Tales from Tracking Cybercriminals – Matthew Gracey-McMinn, Netacea

[00:00:00] Matthew Gracey-McMinn: One threat actor I was speaking to from Russia, I was trying to convince him that I was Japanese, so I was typing Japanese into Google Translate to turn it from Japanese into Russian and he sat there and he told me, "a lot of the Japanese I speak to speak much better Russian than you. You should really study harder. You know, your foreign language skills are really poor." And I was sat there like, "If you knew, if you knew I was British, you would be very impressed with my Japanese, which is on point!"

[00:00:27] Cyril Noel-Tagoe: Hello everyone and welcome to Cyber Security Sessions, our regular podcast exploring all things cyber security. I'll be your host, Cyril Noel-Tegoe, principal security researcher at Netacea, the world's first fully agentless bot management product. Threat intelligence plays an important role in cyber security, and understanding the potential threats to your operations is vital in protecting yourself from harm. To quote the Art of War, "if you know the enemy and know yourself, you need not fear the result of hundred battles" and cyber defenders are really facing hundreds of battles. But how do you infiltrate the often closely guarded communities to learn about the enemy? Well, to dig deeper into the world of cyber threat intelligence, I'm excited to have a very special guest for this bonus episode of Cybersecurity Sessions. My boss and Netacea's head of threat research, Matthew Gracey-McMinn. Hey Matt, thanks for joining.

[00:01:19] Matthew Gracey-McMinn: Hi Cyril, thanks for having me. It's nice to be on the podcast.

[00:01:24] Cyril Noel-Tagoe: Could you please introduce yourself to our listeners?

[00:01:27] Matthew Gracey-McMinn: Absolutely. So I'm Matthew Gracey-McMinn, and as Cyril said, I run the threat research team here at Netacea. Our mandate basically is to provide relevant, timely, and actionable intelligence to our internal teams and our customers, allowing them to get ahead of the bots, developers, and the bot users in order to try and stop business logic attacks. Essentially providing the sort of intelligence they need in order to defend themselves more effectively.

[00:01:54] Cyril Noel-Tagoe: Brilliant, brilliant. So obviously when I was offered the chance to interview you, put my boss in the hot seat, I'm not gonna say no to that and I can tell you've definitely been very different since you found out you're gonna come on the podcast, but our professional relationship started prior to Netacea in the wonderful world of security consultants. So how did that and your career path following that lead you into threat research and threat intelligence?

[00:02:18] Matthew Gracey-McMinn: So it has been a bit of a wobbly path since we first crossed paths all those years ago in consulting. After we worked together as consultants, to mostly working on things such as privacy and security maturity, audits, that sort of thing. I ended up moving across into a SOC environment, Security Operations Center, primarily working as an incident responder, so I spent a few months working as an incident responder before moving up to a breach response and threat hunting team, which is really where I started getting a lot more involved in some of the major issues. Quite a few actually made the BBC News, international news, that sort of thing. You know, it was really, really exciting. But you also get a lot of calls at 3:00 AM and that sort of thing, and as much as I really enjoyed that and I started really, I enjoyed the competitive mental cybersecurity battles that are going on when you're doing breach response, and then found the threat hunting really interesting, I started interacting a lot more with threat intel team at the SOC company and getting a lot more knowledge around threat intel, that sort of thing. Started reading up a lot more of sort of threat intel reports and that sort of thing. And very quickly I realized that I was getting quite frustrated in the threat breach response and threat hunting world primarily because it's very reactive. You know, the attacks have already happened and you're trying to, you're trying to stop someone who's kind of already won. They've already at least won some victories in that overarching campaign and you're trying to drive them back out of the network. You're trying to take control back. I started to realize that really if you could get ahead of these people and stop the attacks before they happened, or knew what was gonna happen before it actually happened, you could reduce the impact significantly. And so I started looking more towards trying to move into threat intelligence and trying to provide that early warning system, that pre-warning, that information that can actually stop an attack from happening in the first place. Never mind just recovering from one.

[00:04:03] Cyril Noel-Tagoe: So break that down for me. Kind of that process of threat intelligence. How do you get that early warning?

