In this episode of Threat Vector, David Moulton is joined by Keith Mularski, Chief Global Ambassador at Qintel and former FBI cybercrime investigator, to explore how threat intel forged in the underground is reshaping today’s SOC. Keith shares lessons from his legendary career—undercover operations, dismantling DarkMarket, and leading some of the FBI’s most successful cybercrime takedowns. Together, they dig into how security operations centers can evolve by adopting the mindset of the adversary. You’ll hear why today’s SOC needs to prioritize threat context over alert volume, how collaboration across sectors drives real transformation, and why the next leap in SOC maturity won’t be technical—it’ll be strategic. You can also find Keith as one of the hosts of N2K CyberWire's Only Malware in the Building podcast that publishes the first Tuesday of each month. Check it out.
Protect yourself from the evolving threat landscape – more episodes of Threat Vector are a click away
Transcript
[ Music ]
David Moulton: Welcome to "Threat Vector," the Palo Alto Network's podcast, where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Senior Director of Thought Leadership for Unit42.
Keith Mularski: One is have intelligence drive your operations, really understand what's going out there, who the adversary is, you know, that's out there. Again, from that, use that to drive your operations on where you're focusing on in your SOC, you know, whether that be TVM or your SIEM and SOAR work or whatever. And then finally, game plan, put all that into play, through tabletop exercises, get that muscle memory, you know, so that when you do get attacked, which you will, you're not going through the fog of war in those first 24 hours. You know, you have that muscle memory, you know how to react, you know how you're going to respond to that, and you'll be much more effective. [ Music ]
David Moulton: Today, I'm speaking with Keith Mularski, Chief Global Ambassador for Qintel. Keith spent over 20 years as a special agent with the FBI, where he led groundbreaking cybercrime investigations, including operations that dismantled the "GameOver Zeus" botnet and the infamous "DarkMarket" forum. Now at Qintel, he helps organizations translate intelligence into proactive defense. And today we're going to be talking about how the SOC can evolve by learning from the underground and why thinking like the adversary is more important than ever. Keith, welcome to the "Threat Vector." I'm really excited to have you here today. And hopefully on our third try, now that the tech is working and the record button is there, we're going to make an incredible podcast.
Keith Mularski: David, I am excited to be here and I think it's going to be a lot of fun.
David Moulton: So talk to me a little bit about your journey from the underground cybercrime investigations to now global security evangelism.
Keith Mularski: Yeah, so I had a very unique start. You know, I started at the FBI in 1998. I started out working Russian counterintelligence back then in counterintelligence. And I got to work some really cool cases like the Robert Hansen investigation, the bugging of the State Departments, and then I worked 9/11 as well at the Pentagon. And like around 2004, my wife -- we were living in Washington, DC, at the time, and I don't know if you've ever lived there, but the traffic is horrible. And my wife jokingly said, I'm giving you five years to get us out of DC or we're getting divorced, you know, jokingly. So I started looking for jobs. And a position came open in this new small little unit, cyber unit, in Pittsburgh, at a place called the National Cyber Forensic and Training Alliance, or the NCFTA. And this was a cyber unit to work with private industry. So I had some technical background that I had learned at the FBI, and I applied and got it, and it was just me and another agent. So I started working with industry and started looking at the DarkMarkets and, you know, the cyber underground. So I worked with the industry, and we crafted a legend for me to work undercover. And I worked undercover for a couple of years. And I'm sure we'll talk about that a little bit more in depth as we -- in our conversation. But then my cover got blown after a couple of years, so my undercover days were numbered and done. So then I went over to the Pittsburgh field office and led the most amazing cyber group I've ever seen in my entire life over there. I was very fortunate to have just some thoroughbreds and some rock stars there. And we were able to work some great cases. And I had a great US attorney's office with Dave Hickton there. And we brought the very first nation-state indictment against Chinese nation-state actors, APT1. Which we could talk about that as well as we go forward. I'm sure we got some stories. And then we brought some big botnet cases down like Game Over Zeus and things like that. And then in 2018, I got my 20 years in at the FBI, so I was eligible for retirement, so it was time to move on to greener pastures in private industry. So I was fortunate to get a position at Ernst & Young. In the last couple of years, I led their cyber threat management group. So it was interesting now to be able to then see the different perspective of what Fortune 100 companies were interested in and how, you know, they viewed cyber compared to what we looked at cyber in the FBI. So a nice bridge between the two.
