- Welcome to the Cyber5 where security experts and leaders answer five burning questions on one hot topic in actual intelligence enterprise. Topics include adversary research and attribution, digital executive protection, supply chain risks, brand reputation and protection, disinformation, and cyber threat intelligence. I'm your host Landon Winkelvoss, co-founder of Nisos, a managed intelligence company. In this episode, I talk with Nisos principals, Robert Volkert and Travis Peska. We talk about the evolution in Nisos over the past six years, including how we differentiate in the private sector threat intelligence market under our new chief executive officer, David Etue. Our managed intelligence mission combines open source intelligence analysis and data engineering to solve enterprise threats around cybersecurity, trust and safety platforms, reputation, fraud, third-party risk, and executive protection. Finally, we reminisce about our favorite investigations and talk about what's next for Nisos. Stay with us. Travis and Rob, welcome to the show. Rob, would you mind giving a little about your background for our listeners please?

- Sure, thanks for having me on today, Landon. My name is Rob Volkert. I am the managing principal here at Nisos, I've been with the company since about 2018 and I started here as an intel analyst and then I kind of worked my way up, and now, I'm one of two people managers for our operations team.

- Travis, over to you, sir.

- My name is Travis Peska. I have also been at Nisos since 2018, came here to Nisos to work as a network operator and then have graduated to one of three intelligence principals.

- Super, and can't wait to certainly get into this. Today, we'll be talking about the evolution of Nisos really from the operator's view as this is our six year anniversary. So going back to the beginning when Justin and I started the company, we always wanted to ultimately be an intelligence company.
Certainly you have to solve problems that really matter to intelligence and that evolved in the market as part of a lot of different customer pain points, certainly over the years. But at the very core of it, it comes around, the open source intelligence trade craft that really you and Rob Volkert and Jared Hudson really bring to the table, combining that with a lot of the technical discipline real call-outs of course the Vinces as you know is one of the first operators and certainly Willis MacDonald as well, who was one of the primary forensics experts. And then of course yourself, Travis, bringing together that offensive mindset. So diving into why you came to Nisos and really Nisos being a combination of all those technical and open-source skill sets, Travis kind of already first, why did you come to Nisos? And what's your background.

- Prior to Nisos, I spent nine years in the Marine Corps and US Intelligence Community where I was working primarily as a computer network operator. And when I left the Marine Corps, I was looking for challenging and technical. And while I was really looking for something that would kind of challenge all of my capabilities and really expand on my skill.

- And Rob, how about yourself? You certainly came from the same types of background, probably just a little bit different of trade craft. How about yourself?

- Well, Travis' background is probably a lot more interesting than mine, but I did come from the intelligence community on the defense department side as an analyst, most of my career and what I thought led and you and I knew each other from a while ago. And when you approached me about Nisos, I thought it was a really interesting concept for a startup and I thought it was a really great mission, basically testing, well, maybe you didn't look at it this way, but I did. It's sort of testing the private sector industry waters for a real managed intelligence value added, right?
The way you'd sort of spoken the mission to me was the private sector needs the same caliber of skill sets, and experience, and training programs, and basically, cybersecurity companies that the public sector probably had a major advantage in. And I thought that was really interesting and it felt like a little bit of a challenge as well. And so, I was similarly to Travis was looking for a little change of scenery in my career out of the federal government. And so I think sometimes you can get lost in this idea that the only quote unquote threats facing our country can only be combated by federal government resources and in federal government spaces. And as we know now, after six years of being at Nisos, that's not the case that the same level of threat and sophistication is being directed at the private sector.

- Well, I think that's certainly a good point. And I think that when Justin and I, when we first started the company, we wanted to be always an intelligence company and certainly, we had to solve problems that intelligence could solve. And I think that that's been an evolving process and of course that fusion really was really around the skill set. So Rob, your analytical skill sets and open source targeting skill sets. And then of course, Travis, your operator background from your offensive skill sets as well as your forensic and defensive skill sets and really around the network infrastructure and threat hunting perspective. So I guess next easy way to kind of transition is Travis, from your eyes, how has Nisos changed over the last six years?