[00:04:08] Matthew Gracey-McMinn: So there is the, what's called the threat intelligence life cycle, which depending on whom you ask, is sort of five or seven stages. And really, what you're looking at in the intelligence life cycle is, direction stage. You know, you start off by asking a question, you know, who's likely to attack us? What sort of methodologies are they going to approach us with, what are the tools they're going to use? You know, those sorts of high level questions. And then you take this away and you start gathering intelligence from it. You collect up intelligence, you collect data and raw information, and then you process that and turn it into something that can actually be analyzed. You then perform the analysis on it, and then from that you can try and answer the questions. You know what questions you're looking to try and answer. So who's going to attack us, for instance. When, where, how? You've gathered information that can probably answer that question. You've processed this, you've performed some analysis on it. You can then report back to the targets of those attacks, answering those questions, providing them with the information of, "Well, this group of people are going to attack you. This is their list of objectives. This is what they have to achieve in order to basically win. This is what they have to do to beat you. This is what they have to do to achieve their objective. This is the methodology they're going to employ. Here are the tools that they are planning to use." And then we can use that to say, "this is how we would recommend you stop them." And using that provides people with a much more focused response to their cyber security issues rather than just going, "We're looking for bad stuff. We want to stop all the bad stuff." You're going, "Well, what are the actual things that are, first, viable attacks against you? And secondly, what are the ones people who are interested in attacking you are actually capable of?"

[00:05:40] Cyril Noel-Tagoe: You talked about kind of focus response there. If we break the focus that you currently deal with, that's primarily business logic attacks now, right?

[00:05:48] Matthew Gracey-McMinn: Yeah.

[00:05:48] Cyril Noel-Tagoe: So I guess firstly, how does a business logic attack differ from another type of cyber attack?

[00:05:54] Matthew Gracey-McMinn: So in a nutshell, essentially your sort of traditional cybersecurity attack works simply by trying to get your computer to do something it's not supposed to do. They lock your files away so you can't access them. They wipe everything. They wipe your master boot record. They do some sort of damage like that, something that's not supposed to happen. A business logic attack, however, is fundamentally different in that rather than trying to get something to not work or do something it's not supposed to do, they instead use the intended functionality of the system to perform a malicious action. So the usual example I give is if, say, we have a big eCommerce website and I go to the payment portal and I put in a bit of say, SQL injection or some sort of code or something into the credit card number field, I could maybe get by with saying, "Hey, don't charge me for this item," in which case I'm essentially stolen the item that I placed the order for. Alternatively I could say, "Give me all of the credit cards for all of your customers." Something like that. I could try and get the server to do something it's not supposed to let happen. That would be your traditional cybersecurity attack. A business logic attack would be if I go in and put in a credit card number, a legitimate credit card number, but it's yours, Cyril. So I'm going to steal your credit card and use your credit card number. Now, the eCommerce site have to accept credit card numbers. That's their entire business model. Their business logic is if someone puts in a legitimate credit card number, and it passes all the checks and details, that is going to be accepted and the order will be placed. However, criminals may have a list of 2 million stolen credit cards and they'll put them all into this credit card field and see which ones stick, essentially, you know, which ones can they actually use, and let's say they can use 2,000 of them. They've just conducted 2,000 cases of fraud, but they have not made the server do something it wasn't supposed. So it is that fundamental difference of, they are using the intended functionality, the intended business logic of the website to perform malicious actions.

[00:07:49] Cyril Noel-Tagoe: And how does that affect intelligence operations?

