1 00:00:01,280 --> 00:00:04,640 S1: Welcome to Unsupervised Learning, a security, AI and meaning focused 2 00:00:04,640 --> 00:00:07,490 S1: podcast that looks at how best to thrive as humans 3 00:00:07,490 --> 00:00:11,720 S1: in a post AI world. It combines original ideas, analysis, 4 00:00:11,750 --> 00:00:14,960 S1: and mental models to bring not just the news, but 5 00:00:14,960 --> 00:00:18,350 S1: why it matters and how to respond. All right, Jason, 6 00:00:18,350 --> 00:00:19,970 S1: welcome to Unsupervised Learning. 7 00:00:20,540 --> 00:00:24,140 S2: Thanks for having me. First time on unsupervised learning. Super excited. 8 00:00:24,170 --> 00:00:27,980 S1: Yeah, absolutely. So as most people know, we know each 9 00:00:28,010 --> 00:00:33,050 S1: other very well. And you've also started your own business recently. 10 00:00:33,050 --> 00:00:36,470 S1: You've got Arcanum Security up and running. So congrats on that. 11 00:00:36,500 --> 00:00:37,220 S1: Thank you. 12 00:00:37,220 --> 00:00:38,810 S2: I mean, you were you were the one who pushed 13 00:00:38,810 --> 00:00:40,040 S2: me to do it. So I got to thank you 14 00:00:40,040 --> 00:00:40,820 S2: on that one. 15 00:00:40,850 --> 00:00:44,540 S1: Yeah. Yeah. Really exciting to see that. And, uh, you're 16 00:00:44,540 --> 00:00:49,220 S1: also field CSO for, uh, for flare, which is super exciting. 17 00:00:49,220 --> 00:00:52,729 S1: So I'm sure you've got a million companies, like beating 18 00:00:52,729 --> 00:00:55,070 S1: down the door to try to, like, be associated with 19 00:00:55,070 --> 00:00:57,260 S1: you and like, get you on the team and everything. 20 00:00:57,260 --> 00:01:00,250 S1: So what was, uh, the thing that stood out and 21 00:01:00,250 --> 00:01:02,080 S1: made you want to do it with flair. 22 00:01:02,620 --> 00:01:06,759 S2: Yeah. So that's actually a really great question, I think. 
Um, 23 00:01:06,760 --> 00:01:10,809 S2: so but between leaving Ubisoft, which, you know, actually wearing 24 00:01:10,810 --> 00:01:13,959 S2: the merch right now, um, between leaving Ubisoft, the video 25 00:01:13,990 --> 00:01:16,660 S2: game company, and being CSO there and then coming back 26 00:01:16,660 --> 00:01:18,550 S2: into Red team, there was a year where I worked 27 00:01:18,550 --> 00:01:20,950 S2: with a buddy of mine at another consultancy before I 28 00:01:20,950 --> 00:01:23,290 S2: started my own thing. And so over the past couple 29 00:01:23,319 --> 00:01:26,470 S2: of years, I've been on the red teaming side, um, 30 00:01:26,470 --> 00:01:28,570 S2: a lot of red teaming, a lot of pen testing. 31 00:01:28,569 --> 00:01:34,000 S2: And what I noticed was that kind of adversary methodologies 32 00:01:34,000 --> 00:01:38,050 S2: had changed a little bit from what the very known 33 00:01:38,050 --> 00:01:43,089 S2: penetration testing methodologies and red teaming methodologies, um, had, uh, 34 00:01:43,090 --> 00:01:45,760 S2: you know, had consistently shown, at least from, you know, 35 00:01:45,790 --> 00:01:48,250 S2: me talking to peers and, you know, reviewing reports. And 36 00:01:48,250 --> 00:01:50,350 S2: I did a bunch of research in the last two years. 37 00:01:50,350 --> 00:01:55,360 S2: And so that shift was basically, um, adversaries are not 38 00:01:55,360 --> 00:01:57,990 S2: using hacking methods, at least in the traditional sense as 39 00:01:58,020 --> 00:02:00,570 S2: their first stop shop right there, looking on the dark 40 00:02:00,600 --> 00:02:05,250 S2: web for pre-owned accounts and credentials for organizations. And so 41 00:02:05,250 --> 00:02:07,620 S2: I had to figure out a way to add that 42 00:02:07,620 --> 00:02:10,770 S2: to my methodology when we did red team tests. 
And 43 00:02:10,770 --> 00:02:13,169 S2: so I baked off, you know, all of the companies 44 00:02:13,169 --> 00:02:16,320 S2: that did this because I wanted to, you know, provide 45 00:02:16,320 --> 00:02:19,680 S2: the best, uh, you know, adversary emulation that I could. 46 00:02:19,680 --> 00:02:22,110 S2: And so when I looked at all these companies, I 47 00:02:22,110 --> 00:02:25,230 S2: stumbled upon flair, um, at a conference, met one of 48 00:02:25,230 --> 00:02:29,820 S2: their reps and started using their trial and, uh, used it. 49 00:02:29,820 --> 00:02:32,640 S2: And it was it was an order of magnitude better 50 00:02:32,639 --> 00:02:35,310 S2: than any other vendor as far as finding creds for 51 00:02:35,310 --> 00:02:38,970 S2: an organization. Um, and they do it in a, you know, 52 00:02:39,000 --> 00:02:41,609 S2: a CRM, you know, kind of way, a credential exposure 53 00:02:41,610 --> 00:02:44,370 S2: management threat, Intel management way. I mean, they sell that, 54 00:02:44,370 --> 00:02:47,820 S2: but they also let pen testers and red teamers use 55 00:02:47,820 --> 00:02:50,220 S2: the data as well for their customers. So if I 56 00:02:50,220 --> 00:02:53,280 S2: have a customer for Arcanum, you know, I can use 57 00:02:53,280 --> 00:02:56,600 S2: the I can use my relationship with them to look 58 00:02:56,630 --> 00:02:58,910 S2: up creds on that company in the red team test. 59 00:02:58,910 --> 00:03:01,640 S2: And so, um, like five out of the last six 60 00:03:01,639 --> 00:03:06,260 S2: red team engagements that I had done in 2023, uh, 61 00:03:06,260 --> 00:03:09,410 S2: flare credentials, which are pulled off of the dark web, 62 00:03:09,440 --> 00:03:14,180 S2: telegram channels and stuff like that. Um, they came from 63 00:03:14,210 --> 00:03:17,600 S2: the success came from the credentials that came out of flare. 
Um, 64 00:03:17,600 --> 00:03:21,560 S2: and so I started talking to them and I was like, hey, um, 65 00:03:21,560 --> 00:03:23,929 S2: you know, like, really like what you guys are doing. 66 00:03:23,930 --> 00:03:25,880 S2: I ended up doing like a, I think one podcast 67 00:03:25,880 --> 00:03:29,750 S2: with them. Um, and then that transitioned to them being like, hey, 68 00:03:29,750 --> 00:03:31,490 S2: would you like to come work part time as our 69 00:03:31,490 --> 00:03:34,669 S2: field CISO? And I was like, yeah, absolutely. So that's 70 00:03:34,669 --> 00:03:37,730 S2: how that relationship started. And and now, you know, I 71 00:03:37,730 --> 00:03:40,970 S2: do content for them. Um, I advise them on product. 72 00:03:40,970 --> 00:03:43,610 S2: I do all kinds of stuff like randomly, you know, 73 00:03:43,610 --> 00:03:46,130 S2: it's a startup. Everybody wears every hat. So yeah, that's 74 00:03:46,130 --> 00:03:47,180 S2: that's how that started. 75 00:03:47,210 --> 00:03:49,820 S1: No, that's very cool. And it flows really well with 76 00:03:49,820 --> 00:03:51,950 S1: what you're doing in Arcanum. Right. Because you're doing red 77 00:03:51,980 --> 00:03:54,320 S1: team over there. You're doing training over there. You're doing 78 00:03:54,320 --> 00:03:55,270 S1: all kinds of stuff. 79 00:03:55,300 --> 00:03:58,210 S2: Yeah, I mean, it comes in handy with the red teaming. 80 00:03:58,210 --> 00:04:01,060 S2: The purple teaming. Um, you know, the, you know, the 81 00:04:01,060 --> 00:04:02,620 S2: times when we do consult a little bit on blue 82 00:04:02,650 --> 00:04:05,560 S2: teaming as well, which is, you know, threat intelligence and 83 00:04:05,560 --> 00:04:10,150 S2: exposure management and um, yeah, really, it's been awesome. 
