Information is the new gold. Whether you’re a business or an individual, cybercriminals are always finding new ways to breach your security defenses and steal your sensitive data.
It takes one data breach to compromise your financials and personal information.
So, how can you secure your online privacy and security beyond the mainstream advice found all over the internet, which hackers already know as well as you do?
In this new interview series by Safety Detectives, we bring you exclusive insights from top executives and leading cybersecurity professionals. Join us as they share expert tips, real-world experiences, and untold truths about protecting and securing your valuable information.
Our guest today is Dan Sherry, cofounder & CEO of Pulsedive, a free threat intelligence platform that provides high-fidelity, actionable intelligence on millions of IPs, domains, URLs, and threats using open-source threat intelligence (OSINT) feeds and user submissions from around the world. They also offer paid products and commercial enterprise platform offerings.
With years of experience in incident response, security engineering, and security operations across both government and Fortune 500 financial services, he leads Pulsedive’s efforts in delivering quality threat intelligence to security teams worldwide.
He started his career at ADP as an Associate Security Engineer and later as a Senior Security Analyst and Associate CIRC Analyst before joining the Federal Reserve Bank of New York as a Cyber Security Analyst in 2016. He also holds a BS in Cybersecurity and several certifications, including CompTIA Security+ and GIAC Certified Intrusion Analyst (GCIA).
To start, can you please introduce yourself and share your journey to founding Pulsedive?
I am Dan Sherry, the cofounder & CEO of Pulsedive, a company delivering frictionless threat intelligence solutions to growing teams. I work on building and improving our threat intelligence platform which helps security defenders analyze malicious sites and address threats in real-time.
Being exposed to hacking in my teens led me to a lifelong interest in coding and information security. I spent the early part of my teenage years in AIM chat rooms, where I met a lot of hackers and programmers who reverse engineered AIM’s protocols and built tools that exploited it. I picked up programming at 14 so I could build tools myself that expanded on what was already out there.
By the time I went to university I loved programming, and chose Computer Science as my major. I was fascinated by the idea that I could build something with just my knowledge and a keyboard, that could be used by millions of people all over the world.
Because I knew information security was a growing industry, I switched my major to Cybersecurity pretty early on. It’s a really difficult and multi-layered subject to learn on your own so a curriculum to structure that education really helped. I became more interested in the defensive side of security in my studies and went on to work for a large payroll provider with a leading security organization, moving around between incident response and security engineering and operations.
Even back then, I knew I wanted to build something on my own that could help critical organizations defend themselves against nation state hackers and cybercriminal organizations with unlimited resources.
The earliest ideas around Pulsedive were born from challenges I faced working on these defensive security teams. We were getting a ton of alerts on IP addresses and URLs and ingesting a ton of open source intelligence on cyber threats, so how can we correlate the two data sets in order to understand if what we’re seeing has been seen before by someone else? This led to Pulsedive’s use by security practitioners all over the world today.
What are the pain points you solve, and for whom?
The Pulsedive Community platform brings together known threat intelligence into one place, vetting the data to reduce noise and help identify risks. Security practitioners working in security operations, threat hunting and detection, incident response, and risk management rely on our up-to-date intelligence to make informed decisions within their roles.
Two of our most-searched data types include threats (e.g., APTs, ransomware, phishing, vulnerabilities) and indicators (e.g., domains, IPs, and URLs). By presenting a wealth of context and correlating data together, our users can simplify their investigation and make better decisions, faster.
What are the most common cybersecurity and online privacy threats affecting end users? Why are these threats particularly concerning?
Over the past decade, industry-leading companies have made strides in making the Internet a safer place. HTTPS is now standard, end-to-end encryption is becoming more widespread across messaging apps, and app stores have implemented better security standards that developers must meet for their apps to be accepted.
However, two persistent threats still come to mind: phishing/scams and insecure devices.
Phishing and online scams
Phishing sites and online scams are becoming more convincing, inventive, and targeted. On the phishing side, it’s easy to find employees with sensitive access, like an administrative assistant, on LinkedIn and send them a convincing phish to gain access to the organization.
At the time of writing this, an ongoing malicious campaign is targeting Microsoft Azure cloud environments. The attackers are targeting a wide range of individuals, from sales directors to finance managers to executives like vice presidents and CEOs, in the attempt to gain access to valuable resources and sensitive data.
Source: https://www.proofpoint.com/us/blog/cloud-security/community-alert-ongoing-malicious-campaign-impacting-azure-cloud-environments
On the scam side, threat actors have been very effective at capturing vulnerable victims who are not expecting foul play. Today, there are more attack vectors than ever to do that, including search engines and app stores. As an example we observed firsthand, users search for a technical support number, call the first number (which appears legitimate), then end up falling victim with compromised banking credentials.
Insecure devices on a network
There have been many instances of strangers peeping on households by gaining access to smart devices that have not been developed, tested, and installed with security as a primary concern. Some of these are security cameras, smart devices, or voice assistants.
Two recent examples of camera hacks:
- https://threatpost.com/inexpensive-webcam-turned-into-backdoor/115854/
- https://www.nbcnews.com/tech/tech-news/i-m-your-baby-s-room-nest-cam-hacks-show-n950876
🛡️ It’s important to set strong passwords and security controls to restrict access to these devices from outside the network. The same principles apply to organizations that set up network devices and servers without adequate security controls, and fail to track them in their asset inventory. It’s easy to set up a foothold or backdoor on those devices for persistence.
A reason for that is also that weak passwords and lack of MFA persist as key issues, leading to compromises at large companies and serious breaches of sensitive data.
What common beliefs about cybersecurity and online privacy do you passionately disagree with? Why?
There are several beliefs about passwords that have been adopted by the cybersecurity community that have not yet caught up to the general public. Importantly, keeping the end user in mind to balance “security against attackers” with “positive user experience” leads to improved security outcomes.
To start, password lockouts are causing far too much pain to real users, and they can be mitigated by implementing better security controls on the provider side that render account lockouts less applicable. For example, secure password hashing algorithms are built to be slow to mitigate brute force attacks, and MFA adds another layer of protection.
Password lockouts should not necessarily be phased out entirely, but implementing a higher number of attempts (e.g., 30 or so), will capture automated login attempts without negatively impacting genuine users. There is also an acceptable risk and use case for writing down passwords. Users should use password managers and utilize random password generation for online accounts where possible. However, it’s also okay to write down a strong master password and store it physically so it doesn’t have to be remembered.
A malicious actor breaking into your password manager account with a weak password and immediately gaining access to all of your accounts poses a larger risk compared to someone breaking into your home, finding your strong but written-down password, and then trying to figure out what it’s for and how to gain access to your online services. The former is typically automated and done remotely, while for the latter an attacker must be in your home and have the motivation and know-how to break into digital accounts.
💡 Users who are not as comfortable or familiar with new technologies may be more successful improving their security by managing a physical password book versus the realistic alternative of re-using the same password for all of their online accounts.
Lastly, password complexity requirements. Length is the most important factor for the time it takes to successfully brute force an account. Using an exclamation point instead of a number won’t make a huge difference with today’s hardware if the password isn’t long enough.
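The three points in this answer (a deliberately slow password hash, a lockout threshold high enough that real users never hit it, and length mattering more than character variety) fit in one small model. The following is an added example, not code from the interview or from Pulsedive: it uses PBKDF2-HMAC-SHA256 from the Python standard library as the slow hash (scrypt or Argon2 would be the usual production choice; PBKDF2 is used here because it is always available), keeps a per-account failed-attempt counter with the 30-attempt threshold mentioned above, and compares the brute-force search space of a long lowercase password against a short password drawn from the full printable character set. The iteration count, threshold and return strings are assumptions for the example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000   # assumption: tuned so one hash costs tens of milliseconds on the server
MAX_ATTEMPTS = 30      # assumption: the higher per-account threshold suggested in the interview


def hash_password(password, salt=None):
    """Return (salt, digest) using a deliberately slow key derivation function."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class Account:
    """One user account with a slow hash and a generous lockout counter."""

    def __init__(self, password):
        self.salt, self.digest = hash_password(password)
        self.failed = 0
        self.locked = False

    def login(self, password):
        """Return 'ok', 'bad-password' or 'locked'; every attempt pays the hash cost."""
        if self.locked:
            return "locked"
        _, candidate = hash_password(password, self.salt)
        if hmac.compare_digest(candidate, self.digest):
            self.failed = 0        # a genuine user who finally gets it right resets the counter
            return "ok"
        self.failed += 1
        if self.failed >= MAX_ATTEMPTS:
            self.locked = True     # only sustained automated guessing reaches this point
            return "locked"
        return "bad-password"


def simulate(account, guesses):
    """Feed a list of guesses to an account; return (outcomes, seconds spent hashing)."""
    start = time.perf_counter()
    outcomes = [account.login(g) for g in guesses]
    return outcomes, time.perf_counter() - start


def brute_force_seconds(length, alphabet_size, guesses_per_second):
    """Worst-case time to exhaust every password of the given length and alphabet."""
    return (alphabet_size ** length) / guesses_per_second


if __name__ == "__main__":
    acct = Account("correct horse battery staple")
    outcomes, elapsed = simulate(acct, [f"guess-{i}" for i in range(MAX_ATTEMPTS)])
    print(f"{len(outcomes)} wrong guesses took {elapsed:.2f}s; last outcome: {outcomes[-1]}")
    # Length versus character variety: 12 lowercase letters beat 8 characters from all 95 printables.
    rate = 1e9  # assumption: guesses per second against a stolen hash on fast hardware
    print(f"8 chars, 95-symbol alphabet: {brute_force_seconds(8, 95, rate) / 86400:.1f} days")
    print(f"12 chars, 26-symbol alphabet: {brute_force_seconds(12, 26, rate) / 86400:.1f} days")
```

Running the script shows the two effects together: thirty wrong guesses cost the caller a few seconds of server-side hashing before the lockout engages, and a twelve-character lowercase password presents a larger search space than an eight-character one that mixes every symbol on the keyboard.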
What are some things that people should START doing today that they’re currently not doing to protect their information?
For individuals, use a password manager to generate random passwords for your online accounts. At the very least, use longer passwords that are unique for each sensitive account. For example, your email password and bank password should be different, and your banking passwords should be different from each other.
In addition, use app-based MFA where available. SMS-based 2FA has recently become an attack vector with SIM swapping*. For MFA, use an app that can sync across devices; if you lose your phone or get a new one, it’s a huge pain to move the tokens over to the new device. CISA has released detailed guidance around phishing-resistant MFA, including app-based solutions:
https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
* What is a SIM swap scam?
A SIM swap scam (also known as port-out scam, SIM splitting, simjacking, and SIM swapping) exploits the mobile phone service provider’s ability to port a phone number to a different SIM card. It targets a weakness in 2FA and two-step verification to take over accounts.
How it works:
- Scammers collect personal details about the victim, often through phishing emails, buying them from data brokers, or social engineering techniques.
- They impersonate the victim and contact the mobile carrier, claiming that the original SIM card has been lost, stolen, or damaged. They provide the personal information to convince the carrier to switch the service to a new SIM card in their possession.
- The carrier activates the new SIM card, which is controlled by the scammer. This allows the scammer to intercept all incoming calls and texts, including one-time passwords sent via SMS or phone calls.
Protecting information is not only about fully preventing attacks; it’s also about stopping them as early as possible to prevent further loss. On the organizational side, our research has shown many security teams are siloed with little communication and information sharing within and across organizations. Company social events, all-hands meetings, and industry gatherings help break down these silos organically, since it lowers the barrier to get in touch with the right security contacts when things go wrong once people know each other on a more informal level.
🛡️ While organizations actively mitigate risks and track threats, it’s impossible to perfectly predict where and how the next attack will happen. That’s where having connections and information sharing infrastructure can get you just-in-time warnings and context that cannot be achieved alone.
Pulsedive’s CTI Networking Report provides a great deep dive into the current state of CTI networking and why ongoing collaboration and adaptation are so crucial in 2024. The report builds on the findings from their previous study conducted in 2022, revealing changes in behaviors, attitudes and practices within the CTI community over the past two years.
👉 https://blog.pulsedive.com/cti-networking-2024/ 👈
Have any recent major breaches affected how you handle your business operations?
Our experience in incident response and security engineering helps us understand what security practitioners are most interested in with regards to malicious IPs and websites. We apply this expertise to inform our threat intelligence products, helping security operations teams quickly determine if an alert is a true or false positive. While we collect comprehensive data on sites through our on-demand scanning, we highlight the important tidbits for a faster determination.
We’ve made it easier in our platform for our users to search, track, and understand pervasive cyber threats that are affecting organizations today. Feedback from Pulsedive users who are researching active threats directly impacts the data we offer and how it can be used.
What are some of the most creative or sophisticated online scams you’ve encountered in your career?
Virtual kidnapping scams top the list. While virtual kidnapping fraud is not new, the scam evolved in the past decade to be “fully remote” and impact anyone, anywhere. In the case known as Operation Hotel Tango, over 80 victims across multiple states were identified, collectively losing more than $87,000, highlighting how the shift to native English calls and broader targeting vastly increased the number of potential victims.
What are virtual kidnapping ransom scams?
Virtual kidnapping scams leverage psychological manipulation and modern technology, such as internet searches and phone calls, to create a believable but fake kidnapping scenario, tricking victims into paying ransoms without any physical abductions.
With the increasing accessibility of deep-fakes for both voice and audio, it is becoming harder and harder to distinguish what is authentic in a seemingly high-urgency and emotionally charged situation. Public awareness and training are essential to combat the efficacy of these cybercrime operations.
What are some resources for individuals interested in learning more about cybersecurity threat intelligence (CTI)?
- CTI Fundamentals Resources by Curated Intelligence (https://github.com/curated-intel/CTI-fundamentals)
- Best CTI Events by Grace Chi (https://blog.pulsedive.com/the-biggest-best-cti-events/)
- CTI Self-Study Plan by Katie Nickels (https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-1-968b5a8daf9a)
- CTI Core Competencies Framework by John Doyle & Mandiant Team (https://www.mandiant.com/sites/default/files/2022-05/cti-analyst-core-competencies-framework-v1.pdf)
- Pulsedive Dashboard for latest news and events (https://pulsedive.com/dashboard/)
Last but not least, Pulsedive’s Community platform is a great, and free, way to perform research and analysis. Keep an eye out for updates, as well as educational blogs like our “CyberChef 101” tool guide, to learn about the field of threat intelligence.
👉 https://blog.pulsedive.com/tool-guide-cyberchef-101/ 👈
Learn more about Pulsedive
Website: pulsedive.com
LinkedIn: linkedin.com/company/pulsedive
X: x.com/pulsedive