[00:07:52] Matthew Gracey-McMinn: Fundamentally what we are looking at is actually a different industry to a lot of other intelligence providers. So a lot of other providers are looking for things like ransomware groups, your really big APTs, nation state actors, all this sort of stuff. We're going much more focused into actors who are not trying to break things. Their goal really is generally purely financial. Now, a lot of cyber actors are the same criminal actors in particular, but these ones are specifically looking to use the intended functionality of the website. So we are looking for people with particular skill sets, often a good understanding of business practices. And we are generally looking people who may not necessarily in some cases be breaking the law. So scalper groups, for instance, are a bit of a problem for a lot of businesses, particularly eCommerce. Scalper groups, for those who don't know, are groups who try to buy large amounts of low supply, high demand goods. If over the pandemic you tried to get hold of a PS5, or gym equipment or a home spa in the UK, one of those home jacuzzi things you could put in your garden, and you struggled to get those, the main reason for that was scalpers were buying them all up, and then they were selling them at massively marked up prices. So you know, they're not necessarily people acting illegally. So many of them try to err away from the sorts of dark web marketplaces and stuff that illegal stuff happens. Other business logic attackers, credential stuffers, doing carding attacks, those sorts of things, they are much more illegal. So they do go down into some of the dark web forums. Again, some are still on open web forums as well. They're generally, however, not as technically skilled as some of the more advanced, say ransomware operators are. So what they often do is they use freely available or paid for tools and then launch these attacks. And what we've seen as a result of this is a sort of splitting of the ecosystem. We've got bot developers, these developers who build these tools, they tend to be skilled in terms of development work. And then we have people who actually use these tools who are often much less skilled and instead have things like stacker views in order so they can drag and drop bits of code that they may not themselves understand, but they can just drag and drop the code in and create an attack that way that will exploit business logic.

[00:09:56] Cyril Noel-Tagoe: So you talked a bit about the skills of the attackers. But I guess as head of research, you're responsible for building the team at Netacea, the threat research team. So for people who are looking at threat intelligence as a career path, what advice would you give them in terms of their skills and the tools they need to actually do threat intelligence?

[00:10:14] Matthew Gracey-McMinn: So if you're looking into getting involved in threat intelligence, I think probably the first thing I would encourage you to have is to have a curious mind. You always want to be learning. I know I myself have imposter syndrome, quite a lot of the time people ask me questions and I, my answer is usually, "I don't know. I'm going to have to go and look that up." That's very common. You know, I had issues with that and worries about it coming through my career path. Speaking to younger analysts who are starting off in the area as well, they have very similar worries. They feel like, "Oh, I should know the answer to this. I shouldn't have to look it up." You don't know everything. No one's ever going to, and really the point of being a threat intelligence analyst is that you can go away and research things. So you need to be able to think outside the box. You need to be able to consider, how could an answer to this question, you know, the straightforward answer of," Oh, I've Googled the question." There's no answer. Well, how else could I approach this? Thinking outside the box, number one. Curiosity, they're up there as well with that. I would say other key attributes as well. Don't think you need to be limited just to, if you don't have a strong STEM background, you know, if you haven't studied STEM at university to like doctoral level, you can't really work in this field. That's eminently not the case. A lot of the people I've spoken to come from language backgrounds. There's lots of threat actors who talk in other languages. So being able to speak and understand those languages is important. It is important to have the technical knowledge. So I would encourage people to build up those sorts of technical skills, certifications of Computer Security Plus provide a bit of a syllabus to try and follow, which is often a good, quick recommendation there. But don't be put off if you don't feel too confident around computers. Those skills can be built. Try to build those skills. I think as well, it's a bit of an odd one as someone who is a hiring manager, but the ability to lie is also quite useful.

[00:12:02] Cyril Noel-Tagoe: Perfect.

[00:12:03] Matthew Gracey-McMinn: There's a bit of an interesting one to be saying, but at the end of the day, you're trying to infiltrate these people's forums, their marketplaces, that sort of thing. You have to be able to pretend to be someone. So perhaps rather than saying you have to be good at lying, perhaps say you're a good actor, you have to be good at acting rather than...

[00:12:20] Cyril Noel-Tagoe: Let's dive into that a little bit. You've gotta be good at infiltrating these forums. So, I mean, I know there's gonna be stuff you can't say on here, and of obviously you're gonna be good at lying and if you did say stuff, we can't verify if that's true or not. But, are there any stories of how you gain access to these forums or groups that you can share?