And 84 00:04:10,150 --> 00:04:12,760 S2: they've been really receptive to from, you know, when I 85 00:04:12,790 --> 00:04:16,360 S2: am a customer asking for, you know, features, they're on it, 86 00:04:16,360 --> 00:04:18,520 S2: they're like, hey, like we'll build that soon. It's on 87 00:04:18,520 --> 00:04:21,670 S2: the roadmap. So um, and they're one of the only players, 88 00:04:21,670 --> 00:04:25,359 S2: I think that also works with, um, like those pentesting companies, right, 89 00:04:25,360 --> 00:04:27,850 S2: where you can redistribute that threat Intel data and that 90 00:04:27,850 --> 00:04:30,339 S2: exposure data to use it in your engagements. So I 91 00:04:30,339 --> 00:04:31,630 S2: think that's really cool too. 92 00:04:31,720 --> 00:04:35,620 S1: Yeah, I really like that red team focus that that's 93 00:04:35,620 --> 00:04:40,810 S1: really powerful. Um, so what what would another protection scheme 94 00:04:40,810 --> 00:04:43,450 S1: look like for a customer? So let's say you're a 95 00:04:43,450 --> 00:04:47,080 S1: regular customer and you buy a flare. Is this essentially 96 00:04:47,080 --> 00:04:49,989 S1: threat Intel that's coming down to you to notify you 97 00:04:49,990 --> 00:04:52,029 S1: that a credential has been compromised? So, you know, to 98 00:04:52,029 --> 00:04:54,210 S1: rotate it? Is that like the main use case? 99 00:04:54,600 --> 00:04:59,010 S2: Yeah. So in in kind of the dark web world. Right. 100 00:04:59,070 --> 00:05:01,260 S2: That attackers kind of go through there's, there's really the 101 00:05:01,260 --> 00:05:06,029 S2: stepping stone or like I call it levels of, of 102 00:05:06,029 --> 00:05:08,550 S2: data that's exposed via the dark web. Right. And so 103 00:05:08,550 --> 00:05:09,960 S2: this is part of that research I did in my 104 00:05:09,960 --> 00:05:13,320 S2: last two years. And so the first level is creds 105 00:05:13,320 --> 00:05:14,970 S2: that have already made it to the clear web. Right. 
106 00:05:15,000 --> 00:05:17,040 S2: So this is stuff that you will see. And have 107 00:05:17,040 --> 00:05:19,830 S2: I been pwned and leaked X. And you know some 108 00:05:19,830 --> 00:05:23,160 S2: things like this. Right. Um, and so these things are 109 00:05:23,160 --> 00:05:26,130 S2: already on the public web. They're posted via paste sites, 110 00:05:26,250 --> 00:05:29,460 S2: they're already on torrent listed sites and stuff like that. 111 00:05:29,460 --> 00:05:33,000 S2: And so that's the first place an adversary will go, okay, um, 112 00:05:33,029 --> 00:05:36,870 S2: to look for creds. Now, uh, there are several other intermediaries, 113 00:05:36,870 --> 00:05:38,640 S2: but eventually you get to one of the higher tiers, 114 00:05:38,640 --> 00:05:45,780 S2: the higher levels. And that level is looking on telegram, discord, WhatsApp. Um, and, 115 00:05:45,810 --> 00:05:47,640 S2: you know, some of the dark web forums that are 116 00:05:47,640 --> 00:05:51,210 S2: invite only to find really fresh what we call, um, 117 00:05:51,230 --> 00:05:54,140 S2: you know, basically they're the result of Steeler malware. Um, 118 00:05:54,140 --> 00:05:57,859 S2: and so these packs of, um, you know, data from 119 00:05:57,860 --> 00:06:02,060 S2: Steeler malware end up being sold, and they include, uh, 120 00:06:02,060 --> 00:06:06,560 S2: credentials and cookies, um, from a user that might be 121 00:06:06,560 --> 00:06:09,740 S2: associated to your business. And so that's where attackers will 122 00:06:09,740 --> 00:06:11,330 S2: end up. And then right after that is the step 123 00:06:11,330 --> 00:06:13,640 S2: where they actually try to hack you. Right? Um, but 124 00:06:13,640 --> 00:06:15,140 S2: they'll do all the easy stuff first. 125 00:06:15,170 --> 00:06:18,620 S1: Okay. And then so we hear a lot about like 126 00:06:18,650 --> 00:06:22,520 S1: toufar bypass or whatever. 
So is this where the Toufar 127 00:06:22,550 --> 00:06:24,710 S1: bypass comes in with the cookie stuff? 128 00:06:24,890 --> 00:06:28,219 S2: Yeah, exactly. So, um, you can have your credentials stolen 129 00:06:28,220 --> 00:06:31,940 S2: in a myriad of ways, right? Uh, and that is 130 00:06:31,940 --> 00:06:36,800 S2: stymied by kind of traditional, um, you know, traditional security 131 00:06:36,800 --> 00:06:39,950 S2: advice of using toufar. Right. And I think that what 132 00:06:39,980 --> 00:06:42,469 S2: a lot of people miss out on is that most 133 00:06:42,470 --> 00:06:45,410 S2: of the time when credentials are stolen, other than from, like, 134 00:06:45,440 --> 00:06:50,200 S2: a breach, right? They're stolen via credit stealer malware. which 135 00:06:50,200 --> 00:06:53,740 S2: owns your whole computer. And that means that the cookies 136 00:06:53,740 --> 00:06:57,220 S2: in your browser, like Chrome or Firefox, are stolen from, 137 00:06:57,339 --> 00:07:00,010 S2: you know, from that malware and sold as well. And 138 00:07:00,010 --> 00:07:03,429 S2: so that means that you can just inject a cookie 139 00:07:03,760 --> 00:07:06,400 S2: into a website and never be asked for a password 140 00:07:06,430 --> 00:07:08,290 S2: or a cookie. You know, the cookie. You know, for 141 00:07:08,290 --> 00:07:11,560 S2: those who aren't really, um, you know, aware of the, 142 00:07:11,590 --> 00:07:14,020 S2: you know, technology or I'm sure most people who watch 143 00:07:14,020 --> 00:07:15,850 S2: your show, you know, are aware of what cookies are, 144 00:07:15,850 --> 00:07:19,450 S2: but in most senses, authentication cookies. Just tell the website 145 00:07:19,450 --> 00:07:21,610 S2: that you are already authenticated, and you can view a 146 00:07:21,610 --> 00:07:24,670 S2: page for a certain amount of time or an authenticated 147 00:07:24,670 --> 00:07:27,640 S2: section of an application. So you have you have Netflix, right. 