David Moulton: So that's really fascinating. And I don't know if you're a fan of David Epstein's "Range" book, but you just remind me of somebody that is able to go and pick up enough skills, go deep enough, and then shift gears and apply them in another space. And as a former designer, that really appeals to me. You know, 20 years of building systems, probably not the most secure, designing things that were, you know, user experience focused and delightful, but I know caused some headaches for the engineers. And now I can go on to the other side and go, okay, this is what we're trying to achieve on this side. Here's what we're trying to achieve there. How do you bring it together? And you're the epitome of being able to do that, you know, at a totally elevated level within security. It's pretty amazing.
Keith Mularski: Well, thanks. Yeah, it's definitely a different perspective because how we viewed the cyber threat when I worked at EY and working with corporations is a lot different than how we viewed it in the government, you know. And when I was working, we were looking at the SOC, you know, you're looking at how do we prevent, how do we protect, and, you know, you're in defense mode. On the government side, you're really looking at the people, you're looking, going offensive, we're trying to get cuffs on people. So it's really two different perspectives. And to kind of be able to bring experiences from both sides, I think is really unique.
David Moulton: So let's go back to that undercover work that you were talking about where, you know, you didn't have forever, but you did have some experience with it. You know, you worked undercover on the "DarkMarket" forum, and that's been widely covered. You know, it's been in books like "Kingpin" or "DarkMarket." What's the one lesson from that experience that still shapes how you approach cybersecurity today?
Keith Mularski: Yeah, it's definitely about the people. You know, we get so tied up in cyber with this malware, with this exploit, with this new attack, that we forget at the end of the day, it's just people that are behind that keyboard. You know, it's -- I think -- my good friend, Shawn Henry, who's a CrowdStriker, was at the FBI, he had a saying, he said, you know, you don't have a cyber problem, you have an adversary problem. And really those adversaries are people that are sitting every day, you know. When you think about, you know, APT groups, they work for the government. So they're government employees, they're working nine to five, they're working government shifts. You know, they're coming in, they're ordering pizza, you know, going out for, you know, runs during the day. And, you know, you could track all that stuff. And, you know, the difference is that they're coming to work and they're hacking into companies as opposed to, you know, doing something else in the government. Cyber criminals, it's the same thing. Some of these cybercriminal organizations are very sophisticated. You know, they are recruiting coders and, you know, programmers, just like you would, a regular corporation. They're setting up, you know, dummy and shell companies, distributing films and opening up restaurants and things like that. So these are corporations, they're businessmen. But really, at the end of the day, it's really the people that you're dealing with. It's not just, you know, a piece of malware.
David Moulton: Yeah, I was just talking to one of our writers here. He's got a series called "Ctrl + Alt + Delusion." And we're -- well, he went back and looked at, you know, things like "Sneakers" or "The Net," right? Some of these hacker movies. And there were a lot of liberties that the directors took with these to make it interesting. And one of the conclusions that Ben and I got to is like, on some level, being an attacker, being a, you know, an adversary, is inherently boring. It's just somebody at a computer staring at a screen doing work. And you really can't make great cinema out of that alone, so you've got to find other ways to inject drama in it. But we also think of, you know, the sort of like lone wolf mentality, you know, this attacker that's out there that, you know, clacks on the keyboard a couple of times and they're like, ah, I've got access, you know, it's very quick. And I think that while that is fun media, fun cinematography, right, like on the other side, it's done a disservice where people think that there's some sort of, you know, mystery to this. But what you're describing and what I think is the reality, a lot of this is just work.
Keith Mularski: Yeah.
David Moulton: It's just a job. And depending on what your goals are, whether it's an APT that's looking for, you know, government secrets or some sort of espionage, or if you're on the criminal side, you're looking to say, can we turn a profit, you know, that is in excess or a number of margin points ahead of the cost of doing the work. It's just a business. And then I think you do get back to that, like it's a business of being an adversary. And then you have to look at it through that lens. And I actually want to get into that with you a little bit today. But let's start with the SOC, right? Like the state of the SOC today. From your perspective, what's fundamentally broken or outdated about the way that many security operations centers are set up?