[00:12:40] Matthew Gracey-McMinn: Yeah, absolutely. So we use what are called sock puppets in the industry. So fake identities, fake accounts, that sort of thing. And what you often have to do is try to join some of what we consider lower tier groups. So you have this sort of tiered structure to many of these groups as well as in the different forums. And what happens is you can kind of join these easily accessible ones that you don't really need an invite to and that sort of thing. And you can build up a bit of a reputation for this sock puppet, for this fake identity. And as they build up more and more of a reputation, they may get invited to some of the more locked down parts of that group. Those are areas in which the slightly more detailed conversations go on. People have to be a bit more trusting to share information with you, that sort of thing. You start getting into those. As you start developing those relationships more and more, you may get invited to other groups, which are, again, much more locked down. And that sort of same pattern repeats itself as you sort of move deeper and deeper into the sort of locked rooms that sort of follow on from one another and that sort of way. And then when you're actually interacting with them, you know, you can get a lot of information out from these people without them realizing much. It can be quite hard because sometimes they want things in return and obviously we don't want to give away the keys to the kingdom of how to actually break into these places, that sort of thing. So quite often you have to do things like maybe fake an attack or try and claim credit for something you haven't actually done, those sorts of things, and see what you can do. There are quite a good few good, fun stories. So the one threat actor, I mentioned people from language backgrounds can be good threat intelligence analysts. That was sort of trumping my own horn a bit. I studied Japanese and East Asian history at University and one threat actor I was speaking to from Russia, I was trying to convince him that I was Japanese, so I was typing Japanese into Google Translate to turn it from Japanese into Russian, speaking to him, and he sat there and he told me, "a lot of the Japanese I speak to speak much better Russian than you. You should really study harder. You know, your foreign language skills are really poor." And I was sat there like, "If you knew, if you knew I was British, you would be very impressed with my Japanese, which is on point." So you do have that sort of thing. And then, others as well. Basically social engineering. We talk a lot about social engineering being an offensive technique, but it's also useful for threat intel teams. So, one of our analysts, one of your teammates, Cyril, he annoyed one threat actor, this threat actor was basically claiming he had something to sell to people and it would facilitate attacks on lots of different networks. And our colleague basically said, "I think I know how to get it out of him." And he basically posted on this guy's forum saying "he doesn't have it, he's lying." And the guy goes, "I do have it. And it was like, "No, no, no. I don't believe you." "I do have it. I don't have to prove anything to you." "He's lying. Everyone, he doesn't really have it. It's all a scam. He's gonna take your money and run", and the guy goes "fine. I will prove to you that I have it. Here is all the information you need to stop it for free." Which was a bit foolish of him to give away. But we're not going to look a gift horse in the mouth.

[00:15:33] Cyril Noel-Tagoe: Yeah, I guess with these forums, it's all about the reputation, right? And if people believe that you're not legit, and to be honest, like, these are criminals and scammers, so it's understandable to think they might not be legit, but if you complain to that, that's a great way of kind of getting them to give you information.

[00:16:07] Cyril Noel-Tagoe: Look, what we're doing most of the time is investigating people who in some cases may be criminal. I know like, some of the stuff you talked about, like scalping, that isn't illegal. But some of the stuff like carding and credential stuffing is, right? So there's that potential criminal activity and the companies we're working for, they might want to follow with some legal actions. So how does that kind of change the way that we investigate and the kind of the information we provide?

[00:16:32] Matthew Gracey-McMinn: There's kind of two questions in one there, which is that the whole split between the legal and the illegal sort of actions that we monitor. So scalping, for instance, is not illegal unless it's sort of event tickets and that sort of thing, but it's not an illegal act generally in the UK or US, though there are actions in both countries to try to regulate against it. So we are seeing efforts to try and regulate it. As a result of that, what we do for people who are acting illegally versus ones who are either unethical, acting legally, it's very different and we have very specific rules of engagement. So we have policies and processes written down. I speak with our legal counsel very, very regularly, making sure everything's up to date, making sure everything's all right. And if there's any gray areas, anything we're unsure of, I go straight to our legal team to make sure we're following things ethically. Our senior leadership team, all the C-suite have direct oversight over everything we are doing and any concerns, any worries are escalated to them for review. We also make sure that everyone in the team's following sort of the standard set by professional bodies, ISC Squared, Crest, those sorts of things as well. So their standards are embedded into our daily actions. As a result of that, when someone's acting legally, if unethically, as a general rule, we're not looking into trying to facilitate an arrest of an individual who may be taking some rather dangerous criminal activities, you know. We're trying to stop them doing something to a company that the company doesn't want them to do. And for that reason, we may get, acquire their tooling, that sort of thing, but we are not going to try and bring them down as a person or put them into prison that there's no need for that. For the illegal actors, however, where a customer is looking to try and take legal action, we can try and facilitate those sorts of activities. So what we do is we try to speak with the customer, understand what is the minimum amount of information required for them to pursue a legal action, what intelligence is required, and we can provide that intelligence to law enforcement, usually as a sort of tip off, essentially as a... "here is a body of evidence from the victim of an attack, as well as from the open web, the dark web, showing who the attacker was. Here you go. Might wanna take some actions on this," that sort of thing. Or if the company themselves wish to litigate against the individual, we can provide them again, the bare minimum. And we usually have quite a few meetings going back and forth to understand, what is bare minimum? We specify very strict rules of engagement around that to ensure that the rights and privacy of the target of, of the operation is as protected as possible.

