1 00:00:22,193 --> 00:00:26,273 S1: In the standalone sponsored episode I speak with Ismael Valenzuela. 2 00:00:26,843 --> 00:00:29,483 S1: Ismael is the VP of threat research and Intelligence at 3 00:00:29,483 --> 00:00:34,433 S1: BlackBerry silence. We talk about modern threat intelligence, the shifting 4 00:00:34,433 --> 00:00:38,393 S1: attention of attackers, how JNI can be used for attacks. 5 00:00:39,563 --> 00:00:44,653 S1: How defenders are adapting to deny threats. And many other topics. 6 00:00:44,743 --> 00:00:48,313 S1: And with that, here is the conversation with Ismael Valenzuela. 7 00:00:53,293 --> 00:00:56,533 S1: All right. Hello. Welcome, Ismael, to unsupervised learning. 8 00:00:57,633 --> 00:00:59,403 S2: Thank you. Thank you, Daniel, for having me. 9 00:01:00,153 --> 00:01:03,093 S1: Yeah. Perfect. So I will have already introduced you. I 10 00:01:03,093 --> 00:01:07,233 S1: just want to get a brief, uh, sort of overview on, uh, 11 00:01:07,473 --> 00:01:10,593 S1: on yourself and and how you got into security and, uh, 12 00:01:10,593 --> 00:01:12,003 S1: what you do there at BlackBerry. 13 00:01:13,323 --> 00:01:17,973 S2: Sure. So I've been doing, uh, well, cybersecurity since, uh, 14 00:01:17,973 --> 00:01:20,823 S2: it was called, uh, something different, right? Information security. We 15 00:01:20,823 --> 00:01:24,783 S2: didn't call even cyber back then, but I started to do, um, 16 00:01:24,783 --> 00:01:29,253 S2: you know, cybersecurity related things back in 98, 99. And 17 00:01:29,253 --> 00:01:33,723 S2: I founded, uh, a company, a consulting firm doing, uh, 18 00:01:33,723 --> 00:01:37,833 S2: information security in at the end of 2000, beginning of 2001, 19 00:01:37,833 --> 00:01:41,043 S2: in Spain. That's, uh, where I come from. I moved 20 00:01:41,163 --> 00:01:42,963 S2: here to the States about ten years ago. But, yeah, 21 00:01:42,963 --> 00:01:46,923 S2: I've been doing cyber security for, I guess, like 24 years. 
22 00:01:47,253 --> 00:01:50,583 S2: And what I do for BlackBerry is, uh, I lead 23 00:01:50,583 --> 00:01:54,993 S2: the threat research and intelligence team. So essentially I lead, uh, uh, 24 00:01:54,993 --> 00:01:58,353 S2: a team of, uh, very smart people that they not 25 00:01:58,353 --> 00:02:01,383 S2: only understand, uh, you know, the malware. I like to 26 00:02:01,383 --> 00:02:04,293 S2: talk about attackers weapons more than just like malware. Just 27 00:02:04,293 --> 00:02:07,173 S2: this just one subset of it. Um, I understand these 28 00:02:07,173 --> 00:02:10,263 S2: these attackers weapons, but they also understand the motivation. They 29 00:02:10,263 --> 00:02:15,273 S2: understand the geopolitics around, uh, you know, why attackers started 30 00:02:15,273 --> 00:02:17,913 S2: doing something. And that's more like what we call the 31 00:02:17,913 --> 00:02:20,313 S2: intelligence piece, right? So we cover all the aspects from 32 00:02:20,313 --> 00:02:25,323 S2: the more technical, the reverse engineering, the malware analysis, the, uh, 33 00:02:25,323 --> 00:02:28,083 S2: you know, helping to tune our machine learning models. I 34 00:02:28,083 --> 00:02:30,543 S2: know that your show is, you know, mostly about that. 35 00:02:30,543 --> 00:02:33,093 S2: So we, we, we work with the data scientists to 36 00:02:33,093 --> 00:02:36,963 S2: make sure that we, we tune these models for our products. 37 00:02:36,963 --> 00:02:40,113 S2: But we also, um, you know, do research on the 38 00:02:40,113 --> 00:02:41,853 S2: threat actors and their motivations. 39 00:02:42,633 --> 00:02:45,813 S1: Yeah, it's it's very interesting you say that the name 40 00:02:45,813 --> 00:02:49,113 S1: implies that I'm mostly about machine learning. It's actually kind 41 00:02:49,113 --> 00:02:51,783 S1: of a play in words. My background is actually almost 42 00:02:51,783 --> 00:02:56,793 S1: exactly 24 years in security. So about the same time. Yeah. Yeah. 