148 00:07:27,670 --> 00:07:31,540 S2: And so, you know, you leave Netflix logged in for weeks, months, 149 00:07:31,540 --> 00:07:34,570 S2: years sometimes. Right. And that's controlled by the cookie. When 150 00:07:34,600 --> 00:07:37,150 S2: your browser visits Netflix, the first thing it does is 151 00:07:37,150 --> 00:07:40,090 S2: it looks for the Netflix authentication cookie. And it says yes, 152 00:07:40,090 --> 00:07:44,380 S2: Daniel has that one. It's it's hasn't set to expire yet. 153 00:07:44,380 --> 00:07:47,200 S2: And so we know this is Daniel coming from this 154 00:07:47,230 --> 00:07:50,040 S2: cookie and we'll let them in without asking for username 155 00:07:50,040 --> 00:07:51,000 S2: and password. 156 00:07:51,660 --> 00:07:54,180 S1: Yeah, that totally makes sense because like in the course 157 00:07:54,180 --> 00:07:57,360 S1: of a session or even, you know, half a day 158 00:07:57,360 --> 00:08:00,300 S1: or a day, you're hitting hundreds of things, right? And 159 00:08:00,300 --> 00:08:03,090 S1: you can't be re-authoring each time. So you're just sending 160 00:08:03,090 --> 00:08:05,610 S1: a cookie. So that makes sense. So I imagine in 161 00:08:05,610 --> 00:08:08,850 S1: the forums they're going to have like decay numbers for 162 00:08:08,850 --> 00:08:11,730 S1: how long this token is going to be valid. 163 00:08:12,060 --> 00:08:14,550 S2: Yeah. And the dark and the dark web forums, you know, 164 00:08:14,580 --> 00:08:17,430 S2: they'll they'll sell the packs of, you know, like Red 165 00:08:17,430 --> 00:08:20,580 S2: line is the biggest credential stealing malware right now. 
In fact, 166 00:08:20,580 --> 00:08:24,150 S2: I think Cisa came out with an advisory just yesterday that, uh, 167 00:08:24,150 --> 00:08:26,160 S2: or the DoD just came out with an advisory saying 168 00:08:26,190 --> 00:08:29,880 S2: it's their number one, like focus is to fight, um, 169 00:08:29,880 --> 00:08:33,030 S2: Red line, which is one of the credential stealer malware 170 00:08:33,030 --> 00:08:36,360 S2: and um, and yeah, so that'll steal the cookies and 171 00:08:36,360 --> 00:08:38,460 S2: the credentials and a whole bunch of other stuff too. 172 00:08:38,490 --> 00:08:40,920 S2: Like when you see one of the packs being sold, 173 00:08:40,920 --> 00:08:44,220 S2: it's usually, uh, you know, sold. And it has a 174 00:08:44,220 --> 00:08:46,339 S2: whole bunch of zips in it, and the zips in 175 00:08:46,340 --> 00:08:48,650 S2: it have the result of the malware. You get a 176 00:08:48,650 --> 00:08:52,160 S2: screenshot of the desktop, you get that person's stored Chrome 177 00:08:52,160 --> 00:08:54,800 S2: credentials for all the sites they visit. You get the 178 00:08:54,830 --> 00:08:57,470 S2: cookies for all the sessions that the browser is logged into. 179 00:08:57,500 --> 00:09:00,410 S2: So all of their consumer apps, you get a full 180 00:09:00,410 --> 00:09:06,650 S2: hardware listing of every app that's running on the infected machine. Yeah. 181 00:09:06,650 --> 00:09:08,599 S2: It's crazy. I mean, I mean, Red line is a 182 00:09:08,600 --> 00:09:10,370 S2: pretty advanced infostealer. So yeah. 183 00:09:10,400 --> 00:09:13,550 S1: Yeah, I saw a thing yesterday. I got it marked for, um, 184 00:09:13,550 --> 00:09:20,360 S1: for the show later. Uh, Russian national Roudometof, uh, just 185 00:09:20,360 --> 00:09:24,469 S1: got captured for the red line. Yeah. And evidently they've 186 00:09:24,470 --> 00:09:27,290 S1: got full source code and everything, and, uh. 
Yeah, bad 187 00:09:27,320 --> 00:09:30,470 S1: OpSec was, uh, which has never happened before. Bad ops 188 00:09:30,559 --> 00:09:31,610 S1: never happened. Yeah. 189 00:09:32,360 --> 00:09:32,780 S2: Yeah. 190 00:09:32,809 --> 00:09:36,650 S1: I mean, yeah. That's interesting. So. So you just really 191 00:09:36,650 --> 00:09:40,490 S1: like the flow that flare is using here to like, 192 00:09:40,760 --> 00:09:45,550 S1: are they, are they better at going deeper into these forums. 193 00:09:45,580 --> 00:09:47,559 S1: Like what do you think sets him above right? Because 194 00:09:47,559 --> 00:09:49,930 S1: there's a lot of people playing in this space. 195 00:09:49,960 --> 00:09:53,800 S2: Yeah. For sure. So, um, I mean, I don't recommend 196 00:09:53,800 --> 00:09:57,040 S2: a product unless I, I review like kind of the 197 00:09:57,040 --> 00:09:59,830 S2: whole space, right? So, um, you know, like, in another life, 198 00:09:59,830 --> 00:10:01,630 S2: I probably could have been a Gartner analyst or something 199 00:10:01,630 --> 00:10:04,689 S2: like that, you know, but, uh, uh, but yeah, it 200 00:10:04,690 --> 00:10:08,350 S2: is the level at which, um, they go for their credentials. 201 00:10:08,350 --> 00:10:11,500 S2: It's really the research team. They're finding other novel ways 202 00:10:11,500 --> 00:10:14,559 S2: to of surfacing the data that ends up on the 203 00:10:14,559 --> 00:10:18,700 S2: dark web. Um, you know, I'm, uh, I may, may 204 00:10:18,700 --> 00:10:20,739 S2: or may not be aware of a new feature that's 205 00:10:20,740 --> 00:10:23,920 S2: going to launch pretty soon around this whole thing of cookies. Um, 206 00:10:24,040 --> 00:10:26,979 S2: coming out in, uh, in a couple of weeks. But, um, 207 00:10:26,980 --> 00:10:31,270 S2: to help people just. Yeah, in mass invalidate, um, cookies 208 00:10:31,270 --> 00:10:34,600 S2: from B2C companies. Right. So, like, Netflix is a great example, right? 
209 00:10:34,630 --> 00:10:37,569 S2: So we could, you know, flare could work with Netflix 210 00:10:37,570 --> 00:10:39,790 S2: and give them a list of all cookies that have 211 00:10:39,790 --> 00:10:42,220 S2: been compromised, and then they can feed that into a 212 00:10:42,220 --> 00:10:46,350 S2: script that will invalidate those sessions. Oh yeah, and in 213 00:10:46,350 --> 00:10:49,380 S2: real time over API too. So, um, so those are 214 00:10:49,380 --> 00:10:51,690 S2: some exciting things. And that's the kind of stuff like, 215 00:10:51,720 --> 00:10:54,630 S2: you know, we talk about internally, they're building quickly, but 216 00:10:54,630 --> 00:10:58,260 S2: it is really the, the depth of the, um, you know, 217 00:10:58,290 --> 00:11:00,120 S2: the threat research or whatever you want to call it, right? 218 00:11:00,150 --> 00:11:04,709 S2: That the team that gets into the forums and, and 219 00:11:04,710 --> 00:11:07,980 S2: the telegrams and the discords is better than any other 220 00:11:07,980 --> 00:11:09,840 S2: I've seen. So, I mean, it's really at the end 221 00:11:09,840 --> 00:11:11,670 S2: of the day for any of those platforms, it's how 222 00:11:11,700 --> 00:11:14,459 S2: deep can they get into the ecosystem. Um, you know, 223 00:11:14,490 --> 00:11:16,830 S2: so bad that, you know, sometimes, you know, we see 224 00:11:16,860 --> 00:11:19,260 S2: people talking about flare on the dark web and like 225 00:11:19,290 --> 00:11:22,290 S2: lamenting the fact that we're, you know, like exposing all 226 00:11:22,320 --> 00:11:23,730 S2: their stuff. So yeah. 227 00:11:24,030 --> 00:11:27,450 S1: That's cool. Yeah, yeah. Uh, what what other stuff are 228 00:11:27,450 --> 00:11:30,630 S1: you thinking about right now? 
