Selena
You're listening to the Cyberwire network, powered by N2K. Welcome to a very special Thanksgiving encore of Only Malware in the Building. In this episode, we dive into today's most compelling threats and explore what makes information sharing actually work. From public private partnerships to actionable intelligence so organizations can stay ahead of emerging risks. We hope you enjoy this encore of Only Malware in the Building. Thank you for listening and for those celebrating, have a safe and happy Thanksgiving.
Selena
Follow signs for I95 South.
Keith
You realize we're late again, right? Selena's gonna kill us.
Dave
I told you I had to do a dip check. You can't show up to the Fishy awards without the proper dip represent.
Keith
You brought like half the grocery store.
Dave
Keith. Preparation is key. Nobody likes a dry chip, dude.
Keith
Can I, can I, can I have a chip?
Dave
Absolutely not.
Selena
Turn left onto Diagon Alley. Your destination will be on your left. You two are unbelievable. I told you to leave early. Now we're going to be late. And we're nominated.
Keith
We did leave early. Then Dave decided to run a full audit on condiments.
Dave
Quality assurance is everyone's responsibility.
Selena
If we win tonight and I can't give my acceptance speech, I'm blaming you two.
Keith
Dave, check to see if they're covering the awards pre-show on the radio.
Dave
Hey, this is pretty catchy.
Selena
I mean, it is, but it's not what we're looking for. Keep scrolling. Three of the zero days are actively being exploited.
Keith
If you like Keen.
Dave
Well, hello there and welcome back to American top 40.
Keith
Doesn't sound like it's on yet. Dave, can I please have a chip?
Dave
No. Stop asking me. I had a temp job out of college. I don't think they're covering the red carpet yet. Maybe we'll make it after all.
Selena
Dave, the clock literally says we're 20 minutes late.
Keith
But in cyber security time, that's basically on schedule.
Dave
Exactly. Besides, we've got great tunes, solid company and sick dips in the back seat. What could go wrong?
Selena
You know, when I agreed to come tonight, I didn't think we'd be driving your antique mobile, Dave.
Dave
Antique? I will have you know this is vintage. Classic. Timeless.
Selena
Timeless. Like a typewriter in an office full of laptops.
Dave
Hey, this typewriter has gotten us through a lot of traffic safely.
Selena
Hopefully that's true for tonight too.
Keith
Dave, if you're going to be eating while driving, at least you could give me one chip.
Dave
No, these are ratioed. One chip per dip. Swirl system integrity.
Selena
Dave, both hands on the wheel.
Dave
Relax. It's a controlled dip environment.
Keith
You're actually gatekeeping the dip.
Dave
Yes. Chain of custody.
Keith
Just one gate.
Dave
Let go of the chip.
Keith
Then give me one.
Selena
Guys, you two are gonna make us late and headline the traffic report.
Dave
You owe me guac.
Keith
Worth it.
Selena
Alright, no more fighting, you two. Let's just ride the rest of the way in silence. Next year I'm taking an Uber. Hello everyone and welcome to Only Malware in the Building. Today, with my co-hosts Dave and Keith, we are going to be diving into information sharing and public private partnerships. It is November. We're giving thanks. We're thinking about the ways that we are thankful for our different partnerships and different information that we're able to share back and forth with the wonderful, wonderful cybersecurity community. So why don't we go ahead and kick us off and part of the reason why we're inspired to do this episode is because, Keith, I just recently saw you. This is very exciting.
Keith
Yeah, it was amazing. So we're halfway around the world, we're at Europol in the Netherlands, and all of a sudden we're at a conference, and I'm looking across the room and I'm like, hey, there's Selena.
Selena
Exactly. Hey, there's Keith. And I had no idea that you were going to be there. It's one of these lovely little kismet moments that are happening all the time at conferences. And one of the topics that you were talking about and speaking about at the conference was how public private partnerships work and how they can actually contribute to doing things like takedowns or impacting operations, sharing with the private sector to be more resilient and secure.