[00:18:50] Cyril Noel-Tagoe: Have you had any strange requests from customers around this? So you said you got kind of got these really strict rules. Have there been any ones that you're like, "Ooh, not quite sure where that that fits in?"

[00:19:00] Matthew Gracey-McMinn: We've had quite, I wouldn't say strange ones, but it always surprises me how eclectic the mix of requests coming in is. So we get everything from, "we know that there is a refund fraud group targeting us, and we would like to investigate them. We don't know how on earth they are performing refund fraud," which, as you know from your research, Cyril, which I'm quite happily going to take credit for now, refund fraud is essentially where someone pretends to send an item back and claims a refund for it whilst retaining control of the actual item, essentially. There's a number of different methods for it. Different refund fraud groups target lots of different companies. It's costing, I think the US retail industry, about $23.2 billion a year at this point, as an estimate. So we've been asked to investigate groups of those and figure out, you know, how can we stop them? How can we change our processes? That sort of thing. Other ones include simple stuff like, "Oh, we've seen people talking about this bot. Could you have a look into this?" Others are, "This person is claiming that they've been able to rob us. We dunno if it's true or not. Could you look into it?" That sort of thing. Others are, "this person is selling gift cards from our organization. Could you look into that, figure out how they're doing that?" The spectrum of it is quite broad and what I've usually found is as we start discussing one project, they'll go, "Oh, there's also this thing and this thing and this thing and this thing." And people have these sorts of, "there's this weird thing going on, which I don't have time to look at in my general day security job, but I'm pretty sure it's bad. But I dunno how bad it is. So I dunno how to priorities this thing. Could you go and have a look into it and figure out, A, what's going on? B, how big a problem is it for me, and C, maybe how could we go out stopping it?" Yeah, it sort of spirals quite quickly that the sorts of different questions people suddenly start coming up with.

[00:20:43] Cyril Noel-Tagoe: I guess with just that wide range of requests, there must be some very interesting findings that you get from those. Is there maybe one or two that again, that you could share without naming any specifics?

[00:20:53] Matthew Gracey-McMinn: Yep. So there's been a couple of interesting ones. So going back to the refund fraud one. There's quite a few refund fraud as a service groups who facilitate other people doing refund fraud, they conduct the fraud for you and then take a cut of the profits. Usually about 8-15%, I think it is. You're the one who did a lot of that research.

[00:21:10] Cyril Noel-Tagoe: It was about a couple years ago. It's now about 20 to 30%.

[00:21:14] Matthew Gracey-McMinn: 20 to 30% now. Yeah. Cool. So there we go. Me trying to take credit for Cyril's work and doing so. Yeah, so, so yeah. So there's lots of those refund fraud groups. And the one group we looked into, well, we were working with the customers to try and investigate how refund fraud was being conducted against them. And as we started gathering data around their refunds, they and us pretty much simultaneously, to be honest, because once you had the data in front of you, it's pretty obvious what was going on, realized that most of the fraudulent refunds were coming through a single post office in the northeast of England. So the people would take these refunds back to that particular post office, and it's like, well, possibly there may be some sort of insider threat or something going on with that area there. A few other interesting ones we've had. So, I mentioned the one where we were basically just, one your colleagues essentially antagonized the bad guy in a sort of playground, "na, na, I don't believe you" sort of way into giving away the keys to the kingdom. Yeah, there's loads and loads of stories. Plenty of Stuff I'd love to be able to talk about in a pub, which I really, really can't unfortunately.