Um, in terms of, like, 229 00:11:30,660 --> 00:11:34,620 S1: malware activity that that, um, flare already catches or you're 230 00:11:34,620 --> 00:11:37,559 S1: looking forward to them catching like other types of, like, 231 00:11:37,590 --> 00:11:40,500 S1: forward leaning malware or attacks. 232 00:11:40,830 --> 00:11:46,520 S2: So exposure of, you know, exposure of, um, malware that 233 00:11:46,520 --> 00:11:50,569 S2: is like infostealer malware or credential stealer malware, um, is 234 00:11:50,600 --> 00:11:53,540 S2: is kind of what flare started with. But, you know, 235 00:11:53,570 --> 00:11:58,160 S2: that's part of a sub, you know, category of threat Intel. Right. 236 00:11:58,190 --> 00:12:00,050 S2: And so like threat Intel includes a whole bunch of 237 00:12:00,050 --> 00:12:03,859 S2: types of IOCs, right. Um, and so over the course of, 238 00:12:03,890 --> 00:12:06,199 S2: you know, this last year and this next year, we've 239 00:12:06,200 --> 00:12:10,490 S2: really been focused on also providing traditional threat Intel or 240 00:12:10,490 --> 00:12:13,640 S2: forum monitoring or brand monitoring for a business when a 241 00:12:13,670 --> 00:12:17,720 S2: campaign might start against them. Or we've been working with 242 00:12:17,750 --> 00:12:20,870 S2: the US government and several branches of government, you know, 243 00:12:20,900 --> 00:12:25,220 S2: tracking even, you know, some high profile threats to the nation, 244 00:12:25,309 --> 00:12:29,360 S2: election integrity, you name it. We're working with big companies 245 00:12:29,360 --> 00:12:32,720 S2: who I can't mention, you know, but AI companies and, 246 00:12:32,750 --> 00:12:35,690 S2: you know, fraud and abuse and AI based on threat 247 00:12:35,690 --> 00:12:40,809 S2: actor like IOCs and recognition. 
So there's that There's also 248 00:12:40,840 --> 00:12:43,600 S2: we did an acquisition really recently for Attack Surface Management, 249 00:12:43,600 --> 00:12:46,240 S2: which I know you're an expert in. Um, and so 250 00:12:46,240 --> 00:12:49,390 S2: for eternal attack surface management, that'll be something we also 251 00:12:49,420 --> 00:12:54,490 S2: move into offering in 2024 or 2025. Um, and so, 252 00:12:54,520 --> 00:12:57,010 S2: you know, my dream of what I've told flair is that, 253 00:12:57,040 --> 00:13:00,610 S2: you know, I feel like external attack surface, like kind 254 00:13:00,610 --> 00:13:04,630 S2: of this brand monitoring or campaign monitoring on top of 255 00:13:04,660 --> 00:13:09,490 S2: the credential exposure. Um, really great stuff that they do already. 256 00:13:09,490 --> 00:13:13,270 S2: I feel like this can fit into, um, like a 257 00:13:13,270 --> 00:13:16,929 S2: dashboard and a flow of, you know, general threat intelligence 258 00:13:16,929 --> 00:13:18,700 S2: that I think no one else really offers. And I'm 259 00:13:18,700 --> 00:13:20,500 S2: really excited to see when we can put it all 260 00:13:20,530 --> 00:13:23,829 S2: together in, you know, for one, one person to access 261 00:13:23,830 --> 00:13:25,179 S2: it in one place. 262 00:13:25,570 --> 00:13:29,650 S1: Yeah. That's fantastic. So basically, you'd be able to look 263 00:13:29,650 --> 00:13:32,020 S1: at your entire attack surface, see where you have like 264 00:13:32,050 --> 00:13:35,470 S1: exposures or whatever. It's almost like outside in and then 265 00:13:35,470 --> 00:13:36,550 S1: inside out. Right. 266 00:13:36,580 --> 00:13:39,270 S2: Yeah. Yeah. I mean imagine Imagine logging into a dashboard 267 00:13:39,270 --> 00:13:43,229 S2: and seeing all your assets. Everyone that has a login understanding. 
268 00:13:43,230 --> 00:13:46,920 S2: If you breach credentials, work on that login, understanding how 269 00:13:46,920 --> 00:13:50,670 S2: to defend against that B2C or corporate app. You know, 270 00:13:50,700 --> 00:13:54,720 S2: invalidate sessions. Also understand, you know, what kind of threat 271 00:13:54,720 --> 00:13:57,960 S2: actors are targeting, which apps on your infrastructure. And you 272 00:13:57,960 --> 00:14:00,959 S2: can do that both externally and potentially internally as well. 273 00:14:00,990 --> 00:14:03,840 S1: So yeah starts to tie in a little bit with 274 00:14:03,870 --> 00:14:06,840 S1: like IAM type stuff where you're just you just understand 275 00:14:06,840 --> 00:14:09,660 S1: all the logins and how those logins work and which 276 00:14:09,660 --> 00:14:12,929 S1: ones are federated, like which ones have or have not 277 00:14:12,929 --> 00:14:15,959 S1: been compromised or whatever, maybe even like which ones haven't 278 00:14:15,960 --> 00:14:20,010 S1: been used, like they might be more vulnerable, you know? Yeah. 279 00:14:20,040 --> 00:14:23,490 S2: I mean, we already have filters for freshness. And you 280 00:14:23,490 --> 00:14:25,290 S2: asked earlier like kind of like how I consume it 281 00:14:25,290 --> 00:14:27,450 S2: since I'm a red teamer. Right? I use the credential 282 00:14:27,480 --> 00:14:30,150 S2: browser feature the most for flare. And so you log 283 00:14:30,150 --> 00:14:33,030 S2: in and you just put in a domain. So like, 284 00:14:33,060 --> 00:14:35,790 S2: you know, unsupervised learning.com or something like that. And then 285 00:14:35,790 --> 00:14:38,940 S2: it just filters down. You know what types of credentials 286 00:14:38,940 --> 00:14:42,000 S2: have been on the dark web for it? So what 287 00:14:42,000 --> 00:14:45,240 S2: do they come from? Breach lists or they come from 288 00:14:45,240 --> 00:14:49,020 S2: stealer logs, or they come from some other chatter or whatever. 