Keith
Yeah. And everybody's always talking about sharing public private alliances, sharing threat information. And so, you know, when we were getting together, Dave, we were like, you know, we should talk about this on some of the obstacles, good ways to be able to share information, some of the concerns that people have, and really kind of the right way to do it, because if you don't do it right, it's just kind of worthless. So Selena and I, we got together and we're like, hey, this. This sounds like a good topic. And I'm sure, Dave, you probably have a lot of people that come on Cyberwire that talk about public private alliances and sharing information as well.
Dave
We do. I'm curious, though, like, my take is that public private partnerships are kind of like karaoke. Everybody's enthusiastic until it's their turn.
Selena
I will have you know I am enthusiastic even when it is my turn for karaoke. Yeah. So.
Dave
Well, truth be told, me too. In fact, they have a hard time pulling the mic away from me.
Selena
I know. We got it. Vaudeville. You, cane off.
Dave
Seems like everybody wants everyone else to go first when it comes to information sharing. Is that an accurate assessment?
Keith
Yeah, I think so. And then, you know, sometimes the government is. They're a little too broad on what does information sharing actually look like? You know, nobody wants, you know, when somebody comes in and goes, hey, we're the government. We're here to help. Now give us all your information. You know, people like, whoa, wait a second. Backtrack a little bit. How are we going to do this properly? So we thought we can kind of cover maybe some of the genesis of how this started and where things are going and kind of how if you want to get involved in information sharing, maybe how you could start with your company or just you as a researcher.
Dave
Yeah. Can we start with some of the history here? I mean, Keith, your time back with the FBI, were you with the agency at the outset of some of these programs?
Keith
From an FBI perspective, one of the main information sharing places that they set up was called the National Cyber-Forensics and Training Alliance in my hometown of Pittsburgh. Of course, my boss at the time named Dan Larkin, he was kind of a visionary, and he was the national white collar crime and cyber supervisor at the Pittsburgh field office. And he was looking at Pittsburgh at the time and said, well, you know, we have some good banks like PNC and Mellon Bank. We had the CERT at that time. That was the CERT, the main CERT in the United States, there at Carnegie Mellon. You had great universities at the University of Pittsburgh, Carnegie Mellon, Penn State. And then down the road you had the Internet Crime Complaint Center, which was receiving all these fraud complaints. And so he was saying, well, how could we kind of bring all those things together and kind of tackle this emerging thing, you know, of cybercrime? So what he was able to do was set up a nonprofit, which became the NCFTA and kind of had to be like this neutral space. So it wasn't owned by the government, it wasn't owned by any company or any academic institution. And then this way you can kind of come together and share cyber threat intelligence.
Dave
What was the response to that? Were people, did people embrace it or was there a certain degree of skepticism?
Keith
Well, naturally, there's always skepticism from sharing with the government and, you know, what are the controls? Because most companies are thinking, well, I don't want to, I can't disclose my customer information or the PII or I don't want to talk about an intrusion that we had and be on the front page of the New York Times, you know, saying, hey, we have bad security control. So there is a lot of animosity or concern really at the beginning of doing that and to make sure that you kind of do it right. And Selena, you want to kind of like talk about, like, some of the concerns that you would. Sharing things with the government as well.
Selena
Yeah. So I think when it comes to information sharing, there are a few ways that you can think about it from both of an independent contributor and threat researcher perspective, as well as like a company and private company perspective. And I think, you know, a lot of times people are definitely concerned with sharing information because they don't want any PII to be leaked and they don't necessarily want to get involved in a case or something like that where it kind of gets big. And then also too, people kind of just want to deal with it themselves, right? Like we just, we want to keep this in house. We don't really want to talk about it. We don't want anyone knowing our business. Right? Like, no one wants to be a center of gossip, whether it's about a cyber attack or, you know, how many dips you ate at a party, Dave. So that's part of it. And also too, I think that the question of what is actionable and how is this information being used. I think historically there hasn't been a broad understanding of okay, what is happening with this information and what's going on with it. What is happening with this information? If I give it to you, what is it doing? But what I think has been really cool over the last few years is there has been a lot more visible public private partnership and collaboration. And one of the things that I like point to is Operation Endgame, for example, where there was a lot of private sector companies, like security companies, who collaborated with international law enforcement to do some very major takedowns of some of the most prominent botnets and loaders that would lead to ransomware that would not have happened without everyone coming together and sharing their information. In the private sector. Every company has unique visibility. No one is looking at all of the same information. And that goes the same thing for the private sector. Right?