- Nisos has changed a lot over the last, at least three years that I've been here. And I think Nisos has changed me quite a bit as well. I have kind of grown as Nisos has grown, right? I mentioned, I came to Nisos as a penetration tester and then kind of took on our threat hunting and network defense and forensics type work, right?
So I gained a lot of experience there, as I gained experience as Nisos gained experience, as our threat hunting services grew, our ability to understand actors and identify infrastructure and our capabilities and our skill sets grew as well. I mean, when we're talking about Nisos changing, there are so many different things that we can talk about having changed. We have significantly expanded our people, our skill sets, our tactics, techniques, and procedures. Everything about Nisos has grown over the last six years. It's really made us an incredible workforce to combat the threats that our clients are experiencing.

- A lot of the work that we do is really outside the firewall. A lot of that has to be made relevant, certainly within their own corporate domains. And we started Nisos to be an intelligence company, you still have to solve problems of corporate enterprise to kind of piggyback on your comments earlier about that only the federal government can really combat these problems. I think that we've proven certainly the last six years that's not the case. You got to solve challenges that the private sector really cares about that really reduce risk, go through how that's evolved as well.

- So the interesting thing to me, I guess I'm not necessarily talking six years ago again, when I joined the company, I don't wanna say it was sort of a nascent challenge because I think for these companies, the challenge and threat was real, but maybe our ability to tackle it in a comprehensive and like with a methodology has changed. And so I guess I'll use an example of a lot of stuff I did when I first came here was reducing people's digital footprint. So you would do a vulnerability assessment on usually a friendly like a CEO or CFO, and they just kind of wanted to know a little bit of what's out there and what can I do about it? And then we started with just a somewhat basic assessment of the individual and basic but comprehensive.
And then I think over the years, we just sort of kept tacking on and seeing, okay, well, first of all, we've done the assessment, but what's next? Right, well, then let's find ways to make recommendations to mitigate that. And then I guess the third phase was, well let's actually go through the steps of mitigation. And so now, we've added a couple of services like our personally identifiable information removal, and that's sort of grown and evolved into what we call this executive shield service. So maybe we called it vulnerability assessment then. Now, it's a comprehensive package and it also includes a digital threat monitoring portion to it, right? Which is now that we've solved your immediate problem, well, what is the longer-term threat and mitigation strategy? Well, that could be monitoring for it. And now, we have a really good sense of this individual, their digital footprint, and then also the actors, the hostile actors footprint. And now, we know where to look. That's just example. I also see a lot of sometimes, it's nation state, I guess I'll just say it's more of a level of sophistication and the actors, and yes, some may be associated with the nation state, some may be just criminal actors, but they are getting better obviously. They're operating on a lot of non-traditional communication platforms or they may target social media platforms in the fraud or criminal activity they use. But in terms of their communication and operating ecospheres, they are not easy to find and they don't operate on those platforms that I think a lot of other companies may be sort of used to are collecting on. And so again, maybe three, six years ago, we were sort of on those major traditional platforms, but now, we have evolved along with the threats and now, we're operating on those harder to reach platforms, and we've developed things like personas and legitimacy in those personas so that we actually kind of live in those areas that those actors live in. 
Travis, you had touched upon the level of trade craft refinement and skill sets for people, I'm just curious, maybe it's not an either or, but do you feel like the trade craft is sort of the keystone thing that's changed amongst our operators? Or do you feel like it's the data sets that we procured, our automations or our workflows or like a combination of all of them?

- Yeah, that's a good question. I really think that it's a combination of all of the above. As Nisos grows, we are collecting additional data. We're acquiring these data sets and we're integrating it into our methodologies and our practices. So as data becomes available, as we learn more about actors, right, we are feeding that back in to the skills and things that our operators have at their disposal. And we're referencing all of the information available to us in a faster and more efficient way.

- Rob, I think that there's been in the threat intelligence space, there's certainly been a huge need to show who has the largest data lake, whether that's the largest portion of open source, whether that's the largest social media coverage, whether that's the largest dark web forum content, whether that's the ISP data. I mean, there's just so much data that is out there that can certainly be relevant to the intelligence mission, talk through like how we've differentiated from that and shifted that more toward a client-focused perspective.