[00:22:24] Cyril Noel-Tagoe: And I guess, so from the customer's point of view, kind of the end result for them, what's been the benefit?

[00:22:29] Matthew Gracey-McMinn: So for a lot of the customers it's, number one, actually answering all of those questions. You know, these are the sorts of questions that appear during your day to day. And particularly it's the case of, "I don't know", it's those unknown unknowns often that annoy people, keep people awake at night. Like, "I know something weird is going on. Is it a problem? Is it not? I don't know how big of a problem it is", That sort of thing. And then of course there's more, there's the known unknowns as well. You know, there's very specific problems of "how do we actually deal with this?" And for a lot of companies as well, it's a case of "we started trying to investigate this ourselves. We didn't really have the access to the forums. We didn't have the expertise to actually decipher this and figure this out. And frankly, we don't also have the time". Because for lots of companies, they don't have in-house threat intel teams, and even they do have a threat intel team, they're a bit tied up with the ransomware groups and that sort of thing. They don't have the specific focus on business logic attacks and those attack vectors. So a lot of people come to us really because they need our specific expertise, our specific access, and contacts within those communities. They need someone who can harness those in order to answer some very specific questions for them so that they can solve some major problems. For a lot of these companies, particularly the really big retailers, these problems run into the hundreds of millions a year. Refund fraud, you know, individual fraudsters are making an absolute fortune from this. You know, a standard order size is often run into the thousands of dollars, and then people are making dozens of these. That adds up very, very quickly, month on month, year on year. Scalper bots can add up to a huge amount of damage through loss of brand reputation, even loss of availability of the website. Some of the really interesting ones that have caused problems for businesses as well, to go back to your previous question, we had a couple of businesses who've been, "for some reason, we see sudden surges of new account registrations on our registration portal. And, we're not sure, you know, why that is. Also as an unrelated thing, we've been added to a load of block lists for emails" and that sort of thing, and what we very quickly found out was that attackers were enumerating their user accounts they got just generate a list of emails and go, "Who is a customer of this company?" Put all of them into the registration portal and see which ones say you already have an account and those that don't already have an account suddenly have an account created for them, generating millions of emails going out, that then adds this company to spam lists so that then their legitimate emails can't go out. And the scammers then have a list of refined "who is a customer of this company", and then they go and send phishing emails to these individuals so that the actual spam list and the, fake account creations are all just byproducts of a very different attack that wasn't intended to do either of those things. So you know, those sorts of symptoms of another problem are also what we often get asked about, and then we end up diverting off and going, "Oh, actually the real cause of this is something that, as initial glance may seem unrelated."

[00:25:18] Cyril Noel-Tagoe: I guess that goes back to that early warning system then, right? Cause if that's the precursor to kind of a phishing attack, which then could be used as another way of taking over accounts, then you've got that system in place that actually, look, this is happening and this might be leading onto something else.

[00:25:33] Matthew Gracey-McMinn: Absolutely. Yeah.

[00:25:35] Cyril Noel-Tagoe: I know because I've built quite a bit of it, but we've got a lot of automation in house to be actually able to kind of do this research at scale. but talk to me a little bit about the Business Logic Intelligence Service that we're launching and how that ties in, these deep dives you've kind of been talking to where kind of the automation and packages is up for customers.