The US Government sees a lot of different things than what the private sector does. At Proofpoint, we see tons of initial access. That's where we live and breathe and email and my team in particular is email specific. And so, you know, we're seeing initial access and then we go dark. So we don't have any, you know, post exploitation visibility. And that's why it's important for us to collaborate with other threat researchers, for example, and other companies like for example, we've collaborated with The DFIR Report where they see the full attack chain and they can say like, okay, you guys saw this initial access piece. Here's what we saw as you know, follow on compromises and here's what it led to. And I think that, you know, oftentimes when we think about information sharing, we think about it behind closed doors. But one of the most important and useful ways of information sharing is making stuff public and saying, you know, here's my research on this, here's all this information, I'm, you know, putting it up on GitHub or I'm putting it up in a blog and I'm sharing this information to the broader community. So it can be like, okay, I can take action on this regardless of whether I am in law enforcement or if I'm a private sector person, or if I'm just an independent researcher that wants to learn more about this particular threat.
Keith
Yeah, I think it's really important, like you had mentioned Operation Endgame, that you really focus on something specific that you want to share on. Because it's not like, hey, we want all your data. Nobody has the time to go through all the data anyways. But if, like, if you know that this particular piece of malware is going to affect a number of people, then you can pull those teams together and share that specific information. You know, like, so somebody has that initial access. Maybe somebody knows how to reverse engineer the malware and come up with a solution to bring it down. I got to share one of my favorite stories since you had talked about Operation Endgame. When we did the Coreflood takedown, which we brought a whole bunch of people to do that, it was so funny. We were practicing on how we were going to do this takedown and eliminate it, and we were going to send a stop command from one of the C2s that we took over. We were testing it, testing it and testing it, and we had to make sure there weren't going to be blue screens of death all around. So we had to go to the Attorney General and present our solution. And he's like, okay, well, sounds really good. But just remember, guys, if you break it, you bought it. And that was the last thing that he signed off on a warrant to be able to do it. So I'll never forget that.
Dave
Oh, wow.
Selena
If you break it, you bought it.
Dave
So what are the practical implications of this? If I am an organization, let's start with the private sector. I'm in a private organization and I recognize as, let's say, a security professional within that organization that this is worthwhile. How do I make that case to the powers that be, to my board, to my boss, that us putting time and effort into this sort of collaboration is going to pay dividends for us as an organization. Yeah.
Keith
So I think first is if you were going to be messaging your board or trying to get the lawyers on board, you need to talk about why it's a problem to your company and why being part of the greater good will actually help impact and actually make your company safer. Everybody only has so many cycles in a day. And now you're telling me you want to spend extra cycles now working overtime to kind of help the government or help this team, you know, so what does it really mean to the company? Why is it a problem? And also if you're part of the takedown, you may get your name on the takedown press release that you helped. So that could be good publicity on that. Your company is part of the greater good of policing the Internet out there. So I think that's kind of where I would start first. And then you can start talking about what types of information that you could share. And, and I think the government looks at it from a standpoint as share whatever makes you comfortable and then let's build that relationship, that trust and then share more whenever you feel more comfortable. But really just kind of start out sharing what you can as part of this project and lend your expertise and let's see if we can't make a collective win.