- Yeah, exactly. I think you hit it on the head, right? The collect and show and demonstrate, "Hey, we have access to all of this data" and show sort of quantitatively, "Hey, we are better than everyone else because we have quantitatively better data." And I don't wanna diminish that's important and that a lot of times there is qualitative differences, but I think what we are seeing now in particular and ethic, it's really neat that Nisos started in this phase. So I think we're seeing really the next phase in cold threat intelligence.
And what I mean by that is we're getting beyond exactly what you said, sort of this deluge of threat data and information and collecting things like popular social media post feeds where you just log in and you'd sift through just thousands of posts or thousands of reams of data. And number one, social media platforms, at least the big ones, they're really good now at policing themselves and detecting a lot of the malicious activity and or removing accounts that violate terms of service. So a lot of the threats aren't really emanating from there anymore. And two, with the threat intel feeds, they'll give you really good start points or leads, but you really need to be a subject matter expert now. And some companies have those experts and they have the resources, and the knowledge, and skill sets, and everything else. But there's a lot of companies that don't, and I would venture to guess a lot of those companies have subject matter experts on maybe one to five sort of threats that they face and probably on a more recurring daily or weekly basis. But when that threat evolves or there's a new threat that they're not used to, it's kind of like, "Well, what do you do there?" And that gets sort of my third point is you really need experts who can go outside of that quote unquote network firewall and become immersed in that digital ecosystem or ecosystems where the threat actors are kind of living. And this is really the area where Nisos lives. And I think we're only gonna get better at it in the future. And so I think part of what attracts people to our company and how we retain people is that challenge. And I think instead of sort of shrinking away or worrying about it is staying up and not worrying about, "Oh my Gosh, where's that next threat coming from?" We actually look at it and say, "Man, I can't wait for that next problem that the clients are gonna face."
- Very well said, and I guess Travis, from your perspective, having that offensive background that you did bring certainly a unique capability and skill set, we can't exactly hack back, that's illegal, but there's certainly a lot of aspects in terms of identifying infrastructure kind of like you said that are critical really to this mission because it's not just cyber actors or APT actors that use malicious infrastructure. So I guess question relate to you is how you bridge those skills as well and augment the team and with that skill sets in the managed intelligence paradigm?

- So to expand on what Rob was saying, right, we do, we have to understand the threat actors, right? Whether that requires immersing yourself in the places where these actors are living, you need some sort of lead, right? Whether that lead comes from an intel feed, whether that lead comes directly from an actor, you need some sort of unique identifier in order to expand and learn different infrastructure. Taking a unique identifier, like a username, an email, an IP address, a domain name, anything, and leveraging the tools and the data sets and the capabilities we have to further understand the actor's network of people and an infrastructure, that's what we intend to do, right? We want to eliminate all of the infrastructure, all of the networks associated with this actor so that we can monitor and predict what's happening next. To Rob's point about, what is that actor doing next? That is the fun and challenging part, right? We want to try to understand what is coming next so that we can get ahead of it and better protect our clients and infiltrate those threat actors earlier so that we can get leads earlier into the next set of attacks, the next set of threats.

- That's a perfect way to transition certainly to the next topic.
And that's really around the investigations because I think that there's certainly a lot that happens that clients don't see, and I think that the differentiation really of Nisos' is really to provide the answers whereas a lot of other different types of companies will provide just data, which is not intelligence. They actually wanna provide actual intelligence that's timely, relevant, and actionable. And so there's certainly a lot of things that happen on the backend that are not seeing when they're just see the answers, Rob, from your perspective, without getting into client specific clients, what have been your favorite investigations over the past three years?

