Interview with Calvin So, Cyber Threat Intelligence Researcher

Calvin So is a Threat Intelligence Analyst at the global threat intelligence firm Flashpoint.

He specializes in threat intelligence, malware analysis, and automation, and applies those skills in collaboration with security operations, incident response, threat hunting, and risk/vulnerability management teams.

Calvin has a proven track record of proactively supporting red/purple teams and enhancing overall cybersecurity defenses.

Can you describe the biggest cyber threat you’ve encountered this year and how your team responded to it?

This year, ransomware has remained one of the most significant cyber threats, affecting many sectors and often involving third-party data compromises. At Flashpoint, we utilize a comprehensive suite of proprietary and open-source tools to detect whether an organization’s data has been compromised. This could be through client/vendor relationships or direct postings by threat actors.

Our team discovers these incidents through proactive monitoring and by responding to requests via our Request for Information (RFI) services, where clients can request information and receive tailored reports from our intelligence experts, who provide the crucial “so what” analysis directly within the platform. Additionally, we provide clients with enhanced visibility and curated insights into potentially compromised data.

What are some of the most effective tools and techniques you use for threat detection and analysis?

The Flashpoint Ignite platform operates like a highly advanced search engine for various data sources. I’ve used it extensively, both as a consumer on a CTI team and now at Flashpoint, to gain comprehensive visibility into threat actor activities. This includes tracking their operational security mistakes, analyzing their credibility, identifying potential toolkits, and tracing usernames, wallet addresses, IP addresses, and email addresses associated with various threats. This intelligence platform is invaluable for building detailed profiles of various threat groups.

Additionally, I use a series of custom Python scripts, developed by my team and me, which leverage Flashpoint APIs. For instance, we use Flashpoint’s Optical Character Recognition (OCR) capabilities to sift through large datasets and identify compromised credentials or login portal screenshots, often leading to significant breakthroughs.

Echosec, Flashpoint’s geospatially enriched open-source intelligence solution, is another valuable tool, providing insights into geopolitical events and enabling monitoring and investigations. This helps us stay informed about events that might impact our clients.

For enrichment, pivoting, and identifying threat capabilities, I frequently use a variety of paid and open-source platforms for checking historical domain data and Indicators of Compromise (IOCs), building YARA rules, identifying malicious infrastructure, reverse image search, and malware analysis. When conventional methods fall short, I explore various GitHub repositories related to OSINT or threat intelligence, which sometimes yield valuable insights.

My research process follows the intelligence life cycle: Planning/Direction, Collection, Analysis, Dissemination, and Feedback. This structured approach helps navigate the complexities of threat identification and analysis.

How do you stay updated with the constantly evolving landscape of cyber threats, and what resources would you recommend to other professionals in the field?

Staying updated with the ever-evolving cyber threat landscape is essential. I rely heavily on monitoring cyber vendor research reports, which help assess the threat actor groups or attack trends that might impact specific organizations. Secondary sources like cyber/IT blogs also disseminate these reports and provide valuable insights.

Following a list of security researchers on X is another excellent way to stay updated. These researchers often conduct investigations that uncover new campaigns, additional Indicators of Compromise, or significant dark web postings. Some of my favorites to follow include:

Media outlets such as the New York Times, Financial Times, and Washington Post are also valuable resources. Since many business leaders get their news from these sources, understanding the impacts of emerging cyber threats is crucial. This helps in predicting and responding to inquiries from senior management.

Additionally, information shared by Information Sharing and Analysis Centers (ISACs) and Flashpoint’s FPCollab is invaluable. ISACs focus on industry-specific threats and campaigns, helping internal CTI teams prioritize and navigate emerging threats. They also facilitate information sharing among organizations within the same industry. Examples include:

  • FS-ISAC (Finance)
  • Health-ISAC
  • ME-ISAC (Media)
  • the newly formed Crypto-ISAC

FPCollab operates similarly to ISACs but is primarily an information-sharing space for Flashpoint clients. This platform allows for focused and collaborative intelligence sharing, enhancing our ability to respond to threats effectively.

Can you share a specific case where your threat intelligence made a significant impact on preventing a cyber attack or mitigating its effects?

We began tracking and reporting on a cyber threat group well before it gained attention from mainstream media. By analyzing the group’s tactics, techniques, and procedures early on, our client’s red team was able to use this intelligence to identify a vulnerability in their helpdesk system.

This early detection allowed them to set remediation strategies promptly, significantly reducing the risk of the organization falling victim to future attacks.

What advice would you give to someone new in the field of cyber threat intelligence to help them become proficient and stay ahead of emerging threats?

Embrace imposter syndrome and stay curious.

The goal of cyber threat intelligence is to strengthen cyber programs and proactively identify cyber threats for an organization.

Roles in this field are driven by the intelligence requirements that need to be met—essentially, finding actionable information that teams can use.

To meet these requirements, you need a diverse skill set, which is why many cyber threat intelligence analysts come from varied backgrounds.

For example, someone might have minimal IT experience but extensive intelligence analysis experience.

Others might come from IT or other cyber roles with a deep technical understanding of attack vectors but lack intelligence analysis experience.

Some might have been fraud analysts with a deep understanding of the cybercrime ecosystem.

It’s important for CTI professionals to work on what they’re missing to become well-rounded generalists capable of understanding almost all cyber threats.

To build this diverse skill set, constantly upgrade your knowledge by learning about cyber concepts, investigation techniques (such as phishing analysis, malware analysis, and vulnerability analysis), and the cybercrime ecosystem.

Personally, I enhance my skills by writing security research blogs on interesting analysis techniques, malware analysis, and coding tools.

Additionally, I participate in cyber examinations from SANS and other niche cyber courses to stay current and deepen my expertise.

© 2025 – Patch Management. All Rights Reserved.