Selena
Well, I think so too. There's other options, right? I think a lot of times we think about information sharing as oh, I'm going to share with the government. There's also, for example, like nonprofits, like the Cyber Threat Alliance is like a collective for information sharing can be very beneficial, right, because like you're sharing and then you're also getting information back before it gets public often in many cases. And so you can, you know, be prepared and so you can add that additional layer of preparation within your own product and services. Or you know, from a researcher perspective, like this is what I have to be focusing on or like know that's coming up. From more of like a public private partnership, there's also ways to do like notifications if it, you know, if it's like really open and collaborative, be like, oh, have you seen this? Or like it's a way to kind of say like, is this unique to me and my organization or is this a broader problem that's affecting all of the industry and it can help kind of be a way for collective defense where we have a better understanding. Certainly all of the ISACs, information sharing ISACs that are set up for different industries, that is a very, very useful way for organizations to get involved in information sharing and getting to know their peers within the industry. As a researcher and from that perspective, one of the best things about information sharing is it helps me get to know other people within the community and like what they sort of specialize in and like what do you know about that could potentially help with my research or with community development. And how, you know, how can we share this information? How can I operationalize it within my organization or with you or you know, we stumble across something and it's like, hey, do you know anyone that might be able to help me with this or that might find this very beneficial?
Even when things are made public, there can be a big lack of awareness. So even having that avenue for saying, hey, I just want to make sure that everyone is aware of this as a way to communicate and have like a central repository of information. An example of like, from like a tactical intelligence perspective, like MITRE ATT&CK having an existing framework where intelligence is shared, really condensed down into actionable pieces that all of the community can access. With MITRE ATT&CK, it's like we see this technique, we're adding it to our database, we have defenses that are available and it's really like a one stop shop for you to be like, okay, I see this happening, I need to know how to take next steps and next actions. I'm going to consult this database or I'm going to consult this group that I'm in as a way to get more information about this and how to protect myself.
Keith
You're right on key on that, what you were just saying, because as an FBI agent what I wanted is I want industry to tell me what I should be working on. You know, there are so many different things that you could be working on out there and you only have so many cases that you could work. So if you're telling me that, you know, this botnet or this ransomware group is the worst of the worst and that's where I should be focusing on, that really helps me with my targeting and then to be able to leverage the expertise from the industry working groups because you know, everybody has that different layers of visibility that could help me to focus on where I need to do search warrants or where I need to send legal process or just to really understand the threat and get victim notification out. So really as an agent, the industry is really the eyes and ears of where I want to focus.
Dave
How much of this goes on behind the scenes? The back channels, the, you know, the group chats on Signal? How important are those in this whole effort?
Keith
Oh, it goes on all the time and it's all built on trust. So it's really building these personal relationships and understand who does what in what company. When we were at Europol, it was like a high school reunion. We're just going through this like, hey, I haven't seen you in ages. We haven't caught up in real life in a long time. It's such a small community. Even though you think of all the security researchers are out there, there's thousands of them, but everybody knows everybody. So it was just really good to get together and you hear what people are working on and you may say, well, hey, I may have something that could help you out. And so it's just like this, you know, built on personal relationships.
Selena
Well, and I think too it can be a catalyst for furthering an understanding of cybersecurity in general. And Dave, I don't know if you hear this from guests on your podcast, but I think a lot of times people in our industry are a little bit frustrated with the sort of lack of understanding of cybersecurity issues from law enforcement or policy or like decision makers or even within companies. Right. Like, is that something that you hear a lot where it's still kind of this like, little bit of a black box where there's a gap between the people that are doing the work and like knowledgeable about things and then the people that are making the decisions, whether it's policy or, you know, business decision making. And I think that that's where information sharing can really help close that gap.
Dave
Yeah, for sure. I tend to refer to it as a translation layer, you know, like between the folks who are talking tech and the folks who are talking business risk. And there has to be somebody who speaks both of those languages, which is like the old joke about the UK and the US that is two nations separated by a common language. And I feel like somehow I'm experiencing.
Keith
That right now over in London.
