EP211 Decoding the Underground: Google's Dual-Lens Threat Intelligence Magic

Guest:

• Kimberly Goody, Head of Intel Analysis and Production, Google Cloud

Topics:

• Google's Threat Intelligence Group (GTIG) has a unique position, accessing both underground forum data and incident response information. How does this dual perspective enhance your ability to identify and attribute cybercriminal campaigns?
• Attributing cyberattacks with high confidence is important. Can you walk us through the process GTIG uses to connect an incident to specific threat actors, given the complexities of the threat landscape and the challenges of linking tools and actors? 
• There is a difficulty of correlating publicly known tool names with the aliases used by threat actors in underground forums. How does GTIG overcome this challenge to track the evolution and usage of malware and other tools? Can you give a specific example of how this "decoding" process works?
• How does GTIG collaborate with other teams within Google, such as incident response or product security, to share threat intelligence and improve Google's overall security posture? How does this work make Google more secure?
• What does Google (and specifically GTIG) do differently than other organizations focused on collecting and analyzing threat-intelligence? Is there AI involved?

Resources:

• “Cybercrime: A Multifaceted National Security Threat” report
• EP112 Threat Horizons - How Google Does Threat Intelligence
• EP175 Meet Crystal Lister: From Public Sector to Google Cloud Security and Threat Horizons
• EP178 Meet Brandon Wood: The Human Side of Threat Intelligence: From Bad IP to Trafficking Busts
• “Wild Swans: Three Daughters of China” book
• How Google Does It: Making threat detection high-quality, scalable, and modern
• How Google Does It: Finding, tracking, and fixing vulnerabilities
• “From Credit Cards to Crypto: The Evolution of Cybercrime” video