289 00:14:49,020 --> 00:14:51,630 S2: And then you get that immediately and you can export 290 00:14:51,630 --> 00:14:54,930 S2: that to just start using. Um, but but yeah, that's 291 00:14:54,930 --> 00:14:57,570 S2: the way I use it. But organizations, you know, obviously 292 00:14:57,570 --> 00:15:00,810 S2: have a more holistic kind of want there as well. 293 00:15:00,810 --> 00:15:03,450 S2: So we're continuing to develop a whole bunch of features. 294 00:15:03,450 --> 00:15:07,109 S2: And you know, my my big pie in the sky 295 00:15:07,140 --> 00:15:10,410 S2: view will, you know, you know we're still working towards that. 296 00:15:10,410 --> 00:15:13,050 S2: The bread and butter has been the, the uh, the 297 00:15:13,050 --> 00:15:17,729 S2: exposure management, um, both GUI and API. Um, and that's 298 00:15:17,730 --> 00:15:21,960 S2: what we've been focusing on for a majority of it. But, um, 299 00:15:21,960 --> 00:15:25,440 S2: you know, we recently, um, you know, extended the team 300 00:15:25,440 --> 00:15:28,560 S2: and hired a bunch of new researchers as well. You know, 301 00:15:28,590 --> 00:15:31,290 S2: there's there's whole areas that, um, we want to get 302 00:15:31,290 --> 00:15:34,560 S2: deeper in and build more features for. So I think that, um, 303 00:15:34,560 --> 00:15:36,780 S2: the sky's the limit, honestly, for for flair. 304 00:15:37,380 --> 00:15:41,820 S1: Yeah. That's fantastic. Now is everything, um, kind of like pull. 305 00:15:42,030 --> 00:15:44,580 S1: You go to the portal to get the latest updates. Like, 306 00:15:44,610 --> 00:15:46,830 S1: what if someone forgets to go to the dashboard, they 307 00:15:46,830 --> 00:15:49,950 S1: just lose their login or they're just busy or whatever? 308 00:15:49,980 --> 00:15:53,850 S1: Is there also, like a push, like notifications or email 309 00:15:53,880 --> 00:15:55,140 S1: or that type of thing? Yeah, we have. 310 00:15:55,170 --> 00:15:59,130 S2: We have full API access. 
So you could use Chatops 311 00:15:59,130 --> 00:16:02,430 S2: to remind you with a webhook to remind you via 312 00:16:02,430 --> 00:16:05,880 S2: slack or Teams or whatever you use at your organization. 313 00:16:05,910 --> 00:16:08,340 S2: In fact, a lot of really forward facing companies are 314 00:16:08,340 --> 00:16:10,410 S2: using Chatops to do this kind of stuff, right? For 315 00:16:10,410 --> 00:16:12,540 S2: a lot of security data, not just us, but, you know, 316 00:16:12,570 --> 00:16:14,910 S2: for everything, right? Where, you know, you log into slack 317 00:16:14,910 --> 00:16:16,320 S2: in the morning and there's a whole channel that would 318 00:16:16,320 --> 00:16:18,180 S2: be like flare ops or something like that, and it 319 00:16:18,180 --> 00:16:21,030 S2: gets pushed like here, the new, you know, six credentials 320 00:16:21,030 --> 00:16:22,710 S2: that we found between the time you went to sleep 321 00:16:22,710 --> 00:16:25,230 S2: and the time you woke up and you know that 322 00:16:25,230 --> 00:16:27,270 S2: that have appeared on the dark web, here's where they 323 00:16:27,270 --> 00:16:29,880 S2: come from, you know, and then you can add that 324 00:16:29,880 --> 00:16:33,710 S2: to your teams, you know, um, list to check to 325 00:16:33,740 --> 00:16:36,110 S2: see if those sessions have been compromised or whatever. So. 326 00:16:36,560 --> 00:16:38,900 S1: So I know you're doing a whole bunch in AI 327 00:16:38,930 --> 00:16:43,160 S1: as well. And AI automation on the Arcanum side. Have 328 00:16:43,160 --> 00:16:45,739 S1: you all been thinking about any sort of chatops sort 329 00:16:45,770 --> 00:16:49,730 S1: of optimizations, like something drops into the channel? Can we 330 00:16:49,730 --> 00:16:53,120 S1: actually go in and validate that credential or something? Yeah. 
331 00:16:53,120 --> 00:16:56,360 S2: So that is usually in the, in the B2C kind 332 00:16:56,360 --> 00:16:58,880 S2: of world, like like a Netflix or an Amazon or 333 00:16:58,880 --> 00:17:01,520 S2: anything like that, right. Um, that is usually up to 334 00:17:01,550 --> 00:17:04,160 S2: the client, you know, to, to implement. Right. Because each 335 00:17:04,190 --> 00:17:06,800 S2: app is different. And we would have to know, you know, 336 00:17:06,830 --> 00:17:10,580 S2: kind of the general app login flow. So usually that 337 00:17:10,580 --> 00:17:13,520 S2: part is left to them. But for the for the 338 00:17:13,520 --> 00:17:15,830 S2: corporate logins, you know, where a lot of people need 339 00:17:15,830 --> 00:17:18,619 S2: to log in via an identity provider or SSL or 340 00:17:18,619 --> 00:17:21,979 S2: something like that, that is more easily for us to find. And, 341 00:17:22,010 --> 00:17:23,750 S2: you know, maybe in the future that could be something 342 00:17:23,750 --> 00:17:26,899 S2: that we offer an automated service for, you know. So, um, 343 00:17:26,930 --> 00:17:28,129 S2: testing the credentials of. 344 00:17:28,310 --> 00:17:32,020 S1: An agent there, listening, watching that channel, taking actions. right? 345 00:17:32,050 --> 00:17:34,960 S2: And it could easily be done with some of the 346 00:17:34,960 --> 00:17:39,370 S2: AI that exists right now. Honestly, it's just, uh, you know, like, um, 347 00:17:39,520 --> 00:17:41,530 S2: I think that a lot of people I mean, the 348 00:17:41,530 --> 00:17:43,689 S2: features we have right now in the platform for AI 349 00:17:43,690 --> 00:17:49,659 S2: are more based around translation and correlation of data. So 350 00:17:49,690 --> 00:17:52,990 S2: we do have an AI agent that's built into flair. 
351 00:17:52,990 --> 00:17:55,479 S2: And so when you go into any of the views, um, 352 00:17:55,480 --> 00:17:57,160 S2: first of all, the first great thing about it is 353 00:17:57,190 --> 00:17:59,440 S2: let's say you're dealing with a threat actor post that's 354 00:17:59,440 --> 00:18:02,889 S2: in Russian. Well, you know, I can translate your ROI, 355 00:18:02,920 --> 00:18:05,379 S2: which is called, I think it's called Alexandria internally we 356 00:18:05,380 --> 00:18:08,920 S2: call it. But, um, it can it can translate that instantly. 357 00:18:08,920 --> 00:18:12,010 S2: So you can read the context of the conversation, um, 358 00:18:12,010 --> 00:18:15,369 S2: about your company. And then it can also tie together 359 00:18:15,369 --> 00:18:17,889 S2: disparate sources of information, whether something showed up in a 360 00:18:17,890 --> 00:18:20,590 S2: steamer log. And then there's also conversation about it in 361 00:18:20,590 --> 00:18:23,649 S2: a forum, conversation about it in a chat channel, you know, 362 00:18:23,680 --> 00:18:26,290 S2: something like that can tie those things together. Um, so 363 00:18:26,290 --> 00:18:29,110 S2: those are, those are all things that, you know, were 364 00:18:29,109 --> 00:18:33,149 S2: the first really easily automatable things. And then we're going 365 00:18:33,180 --> 00:18:36,270 S2: to continue to, um, to deploy, I'm sure more and 366 00:18:36,270 --> 00:18:37,710 S2: more AI features. Yeah. 367 00:18:38,280 --> 00:18:41,310 S1: Yeah, that makes sense because I mean, it's kind of similar. Um, 368 00:18:41,310 --> 00:18:44,190 S1: threat Intel is kind of similar to vulnerability management. It's 369 00:18:44,190 --> 00:18:46,890 S1: like you do the cool thing, which is you surface 370 00:18:46,890 --> 00:18:49,889 S1: this thing. But then on the other side of the threat, 371 00:18:49,890 --> 00:18:53,430 S1: Intel and the other side of the vault management is fix, right? 