Keith Mularski: It's alert fatigue. I mean, it's just, you know, every day that's just triaging things. I loved when I was at EY, I was in a meeting. I went to one of their board meetings and the CISO got up and he was giving statistics about the attacks that they blocked, you know. And it was like, we blocked -- I think it was like something like 25,000 attacks or something like that. I mean, those are like firewall logs. I mean, that really wasn't -- you know, that's people touching your door. That's really not understanding that you're getting attacked, you know. And it's just, you know, reacting to this alert, to this alert, to this malware. And it's really not understanding the context of, you know, why you're getting attacked. And I think that's one of the biggest things of -- that I see that's what's wrong with the SOC. It's just that you're so focused on looking at that pane of glass, preventing, making sure that, you know, you're not going to end up, you know, in the newspaper for being the victim of the latest ransomware attack. You're really failing to understand the context of why you're getting attacked or really what's happening.
David Moulton: So I've heard this phrase of like, be careful what you measure because you may get it. And I think you're getting to this to a level of like, you know, our attacks are really firewall logs or we're measuring throughput on tickets and not really looking for, did this make us more resilient? Did we go out and threat hunt? Did we actually move the company or the organization towards a point where we've lowered our risk and the KPIs are set up, you know, on activity, not on lowering risk? What's the biggest mismatch you see between threat reality and SOC design?
Keith Mularski: Yeah. Well, let me backtrack on just to hit a point on like, I think people miss a lot on context. And I'm going to share a story of when I was at the FBI, you know, we were working with a company, and the Chinese threat actors were in their system. And, you know, the company had great visibility into this, you know, the activity of the threat actors in there. And every Tuesday night, the threat actors were coming in, and they were stealing email inboxes. And, you know, and I'm talking to the CISO and he's like, look, you know, we know what they're doing. They're nowhere near our crown jewels. You know, I don't want to boot them out because then we may not have visibility again. So I know what you're seeing, it's just email inboxes. So I started talking and I'm like, okay, well, whose inboxes are they taking? And it turns out it was their chief negotiator who was doing a deal in China, you know.
David Moulton: Oh no.
Keith Mularski: So the Chinese for weeks were just reading what this company's bottom line was, their whole strategy of what they were going to do over there in China. So when they went over there, you could guess where the China -- you know, they saw the bottom line. You can guess where the Chinese opened up their bidding, right at their bottom line.
David Moulton: Yeah.
Keith Mularski: So they -- from email hacks, they literally lost billions of dollars because there was no context. You know, because it's just triaging this or triaging that, really not understanding who your adversary is, why they're attacking you, and what they're really after. That's what's really missing in today's SOC operations, in my opinion. You know, I think the tools do a good job, but, you know, if you're not getting the context, you know -- I think that case just blows my mind.
David Moulton: Yeah. So I don't know much about the case, but you're basically saying that the crown jewels were not defined as the company's intel and business strategy inside of China. And therefore, they gave it away. Like they knew it was being taken and they're like, oh, it's fine. Which is a context issue. If you understood what the adversary is really after, you would have said, we've got to shut that down immediately.
Keith Mularski: Yeah.
David Moulton: Oh, man.
Keith Mularski: Or if you had that visibility, you know, you could think offensive. You know, maybe you throw some disinformation out there and kind of help yourself and have some kind of fun with it.
David Moulton: Right.
Keith Mularski: But yeah, it was a losing situation.
David Moulton: Yeah, that's unfortunate. And I like that idea of like, if you know that's there, maybe you're not going to get rid of the visibility because you want to be able to keep an eye on. But how do you mix in something that is confusing or causes the negotiations to maybe flip back in your favor? That's a little bit more sophisticated and I think a little bit of departure from what most defensive-minded security is all about. So I like how you're thinking there, Keith. You know, the idea of giving a little bit of a honeypot to go get tricked on, that's fun.