Selena
Dave. Quite, quite right.
Dave
Belt or braces. So there's those kinds of things. I'm curious how much of a responsibility we think the government has to enable these things because, you know, as we're recording this, we are still in the midst of a government shutdown. And as part of that, the CISA 2025 legislation, which provided coverage for protection for organizations who are sharing from liability, is in limbo right now. It's technically expired. And I think a lot of organizations are still in good faith sharing, hoping that it will be reinstated retroactively. But I think it points to the fact that organizations need these reassurances from the government that they can share without risk of repercussions.
Keith
Yeah, that's important because when I was at the FBI, I thought everybody shared with the government willingly. And then I went to EY and it was just like every time we were doing an incident response or whatever, it was like, nope, nope, we're not giving this, we're not calling the FBI, we're not calling the Secret Service.
Dave
Keith, put down that phone.
Keith
Yeah, so those protections in place are just vital because without them, probably 90% of legal counsel is going to say no. Hey, yeah, we want to do the greater good bit. At the same time we have to protect our company. We need to make sure that we're not liable for anything. You know, once those protections are in place, we'll continue to do it, but it's really essential that that gets taken care of.
Selena
Well, and I think right now we're in a time of a lot of success of public private partnerships and seeing some of the wins, I think has been really great, especially when it comes to cybercrime. So I think historically there's been a lot of focus on espionage and nation state activity and spying and that sort of thing from a collective defense perspective. But I think right now, over the last couple of years, it's been really heartening, I think, to see the information sharing and the collective defense and collaboration from a cybercrime perspective. And it's led to some really big wins, you know, even if it's sort of like a temporary disruption. And if you look at, for example, like the Lumma Stealer takedown recently with Microsoft and law enforcement collaborating on that, it did have a really big impact. It was, you know, it was a little bit limited and you know, Lumma Stealer kind of bounced back a little bit. But even those cases can have significant impact on the operators themselves, the ecosystem, sowing distrust, you know, having these questions in the threat actors' minds of like, is this really worth it? To me, having to impose costs like literal financial costs as well as the time cost and the reputation cost can be massive. So right now, public private partnership is essential in combating everything from cybercrime to, you know, this sort of nation state activity. And threat actors are not slowing down, they're not going anywhere. And it's really important for organizations to feel confident in sharing that, you know, critical threat intelligence because really, collective defense from both a national security perspective, but as well as like a business risk and resilience perspective is really, really a cornerstone of that, is in, you know, information sharing and making sure that everyone is aware of these threats.
Dave
Yeah.
Keith
And it's important, you know, that nobody has complete visibility, so you have to share the information in order to get the complete picture. I know you had mentioned, you know, that there are a number of information sharing on the cyber crime side, but there is one called the National Defense Cyber Alliance down in Huntsville that is really put together for those national security attacks as well. So it's not as widely known as maybe some of the other, like ISACs and the NCFTA and others, but it is kind of sprouting and growing as well.
Dave
Selena, I'm curious. You know, you and your colleagues at Proofpoint publish a lot of research. How much do you find that that sparks conversations with other folks in the industry? When you publish something, do you get a bunch of responses from that and say, hey, I saw what you published and we think we might have something related here?
Selena
Oh, all the time. It happens all the time. It's great. And that's why I like publishing stuff. We want more information. So publishing information begets more information. It's fantastic. It doesn't happen with literally everything we publish, but almost everything we publish, I have to say, and in a lot of cases, you know, we'll reach out to our information sharing partners ahead of time. Be like, do you guys have any visibility into this? What are you seeing? How are you responding to this? So recently, earlier this year, my colleague Ola and I published some details on remote monitoring and management abuse as being delivered as first stage payload. So we see of course, a lot of the first stage email threat being, you know, RMMs being dropped that way, which was very unique. But we're like, okay, but what happens next? And then also, are these RMMs that are being delivered as a first stage payload, are they different than the ones that are being used post compromise? So once a threat actor actually has access to an environment, are they using the same tools or different tools to move laterally? We reached out to our partners at The DFIR Report, at Red Canary, you know, other folks in the industry to be like, hey, like, what are you seeing and how is that tying into the RMM narrative and the conversation? And so we ended up, you know, publishing some details and Red Canary has some fantastic information about RMMs that they also have published and made available. And then certainly, you know, with The DFIR Report, they do deep dives into the attack chains and say, okay, you know, looking at this and a lot of times when a company will publish information about a particular attack chain that's happened post compromise, we can go back to our data and oh, we saw this activity, like this is related to this threat actor from this August 2025 campaign.