372 00:18:53,460 --> 00:18:58,889 S1: Take the action. So I could imagine, like we were saying, 373 00:18:58,890 --> 00:19:01,290 S1: some sort of agent that sits there and is like 374 00:19:01,290 --> 00:19:03,960 S1: it's hooked up to Jira, it's hooked up to these 375 00:19:03,960 --> 00:19:07,439 S1: different control systems. It can actually push ACLs, you know, 376 00:19:07,470 --> 00:19:11,100 S1: invalidate credentials, stuff like that. But, um, it's also early 377 00:19:11,100 --> 00:19:12,869 S1: days for AI, so you don't want to be hooking 378 00:19:12,869 --> 00:19:16,260 S1: up too much power for AI on production systems, right? Yeah. 379 00:19:16,290 --> 00:19:18,270 S2: I mean, definitely a double-edged sword, right? Like 380 00:19:18,270 --> 00:19:20,850 S2: every AI feature you put out has to be tested 381 00:19:20,880 --> 00:19:24,810 S2: against a multitude of things, right? Um, yeah. So. Yeah, definitely. 382 00:19:25,470 --> 00:19:30,500 S1: Yeah, totally. Um. Well, not going to let you get 383 00:19:30,530 --> 00:19:34,609 S1: off without talking about Arcanum. What are you doing over there? 384 00:19:34,790 --> 00:19:39,020 S2: Yeah. Yeah, absolutely. So, uh. So Arcanum is my company. 385 00:19:39,170 --> 00:19:41,480 S2: The name comes from a fantasy book that you and 386 00:19:41,480 --> 00:19:43,609 S2: I have both read. But if anybody else hasn't read it, uh, 387 00:19:43,609 --> 00:19:45,590 S2: The Name of the Wind is probably one of the best 388 00:19:45,590 --> 00:19:50,090 S2: fantasy books of our generation. And, um, the Arcanum in 389 00:19:50,119 --> 00:19:52,850 S2: that book series, which doesn't have a conclusion yet, which 390 00:19:52,850 --> 00:19:56,659 S2: is really sad, um, is, is the school of magic. 391 00:19:56,660 --> 00:19:59,960 S2: And so, uh, you know, we're, we at Arcanum do 392 00:19:59,960 --> 00:20:02,570 S2: a ton of training. So we have two classes.
One 393 00:20:02,570 --> 00:20:05,990 S2: is an offensive security based course. Uh, and it's my 394 00:20:05,990 --> 00:20:10,580 S2: 20 years of experience in doing penetration testing and web 395 00:20:10,609 --> 00:20:14,120 S2: app hacking through bug bounty. Um, and so it's my 396 00:20:14,119 --> 00:20:19,100 S2: experience there, uh, high focus on reconnaissance and some OSINT stuff, 397 00:20:19,100 --> 00:20:21,230 S2: some red teaming techniques, and then also just a lot 398 00:20:21,260 --> 00:20:24,530 S2: of web hacking. Um, and it's, that's a three-day 399 00:20:24,530 --> 00:20:26,950 S2: course that we run. And so that was the first 400 00:20:26,950 --> 00:20:30,490 S2: thing that we launched Arcanum for, was that training. And 401 00:20:30,490 --> 00:20:35,500 S2: then shortly after that, this year we launched an AI training. 402 00:20:35,500 --> 00:20:38,290 S2: But it's not a how-to-hack-AI training. It's 403 00:20:38,320 --> 00:20:42,100 S2: a how-to-use-AI-in-your-security-role training. 404 00:20:42,100 --> 00:20:44,830 S2: And so we call it Red, Blue, Purple AI. And, 405 00:20:44,859 --> 00:20:48,340 S2: and that, you know, that training basically is teaching people, 406 00:20:48,340 --> 00:20:49,600 S2: whether you're a red team or a blue team or 407 00:20:49,630 --> 00:20:52,629 S2: a purple team, how to scale yourself, um, you know, 408 00:20:52,660 --> 00:20:55,390 S2: with AI, and so that's a two-day course. And then, 409 00:20:55,420 --> 00:20:57,640 S2: you know, usually, I mean, just being honest, we're very 410 00:20:57,640 --> 00:21:02,139 S2: small, still early days, but, um, but, you know, usually 411 00:21:02,140 --> 00:21:04,179 S2: we'll do those trainings. And what will happen is, you know, 412 00:21:04,210 --> 00:21:06,280 S2: someone will be like, oh, that was excellent. Can you 413 00:21:06,310 --> 00:21:08,290 S2: come do some consulting for us?
Whether they want us 414 00:21:08,290 --> 00:21:10,389 S2: to do their red team or a purple team engagement 415 00:21:10,390 --> 00:21:13,480 S2: or a pen test or, you know, do some AI 416 00:21:13,510 --> 00:21:17,979 S2: consulting and then, um, so we'll do custom consulting too, um, for, 417 00:21:18,010 --> 00:21:19,000 S2: for a lot of places. 418 00:21:19,030 --> 00:21:22,510 S1: Yeah, yeah. And I can say for myself, I've, I've 419 00:21:22,510 --> 00:21:26,760 S1: attended both and they were absolutely fantastic. Honestly, I think 420 00:21:26,790 --> 00:21:30,060 S1: you're the best trainer in security. Oh, I know, I know, 421 00:21:30,060 --> 00:21:32,669 S1: we're best friends, so, like, I'm going to be biased, but, um, 422 00:21:32,670 --> 00:21:35,609 S1: I think I'm good at being objective. And I really 423 00:21:35,609 --> 00:21:38,340 S1: think you're the best trainer in security, so thank you. 424 00:21:38,369 --> 00:21:42,150 S1: Encourage people to check that stuff out. Yeah. Um, yeah. 425 00:21:42,150 --> 00:21:45,750 S1: And the AI class was absolutely fantastic. Even better the 426 00:21:45,750 --> 00:21:48,150 S1: second time. Just absolutely loved it. 427 00:21:48,300 --> 00:21:51,780 S2: Yeah, I think, I think I learned a lot from, um, well, 428 00:21:51,810 --> 00:21:54,240 S2: from you and some other people too, about creating very 429 00:21:54,240 --> 00:21:57,419 S2: fresh content. Right. So, um, you have Augmented, which is 430 00:21:57,420 --> 00:22:01,440 S2: an AI course that focuses on more than just security. Um, 431 00:22:01,470 --> 00:22:04,409 S2: but I think what I learned is that there is 432 00:22:04,410 --> 00:22:09,300 S2: a craving for training that stays up to date. Right?