Keith Mularski: Yeah. Those kind of operations, you know, anytime you could do that, it's a blast. [ Music ]
David Moulton: Well, you've had this front row seat to how cybercriminals collaborate and evolve, right? What can security teams learn from how adversaries operate that would make their SOCs more effective?
Keith Mularski: I think, you know, you need to get visibility into the dark web. So when we're talking criminals right now, you need to make sure that you're getting intelligence on, you know, the forums that are out there, the telegram channels, the jabbers. So you need to have visibility and see what they're talking about. You know, I mean, you know, there was just recently in, you know, "Clop," using a new exploit that's out there. You know, people were talking about how to leverage that in, you know, in the forums right now. So if you're not seeing what the criminals are talking about on how they're going to use it to attack you, you're flying blind, you know. We had a term in the FBI where we said, intelligence should drive operations. So that's where you're collecting, you understand what you're up against, you understand what the adversary is going to do. And once you do that, then that could drive operations. So, you know, if we hear that cyber criminals are talking about exploiting the CVE, now maybe now you should be looking at your TVM program. You know, how are you prioritizing? Is, you know, your patch cycle of 30 days, is that good right now? Or, you know, or, hey, this is being exploited right now in the wild. You need to make this, you know, a critical and patch this, you know, right away. So really, you know, having that visibility and having that intelligence of understanding what's going, you know, in the marketplaces, that should drive your operations on where you should be focusing in on. So whether that be focusing on something with identity or focusing on something with TVM, you know, really the bad guys are going to kind of drive that for you, in my opinion.
David Moulton: So how do you take essentially an IT function inside of, you know, security, which is inside of IT, that needs some lead times and has some of these process and build in, I guess, a culture of being opportunistic and being able to sense and respond to that intel, to those behaviors, those observables, so that you're not caught flat-footed where, you know, is it a 30-day patch cycle? Is that good or bad? How do we move it up to today? How do we not worry about it? Because for us, it's got, you know, defense in depth and we've got some layers in place. So we've probably got ourselves 60, 90 before we have to roll that out. And, you know, just looking at those types of things things that need to maybe change as far as like a culture or a process. What do you recommend there?
Keith Mularski: Yeah, I think you got a game plan. You got to do tabletop exercises. You need to be having these type of discussions. You know, you need to kind of be like a football team, you know. When you think about, as a CISO, you're like a football coach. You know, you have 15 games or 16 games that you're going to -- well, now I guess in the NFL, it's 17, games that you're going to play. You know, and you see your schedule and you know who you're going up against, you know, whether this is a passing team or a running team. And you watch game film and then you practice, you know, for that. So again, you know, kind of if you view it like that, where, you know, you're looking, using the intelligence, seeing what the playbooks are that the adversaries are using. And then you put it into play with tabletop exercises, going through the procedures, testing your incident response plan, testing your policies, understanding what the C-suite, how they're going to make decisions on things. I was in a tabletop exercise, for example, when I was at EY and we were with a company and we had a great ransomware scenario set up. This was going to be like a three-hour TTX. And we get in there and it was going to hit one of their facilities and, you know, that was making like $2 million a year. And the ransom was -- I mean, $2 million a day that they were going to lose if they were down. And the ransom was like $3 million. And literally in the first 15 minutes we were there, the CEO comes in and goes, he goes, so we're losing 2 million. We lost 2 million yesterday from being down. We're losing 2 million today. And the ransom is $3 million. Pay the guy. You know, I mean, it was like literally in that quick, you know. So you kind of knew where they stood. You knew what the culture of the company was and kind of, you know, how they were going to view. On other ones, you know, I was in places where people were like, no, you know, it is a sense of pride that we are not going to pay this ransom. We are not going to give in to the criminals. So you really need to know, again, you know, discussing with your team how things are going to evolve, what you should be focusing on, understanding really how, you know, the CEO and legal and all that, how they're going to react to different things too. And that could help you prioritize what you're focusing on, what you're not focusing on as well.
David Moulton: Keith, you talked about this idea that security is a people problem and, you know, you've worked in law enforcement, you've been in consulting, now you're in threat intel. What are some examples of the most successful cross-sector collaboration and what do you think made it work?
