"hacker intelligence officer" xue feng: there is only one truth, we must find it

Posted by santillano at 2020-03-05

I first heard of Xue Feng in 2015, when a programmer friend left his job to work for him. I asked my friend who Xue Feng was. He said: a big shot who had quit his job to start his own company, with explosive technical skills. I asked how explosive. My friend answered with a tongue twister: "Xue Feng dug up Microsoft's vulnerabilities, so Microsoft dug him up and took him to Microsoft." It took me a long time to work that out. Then I held up my thumb and called it 666.

My friend said Xue Feng planned to start a company doing "threat intelligence". I asked him what threat intelligence was. He paused and said, "Ahem... have you seen spy movies? Wartime intelligence, you know. Threat intelligence is the attack-and-defense intelligence hackers use to fight each other."

I immediately conjured up an image of Xue Feng as an "intelligence kingpin": sharp eyes, dressed in black, a scarred face, a cigar in his mouth, coming and going mysteriously, whereabouts unknown...

It wasn't until I got to know Xue Feng that I found out what the "intelligence tycoon" of the cybersecurity industry was really like...

When I saw Xue Feng last week he was, as usual, wearing a business polo shirt, tan trousers and thin-rimmed glasses. Whenever a topic gets him going, he immediately jumps up to write and draw on the glass wall. He is thin and not tall, rather like a young teacher.

(Teacher Xue in class)

It turns out the movies are all fake: in reality, the truly formidable technical experts are quite low-key.

Xue Feng is not only a technical heavyweight but also an outstanding entrepreneur. In the past three years his company Weibu Online has raised 120 million yuan a year, which is rare among domestic security start-ups.

What's more, Xue Feng was among the first entrepreneurs to do threat intelligence in China, and his story largely mirrors the overall development of the domestic threat intelligence market.

Today, Light Black Technology digs into his business story.


Back on one night in May 2015, Xue Feng was so excited that he couldn't sleep all night. The next morning he called up a few good friends and invited them to resign and start a business together.

That first day, Xue Feng and these friends talked about threat intelligence. When a related company came up, someone suggested investing while its valuation was still low. After discussion, everyone felt the direction was promising, but nobody expected that Xue Feng's real intention was to do it himself, let alone so suddenly.

Although Xue Feng said afterwards, "Actually I didn't think about it that much at the time. Rather than invest in others, I could just do it myself," he was then Amazon China's chief security officer, with a stable job and good pay. And he simply quit?

Entrepreneurship is said to be nine deaths for one survival. What made him so determined? Not only would he not invest in others, he had to do it himself? Does his family own a mine?

In the conference room, Xue Feng calmly pushed up his glasses and said:

"In those two years, I often pondered the question: why can a lot of big companies be turned upside down by hacker organizations? Even if they hire first-class security technicians. What's wrong? "

At the time he had seen a startling figure in a data breach report: in 2014 alone, more than 80,000 companies in the United States were hacked, and many large companies were pilloried over information security.

"Sony Pictures, from executive salaries to personal information of ordinary employees, are all made public by hackers suspected of coming from North Korea. JPMorgan Chase group, one of the largest financial services institutions in the United States, has lost more than 70 million customer information. "

What was the truth?

Xue Feng found that information security at the time relied too heavily on defensive technology. Once a firewall was breached by hackers, the whole network lay open.

In that situation there is a serious imbalance between attackers and defenders, and the attackers hold the advantage.

In terms of time, the attacker is always faster, while the defender can only protect passively; in terms of tools, the attacker can try any method at will, while the defender stays the same; in terms of numbers, one enterprise may be attacked repeatedly by dozens or even hundreds of attack groups, each with a different posture.

Worse, the enemy is in the dark and the defender in the light. Defenders don't know who the attackers are, what tools they use, or even how many waves of them have come.

"It's like when you hear a crow every day, but every time you open the door, you find no one and you can't do anything."  

This was probably the anxiety of almost every security defender at the time.

In 2015, Xue Feng drew inspiration from a security startup called CrowdStrike.

"They have completely changed their thinking. In addition to detecting suspicious samples, they will also check the relationship between programs, the network relationship between computers and servers, and use the correlation analysis of various information to determine the source of threats.

"In the case of door prying, a lock alone can't stop bad people. You need professional monitoring equipment, such as a camera, to find the bad people who break in.

If the problem is serious, when the police come, they will identify each other's tools and professional standards through the traces of lock picking. They will ask the security guard what suspicious people have been in and out of the community recently. They will call the camera to monitor the records and compare whether the nearby habitual criminals are according to their appearance They will retrieve all useful clues to restore the process of the crime and the portrait of the suspect, and finally find the suspect.

The first half is monitoring and the second half is traceability. " Xue Feng said.

Obviously, if defenders in cyberspace had the same investigative ability as veteran police, they too could use all kinds of data to reconstruct the attack process, locate the attack group, and have the police "check the water meter" at the attackers' home.

At the time, this approach had already been proven feasible abroad, which excited Xue Feng.

"The target industry characteristics, attack methods, tools, exploits, Trojan samples, server domain names, IP, digital certificates, etc. of a gang of hackers are all useful data, which can be used to restore the portraits and attack processes of hackers."

Xue Feng's description reminded me of the classic scene in crime films: detectives in a dark room put up slides to analyze the clues, map out the relationships within the criminal gang against the photos on the wall, and finally stick a dart into the portrait at the top.

Interestingly, Xue Feng comes from a public security background.

"Prediction, response, defense and discovery are all very important. But in the past, the security industry focused most of its attention on defense and used too little security data."  

Having found the truth, Xue Feng was as excited as if he had discovered a new world. Drawing on his many years of offensive and defensive experience, he firmly believed this road would work.

Everything moved very fast. It took Xue Feng just over a month from having the idea to starting the business, and his determination finally won him the favor of investors. It is said that Xue Feng's child was about to be born at the time, so even the investment negotiations had to be arranged near the hospital.

It turned out that Xue Feng's judgment was correct. Almost at the same time, one security company after another in China also realized the significance of threat intelligence.

In August, the Tianji Friendship Alliance and Baimaohui entered threat intelligence; in September, 360 set up its Threat Intelligence Analysis Center; in October, the Beacon Threat Intelligence Alliance was founded... A gust of wind blew across the country, and everywhere it went, things bloomed.

On the last day of 2015, December 31, the official Weibo account of Weibu Online suddenly published a threat analysis report, with a passage from "Ithaca" by the Greek poet Cavafy at the beginning, which matched his mood:

"When you leave for Ithaca, I hope your journey will be long, full of miracles, full of discoveries To commemorate 2015, the passing first year of China's threat intelligence. "

(image from Weibo @ Security Threat Intelligence)


"At that time, many people didn't understand what threat intelligence was, what it could do, and how to use it. They often had to explain it for half a day." This is Xue Feng's first problem. He figured out a way to do something.

Back to the report mentioned above. At the time, the security department of a large Chinese company had submitted a Flash Player 0-day vulnerability to Adobe. Adobe was surprised to find that the vulnerability had already been used by a hacker group to attack senior management at enterprises, so it urgently released a patch.

Who was the attacker? What did they want? Were they targeting China? Were they after trade secrets? The industry was abuzz.

While everyone was still talking about it, Xue Feng quickly gathered his analysts and began correlating data, producing a series of important pieces of threat intelligence:

This attack group was very likely the hacker organization Darkhotel ("dark inn"), which had appeared a few years earlier.

Not only were the attack techniques and process the same, but the target industries, countries and populations, the anti-virus evasion techniques and the server-side framework all matched closely.

According to past threat intelligence, the Darkhotel group focuses on executives staying in hotels: they hijack the WiFi of the hotel room where the victim is staying in order to carry out phishing.

In the report, Weibu Online immediately recommended that enterprise CXOs upgrade Flash Player at once, be careful when connecting to hotel WiFi while travelling, and not click unfamiliar links or email attachments...

"I just want you to know that security incidents can do so many things from the perspective of threat intelligence." Xue Feng said.

This was not the first time Weibu Online had shown its skills. A few months earlier, the sensational XcodeGhost incident had broken out: a large number of apps in Apple's App Store carried malicious code, including apps from big companies that we use every day, and even the official apps of many banks.

At the time the whole Chinese internet was in an uproar: CNCERT issued an early warning, and the major security companies and departments published all kinds of analysis reports. Weibu Online also analyzed the incident from the threat intelligence perspective. By correlating sample features, IPs, domain names and other data, they pinned down the suspect's identity directly and inferred that the originator of the incident was closely related to two other malicious programs.

(this is the threat intelligence clue map pieced together at the time)

"After those events, more and more people in the industry began to pay attention to threat intelligence."

Besides technical reports, Xue Feng also launched what might be called "preaching in person" mode.

Around 2016 he frequently appeared as a speaker at major cybersecurity conferences, and audiences were often drawn first by his personal résumé:

"Former chief security officer of Amazon China, director of Microsoft China Internet security strategy, and the first Chinese speaker at the top blackhat European Security Conference and Microsoft bluehat conference.".

Then the audience noticed the company and was won over by the content of his talk.

"Xue Feng's sales ability is very strong." His colleague ocean commented on him. However, I found that Xue Feng was not such a smart talker. What he really touched me was that he believed in Threat Intelligence from his heart and his own career. This kind of firmness emanating from the inside out is easy to infect others.


In the conference room, Xue Feng tried to explain to me the development path of Weibu Online. He picked up a pen and drew a circle on the glass wall, inside which he wrote two English words, "threat graph": the threat data graph. He said:

"This is the core value of micro step, a huge threat map library, including a series of data from sample eigenvalues to servers, domain names and so on. After combing analysts or machine learning models, they will become a useful Threat Intelligence."

Me: "where did all this data come from?"

Xue Feng: "there are mainly several types of data acquisition channels, including open channels, commercial channels, micro step threat intelligence community, security personnel from all over the world are submitting it every day; there are also partner channels, we have cooperation with more than 30 AV manufacturers."

Me: Wait, more than 30 AV vendors? A... V?

Xue Feng: Anti-virus! Anti-virus vendors, Kaspersky, Microsoft and so on!
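The correlation described above, pivoting between sample features, domain names, IPs and certificates until an incident ties back to a known group, is the basic query a threat graph answers. The following is an added example written for this article, not code from Weibu Online or from the original post; every hash, domain, IP, certificate and group name in it is constructed.

```python
"""Toy threat-graph correlation: tie a new incident's indicators to a known
attack group by pivoting through shared infrastructure. Added illustration;
every hash, domain, IP, certificate and group name below is constructed."""
from collections import defaultdict

# Knowledge base: each edge links two (type, value) nodes; "group" nodes
# anchor the attribution. Last edge models shared hosting between A and B.
KNOWN_EDGES = [
    (("group", "GroupA"), ("sha256", "aaaa1111")),
    (("sha256", "aaaa1111"), ("domain", "update-check.example")),
    (("domain", "update-check.example"), ("ip", "192.0.2.10")),
    (("sha256", "aaaa1111"), ("cert", "CERT-A")),
    (("group", "GroupB"), ("sha256", "bbbb2222")),
    (("sha256", "bbbb2222"), ("domain", "cdn-mirror.example")),
    (("domain", "cdn-mirror.example"), ("ip", "198.51.100.7")),
    (("domain", "cdn-mirror.example"), ("ip", "192.0.2.10")),
]
# Indicators pulled from a new incident: an unseen sample, a known C2
# domain, the shared IP and a reused signing certificate.
INCIDENT_INDICATORS = [("sha256", "cccc3333"), ("domain", "update-check.example"),
                       ("ip", "192.0.2.10"), ("cert", "CERT-A")]
MAX_HOPS = 3  # longer pivot chains are too weak to count as evidence

def build_graph(edges):
    """Undirected adjacency map: node -> set of neighbouring nodes."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph

def reachable_groups(graph, start, max_hops=MAX_HOPS):
    """BFS from one indicator; return {group: hops} for group nodes within
    max_hops. An indicator absent from the graph yields nothing."""
    hops, frontier, found = {start: 0}, [start], {}
    while frontier:
        nxt = []
        for node in frontier:
            for nb in graph.get(node, ()):
                if nb in hops:
                    continue
                hops[nb] = hops[node] + 1
                if nb[0] == "group":
                    found[nb[1]] = hops[nb]      # groups are terminal
                elif hops[nb] < max_hops:
                    nxt.append(nb)
        frontier = nxt
    return found

def attribute(graph, indicators, max_hops=MAX_HOPS):
    """Score each group by summing (max_hops + 1 - hops) over indicators that
    pivot to it, so direct links outweigh long chains through shared
    infrastructure. Returns (ranked [(group, score)], evidence per group)."""
    scores, evidence = defaultdict(int), defaultdict(list)
    for ind in indicators:
        for group, hops in reachable_groups(graph, ind, max_hops).items():
            scores[group] += max_hops + 1 - hops
            evidence[group].append((ind, hops))
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked, dict(evidence)
```

Here the shared IP alone points at both groups, which is why the score favours short pivots: a domain or certificate reused by one group is stronger evidence than an IP that several unrelated gangs may have rented.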


(I searched a website in the Weibu engine and found some strange things.)

As Xue Feng talked, he wrote a pile of words outside the circle.

"The rest are all landing plans, the purpose of which is to export our core Threat Intelligence to customers and meet their specific security needs."

The several keywords outside the circle form a line, just like Xue Feng's "line of march" over the past three years.

(Yaoge tries to reproduce the picture Xue Feng drew on the wall)

Around 2017, "threat intelligence is hard to deliver" was a topic many people relished, and Weibu Online made many attempts.

At first, Weibu Online built a dedicated threat intelligence search engine, similar to Baidu or Google. Users upload suspicious samples for security inspection, and enterprises can run bulk queries through its API.

However, not many enterprises were willing to use the API. First, the API was a bit complicated. Second, domestic enterprises preferred to download more antivirus engines and check for themselves rather than upload sensitive files to a third-party vendor, which is very different from abroad.

"Three? The four one? There will be so many customers receiving API around 2016. " Xue Feng did not shy away from the commercial tragedy at that time, "the main focus is on the construction of threat intelligence analysis library."  

Later, Xue Feng simply turned the threat search engine into a community. Anyone who had been attacked could submit the relevant information for others to look up for free, so that the attack group could not hit others the same way again, and everyone could find out who was behind it.

The community didn't bring Weibu Online money, but it won them popularity and laid the foundation for what came later. Xue Feng said the community now receives 300,000 to 500,000 threat submissions every day and has become one of Weibu Online's main sources of industry awareness.

By mid-2017, Weibu Online had developed two systems, TDP and TIP. One analyzes the enterprise's internal traffic and combines it with external threat intelligence to judge threats comprehensively; the other helps the enterprise manage threat intelligence efficiently. With these they won benchmark customers in several major domestic industries, and customers began to surge.

Xue Feng listed the names of dozens of companies, including China Merchants Bank, Bank of Communications, Tencent, PetroChina, State Grid, Galaxy Securities, Stock Connect, Shunfeng and so on.

Last year, Weibu Online bought OneDNS, a well-known public DNS resolution service provider, in order to export its threat intelligence capability in the form of DNS resolution.

"Directly change the DNS domain name resolution server address of the enterprise or its own computer to" "or" "to obtain our security service. Once the dangerous domain name is accessed, it will automatically intercept and alarm." Xue Feng said that the point is not to install any additional software, you might as well recommend it to your friends. I say yes. (it's also the fulfillment of commitments...)

In 2017, Gartner, the global authority on IT analysis, released its 2017 Global Threat Intelligence Market Guide, in which Weibu Online was the only Chinese vendor listed. Only two years passed from the company's founding to its selection, a record among security companies worldwide. Xue Feng attributed it to "the knife being fast enough and the needle sharp enough."


By mid-2018, people's attention had been drawn to new technology trends such as blockchain, and "threat intelligence" no longer had the buzz of the previous year.

Once, a friend patted Xue Feng on the shoulder and said, "How come threat intelligence isn't hot any more?" Xue Feng didn't mind at the time, but a while later another friend brought it up too: "Why is hardly anyone in my circle of friends discussing threat intelligence now?"

"I thought about it and thought it was going to happen." Xue Feng said that in the early one year, every start-up company boasted that it used deep learning algorithm and artificial intelligence technology. This year, everyone's focus is not on whether you use AI or not, but on what problems you can solve and how well you can solve them.

In fact, it is the same with any new technology or technical concept. When it seems to be "left out", there can be two outcomes: either it is really finished, or it has become accepted infrastructure, as ordinary as water and electricity.

This is also consistent with Gartner's general model of technology development, the hype cycle, usually translated into Chinese as "maturity curve" or "hype curve": from the emergence of an innovation, to a flood of media coverage and discussion, to real deployment, and finally to widespread adoption.

(Gartner believes technology generally goes through several stages: innovation, media hype, deployment and large-scale adoption)

"To start a business, after all, you have to believe in your own judgment, not the hot spots in your circle of friends." Xue Feng said.

At that moment, through Xue Feng's eyes, I felt the excitement of "heaven is about to bestow a great responsibility" from three years earlier, the night before he decided to quit and start his own business, as if I could see his back as he typed out that Greek poem on New Year's Eve.

When you set out for Ithaca,

I hope you have a long way to go,

Full of wonder, full of discovery.

Laestrygonians, Cyclops,

Angry Poseidon: don't be afraid of them;

You won't encounter monsters like this on your way,

As long as you exalt your thoughts,

As long as there is a special feeling,

Lend your mind and body.

Laestrygonians, Cyclops,

The savage Poseidon: you will not meet them

Unless you take them all the way into your soul,

Unless your soul sets them up in front of you.

I hope you have a long way to go.

I wish there were many summer mornings,

When you are so happy and excited

Enter the harbor you saw for the first time:

I hope you stop at the Phoenician Market

Buy beautiful things,

Mother of Pearl and coral, amber and ebony,

Every kind of perfume that is ecstatic.

You can be as enchanted as you want:

May you visit many Egyptian cities

Ask for advice from people of insight and continue to ask for advice.

Keep Ithaca in your heart,

Arriving there is the purpose of your trip.

But don't go too fast,

It's better to extend it for a few more years,

When you get to the island, you're old,

The gains along the way have made you rich and square,

You don't need Ithaca to make you rich.

It was Ithaca who gave you such a magical journey,

Without it you would not have set out.

Now she has nothing to give you.

And if you find it so poor, it's not that

Ithaca wanted to fool you.

Since then you have become very intelligent and knowledgeable,

You don't get it,

What these Ithacas mean.


Finally, let me introduce myself. I'm Xie Yao, a popular science and technology writer. I usually explain all kinds of advanced technical knowledge and "black technology" in a popular and entertaining way. If you have any interesting technology questions, you can add my personal WeChat: dexter0.

If you don't want to miss out, follow [Light Black Technology]!