So we know now that this RMM is dropping this particular malware because of information that was shared from the community. And so it's really important to not only be open to collaboration, but also if you can share what you can with people. And what I have found is that fellow researchers are so open. It's really great because I think, you know, most of us are in this industry because we care and because we want to do good and we want to have, you know, a safe world and contribute to collective defense. Whether that's, you know, we work for the government or whether that's we work for a business or whether that's we run our own security consultancy. Right? Like, I think a lot of us are driven by that community idea of, you know, we want to protect each other. And so I think that that really shows how beneficial it can be when people do push stuff out there and be open with sharing.
Dave
Keith, what about moderation? I mean, like, did you ever run into folks who were kind of over sharing and you had to ask them to dial it back or, you know, like, like I. Stop calling me.
Keith
No, no, no, I don't think that. I don't think that ever happened. Everything in moderation, though, Dave. Just remember that's the key of life. Everything in moderation.
Dave
Except for dips. Except for dips.
Keith
Except for dips. But no, no, I think, you know, again, just, you know, share. Share what you can. And I mean, I guess sometimes, you know, you got a little too much. And I would say back to somebody, I got enough right now. Just, you know, I'm good with what you got, you know, what you gave me, but I'm good right now. But I don't think that happens too frequently. You know, if you're sharing, especially when you're like, as part of, like the NCFTA or the CDA or, you know, those ISACs, if you're sharing that information, chances are, you know, like, let's say you're a financial institution and you're sharing threat information that you're seeing, chances are another financial institution is going to get hit in a month from now. So that could help them with their defense, you know, because maybe, like, if you're like a, you know, a big top five bank, you're going to see the attacks first and then the smaller credit unions are going to see those in, you know, eight to 10 months. So if you're sharing that information, you're really helping the greater good, you know, down the line as well.
Dave
Where do you suppose we're headed here? What's the future look like when it comes to information sharing?
Keith
The one thing that I just want to say is, you know, we've been doing this a long time. You know, over 20 years, we've been sharing information. And my one pet peeve, Dave, is that I go to a lot of conferences and new people that have come that have just been around for one year or two years, they go, hey, we need to. We need to do information sharing. We need to. But it's like, we've been doing this 20 years. We're not reinventing the wheel. So I am hoping that in the future, in these next couple years, that people will be talking about it, that this is just part of how we do business on the Internet and how we do business as the white hats and the greater good. And this isn't something new that we need to talk about all the time because it's just being like air. You're just breathing and you're doing it naturally. So that is my hope.
Selena
Hope.
Keith
I hope we get there.
Selena
Well, I think right now is a very interesting time for information sharing, Dave, as you mentioned. So my hope is that people continue to realize the value of this and whether or not there are roadblocks in place from existing means of information sharing or whether we continue as we have been. Either way, I mean, I think, to Keith's point, just making it part of how we do business, and also I think, too, having a better understanding and seeing the outcomes, because I think oftentimes people are a little bit hesitant to be like, oh, well, what are we doing? Sharing information and not understanding some of the outcomes that can be very, very beneficial. And so I think not just sharing information, but sharing what happens and how you have used it and how you took action on it and how it protected your organization can actually provide a lot more benefit and can, you know, make people more engaged with it. Because, you know, I actually always joke when I go to a conference or when I'm listening to a podcast or whatever. It's like if someone says public private partnerships, I'm like, drink, like, bingo. You know, like, okay, keyword, buzzword. Because oftentimes it's like, okay, well, so what? Like, it's a public private partnership is like, it exists, but if it's not leading to actionable information and actionable information sharing and you're not seeing the results of it, it can seem like this buzzword or this, like, okay, yeah, sure, whatever. Like, we're just gonna fill a panel to talk about it at a conference. So I think when it comes to, like, the future of information sharing, sharing the outcomes, and I think, you know, some of the big cybercrime takedowns that have happened that, you know, have all those logos and have all those names of the people that have been involved is huge because you're like, okay, this is the reality. This is what happens with the information that we share.