- Well, I'll answer it in a couple of different ways. One, just personally for me, the attribution cases are always the most fun and that when I say attribution, it's generally unmasking an actor and finding out who their true identity is. That can be anything from an email address, someone sending an email to a CEO and harassing them or threatening them to a Twitter account. That's posting insider information from the company, a lot of times it's an employee or a disgruntled ex-employee, or it could be someone all the way onto the dark web. And we actually even have a sort of this fun little thing we do where we drop a nuke emoji when someone is finally unmasked and that's sort of a rite of passage when you get to drop that for the first time. And so it's always fun, obviously it's fun when you get to do it, but it's also fun watching other people on their first time when they actually do it 'cause it's a really cool feeling. And so I remember in one summer in particular, to be honest, they were all fun, I can't even narrow it down to one, but we sort of took apart this entire network on one of the social media platforms that was doing some disinformation like tactics.
And I just remember, everybody was sort of all hands on deck and we were working nights, we were working weekends, and it was one of those times where it doesn't even feel like work you're up at midnight or you have a flash of brilliance at two in the morning and you got to run down your computer and then you wanna tell everyone the next morning when they wake up and everybody just kept taking, we'd take one. We would unmask go to the next one, go to the next one. And like I said, I mean, I use the word dismantle. We didn't actually dismantle it ourselves obviously, but we provided illumination and then we passed all this to the client and they took action on it. And so that was really cool also to see some of the fruits of your labor. So I would say that in terms of the actual investigative work, I think those in general for the company to be quite honest are probably the most interesting ones. And then the other thing I would say is I just really enjoyed being part of this team itself and watching everyone grow. And I think it's kind of cool that we do these podcasts where you can look back, now that Travis and I have been in the company for several years and 'cause you don't often look back and see the growth and the change. And I think it's really neat to see other people grow in terms of everything through, if you developed your writing ability to a lot of folks come in like me with maybe more of an analytic or an OSINT background. And then you kind of watch them develop their technical skill sets through on the job training, actual training. And then some of the technical people start to develop their more OSINT or sort of analytic assessment and writing capabilities. And I actually, a testament to Travis, I think he's really become a really solid writer and analytic thinker in the last couple of years and that's awesome.
- Rob, I really do appreciate that coming to Nisos as a penetration tester, my previous job was, hack the box and then get out, let somebody else write the report. But really, here at Nisos, the ability to perform analysis, write a report, work with the team, and ultimately provide intelligence on the threat actor or just on the threat to our clients, right? Like that has become really a fun way to grow. I appreciate the compliments, Rob, a lot of that probably stems from the training and the work with you and the rest of the team. But as far as investigations go, it's funny that Rob says his favorite are the attribution. Yes, like I am trying, I'm struggling to find what is my favorite, right? Because they're all my favorite, but really the technical, right? I'm highly technical person, anything incredibly is fun to me. That is what I typically prefer, or just gravitate toward, I guess when it comes to technical investigations, one of my favorite things to do is work with the tools and the malware of threat actors, right? Because it gives me the opportunity to perform forensics, to do some sort of pseudo pen testing, right? And understand these tools, see what they're communicating with and ultimately figure out how are they threatening our clients. These tools, they are typically implementing some sort of abuse against our clients. And it is up to us to immerse ourselves in the actors or in the actors threat group, communicate with those actors, acquire the tools and then understand the tools and gather the data, right, associate it with those tools so that we can understand the threat actors, the network infrastructure associated with the tool. And then we can go to our clients and tell them, here's what the tool is. Here is the functionality. Here are the actors, right? The IP addresses, the domains and everything else associated with this particular tool. And then from there, we can understand, okay, well, why, why is the tool doing this specific thing?
Is it something that we can inform the client on and help implement protections and additional security mechanisms to prevent those abuses from even being vulnerable in the first place? So really, that is not a specific investigation, but that is my favorite thing to do here at Nisos. And surprisingly, common among multiple investigations.

- There was this one case where basically we had to look like we were coming out of, and it was an IP address, had to look like it was coming out of a very remote location in the United States. And when I first started heard about this requirement from the client, I just dismissed. And I was like, "That's crazy." There's no way we're gonna do this. And of course, for Travis, that's basically a call to let's get to work. And so he spent not only weeks, but I think months trying to sort of find a way to set this up, actually get it established, get it running, get it set up on a recurring basis so that it wouldn't go down as soon as the computer turned off or something like that. And then not only that, but then he had to create a backstory to a persona for a legitimate reason why this entity would even be on the platform interacting with this actor that we were looking at. And so he just kept sort of tinkering and tinkering away, chipping away, chipping away, chipping away. And finally, after several months, we sort of got it up and running and then we're like, okay, the final test is, will the actor believe this, right? Because it almost felt like a little bit like a straw house or something like a fall at any point, right? And the actor is gonna identify us and expose us as frauds. But the whole thing went off, actor believed it. And had we actually been allowed to see each other in person, I would have gone out and bought you a beer Travis. But anyway, that was really impressive to me that you were able to lead that charge and pull that off.
And I think that's just a great example of that Nisos culture and mentality like I was talking about before, when that problem presents itself, that's when we really take that as a challenge and something that we're just gonna keep chipping away until we solve it.