Keith Mularski: Public-private alliances and that sharing between are absolutely pivotal. Last week, I was just at Europol where there was a cyber conference there where they had, you know, all of the law enforcement from the EU and a bunch of industry there as well, just to kind of get together and talk about that. It is so imperative, because no one organization or company has complete visibility into this problem, you know. So even when you think about like financial crime, not one, you know, financial institution is going to have complete visibility. But, you know, you bring in -- you know, let's say, you know, five different FIs come together, sharing the information back and forth. You bring the law enforcement in understanding the threat that's going against them. And then, you know, then you can bring in some other security reachers or, you know, like people at Palo or people at Qintel, you know, to give a little bit of context of what you're seeing out there, you know, maybe, you know, come up with other solutions and, you know, and then you can come up with a strategy on how to attack things. I think, you know, we hear too often about, okay, you know, the government just says, share your data with us, you know, with industry. And that's just so broad. I think the biggest successes that we've had in public-private alliances are when we have things very narrowed on what we want to accomplish on, let's say, an initiative. So to give you, like, from my background, you know, I've been a part of a number of botnet takedowns. So, you know, let's say like "GameOver Zeus," which we talked about, you know, that was a great one where, you know, the banks were getting hit by Zeus that was out there. You know, the security companies were looking at the malware, and they were able to come up with a great way to be able to poison the botnet. You know, and then the FBI, we were able to kind of go after the bad guys and kind of get the legal thing around it. So bringing everybody together to go after this one botnet, to come up with, you know, a solution on how to prevent the fraud, a solution on how to take down the botnet, and then get the legal framework in from the government to be able to actually execute that, made it very successful. And, you know, there's been a number of big takedowns like "Operation: Endgame" that was just done recently. You know, against some of the, you know, the stealers and, you know, "TrickBot" takedown as well. So it is so imperative that we pull together, but it's also imperative that we really be targeted on what we're going after.
David Moulton: So you've mentioned these different groups and each one has a different mission, but when they come together, they can work towards that common goal. What things have you noticed in different cultures that make it easier to work together or the kinds of things that you may say, look, if we want to get to that point where we're collaborating and we're having these big successes, these big wins, we need to move away from in our culture? Because it seems to me that that's the, you know, the crashing together of these different cultures could either define whether it works or whether it fails.
Keith Mularski: Yeah. I mean, I think we're making strides. You know, we're here in the United States, and I think, you know, we're a few years ahead, at least definitely on the law enforcement side than maybe some of our other partners were. And, you know, they're rapidly closing that gap. You know, even just like the security apparatuses, you know, in the United States, it's a lot different than in the EU. So like if you go to like RSA Europe compared to RSA, you know, in San Francisco, it's like night and day. You know, same with Black Hat as well. But I think, you know, we're bridging that gap a lot more. And I think, you know, we're trying to get some of the laws up to speed. So, you know, some countries, let's say in the EU or across the world, they don't have the same cyber laws that we have here in the States, even though some of our cyber laws in the States are a little bit old too. So sometimes you have to call it something different. Instead of "cyber," maybe you call it "wire fraud" or "bank fraud" or "organized crime," and you put it in those terminologies, and, you know, then they get it, you know. But, you know, some countries are, you know, like Germany and the Netherlands and, you know, the Brits, they're really on the forefront pushing things as well. So I just think it's just kind of, it's slowly evolving. We're not where we want to be yet, but we are getting better, I think, moving forward.
David Moulton: So let's talk about the adversarial landscape for a moment. You know, each time I look at some of the research or I read what others are putting out, it seems like it's getting more sophisticated over time. What are some of the emerging tactics or trends that you're really watching closely right now?