433 00:22:09,330 --> 00:22:11,580 S2: Because, like, a lot of the training organizations that exist 434 00:22:11,609 --> 00:22:14,040 S2: right now, they just create a training and then it's 435 00:22:14,040 --> 00:22:16,320 S2: out there and then they never update it. Right. And 436 00:22:16,320 --> 00:22:20,310 S2: security and AI move so crazy fast and it's like, 437 00:22:20,340 --> 00:22:23,640 S2: it's like, okay, so by the time you take that training, 438 00:22:23,670 --> 00:22:25,530 S2: a lot of the tools are outdated. A lot of 439 00:22:25,530 --> 00:22:28,770 S2: the methodologies are outdated, especially in the AI. Like AI, 440 00:22:28,800 --> 00:22:33,030 S2: AI by far is like, you know, every class I teach, 441 00:22:33,030 --> 00:22:35,910 S2: which is once a quarter live, I have to basically 442 00:22:35,910 --> 00:22:38,760 S2: re-dev the whole class because there's new, you know, 443 00:22:38,790 --> 00:22:42,090 S2: advents in prompt engineering, there's new advents in RAG, new 444 00:22:42,090 --> 00:22:46,110 S2: advents in agents, all that stuff. And so I think 445 00:22:46,109 --> 00:22:50,639 S2: that's what makes my trainings different than other people's. Right. Um, because, 446 00:22:50,670 --> 00:22:53,070 S2: you know, I'm doing that. And then also, I think 447 00:22:53,070 --> 00:22:55,650 S2: one of the crazy cool things was, with cohort one, 448 00:22:55,650 --> 00:22:58,139 S2: you were in, um, as a guest. And so in 449 00:22:58,140 --> 00:23:00,780 S2: all my courses, whether it's the offensive security one or 450 00:23:00,780 --> 00:23:02,860 S2: the AI one, every day I bring in 1 or 451 00:23:02,859 --> 00:23:06,090 S2: 2 guests who offer either, like, a different viewpoint than me, 452 00:23:06,090 --> 00:23:08,850 S2: or who are specialists even above me in some cases.
453 00:23:08,850 --> 00:23:11,879 S2: And we will talk for about 30 to 40 minutes 454 00:23:11,880 --> 00:23:13,949 S2: as, like, an interview included in the class, and I 455 00:23:13,950 --> 00:23:17,070 S2: will ask some very hard questions to them that only, 456 00:23:17,100 --> 00:23:19,170 S2: you know, like, that only really, like, a homie would 457 00:23:19,170 --> 00:23:22,210 S2: give you the answer to in a small group setting, 458 00:23:22,420 --> 00:23:24,280 S2: and I think that has also made the classes great. 459 00:23:24,280 --> 00:23:26,980 S2: So, like, last one in the offensive security class, we 460 00:23:26,980 --> 00:23:31,420 S2: had Sam Curry (zlz) come on talking about his hacking methodology, 461 00:23:31,570 --> 00:23:33,310 S2: and he's the guy who just did the big Kia 462 00:23:33,340 --> 00:23:36,370 S2: hack with his group of, you know, hackers, which was 463 00:23:36,400 --> 00:23:40,090 S2: Ian Carroll and some other people too. We've had some, uh, 464 00:23:40,720 --> 00:23:44,650 S2: Shubs come on, Shubham Shah. And he talked about, uh, 465 00:23:44,650 --> 00:23:48,760 S2: like, pretty hardcore reconnaissance methods that weren't talked about anywhere else. 466 00:23:48,760 --> 00:23:51,340 S2: And so luckily, I know people. You came on cohort 467 00:23:51,369 --> 00:23:56,139 S2: one and talked about your philosophy for agent flows and 468 00:23:56,140 --> 00:23:59,710 S2: everything like that. Um, from, you know, from Augmented. But 469 00:23:59,710 --> 00:24:02,830 S2: you gave away some secrets there too. So that's how 470 00:24:02,830 --> 00:24:04,840 S2: I like to run a class. Like, it's like a small, 471 00:24:04,840 --> 00:24:07,149 S2: intimate group. And yeah, it does. 472 00:24:07,180 --> 00:24:11,890 S1: It feels extremely close-knit and intimate.
And after, like, 473 00:24:11,890 --> 00:24:14,470 S1: the second hour and definitely after, like, the first day, 474 00:24:14,500 --> 00:24:17,920 S1: you feel close with all the other people because it's 475 00:24:17,920 --> 00:24:20,670 S1: a very sort of welcoming thing, like it's just discussion 476 00:24:20,670 --> 00:24:25,139 S1: happening and everyone's listening to you, but it's also just 477 00:24:25,170 --> 00:24:27,600 S1: a, yeah, it's just a really good vibe. It's the 478 00:24:27,600 --> 00:24:31,530 S1: best training vibe. And I've been taking SANS since, you know, whatever, 479 00:24:31,530 --> 00:24:34,320 S1: early 2000s. And it's like, it's the best training vibe 480 00:24:34,320 --> 00:24:35,160 S1: I've ever seen. 481 00:24:35,430 --> 00:24:37,980 S2: Yeah, I think, I think one of the cool things 482 00:24:37,980 --> 00:24:41,190 S2: too is that, like, um, I don't ever consider myself 483 00:24:41,190 --> 00:24:43,140 S2: that I'm going to be the absolute master. I think 484 00:24:43,140 --> 00:24:46,469 S2: overall my methodologies and the structure of the training is 485 00:24:46,470 --> 00:24:49,230 S2: very well put together. But if someone comes in chat, 486 00:24:49,260 --> 00:24:51,300 S2: you know, for one of the courses and is like, hey, 487 00:24:51,330 --> 00:24:53,880 S2: have you thought about this thing? You know, sometimes we'll 488 00:24:53,880 --> 00:24:56,159 S2: divert and look into, like, a new tool or a 489 00:24:56,160 --> 00:24:59,129 S2: new piece of methodology right in the class and, you know, 490 00:24:59,160 --> 00:25:01,859 S2: you can't get that anywhere else. Um, so, so I 491 00:25:01,859 --> 00:25:04,020 S2: think that vibe is, I'm never going to consider myself 492 00:25:04,020 --> 00:25:06,719 S2: the ultimate expert, and that vibe is helpful for people 493 00:25:06,720 --> 00:25:09,150 S2: who also come to the course and are experts. So. 494 00:25:09,300 --> 00:25:10,230 S1: Yeah, totally.
495 00:25:10,380 --> 00:25:10,860 S2: Yeah. 496 00:25:11,250 --> 00:25:16,290 S1: Awesome. And, uh, what is next for Flare? Like you 497 00:25:16,290 --> 00:25:19,100 S1: talked about? You hinted at a few different things, but 498 00:25:19,190 --> 00:25:21,320 S1: what do you see happening? Like you talked a little 499 00:25:21,350 --> 00:25:25,429 S1: bit about your pie-in-the-sky version of mixing, 500 00:25:25,430 --> 00:25:30,680 S1: like, C10 and all the different stuff altogether? Yeah. And 501 00:25:30,680 --> 00:25:32,810 S1: any features that might be coming out end of the 502 00:25:32,810 --> 00:25:34,520 S1: year or first part of next year. 503 00:25:34,910 --> 00:25:35,450 S3: Yeah. 504 00:25:35,450 --> 00:25:37,760 S2: So I think that's, um, I actually don't know what 505 00:25:37,760 --> 00:25:41,870 S2: I'm allowed to talk to you about, but hopefully it's fine. Uh, is, uh, 506 00:25:41,869 --> 00:25:45,050 S2: is there's going to be some new features, um, around 507 00:25:45,080 --> 00:27:48,200 S2: cookie exposure because a lot of people are getting really, 508 00:25:48,200 --> 00:25:52,580 S2: really great at, uh, mitigating breached credentials, but less good 509 00:25:52,580 --> 00:25:55,010 S2: on the cookie exposure stuff. So some APIs there that'll 510 00:25:55,010 --> 00:25:57,590 S2: help you track cookies which are fresh, which have been 511 00:25:57,590 --> 00:26:00,890 S2: exposed via malware campaigns or a whole bunch of stuff. 512 00:26:00,890 --> 00:26:02,990 S2: Right now, we focus a lot on the stealer log data, 513 00:26:02,990 --> 00:26:05,420 S2: but we're starting to focus more and more on cred 514 00:26:05,420 --> 00:26:09,229 S2: phishing campaigns by threat actors. Um, and taking that too, right? 515 00:26:09,260 --> 00:26:13,580 S2: Because the two methods that adversaries use to steal your 516 00:26:13,580 --> 00:26:16,639 S2: creds and cookies, one is stealer malware.
