Threat Vector Podcast – "Lessons from the Underground"
Palo Alto Networks & N2K Networks
Host: David Moulton (Senior Director, Thought Leadership, Unit 42)
Guest: Keith Milarsky (Chief Global Ambassador, Q Intel; former FBI special agent)
Release Date: December 18, 2025
Episode Overview
This episode explores how lessons learned from underground cybercrime investigations can reshape modern Security Operations Centers (SOCs). Host David Moulton speaks with distinguished guest Keith Milarsky, who draws on over two decades of experience at the FBI—leading landmark takedowns of cybercrime forums and botnets—and his current work helping organizations transform cyber intelligence into robust, proactive defense strategies. The discussion emphasizes why thinking like an adversary, understanding context, and enhancing cross-sector collaboration are crucial for today’s security teams.
Key Discussion Points and Insights
1. Keith Milarsky’s Cybersecurity Journey
[02:22–05:19]
- Keith began with the FBI in 1998, starting in Russian counterintelligence and later moving to cyber operations.
- Notable career moments: the Robert Hanssen case, 9/11 investigation, and undercover operations in dark markets.
- Quote [02:47]:
“I started out working Russian counterintelligence...Around 2004, my wife...jokingly said, ‘I’m giving you five years to get us out of D.C. or we’re getting divorced’...A position came open in this new, small cyber unit in Pittsburgh...So I started working with industry...looking at the dark markets...we crafted a legend for me to work undercover.”
- Shifts in perspective between FBI/government (offensive, people-focused) and private sector/EY (defensive, prevention-focused).
- Quote [06:01]:
“How we viewed the cyber threat...working with corporations is a lot different than how we viewed it in the government...to bring experiences from both sides, I think is really unique.”
2. Lessons from Undercover Work: Focusing on People, Not Just Malware
[06:39–08:35]
- The core lesson: cyber threats are people-driven.
- Quote [07:01]:
“We get so tied up in cyber with this malware, with this exploit...that we forget at the end of the day, it’s just people that are behind that keyboard...you don’t have a cyber problem. You have an adversary problem.”
- Adversaries operate much like regular businesses—hiring staff, running operations.
- Media misconceptions make adversaries seem cinematic; in reality, it’s often mundane, process-driven work.
3. What’s Broken in Today’s Security Operations Centers?
[10:32–14:07]
- Alert fatigue and lack of context: SOCs are overwhelmed by alerts and logs, leading to a reactive, rather than strategic, approach.
- Quote [10:32]: “It’s alert fatigue...reacting to this alert, to this alert, to this malware, and it’s really not understanding the context of why you’re getting attacked.”
- The mismatch between KPIs (focused on activity/ticket throughput) and true risk reduction.
- Illustrative Anecdote [12:21]:
- A company failed to realize that its “crown jewels” weren’t just financial assets, but the critical business intelligence contained in its emails.
- Chinese threat actors accessed a chief negotiator’s inbox for weeks, leading to billion-dollar losses during negotiations.
- Quote [12:21]: “From email hacks, they literally lost billions of dollars because there was no context...it just blows my mind.”
4. How to Make SOCs More Effective: Learning from the Adversary
[15:57–18:38]
- Visibility into the dark web: Organizations must monitor criminal forums, chat channels, and marketplaces to anticipate how adversaries will attack.
- Quote [16:11]: “If you’re not seeing what the criminals are talking about...you’re flying blind...intelligence should drive operations.”
- Intelligence should shape priorities: If criminals are discussing certain vulnerabilities, defensive actions should adapt quickly.
- Tabletop exercises & muscle memory:
- Practicing incident response, understanding executive decision-making, and using intelligence to simulate scenarios is essential.
- Illustrative Anecdote [18:38]:
- In a ransomware exercise, a CEO immediately decided to pay ransom, showing company culture’s impact on IR strategy.
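The two points above (alerts without context produce alert fatigue; intelligence should set priorities) can be made concrete as a triage rule. The following is an added example written for these notes, not code from the podcast, Unit 42 or Qintel: it scores alerts by asset value (the “crown jewels” identified with the business), by whether the owner’s role or the referenced CVE appears in current adversary chatter, and by whether the alert’s technique is active, so that a quiet mailbox-access alert on a negotiator’s inbox outranks a noisy commodity-malware alert on a lab box. Every asset, alert, CVE id and intel entry is constructed; the CVE ids are placeholders.

```python
"""Context-driven alert triage: rank SOC alerts by who is being targeted,
what the asset is worth and what adversaries are currently discussing,
rather than by raw alert volume. Added example; all data is constructed."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Asset:
    name: str
    owner_role: str                   # e.g. "chief negotiator" (constructed)
    crown_jewel: bool                 # business-critical, agreed with the business
    exposed_cves: frozenset = field(default_factory=frozenset)


@dataclass
class Alert:
    alert_id: str
    asset: str                        # asset name the alert fired on
    signature: str                    # detection name / technique label
    cve: Optional[str] = None         # CVE the detection is tied to, if any


# Constructed intelligence feed standing in for dark-web monitoring output.
# The CVE ids are placeholders, not real vulnerabilities.
INTEL = {
    "cves_discussed": {"CVE-0000-EXAMPLE-1"},
    "targeted_roles": {"chief negotiator", "cfo"},
    "active_techniques": {"mailbox-access", "remote-tool-abuse"},
}


def score_alert(alert, assets, intel):
    """Return (score, reasons). The base score is tiny; context drives the ranking."""
    score, reasons = 1.0, []
    asset = assets.get(alert.asset)
    if asset is None:
        reasons.append("unknown asset: inventory gap")
        return score, reasons
    if asset.crown_jewel:
        score += 5.0
        reasons.append("crown-jewel asset")
    if asset.owner_role in intel["targeted_roles"]:
        score += 3.0
        reasons.append(f"role '{asset.owner_role}' named in adversary chatter")
    if alert.cve and alert.cve in intel["cves_discussed"]:
        score += 3.0
        reasons.append(f"{alert.cve} actively discussed on criminal forums")
    if alert.cve and alert.cve not in asset.exposed_cves:
        score -= 0.5
        reasons.append("asset not exposed to the referenced CVE")
    if alert.signature in intel["active_techniques"]:
        score += 2.0
        reasons.append(f"technique '{alert.signature}' seen in current campaigns")
    return score, reasons


def prioritize(alerts, assets, intel=INTEL):
    """Rank alerts highest score first; each entry carries its reasoning."""
    ranked = []
    for alert in alerts:
        score, why = score_alert(alert, assets, intel)
        ranked.append({"alert_id": alert.alert_id, "score": score, "why": why})
    ranked.sort(key=lambda row: row["score"], reverse=True)
    return ranked


# Constructed sample inventory and alert queue.
ASSETS = {
    "mbx-negotiator": Asset("mbx-negotiator", "chief negotiator", True),
    "lab-vm-07": Asset("lab-vm-07", "lab", False, frozenset({"CVE-0000-EXAMPLE-2"})),
}
ALERTS = [
    Alert("A-1", "lab-vm-07", "commodity-malware", cve="CVE-0000-EXAMPLE-2"),
    Alert("A-2", "mbx-negotiator", "mailbox-access"),
    Alert("A-3", "lab-vm-07", "exploit-attempt", cve="CVE-0000-EXAMPLE-1"),
]

if __name__ == "__main__":
    for row in prioritize(ALERTS, ASSETS):
        print(row["alert_id"], row["score"], "; ".join(row["why"]))
```

The weights are illustrative; what matters is that each contributing factor is written down as a reason, so an analyst can see why the mailbox alert came first and a KPI can be built on risk reduced rather than tickets closed.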
5. The Power of Public-Private Collaboration
[21:03–24:14]
- Keith emphasizes the need for targeted, focused information sharing between industry and law enforcement.
- Success in major botnet takedowns (e.g., GameOver Zeus, Operation Endgame, Trickbot) relied on coordination among security vendors, banks, and law enforcement.
- Quote [21:22]: “No one organization...has complete visibility...the biggest successes...are when we have things very narrowed on what we want to accomplish...then you can come up with a strategy on how to attack things.”
6. Cultural Barriers and Progress in Global Collaboration
[24:14–26:28]
- While the U.S. leads in some areas, gaps are closing rapidly worldwide.
- Legal and operational frameworks differ across countries, requiring flexibility (e.g., classifying crimes as “wire fraud” instead of “cyber” where necessary).
- Security cultures—both in government and commercial spheres—are gradually converging on best practices.
7. The Evolving Adversary: Tactics and Trends to Watch
[26:28–28:47]
- Supply chain attacks are increasing—SolarWinds cited as a prime example.
- Nation-state actors favor “living off the land” (LOTL) techniques to evade detection tools like EDR.
- Cybercriminals continue to succeed with phishing and abuse of remote management tools, which are often whitelisted.
- Quote [26:47]: “We’re seeing much more...of trying to live off the land...Phishing is still huge...AI is making phishing lures much more, much better...But at the end of the day, social engineering still works very well.”
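Because a sanctioned remote-management tool is allowed to run, its abuse shows up only in context: which account launched it, on which host, and what parent process started it (an email client or office application points at a phishing chain). The block below is an added example for these notes, not code from the podcast or any vendor; the tool name rmm-agent.exe, the host and user names, the baseline and the CSV telemetry lines are all constructed.

```python
"""Detecting abuse of a whitelisted remote-management tool by comparing each
execution against a baseline of who, where and what launched it.
Added example; the tool name, hosts, users and log lines are constructed."""

import csv
import io
from collections import namedtuple

Finding = namedtuple("Finding", "host user process parent reasons")

# Constructed baseline: where the sanctioned tool is expected to run.
BASELINE = {
    "tool": "rmm-agent.exe",                        # hypothetical sanctioned RMM binary
    "authorized_users": {"corp\\it-admin1", "corp\\it-admin2"},
    "expected_parents": {"services.exe", "rmm-updater.exe"},
    "managed_hosts": {"ws-001", "ws-002", "srv-fin-01"},
}

# Parents that mean the tool was started from a user-facing application,
# the usual shape of a phishing-delivered remote-access session.
USER_FACING_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "msedge.exe", "chrome.exe"}

# Constructed process-creation telemetry in CSV form.
SAMPLE_LOG = """\
ts,host,user,process,parent
2025-12-18T09:01:00Z,ws-001,corp\\it-admin1,rmm-agent.exe,services.exe
2025-12-18T09:05:12Z,ws-002,corp\\jdoe,rmm-agent.exe,outlook.exe
2025-12-18T09:07:44Z,ws-099,corp\\jdoe,rmm-agent.exe,explorer.exe
2025-12-18T09:09:03Z,srv-fin-01,corp\\it-admin2,rmm-agent.exe,rmm-updater.exe
2025-12-18T09:11:30Z,ws-001,corp\\jdoe,notepad.exe,explorer.exe
"""


def evaluate(event, baseline=BASELINE):
    """Return the list of baseline deviations for one process-creation event."""
    if event["process"].lower() != baseline["tool"]:
        return []                                   # not the tool we are baselining
    reasons = []
    if event["user"].lower() not in baseline["authorized_users"]:
        reasons.append("user not in RMM operator baseline")
    if event["host"].lower() not in baseline["managed_hosts"]:
        reasons.append("host not enrolled for remote management")
    parent = event["parent"].lower()
    if parent in USER_FACING_PARENTS:
        reasons.append(f"launched from user-facing app {parent}")
    elif parent not in baseline["expected_parents"]:
        reasons.append(f"unexpected parent {parent}")
    return reasons


def detect(log_text, baseline=BASELINE):
    """Run the check over CSV telemetry; one Finding per event that deviates."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = evaluate(row, baseline)
        if reasons:
            findings.append(Finding(row["host"], row["user"], row["process"],
                                    row["parent"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f.host, f.user, f.parent, "->", "; ".join(f.reasons))
```

Sanctioned executions by the IT operators (rows 1 and 4) produce nothing; the same binary launched by an ordinary user from Outlook, or on a host that was never enrolled, is reported with each deviating attribute named, which is the context an analyst needs to decide quickly rather than triage one more process alert.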
Notable Quotes & Moments
- [07:01] Keith Milarsky: “You don’t have a cyber problem. You have an adversary problem.”
- [12:21] Keith Milarsky: “[They] literally lost billions of dollars because there was no context...just triaging this or triaging that, really not understanding who your adversary is, why they’re attacking you and what they’re really after.”
- [16:11] Keith Milarsky: “Intelligence should drive operations.”
- [18:38] Keith Milarsky: “You’ve got to do tabletop exercises...Testing your incident response plan, testing your policies, understanding how the C-suite is going to make decisions...can help you prioritize.”
- [21:22] Keith Milarsky: “No one organization...has complete visibility...biggest successes...are when we have things very narrowed on what we want to accomplish.”
Fun/Casual Moments
- [29:26–31:28] “Only Malware in the Building” and Hot Sauce Challenge
- Keith shares stories from a related podcast, including participating in a hot sauce challenge.
- Quote [29:36]: “We did. All three of us did the highest level twice when Dave tried to turn on his FBI interrogation techniques on me, which was a lot of fun.”
Timestamps for Important Segments
- Keith’s background & transition: [02:22–05:19]
- Lessons from undercover dark market work: [06:39–08:35]
- What’s wrong with the SOC today: [10:32–14:07]
- The need for context and threat intelligence: [12:21–14:49]
- Adversary collaboration lessons for defenders: [15:57–18:38]
- The value of tabletop exercises & culture: [18:38–21:03]
- Cross-sector collaboration in practice: [21:03–24:14]
- Cultural differences & legal frameworks: [24:14–26:28]
- Emergent tactics and threats: [26:28–28:47]
- Closing and personal anecdotes: [28:54–31:28]
Takeaways for Security Professionals
- Focus on the human adversary, not just technical tools.
- Context is king—understand not just what’s happening, but who is attacking and what they want.
- Threat intelligence and dark web monitoring enable proactive, prioritized defense.
- Culture and company leadership profoundly shape response effectiveness.
- Effective public-private collaboration requires clearly defined, targeted goals.
- Stay vigilant for both sophisticated threats (supply chain, LOTL) and ongoing basics (phishing, social engineering).
Where to Find More
- Keith Milarsky on LinkedIn and the podcast “Only Malware in the Building.”
- Connect with host David Moulton and explore further Palo Alto Networks thought leadership via their security blogs and conference appearances.
For security pros aiming to advance their SOC effectiveness, this episode underscores the value of an adversary-driven mindset, targeted collaboration, and not losing sight of the people (on both defense and offense) at the center of every cyber battle.
