a threat intelligence company focused on providing actionable intelligence. We specialize in this cyber grime on the ground. with the goal of digital crime. To support it. We have to know, understand exactly what’s happening in the cybercrime world and to monitoring it in such a way that our customers will have the most accurate and hematic coverage possible.

This means we have to have the most sustain, suitable technology to collect, analyze, and extract the right information for our users in an easy way to. In the Keala platform, you can find many different tools, both for alerting and monitoring investigation, tools for threat hunting, and [00:01:00] also some general transformation on what’s currently going on in the cybercrime underground.

Paul Roberts (Security Ledger): So I always ask this of our guests, cuz in the cyber security space it’s often, you get really interesting answers. But could you tell us just a little bit about your journey to the cybersecurity space and how you came to to get involved in the field

Itsik Kesler (Kela): Sure.

Paul Roberts (Security Ledger): In Israel where your company is based these stories often have a common theme.

Itsik Kesler (Kela): Yeah, yeah, before Kela, I served in the Israeli intelligence at the technology unit commonly the common story

Paul Roberts (Security Ledger): There, it is!

Itsik Kesler (Kela): Yeah. So I was there for quite a some time about, I think eight years. Something like that. After which I worked as a senior security researcher at the Israeli National Cyber Authority, which is an government organization whose mission is to provide a national level defense to support the civilian world. And then from about [00:02:00] 2017, I joined Kela first as a VP of R&D and then later on as a CTO.

Paul Roberts (Security Ledger): And I know cuz I I’ve been to Israel and talked to folks from the government. Like in Israel it’s really amazing. Like the government actually really has a pretty active program for going out, even like early for kids in middle and high school and kind of identifying people who have a proclivity or abilities, whether it’s math or computer science or whatever. Was that you as a kid, were you like a computer nerd as a kid or more of like a math science person or what was.

Itsik Kesler (Kela): I’m sorry to say that. Yes, I was a nerd as a kid. I playing with the C code even and HTML and some. JavaScript from school yeah, playing video games and stuff. Interesting times. Yeah.

Paul Roberts (Security Ledger): So I’d ask you what you did in Israeli intelligence, but I always ask that question and I always get the same answer.

Itsik Kesler (Kela): You already know the answer.

Paul Roberts (Security Ledger): So Kela’s focused on, what we would term kind of cyber threat intelligence. [00:03:00] So focus on the cyber criminal underground. But I thought it’s always good to talk about what we mean by these terms cuz they get thrown around by reporters like me. And sometimes we use them generically when the types of, organizations, individuals, entities that Kela really focuses on. What are we talking about? What is the cyber criminal underground as you see it and as Kela sees it,

Itsik Kesler (Kela): So first of all, many people refer to these cyber crime underground as the dark web or the dark net, and this is actually the terms that we don’t like to use.

Paul Roberts (Security Ledger): yeah, they’re different. They’re different things actually. Yeah.

Itsik Kesler (Kela): Yeah, exactly. Usually you hear these terms in the mainstream media as a way to sound frightening, to sign, like some spooky things going on under there. But we actually don’t like to use these terms. According to what we believe when we are talking about the cybercrime underground, we usually refer to the places where the bad guys, the tech, the hackers and [00:04:00] criminals are using to communicate, to collaborate and monetize these actions. It can look like a standard closed forum.

It can be even a standard instant messaging group chat or some other things that might look pretty straightforward. Essentially, the cybercrime underground is vast and behaves as a parallel ecosystem with service providers, sellers, buyers talents emerging and these ecosystems is keep changing.

Paul Roberts (Security Ledger): Yeah and it’s a huge ecosystem. I saw some. I dunno. Somebody’s shared some graphic on Twitter that estimated that the cyber crime, the GDP of the cyber criminal underground was something like the third largest gdp. It was like US China, and then like cybercrime or something. I don’t know if that’s true, but it’s a pretty big ecosystem. Am I right?

Itsik Kesler (Kela): Yeah I also don’t know about the, now the exact numbers, but it’s a huge ecosystem and you can see it evolves and especially in every economical ecosystem, you can see things evolve according to demand and [00:05:00] needs. The cyber crime underground works the same way. You can always see a need and you will always, some will find someone who will provide this need for money, of course.

And this is how this evolves. It starts from a standard forum and continues once you, there are sites and there are services in In this field where you can just browse solve a market, see what kind of a credentials you want, or what kind of a bot you want to get. And with the click of a button, you will get the exact credentials or the exact bot on a compromise machine without doing much of a ef of an effort.