They'll get malware 517 00:26:16,640 --> 00:26:19,750 S2: on your machine. Some bot somehow, either via drive-by download, 518 00:26:19,750 --> 00:26:22,840 S2: you download a torrent, your kid downloads a Fortnite, you know, 519 00:26:22,869 --> 00:26:26,380 S2: X or something like that, you know, or you get 520 00:26:26,380 --> 00:26:29,619 S2: spear phishing with cred capture and cookie capture in the 521 00:26:29,619 --> 00:26:32,169 S2: middle, right, which is predominantly what red teams do. This 522 00:26:32,170 --> 00:26:34,540 S2: is what I do in my campaigns, right? We'll set up, 523 00:26:34,570 --> 00:26:38,140 S2: you know, something like Evilginx and fake an Okta portal, 524 00:26:38,140 --> 00:26:40,330 S2: and then phish all your people, and eventually they will 525 00:26:40,330 --> 00:26:43,210 S2: log in with credentials and we'll capture both the credential 526 00:26:43,210 --> 00:26:45,430 S2: and the cookie. So that's the same thing bad guys do. 527 00:26:45,460 --> 00:26:48,610 S2: I think the stats are, you know, it's like 54% 528 00:26:48,609 --> 00:26:52,810 S2: of initial access for breaches is them just buying a 529 00:26:52,840 --> 00:26:57,909 S2: cookie from stealer malware. And then 33.8% is still phishing 530 00:26:57,910 --> 00:27:01,630 S2: these days to do, to do cred capture. Um, I'm 531 00:27:01,630 --> 00:27:03,399 S2: looking at the CSA stats that I had in a 532 00:27:03,400 --> 00:27:06,369 S2: browser window over here. So, um, yeah, so we want 533 00:27:06,400 --> 00:27:08,950 S2: to get more into that data as well. We do 534 00:27:08,950 --> 00:27:10,240 S2: some of it already, but we want to get even 535 00:27:10,240 --> 00:27:14,680 S2: better at it. Um, and then, yeah, more traditional threat 536 00:27:14,680 --> 00:27:20,910 S2: intel features coming for Flare.
Um, and better visualizations, better dashboards, 537 00:27:20,910 --> 00:27:23,699 S2: better filters, like, these are all things that, you know, 538 00:27:23,730 --> 00:27:27,270 S2: are table stakes for a threat intelligence platform. Um, and 539 00:27:27,270 --> 00:27:29,850 S2: then we haven't, we haven't implemented yet a ton of 540 00:27:29,850 --> 00:27:33,960 S2: the attack surface. We just, um, you know, uh, Nick 541 00:27:33,960 --> 00:27:39,180 S2: Ascoli is one of the guys that we purchased his, um, ESM, um, product. 542 00:27:39,180 --> 00:27:41,670 S2: And so we haven't implemented a ton of it yet. But, 543 00:27:41,700 --> 00:27:44,010 S2: you know, over 2025, we're going to implement a 544 00:27:44,010 --> 00:27:46,230 S2: ton of it. And then, like you said, it bleeds 545 00:27:46,230 --> 00:27:48,960 S2: into vulnerability management too, right? So at what point do, 546 00:27:48,990 --> 00:27:51,840 S2: you know, at what point do companies like us or 547 00:27:51,840 --> 00:27:54,720 S2: even other ESM companies, what, at what point do they 548 00:27:54,750 --> 00:27:58,800 S2: consider exposing vulnerability information, like, you know, doing scanning of 549 00:27:58,800 --> 00:28:01,620 S2: some sort for vulnerabilities, you know, and including that in 550 00:28:01,619 --> 00:28:03,239 S2: the visibility? Because at the end of the day, as 551 00:28:03,240 --> 00:28:06,360 S2: a consumer of something like this, I really don't like 552 00:28:06,359 --> 00:28:09,270 S2: to be logging into so many disparate platforms. Right? I 553 00:28:09,270 --> 00:28:13,410 S2: would love all of this to be in one place. Um, but, um, 554 00:28:13,410 --> 00:28:15,500 S2: you know, no one's, no one's perfected that out. Everyone's 555 00:28:15,500 --> 00:28:18,320 S2: trying it, but no one's perfected that yet, so. 556 00:28:18,350 --> 00:28:23,359 S1: Yeah, that makes sense. Um, cool. Well, where can people 557 00:28:23,359 --> 00:28:24,950 S1: learn more about Flare?
558 00:28:25,640 --> 00:28:29,540 S2: So if you go to the main Flare page, there's 559 00:28:29,540 --> 00:28:31,699 S2: a free trial. This is also something that made it 560 00:28:31,700 --> 00:28:33,830 S2: really easy for me to benchmark them, was that Flare 561 00:28:33,830 --> 00:28:36,950 S2: actually offers a, like, a free trial. Anybody can sign up. 562 00:28:36,950 --> 00:28:38,600 S2: They just have to be approved by, you know, a 563 00:28:38,600 --> 00:28:42,770 S2: Flare representative internally for legitimate use. But, um, yeah, Flare 564 00:28:42,770 --> 00:28:44,960 S2: was the only one that was easy to access and 565 00:28:44,960 --> 00:28:49,340 S2: really start taking off. Um, so I think that, um, 566 00:28:49,340 --> 00:28:52,250 S2: you know, our wonderful staff gave you a link, um, 567 00:28:52,250 --> 00:28:54,050 S2: in the doc, but I don't have it in front 568 00:28:54,050 --> 00:28:55,820 S2: of me. So do you have the free trial link? 569 00:28:55,850 --> 00:28:56,780 S3: I do, yeah. 570 00:28:56,780 --> 00:29:01,700 S1: So it's try.flare.io/unsupervised learning, and. Oh, there you go. Free 571 00:29:01,730 --> 00:29:02,750 S1: seven-day trial. 572 00:29:02,900 --> 00:29:03,590 S3: Oh, awesome. 573 00:29:03,590 --> 00:29:06,140 S2: So that's even better than the regular free trial. So yeah. 574 00:29:06,410 --> 00:29:06,950 S3: Yeah. Okay. 575 00:29:06,950 --> 00:29:09,260 S1: Very cool. And where can people learn more about Arcanum? 576 00:29:09,740 --> 00:29:21,560 S2: So Arcanum, our, our website is arcanum-sec.com. Um. 577 00:29:21,590 --> 00:29:24,560 S2: And then, uh, you can follow me on Twitter. I'm 578 00:29:24,590 --> 00:29:26,840 S2: jhaddix, and so I'll talk about all this stuff 579 00:29:26,840 --> 00:29:29,030 S2: randomly on there. 580 00:29:29,390 --> 00:29:31,850 S1: Awesome, man. Well, great conversation.
So glad to have you 581 00:29:31,850 --> 00:29:34,460 S1: on the show and, uh, talk to you soon. 582 00:29:34,790 --> 00:29:35,990 S2: Awesome. Thanks, man. 583 00:29:37,910 --> 00:29:41,120 S1: Unsupervised Learning is produced and edited by Daniel Miessler on 584 00:29:41,150 --> 00:29:45,710 S1: a Neumann U87 Ai microphone using Hindenburg. Intro and outro 585 00:29:45,740 --> 00:29:49,070 S1: music is by Zomby with a Y, and to get 586 00:29:49,070 --> 00:29:51,170 S1: the text and links from this episode, sign up for 587 00:29:51,170 --> 00:29:54,080 S1: the newsletter version of the show at danielmiessler.com/newsletter. 588 00:29:54,140 --> 00:29:57,680 S1: We'll see you next time.