Keith
The communication is the key because people want to know that what they're sharing is actually being put to good use. And it's useful because then that will build that trust and say, hey, I want to do more. You know, I want to do this more. Nobody wants to just share information to a black hole. Just like, hey, it's just going in there. And I don't know whether my data is good or not, or what I'm providing is going to the greater good. So I think communication and messaging, that is really key going forward as well.
Selena
The greater good.
Keith
The greater good.
Selena
The greater good. Every time. I just have to say it like that.
Dave
Actionable intelligence is much better than all of the decorative intelligence lying around, right?
Selena
Absolutely, yes. You don't want to just have intelligence that you can hang in your office or on your mantelpiece.
Dave
Caring is sharing.
Keith
Are we going to talk about decorative intelligence for Christmas then, on our next podcast?
Selena
Oh, there you go. Yeah. Deck the halls with threat intelligence.
Dave
Yeah.
Selena
Well, this has been a lot of fun. This is one of the things that I am very passionate about. Keith, I know you are as well. And Dave, you are basically an information sharing group yourself as the podcast host of CyberWire. Yeah. I mean, you do intelligence distribution and communication that are very, very vital as well. So, you know, that's actually one part of information sharing is communicating out to a massive audience and hoping, you know, people take action on it. So, yeah, so thank you everybody for tuning in, as always, and we hope you enjoyed this episode of Only Malware in the Building, and we will see you next time.
Podcast: CyberWire Daily
Episode: Pass the intel, please. [Only Malware in the Building]
Date: November 28, 2025
Host: Selena, with co-hosts Dave and Keith
Main Theme:
This special Thanksgiving encore dives into the practicalities and value of information sharing in cybersecurity—how organizations, from private industry to public sector, work together to combat emerging threats, enhance resilience, and foster a safer digital space. The episode explores the successes, challenges, and ways forward for public-private partnerships and actionable intelligence, drawing on real-world examples and the hosts’ own experiences.
Public-Private Partnerships Are Essential:
The hosts explore why collaboration between sectors is crucial for collective defense. They share stories of ad-hoc encounters at conferences and reflect on how these chance meetings can spark critical projects (06:32).
Quote:
"It's one of these lovely little kismet moments that are happening all the time at conferences." – Selena (06:42)
Barriers to Sharing:
Fear of liability, loss of customer trust, or leaking sensitive data often keeps organizations from fully participating. Both cultural and legal barriers persist, despite progress (10:46).
Quote:
"Most companies are thinking, well, I can't disclose my customer information or PII or talk about an intrusion... and be on the front page of the New York Times." – Keith (10:49)
The Need for Neutral Ground:
Keith discusses the establishment of the National Cyber Forensic and Training Alliance (NCFTA) as a third-party hub to foster trusted sharing between government, industry, and academia (09:11).
Quote:
"He was able to set up a nonprofit, which became the NCFTA… so it wasn't owned by the government... and you could come together and share cyber threat intelligence." – Keith (09:58)
Start Small, Build Trust:
Organizations are encouraged to share only what they're comfortable with at first; trusting relationships can lead to deeper collaboration over time (17:13).