So it sounds like something spooky and something that goes in in behind the scenes, but it actually. It evolves and automates and it’s very dynamic and very advanced ecosystem.

Paul Roberts (Security Ledger): It’s a business environment, really, right? And the dark web, it’s funny, I, the dark web, I think it, that term gets thrown around because of the word “dark”, and we associate darkness with criminality [00:06:00] and so on. But in fact, the dark web is really just the non indexed web, right? It’s just all the sites out there that aren’t being crawled by Google, not necessarily malicious. And there’s definitely a part of the dark web that is linked to cyber crime, but not all of it.

Itsik Kesler (Kela): Yeah, that, that’s exactly correct. Yeah I think it sells and that’s what makes it, continuously. Yeah, going more and more

Paul Roberts (Security Ledger): Click bait. Yeah. Good for the headlines. Good for the headlines. So what are the, what are some of the group so I think when we think of cyber crime often these days we’re thinking of like ransomware groups, and this is where a lot of the money is. But what are the different entities or groups or schemes that are populating the cybercrime underground right now?

Itsik Kesler (Kela): There are many different types of actors and different types of groups each acting differently with different ideology. I think that basically almost all of them are doing it for profit doing it for money, but as. As sort of an ecosystem, as you said, there are different [00:07:00] jobs and different spec specialties in this type of actions.

For example, some of the groups or some of the people in this field are specialized in just getting an initial access to organization. Just getting the right credential or getting a VPN access to an organization. And then after that, they just sell it to another group that will get this access into used.

And then later on they will maybe evolve this access and sell it to Ransom group. And then the ransom group will do the ransom. So there are different types of, working in different ways.

Paul Roberts (Security Ledger): Very specialized.

Itsik Kesler (Kela): Yeah, there are different jobs and different titles and different actions that each group is taking and I think that I ideologically speaking, if there is any ideology in these areas, you could see that some of the, I think, ransom groups there are those who will say that they want to take any health institute during the pandemic or nonprofit organizations, but if they won’t do it, [00:08:00] some other ransom group will do it. So I think that essentially the money talks in there and it’s not about the ideology.

Paul Roberts (Security Ledger): Yes we have occasionally seen ransomware groups behave in. Quote unquote ethical manner, which usually means after they’ve popped somebody who ends up being like a pediatric hospital. Maybe they’ll give them the decryption key back, but it seems like there are just as many examples where they don’t give them the decryption key back.

So yeah, I think the jury is out on whether, there’s any ethical behavior in in, in that particular, industry. So when I think about threat, cyber threat intelligence groups like Kela, I think about companies, you’ve got researchers, specialists who are, who have integrated themselves with these communities and groups and forums and are just monitoring and keeping tabs on what’s going on, both generally.

Obviously specifically on behalf of your clients and what their interests are. Is that how Kela [00:09:00] works or are there other as we would say, secret sauce involved in what, in your platform and what you do.

Itsik Kesler (Kela): Yeah, we have a very expert, intelligent. People who are continuously monitoring this field and continuously looking for the places where those kind of people communicate and where the markets are evolving. And every time we find this kind of a source, we find this kind of a website that is interesting. One of the secret sauce that we are doing here at Kello is trying to see how we can. And monitor this source automatically. So if there is a new form, it’s nice to monitor it manually and see what’s going on. But it’ll be much more easy and much more, complete way to automatically monitor it and automatically alert when there is some talks about an organization.

When someone is selling or offering something to sell, we want. To identify it as [00:10:00] soon as possible. And we want to, to the right organization to behave the right way according to what is being published. So it’s both the, I think that it is a joint between the technology and the people here at.

Paul Roberts (Security Ledger): It’s a huge space and Right. I It’s like anything else. This is a lot of, as they might say, unstructured data that you’re managing. So having it’s gonna be impossible to have humans monitoring everything that goes on.

Itsik Kesler (Kela): Yeah. That, yeah, that’s right. And also one of the challenges is how to take all this unstructured data or of this post and all the data that we’ve collected and to make it into a structured data. Is it to consume, is it to integrate, and is handle later on, analyze. Exactly. this is also one of the technical challenges that we’re facing when dealing with this kind of data.

Paul Roberts (Security Ledger): So Kela just came out with a big report, the State of Crime Threat Intelligence report. And this was a survey that you did of basically 400 professionals who were involved in [00:11:00] working with threat intelligence within enterprises first question would be, what were you looking to. Learn from this survey and what types of questions were you looking to answer in this report? And then we’ll talk about some of the findings, which are really interesting.