- So that was definitely a team effort. I won't take full credit, full responsibility for that one, but I do appreciate that. And if I can continue with that, one of the most interesting things about that was that we had the actor actually remote into our infrastructure. And once the actor remoted into our infrastructure, we are able to capture additional information about that particular actor including email addresses and IP addresses, not previously known in the investigation. And on top of that, we were able to record unbeknownst to the actor, record everything that they were doing so that we could report on their TTPs to the client and kind of make an assessment, why are they performing certain actions? What are they looking for? And really that was an incredible investigation. I really enjoyed that one, Rob, thanks for bringing that one up.

- There's certainly a lot of people that could be called out, but if we're going back to the early days, everything that we're talking about here really revolves mostly around the skill sets of Rob, Jared, of course, Vinces being the technical mastermind with Willis and Travis, and certainly, you guys have been so critical for doing everything that we've just been talking about for the past 10 minutes that leads us to just such flawless execution. So I guess, kind of rounding it out here, what's the future hold for our mission and what have been the lessons learned over the last three years?

- That's a good question. So as I alluded to earlier, I think it's really interesting and important, frankly, to kind of look back on where you've come as a company.
And so I think three of the core lessons that I've learned, and I would like to say that our company has learned in the last 3 to 6 years have been one, be flexible, right? And that means be flexible to the needs of the clients' most difficult problems. They change, sometimes they change because of technology. Sometimes it's a sophistication of the actor. Sometimes it's just the nature of the threat, but what is actor's intention? Is it for profit? Is it for on behalf of a nation state? Is it just to make an ideological statement, et cetera? And so you have to be responsive enough to that, or I think you get left behind. And I think that's where we see a lot of, one of the reasons why our clients come to us, I think is because of that idea that some companies are able to be adaptable and flexible and some can't. And so they come to us. So second point is be disciplined, right? So do as much work over and over as you can until you get really good at it. You can develop a methodology behind it and then you really start to automate it, and ideally it sort of goes in that order. But as I mentioned before, you have to be flexible enough that sometimes it doesn't go in that order, but I think that's really important lesson that we have taken away. We've started the company with a lot of different services. Some of those we've sunset over the years. And I think that's where we've become disciplined enough now that we really pride ourselves and try to own that managed intelligence space. So I would say be disciplined is the second thing. And then the third thing is invest in your people. They're the heart and soul of your organization. They are the ones that are really good at being adaptive and flexible. They are team focused if you attract the right talent, and they're the ones who are getting you through those hard times and also enjoying the good times.
And so I see that most clearly on the operation side, that's where I am, but I think it's really neat to see that in the rest of our company, I think we're really professionalizing ourselves all over from the sales team to we're setting up a whole development team overseas, the marketing team. I mean, look at this podcast right here, right? And our IT team. And so it's really neat to see all of these different aspects of our company that are going through that sort of professionalization phase.

- To add onto that, I do think that our team is the heart and soul. However, we have an increasing amount of data to sift through and Nisos, right, which is building automations and tools to more reliably and more efficiently sift through all that data, pull out the relevant information and then being able to kind of automatically create relations to other pieces of information, right? If we can do all of that faster and more efficiently, we can give our humans the additional time, right, to perform the actual intelligence and analysis. So really as Nisos grows, right, our TTPs grow, and there are some of them, some of those TTPs we can automate, we are an automated product, but we do use technology to enable our services and allow our analysts to make faster and more informed decisions. And with more informed decisions, we can provide better intelligence to our clients and allow them to action that intelligence appropriately.

- Rob, Travis, thank you so much for your dedicated leadership the last few years, you guys really have taken us to another level of the company really through your selfless leadership as well as your technical abilities and the ability to not only teach Nisos teammates, but certainly transfer that knowledge to our clients. I can't thank you enough and appreciate it. For the latest subject matter expertise surrounding Nisos intelligence, please visit us at www.niso.com.
There we feature all the latest content from Nisos' experts on solutions ranging from supply chain risk, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection and disinformation, as well as cyber threat intelligence. A special thank you to all Nisos' teammates who engage with our clients to conduct some of the world's most challenging security problems under the job plane and conduct high state security investigations. Without the value of the team provides day in day out, this podcast would not be possible. Thank you for listening.