43 00:02:56,793 --> 00:03:01,353 S1: So so it's not uh, it wasn't originally I my 44 00:03:01,353 --> 00:03:03,213 S1: whole career has been in security and then I sort 45 00:03:03,213 --> 00:03:06,993 S1: of transitioned into AI. So I think we probably have 46 00:03:06,993 --> 00:03:11,253 S1: a lot to talk about there. Um, I think it's 47 00:03:11,253 --> 00:03:13,953 S1: the right framing because I like to think about what 48 00:03:13,953 --> 00:03:17,283 S1: are the attackers doing, what techniques are they using and 49 00:03:17,283 --> 00:03:20,463 S1: inside of what context like global context, like you said, uh, 50 00:03:20,463 --> 00:03:25,593 S1: geopolitical context. And that's why I find threat intelligence so fascinating. 51 00:03:25,593 --> 00:03:28,413 S1: And yeah, maybe we can sprinkle some AI in there, but, uh, 52 00:03:28,413 --> 00:03:32,733 S1: not necessarily if it doesn't belong. Right. Um, so so 53 00:03:32,733 --> 00:03:35,313 S1: what would you say the, the primary things that are 54 00:03:35,313 --> 00:03:38,163 S1: happening right now, what are the trends like what are 55 00:03:38,163 --> 00:03:41,403 S1: attackers doing? Why are they doing it? Who who are 56 00:03:41,403 --> 00:03:44,043 S1: these different groups. What does that look like? 57 00:03:44,973 --> 00:03:47,883 S2: Well, I guess if I had to summarize it in 58 00:03:47,883 --> 00:03:52,863 S2: just one phrase, it's like the internet is a mess. Mhm. 59 00:03:53,253 --> 00:03:56,583 S2: It's a lot of everything and there is more of 60 00:03:56,583 --> 00:04:00,603 S2: everything on a daily basis. Um, we, we do this 61 00:04:00,603 --> 00:04:06,873 S2: quarterly thread reports. Uh, that they're very interesting for us specifically. Right. 
62 00:04:06,873 --> 00:04:10,893 S2: And we, we're thrilled when we see, um, you know, 63 00:04:10,923 --> 00:04:15,153 S2: law enforcement agencies and uh, we even got like, you know, 64 00:04:15,153 --> 00:04:19,173 S2: United Nations and the Senate and a lot of other like, uh, 65 00:04:19,443 --> 00:04:22,023 S2: very important, you know, organizations coming to us and saying, oh, 66 00:04:22,053 --> 00:04:24,363 S2: you know, we're reading your third report and it's very awesome. Like, 67 00:04:24,363 --> 00:04:27,363 S2: we have these questions which, you know, it's fascinating, but 68 00:04:27,363 --> 00:04:30,033 S2: we do this primarily for us to understand the trends. 69 00:04:30,033 --> 00:04:32,553 S2: And one of the things that we just, uh, see 70 00:04:32,553 --> 00:04:37,923 S2: regularly is that there is a, uh, the regular constant 71 00:04:37,923 --> 00:04:42,993 S2: increase in the number of unique malware that we see, uh, 72 00:04:42,993 --> 00:04:45,123 S2: on a, on a per minute, right. So, for example, 73 00:04:45,123 --> 00:04:47,973 S2: I'm just looking at the last listings we have. Uh, 74 00:04:47,973 --> 00:04:50,913 S2: if you look at where we were about a year ago, 75 00:04:50,913 --> 00:04:57,843 S2: we were seeing from December 2022 to February 23rd, 1.5 76 00:04:57,843 --> 00:05:00,993 S2: unique hashes per minute. That's what we see with our telemetry, right? 77 00:05:00,993 --> 00:05:04,173 S2: Based on our products. And right now, the last number 78 00:05:04,173 --> 00:05:11,073 S2: I have is about 3.7 unique hashes per minute. Mhm. Uh, 79 00:05:11,073 --> 00:05:15,153 S2: targeting uh targeting you know our customers. Right. But it's 80 00:05:15,153 --> 00:05:20,013 S2: obviously everybody has different visibility, different angles. 