Itsik Kesler (Kela): Okay, so actually we didn’t really hope to find something specific. Our goal was to get and build a clear image of the current state of the threat intelligence field in order to raise a general awareness of the issues. There. That’s why

That’s actually why we wanted to address the analyst themselves and not the manager. We wanted to talk with those who cope with this challenges in the day-to-day job to understand what they’re thinking and what they think the main issues are, and later on to reflect it to the management of reflective to the [00:12:00] community on what they are facing with.

I think that there are lots of predictions out there but some of them are solely based on gut feelings and not necessarily the actual states in the field. And that’s what we wanted to see in the survey on, in this research.

Paul Roberts (Security Ledger): Let’s talk about some of the findings here. So again, 400 IT professionals that you surveyed. And one of the big takeaways was that you had, almost 70% 69. were concerned about threats from cyber, from the cyber criminal underground to their organization. And more than half, 54% said they wouldn’t be surprised if they found data from their organization actually floating around in one of these cybercriminal forums. I, I guess I, I get the seven and 10 are concerned about it. A little discouraging. The more than half felt like their organization would be easy prey. What should we conclude from that? Sik.

Itsik Kesler (Kela): I wouldn’t call it easy prey. I think that the high, this high percentage is, so some show something [00:13:00] positive actually, that the awareness for the, this kind of threats is out there. I think that es essentially every big organization might have a small leakage. An untrained employee falls for a fishing attack or press the one link, for example.

And I think that the understanding that this employee information might eventually be found and exploited later on in the Cylogram Underground is good as people will understand that they will need to monitor these places for these exact unknown cases. To understand that something is being sold even now, even though they have all of the other defenses in place.

I think that one of the interesting gaps that raised from this report is the issue of trainings. Actually. Organizations understand the risk, the cyber underground poses, but they don’t really understand how to correctly act on it. That, by the way, led us to initiative started that we have started last year of workshops meant to [00:14:00] help the analyst with approving the capabilities whether they use Kela products or not.

We wanted to improve the knowledge and improve their understanding on how they should react and what they should do by attending to this kind of workshops.

Paul Roberts (Security Ledger): of, one of the takeaways from the report was that around 40%, 38% of the people you surveyed had concerns that their organization would not be able to detect a breach. That, that re resulted in data , leaking to the cyber underground, cyber criminal underground. What does that speak to? And I guess the question behind that is what does it take for organizations to detect the types of breaches that lead to data ending up on cyber criminal forums? My sense is often it’s through third parties. It’s not a fault of the company itself.

It might be a supplier or a , third party software vendor platform that they’re using. So what? What is involved in that? And why are, why were the people you surveyed [00:15:00] so worried that they weren’t gonna be able to detect these leaks?

Itsik Kesler (Kela): Well, I I agree with the video about the third parties. I think that the third parties might be the element which, which is in risk, which you cannot control over. and we saw many examples in the past of a third party being compromised and later on affecting its own customers. That’s one of the factors that might be in risk.

And I think that the, there are many other factors that might be in risk, whether it is the users that are using the same passwords between the different services. So one service has been exploited and then the telcos might use the same pass try the same password on the organization account. As we said in the cybercrime underground, there are many different types of entities.

And one of these entities is the initial access brokers. And I think people usually think that

Paul Roberts (Security Ledger): The, these are the subcontractors basically who do the actual compromise of the organization, right?

Itsik Kesler (Kela): They do the initial compromise and then they’ll sell this initial compromise [00:16:00] to other groups. They can sell it to a ransom group or they can sell it to a more advanced taking group who will take this initial access and do some network recon, reconnaissance and lateral some lateral movement in the network to get some more information out of it.

And I think that many people think that the bridge is just when the data has been leaked, but the bridge is starting much more earlier. And this is where the defenders are maybe find it hard to find these places where the bridge has already happened. Some initial broker already offered the access for sale, but they don’t know it yet because nothing has really has published.

And this is where this threat intelligence solution. Help to detect this initial access being sold or even someone is mentioning credentials for some third party service that the company is using, for example.

Paul Roberts (Security Ledger): So you’ve mentioned lots of different types of data usernames and passwords, credentials obviously credit card numbers and, other personally identifiable information. Is [00:17:00] that most of what’s really for sale on the, these cyber criminal forums or is there other types of data as well that companies might not think, oh, this is valuable or interesting to a cyber criminal?