[00:25:54] Matthew Gracey-McMinn: Absolutely. So the Business Logic Intelligence Service is geared specifically for business logic. So we're not trying to move into the ransomware space and all of that. If we do catch stuff like that, we do, of course, tell our customers. What we are after, however, very much, and what we are very, very good at is the business logic groups. Like I mentioned, we have access to all the major groups. We have sock puppets, fake identities that are quite well renowned in these communities, quite well respected. So people do talk to them, they invite them to things. We can talk to these people. We get the information. When we started doing those sorts of things for our customers, we very quickly found a lot of our customers like, "This is great. We have more questions for you. Could you go and answer these?" And then that spiral to non-customers actually coming to us and saying, "Hey, we'd love to actually get some more intelligence on these problems we've got that seem to be, you know, we've heard through the grapevine through some of your customers that you actually can answer these business logic intelligence questions that our current intelligence provider doesn't do because they're slightly outside of their wheelhouse." So we're very focused on that area of our expertise and the bot management in the business logic attack space that not many other people really, really are operating in that space from a threat intelligence perspective. And as we got more and more requests for this, it just became a case of, formalize this into an actual service that we're offering. And so we now have a sort of two track model. We have a subscription track for people who want a sort of continuous flow of intelligence coming in, answering of their questions as they pop up, that sort of thing. And just sort of general metrics over time of, you know, how often are you mentioned on these forums, how regularly an attacker is developing new tools for you. How do you stand across your industry. Answering those sorts of broader questions, that's quite useful for management, that sort of thing. As well as going deep dive into, you know, who are the known adversaries, who are the attackers hitting us? How is the ecosystem developing? What is the relationship between the different groups and the attackers? You know, are there any pressure points we could use to try and reduce the operational effectiveness of any of these groups? Yeah, that those sorts of slightly more the weeds sorts of information, so that we can provide on a subscription basis. And there's four tiers of subscriptions, Essential, Annual, Quarterly, Monthly. Monthly, as you might imagine, very hands on, very involved. All of those levels have provided significant value to our customers. And then we have the other track, which is our bespoke project track, which is where someone comes to us with a, "Here is an objective we're trying to achieve, or a question we need answered" and we scope the project for them and say, "This is how we would recommend we approach this". So for instance, "we know of a refund fraud group who are targeting us. We would like you to infiltrate that group and identify how they're actually attacking us. Give us their methodologies, give us recommendations on how to stop their methodologies from functioning", and that sort of thing. So that, that's a very sort of bespoke project down there. And we've had, like I said, refund fraud style investigations, looking into synthetic identity fraud, also running the whole gammut to looking into proxy networks that may be attacking individuals, that sort of thing as well.

[00:28:50] Cyril Noel-Tagoe: And how does this all feed back into the core Netacea bot management product?

[00:28:55] Matthew Gracey-McMinn: So it works best as an add-on, because all the information we gather can go to Netacea's internal teams, particularly data scientists, bot experts. And that information can be fed back much more easily and because we're so well integrated, you know, we sit together in the same office. It makes life a lot easier for us. We can feed that direct information directly to people who are actually trying to stop these attacks from happening. Nonetheless, it can work as a standalone service and for some people that, that is what they have asked for and what they are getting. And that information can then be used by the business however they want to use it. So it may be used simply for reporting and tracking of metrics over time. It may also be used to inform other instant response activities. There's a huge variety of different uses for this intelligence. It is ideally suited as an add-on. I would say it works best if you've got the bot management, and if you've got the bot management, this can really enhance the power of that tool and really help it to function at a far greater level. But nonetheless, on its own, it still has a great deal of value and people have certainly found value in that, particularly in the bespoke projects.

[00:30:01] Cyril Noel-Tagoe: Yeah, and I guess with the bot management product, there's a base level of this intelligence already feeding into that, right? It's not that if you don't get this, you're not gonna get anything at all.

[00:30:09] Matthew Gracey-McMinn: No, no, no. Absolutely. So all of Netacea bot management customers were getting a level of threat research support already. They're not having that taken away from them. They are getting the option to have enhanced services added on, which is what they were asking for.

[00:30:22] Cyril Noel-Tagoe: Brilliant. Well, thank you Matt. I think we are just about running out of time, but it's been very fun having you in the hot seat for once.

[00:30:29] Matthew Gracey-McMinn: I am dripping with sweat, but I'm glad I survived it. It's been a pleasure being on.

[00:30:35] Cyril Noel-Tagoe: Everyone's lucky this is audio only. But thank you to all our listeners for tuning into this episode of Cybersecurity Sessions. If you enjoyed this podcast, please be sure to subscribe and like, or leave a review on your podcast platform of choice. We'd love to get your feedback. You can also get in touch with us via Twitter, that's @cybersecpod or by email to podcast@netacea.com. Thanks again for listening. And we'll see you again on our next episode.