Uh, but this 81 00:05:20,013 --> 00:05:22,743 S2: definitely tells you that there's a lot more, there's a 82 00:05:22,743 --> 00:05:25,533 S2: lot more of unique malware that is being thrown out 83 00:05:25,533 --> 00:05:30,483 S2: there to organizations per minute. What else do we see? 84 00:05:30,873 --> 00:05:34,053 S2: I usually say attackers are lazy, right? When? When something works. 85 00:05:34,533 --> 00:05:35,853 S2: Why would you change it? 86 00:05:35,883 --> 00:05:36,873 S1: Yeah, absolutely. 87 00:05:37,653 --> 00:05:39,483 S2: In many cases it's a business for them, right? If 88 00:05:39,483 --> 00:05:43,503 S2: we're talking about cybercrime, uh, so we still see a 89 00:05:43,503 --> 00:05:49,533 S2: lot of old school stuff like the phishing attacks. Right. Uh, with, uh, 90 00:05:49,533 --> 00:05:53,943 S2: you know, embedded, uh, links or embedded, uh, PDFs. We're 91 00:05:53,943 --> 00:05:56,313 S2: seeing a lot of PDFs again, like these things coming. 92 00:05:56,343 --> 00:05:57,183 S1: Oh, interesting. 93 00:05:57,603 --> 00:05:59,283 S2: Come and go. Like, we haven't seen PDFs for a 94 00:05:59,283 --> 00:06:01,293 S2: long time. Now we're starting to see a lot of 95 00:06:01,293 --> 00:06:04,953 S2: PDFs again. And this usually has to do with, you know, 96 00:06:04,953 --> 00:06:09,063 S2: maybe some defenses that Microsoft has built into, uh, into 97 00:06:09,063 --> 00:06:11,553 S2: office lately that, you know, maybe sometime it will be 98 00:06:11,553 --> 00:06:15,033 S2: bypassed again and there will be a resurgence in, you know, 99 00:06:15,033 --> 00:06:20,973 S2: maybe macros or, uh, or other weaponized, um, uh, office documents. 100 00:06:21,063 --> 00:06:25,563 S2: And we also see a clear trend in the use of, uh, 101 00:06:25,563 --> 00:06:31,023 S2: cross-platform malware. Again, with this premise of attackers. 
See if 102 00:06:31,023 --> 00:06:35,253 S2: I can obtain more return on investment by crafting a 103 00:06:35,253 --> 00:06:40,053 S2: piece of malware that will will work across different platforms windows, 104 00:06:40,053 --> 00:06:44,253 S2: Linux and Mac OS by using, uh, you know, uh, 105 00:06:44,253 --> 00:06:50,613 S2: go or, you know, rust or other, um, cross-platform languages. 106 00:06:51,093 --> 00:06:52,893 S2: I'm going to be doing that. Right, because I'm going 107 00:06:52,893 --> 00:06:56,463 S2: to be able to reach out to a larger, uh, 108 00:06:56,463 --> 00:07:00,423 S2: population or get more victims. So there's just like, you know, 109 00:07:00,873 --> 00:07:03,213 S2: a brief summary of 50,000 foot overview of some of 110 00:07:03,213 --> 00:07:04,113 S2: the things that we see. 111 00:07:05,053 --> 00:07:07,543 S1: Okay, that that makes sense. Yeah. I'm looking at the report. 112 00:07:07,543 --> 00:07:10,873 S1: I pulled it up when you mentioned it. Uh, interesting. 113 00:07:10,873 --> 00:07:13,453 S1: And you got some breakdown by industry as well. 114 00:07:15,353 --> 00:07:17,903 S2: Yeah, I'm showing, by the way, some numbers that haven't been, 115 00:07:17,903 --> 00:07:19,943 S2: you know, published yet at this time that we're having 116 00:07:19,943 --> 00:07:23,453 S2: this conversation, but we publish very soon. So yeah, I'll 117 00:07:23,453 --> 00:07:24,623 S2: give you a heads up on that. 118 00:07:25,403 --> 00:07:29,933 S1: Yeah. Very cool. What about like, origins or types of attackers, like, 119 00:07:29,933 --> 00:07:34,073 S1: you know, hacktivists versus like a government versus, you know, 120 00:07:34,643 --> 00:07:37,433 S1: I don't know attacker types. Is it like is it 121 00:07:37,433 --> 00:07:40,973 S1: Eastern Europe? Is it Asia? Is it us versus us 122 00:07:40,973 --> 00:07:42,743 S1: like those types of things? 123 00:07:43,793 --> 00:07:47,273 S2: That's that's a good question. 