Keith Mularski: I think supply side attacks, I mean, that's just the biggest thing. You know, we saw how successful that could be with SolarWinds. You know, we saw how that could be successful with just getting -- attacking a third party to get access to the networks. You know, we're seeing much more from, let's say, a nation-state standpoint of trying to live off the land, robber attacks, things that really aren't, know, leaving, you know, artifacts on the systems that EDR. EDR right now is, I mean, EDR is pretty amazing, you know, of where it was 15 years ago to where it is. And the bad guys all know that as well. So they try to get in places where they know there's not EDR, you know. So they're becoming more sophisticated on that. From the cybercriminal side, you know, still tried and true techniques are still working. Phishing is still huge. Here we are, you know, 20 years -- you know, I started working the "Digital Phishing Net" project in 2005, and here we are 20 years later, still talking about phishing being one of the, you know, the biggest thing. There's all these different phishing kits. AI is making phishing lures much more -- much better, you know, that are out there. But at the end of the day, people -- social engineering still works very well. So we do talk about sophisticated attacks, and those are really fun to investigate and look at and see the emergence of that. But there's still just a lot of basic things that are out there with phishing, people using RMM tools to, you know, now being their initial infection vector, you know, because those are usually whitelisted. So now if you're going into an RMM tool, you know, you're just not going to get detected.
David Moulton: Love the breakdown there. Where can folks find you out on the internet if they want to continue the conversation or look at what you're publishing?
Keith Mularski: Yeah, so I'm on LinkedIn. So I'm doing a number of thought leadership things out there on LinkedIn. You could always reach out to me. I'm on a podcast with two amazing people, Selena Larson from Proofpoint and Dave Bittner from CyberWire. Our podcast is called "Only Malware in the Building." That's monthly. So you could check us out there where we have a lot of fun talking about cyber issues. And then I'm out and about, you know, at many different conferences. So always glad to have the conversation.
David Moulton: Well, and let me take it back to the "Only Malware in the Building." How did you get to be the one to not eat the hot sauce on that episode with Bittner and Selena?
Keith Mularski: Oh, I ate the hot sauce. So here's a funny story with that, Dave, is that, I was watching the hot ones to prepare for it. And, I thought that, you know, hey, I could only just take like a bite, you know, I just had to take a bite as I was asking the questions. But we got like three of them in, and they're like, you're not eating the whole wing. So I had to go back and eat all my wings there. So I did do all the levels, including -- we did, all three of us did, the highest level twice, when Dave tried to turn on his FBI interrogation techniques on me, which was a lot of fun.
David Moulton: Well, I've got to say that that was a lot of fun to watch that episode. I'll go ahead and make sure that there's a link to it in the Show Notes. And yeah, I was talking to my brother about Hot Ones, and you know, Da Bomb is always the one that people start to have their mental faculties, they lose it, man. That's the reason you watch the show on some levels that that one hits. And I get this random package in the mail maybe two weeks ago, and I open it up and it's just a little jar of this Da Bomb. And you know, sometimes the intrusive thoughts come in and you're like, I'm going to try it, I'm going to try it. And then I'm like, nope, nope. That's like an entire day, maybe two days, just gone on a bottle of hot sauce that I don't need to risk it on.
Keith Mularski: I recommend if you do the hot sauces, you gotta, it makes -- not that it's any easier, but when you go up and you graduate -- you gradually go up, I think it's a little bit easier, as opposed to just like going and popping one of those big ones. I think that will crush you. One of our producers, when we were filming that, you know, did the hot one right at the end, and she was dying. She's like, how did you do it? But when you kind of build up to it, wasn't bad. It was a lot of fun.
David Moulton: It's kind of like getting into a cold pool, you know, toes in, stay there for a little while and eventually are up to your chin. But yeah, no cannonballs in. We're not young kids anymore. Well, Keith, thanks for coming on. This was a fun conversation, and I really appreciate you sharing your insights around the SOC, but also some of your stories. And we'll have to have you back on as you see what the next chapters bring for you. Because I don't think that you're one of those guys that's going to say, you know, I popped out of the FBI, did a little bit of a stint here and then went and found my rocker and did nothing. I'm going to see what you're actually rocking here in the next couple of years.
Keith Mularski: Sounds good, David. The pleasure's all mine. Thanks a bunch. [ Music ]
David Moulton: That's it for today. If you like what you heard, please subscribe wherever you listen and leave us your review on Apple Podcast or Spotify. That feedback and your reviews really do help me understand what you want to hear about. Or you can reach out to me directly in the show, email me at threatfactor @paloaltonetworks.com. I want to thank our executive producer, Michael Heller, our content and production teams, which include Kenne Miller, Joe Bettencourt, and Virginia Tran. Original music and mixed by Eliott Peltzman. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]