Itsik Kesler (Kela): Everything you can fi think about is being sold in this cyber cloud. That’s how it works. You can see there everything from passports to credit card as you set to credentials. You can even see their RDP access to SE for sale. You can see someone posting an A credentials to an RDP server, not really know what is between, behind this RDP server.

Paul Roberts (Security Ledger): access. Remote desktop. Desktop protocol. Yep. Yep.

Itsik Kesler (Kela): Yeah. And also an access to a PayPal account. Access to a private Steam accounts as well. Access a Netflix that someone that people are selling. You can, everything you can think of can be sold over there. And I think that as we mentioned before, even though sometimes the organizations think, okay, we haven’t found anything about the organization itself, so we are safe.

But if [00:18:00] I know for example, that an employee is working for an organization and the employee has leaked the password, the attacker might try the same password on the on the organizational account of the same employee. Depending on the organization assets, it’s one thing, but also not not less important is defending the employees assets as well.

I think.

Paul Roberts (Security Ledger): But the sense I get is they get initial access, then they really look around for whatever there is to find and potentially sell. They take it all in and then figure out what they can sell off, or what they can make money off of.

Itsik Kesler (Kela): Yeah, that’s correct. And if an organization can find this in time, if the organization can find it initial access for selling time, it can prevent later on much more devastating attack. It can prevent a ransomware attack. It can prevent later on a data breach attack just by identifying that someone is selling an access to some company asset.

Paul Roberts (Security Ledger): And those initial access that, as you said, phish attacks drive-by downloads, that type of thing. Or there are [00:19:00] new variants of attacks that are being tried to to gain access.

Itsik Kesler (Kela): I think that there are it is, it varies and it changes among the time. There are some maybe malicious apps that people are downloading into their phones. It might be site or a malicious application that someone is downloading or add on to the browser that someone is installing.

There are lots of ways to get credentials from a user’s device. So it’s hard to say and it keeps evolving. So every month or every day or so, you can find some new tool that is being sold or that is being used to published later on credentials.

Paul Roberts (Security Ledger): So in your survey, almost half of the people you surveyed, 48% said that their organization didn’t have a formal policy for using or leveraging cyber crime threat intelligence as part of their operations and procedures. Obviously, as a company that’s in this industry what does that say to you, and I guess what are some ways that companies can and [00:20:00] should be using the types of information that Kela provides?

Itsik Kesler (Kela): I think that what should lead this kind of a policy is the. Training and knowledge of how these bad guys are operating. Know what is the initial ex brokers know what is actually being solved in this cybercrime underground. Understand what’s going on. And once you have the right knowledge, you’re halfway there.

Once you understand the potential of everything you can correctly build your risk assessment and behave commonly with the right mitigation plan when each event is happened. Of course you can use companies like us or other threat intelligence experts instead of reinventing the wheels we saw in the survey, for example, that some of the organizations are just building their own tools or writing their own script, which is good.

But the, I think that for the right coverage, this ecosystem is keep evolving. Every now and then you can hear of a new form. You can hear a new market. Not relying on the comp on companies that these [00:21:00] are the solely purpose might miss might miss some data.

Paul Roberts (Security Ledger): It’s hard to stay on top of that in addition to all the other work you’re doing. And that’s all your company does, right?

Itsik Kesler (Kela): Yeah. And I see the struggle that the developers are having with co, with maintaining the coverage, with maintaining the correct ACC access to all of these places. So relying on in-house tools instead of relying on the. You might not have the right, or you might not have the right visibility on all of the places. You might have visibility on some of the places, but not on the all of them, and not maybe up to date.

Paul Roberts (Security Ledger): So one of the things we’ve been writing a lot about, obviously, is the shift to attacks on supply chains. Open source repositories, third party providers. We just saw the attack on Circle a couple weeks ago. Resulted in exposure potentially of a lot of secrets is are you seeing any cyber criminal undergrounds the evidence of those types of breaches as well, the supply chain compromises that are getting access tokens and [00:22:00] credentials and so on.

Itsik Kesler (Kela): Sure. I think that the supply chain attacks has begun many years ago, and you can still see it when threat actors are attacking a company which is also a vendor of other companies, and then use the credentials data collected or used the information data. From this vendor to attack its clients. It’s not that complicated for the right threat actors to understand how to do it, and they do it because they have the information. It’s just a matter of analyzing it and then using it later on. So technologically speaking, it’s not that of a challenge for the threat actors. yeah, we can see it. And of course,

Paul Roberts (Security Ledger): So when I think of often threat intelligence, I think of it as, the company’s gonna become aware that there’s been a data leak. They’re gonna, they’re gonna see some of their documents or executive emails or whatever out there in these forums and are gonna walk back from that to say, okay, there was an incident.