Quote:
"Share whatever makes you comfortable and then let's build that relationship, that trust and then share more whenever you feel more comfortable." – Keith (17:20)
Collective Wins:
Operation Endgame and the Coreflood takedown exemplify the tangible results from robust collaboration between private and public actors (14:28).
Quote:
"Operation Endgame… would not have happened without everyone coming together and sharing their information." – Selena (13:44)
Memorable Moment:
"The Attorney General... said, 'Just remember, guys, if you break it, you bought it.'" – Keith (15:24)
Demonstrating Business Value:
The group discusses how to convince boards and legal teams that sharing information not only serves the greater good but protects the company and can boost its reputation (16:26).
Quote:
"You may get your name on the takedown press release… your company is part of the greater good of policing the Internet." – Keith (16:55)
ISACs, Alliances, and Backchannels:
Information sharing isn’t always formal. Trusted backchannels, ISACs, and consortia are vital to day-to-day defense (23:47). The informal "high school reunion" vibe at conferences helps foster these networks.
Quote:
"It goes on all the time and it's all built on trust...it was like a high school reunion." – Keith (23:47)
Constant Dialogue:
Sharing intelligence—openly in blogs, reports or privately—often triggers new insights and partnerships (30:09).
Quote:
"Publishing information begets more information. It's fantastic." – Selena (30:09)
The Need for Liability Coverage:
Expiration of legislative protections (e.g., CISA 2025) leaves organizations hesitant to share. Legal clarity is a prerequisite for widespread, good-faith collaboration (26:37).
Quote:
"Those protections in place are just vital because without them, probably 90% of legal counsel is going to say no." – Keith (27:00)
From Tactical to Operational:
Tools like MITRE ATT&CK help distill intelligence into actionable steps, facilitating sector-wide resilience. Sharing isn't just altruism; it's directly beneficial in both detection and response (19:53).
Quote:
"MITRE ATT&CK… all of the community can access… it's a one-stop shop for... next steps and actions." – Selena (19:53)
Operational Transparency and Outcomes Matter:
Future success depends on sharing not only intelligence, but the outcomes and efficacy—moving from "buzzword" to real-world value (36:00).
Quote:
"Sharing the outcomes... how you took action on it and how it protected your organization can actually provide a lot more benefit." – Selena (36:06)
Personal Motivation for Collaboration:
Most researchers and practitioners are driven by a sense of duty to the greater good—a shared mission to make the cyber realm safer for all (31:51).
Quote:
"Most of us are in this industry because we care and because we want to do good... we want to protect each other." – Selena (31:56)
Humor and Relatability:
Running dip jokes and playful banter throughout enhance camaraderie and make the technical discussion relatable.
| Timestamp | Speaker | Quote / Moment |
|-----------|---------|----------------|
| 07:45 | Dave | "My take is that public private partnerships are kind of like karaoke. Everybody's enthusiastic until it's their turn." |
| 15:24 | Keith | "'Just remember, guys, if you break it, you bought it.' And that was the last thing that he signed off on a warrant to be able to do it." |
| 17:20 | Keith | "Share whatever makes you comfortable and then let's build that relationship, that trust and then share more whenever you feel more comfortable." |
| 23:47 | Keith | "It goes on all the time and it's all built on trust...it's such a small community. Even though you think of all the security researchers out there, there's thousands of them, but everybody knows everybody." |
| 30:09 | Selena | "Publishing information begets more information. It's fantastic." |
| 36:06 | Selena | "Not just sharing information, but sharing what happens and how you have used it and how you took action on it and how it protected your organization can actually provide a lot more benefit." |
| 37:43 | Selena | "Absolutely, yes. You don't want to just have intelligence that you can hang in your office or on your mantelpiece." |
"The greater good."
The refrain echoes throughout, underlining the ethos of the cybersecurity community—sharing information, sharing outcomes, and building trust isn’t just a tactical need, but a foundational value that keeps everyone safer.
"Deck the halls with threat intelligence," quips Selena, underscoring that while the work is serious, the camaraderie and shared sense of purpose make all the difference.