We’re seeing evidence of it. We need to go back and figure out what happened and so on. Is there a way in which the types [00:23:00] of data and information you provide can actually help companies proactively prevent the breach from happening? Apply. Cyber criminal threat intelligence to actually hardening their organization. Not always just going back and finding stuff that’s happened.

Itsik Kesler (Kela): I think that, yeah companies can do some proactive actions. Of course the most easier action is to detect every time a credentials and admin compromise. And this is something that every intentions company can can give you. And then I update the credentials of the user. But I think that the more proactive actions might be, for example, to continuously update, get updates on compromised assets throughout the world, eh, compromised assets, meaning that someone is attacked in server, that later on can be used, can be sold and used by other attackers to perform attacks on other organizations. So if you maintain a blacklist of all of the compromised assets this is something that you can proactively defend yourself against, potentially [00:24:00] actions that will be taken on your network.

Paul Roberts (Security Ledger): Servers that might be using command and control and stuff like that.

Itsik Kesler (Kela): Exactly. Before it even become the attack itself. You can proactively protect yourself against it.

Paul Roberts (Security Ledger): Final question. It’s been a big year geopolitically with Russia’s war on Ukraine that has really shaken up the you know, political landscape. What changes have you seen in the cyber criminal underground? Obviously a lot of cyber criminal activity is centered in and around, Russia and the former Soviet Republics. Early on there was a lot of tension within some ransomware groups that had both Ukrainian and Russian members. Are you seeing any spillover effect of that kinetic war in the cyber criminal underground?

Itsik Kesler (Kela): Yes, as you mentioned, there was at the beginning of the war, there was the issues with the Conti Group which tied itself with Russia. And then later on someone published their internal communications as a revenge, as a revenge. . And I think that once they have done so it then made [00:25:00] them a bit of a challenge to get money from the US companies when they actually said that they are on the Russian side. US companies were challenged to pay them the ransom because it’s illegal to create to a Russian entity.

Paul Roberts (Security Ledger): They would be violating the sanctions. That’s

Itsik Kesler (Kela): Yeah, . And I think that, that led later on the county group to maybe change their name and create some other groups instead. And this kind of effect, we saw the beginning of the war, but ever since then, things are the way they were.

We haven’t seen any major change. We haven’t seen any major shift. All of the ransom groups are continuing to attack. Yes, some of them are, most of them are based in Eastern Europe or in Russia, but they are not fully announcing it. So you don’t really it does, they don’t, it doesn’t really affect them and things are as they were, I think, so far.

Paul Roberts (Security Ledger): Are we making any progress on against [00:26:00] these cyber criminal groups or is it still heady days in the cyber criminal world, things are going great.

Itsik Kesler (Kela): I think that things are as usual in the cyber crime areas of unfortunately

Paul Roberts (Security Ledger): a growth market.

Itsik Kesler (Kela): unfortunately. Yeah.

Paul Roberts (Security Ledger): Yeah. IIK. Is there anything that I didn’t ask you that I should have asked you before we break?

Itsik Kesler (Kela): I think that you’ve covered everything. I think that one of the things that people should take from this talk is that we don’t want people to work out of fear, but out of strength of knowledge of this, how it works. And I think that this is the crucial part when dealing with this kind of, Cybercrime space of these cyber crimes challenges.

And this is the things that we are trying to cope. And this is the training gap and the tools gap that we saw in this survey that we’ve done. And once the right training is done, once they have the, once people have the right tools, I think this will help them to create their policy to understand how they work to [00:27:00] build a mitigation plan and the mitigation policy and behave accordingly and not stress out whenever there is a big event might affect them.

Paul Roberts (Security Ledger): Itsik Kessler , CTO at Kela, thank you so much for coming on and speaking to us on the Security Ledger podcast. It’s been a pleasure

Itsik Kesler (Kela): Thank you very much, Paul. It’s been a pleasure for me as well.

Paul Roberts (Security Ledger): We’ll have to do this again. We’ll have you on again.

Itsik Kesler (Kela): I’ll take you up on it!

(*) Disclosure: This post was sponsored by Kela. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.

Comments are closed.