And again, like if you 124 00:07:47,273 --> 00:07:51,623 S2: look at this from a global perspective, unbiased perspective, you're 125 00:07:51,623 --> 00:07:55,163 S2: going to see that everybody's attacking everybody right. Everybody has motivation. 126 00:07:55,163 --> 00:07:58,613 S2: And cyber is just a weapon. It's just the how right. Uh, 127 00:07:58,613 --> 00:08:01,073 S2: but this has been done. If we look at governments, 128 00:08:01,073 --> 00:08:04,283 S2: for example, this has been done for many years, uh, 129 00:08:04,283 --> 00:08:06,833 S2: you know, in other areas. And it's still, you know, 130 00:08:06,833 --> 00:08:08,873 S2: done in other areas. And that's why there is not 131 00:08:08,873 --> 00:08:13,463 S2: only like cyber threat intelligence or CGI, but also human intelligence, right, 132 00:08:13,463 --> 00:08:18,263 S2: or open source intelligence and, you know, physical threats. And so, um, 133 00:08:18,263 --> 00:08:23,123 S2: but from a, from a CTI perspective, Cyberthreat intelligence, uh, we, 134 00:08:23,153 --> 00:08:25,223 S2: we have seen, you know, in the past that there 135 00:08:25,223 --> 00:08:29,723 S2: was a clear distinction between the so-called apts, the advanced 136 00:08:29,723 --> 00:08:36,323 S2: persistent threat nation, uh, states, um, attacks where the motivation 137 00:08:36,323 --> 00:08:41,663 S2: is stealing intellectual property or doing espionage. And, and then 138 00:08:41,663 --> 00:08:43,763 S2: the other world on the other side of the spectrum, right, 139 00:08:43,763 --> 00:08:47,303 S2: which is cybercrime. So this is the criminals are just 140 00:08:47,303 --> 00:08:49,133 S2: going after the money for financial gain. 141 00:08:49,343 --> 00:08:49,793 S1: Yep. 142 00:08:50,453 --> 00:08:52,973 S2: Um, and then the hacktivists. Right. 
That's kind of the 143 00:08:52,973 --> 00:08:55,043 S2: other group, uh, the people that are just like going 144 00:08:55,043 --> 00:08:57,293 S2: to hack into a company. And just because I don't know, 145 00:08:57,293 --> 00:09:00,383 S2: you sell, you make profit by selling records or music 146 00:09:00,383 --> 00:09:03,713 S2: and that's bad, right? That's evil. Right? Like that. Um, 147 00:09:03,713 --> 00:09:05,783 S2: they want to make a statement, right? A political statement 148 00:09:05,783 --> 00:09:11,123 S2: or socialist statement. These lines are more blurred than ever. Uh, 149 00:09:11,123 --> 00:09:15,053 S2: one of the reasons of that is because we, um, 150 00:09:15,053 --> 00:09:18,653 S2: we're more interconnected, right? And everybody has more of a 151 00:09:18,653 --> 00:09:22,583 S2: digital presence. And also because these weapons that attackers are 152 00:09:22,583 --> 00:09:27,503 S2: using in the past were like hard to craft or, uh, 153 00:09:27,503 --> 00:09:30,143 S2: it require a lot more skills maybe to do these 154 00:09:30,143 --> 00:09:33,113 S2: things these days. A lot of these are public, right. 155 00:09:33,113 --> 00:09:35,633 S2: And there's been a lot of, uh, red teaming tools 156 00:09:35,633 --> 00:09:38,393 S2: that have been leaked. Cobalt strike is one of the 157 00:09:38,393 --> 00:09:41,663 S2: common offenders, right. In that in that list, uh, but 158 00:09:41,663 --> 00:09:44,753 S2: also Metasploit, a bunch of other frameworks that are frameworks 159 00:09:44,753 --> 00:09:47,423 S2: are open, uh, they're available that people can just like, 160 00:09:47,423 --> 00:09:51,923 S2: go and modify. There's a lot of rats. One of, uh, 161 00:09:51,923 --> 00:09:54,443 S2: the rats, the remote access tools that we have been 162 00:09:54,443 --> 00:09:58,793 S2: discussing in one of our recent reports is a zinc rat. 
163 00:09:58,943 --> 00:10:02,213 S2: And anybody can go online and just look at the 164 00:10:02,213 --> 00:10:04,583 S2: source code of a sink rat and then maybe modified 165 00:10:04,583 --> 00:10:10,463 S2: and use it, uh, for these, uh, nefarious purposes so that, um, 166 00:10:10,463 --> 00:10:14,453 S2: availability of these tools, attackers, weapons. Right. Makes it a 167 00:10:14,453 --> 00:10:17,033 S2: lot more difficult because sometimes you may have an apt 168 00:10:17,033 --> 00:10:21,143 S2: a nation state using these tools. And it's very hard 169 00:10:21,143 --> 00:10:27,293 S2: to attribute exactly who's behind this unless you have more information, 170 00:10:27,293 --> 00:10:31,073 S2: you know, you have context, geopolitical context in many cases, 171 00:10:31,073 --> 00:10:34,583 S2: and you can understand the motivation behind why somebody is 172 00:10:34,583 --> 00:10:35,333 S2: doing this. 173 00:10:36,143 --> 00:10:39,233 S1: Yeah, that makes sense. So it's all kind of blurring together. 174 00:10:39,563 --> 00:10:41,903 S1: I've seen that a lot with a lot of Russian 175 00:10:41,903 --> 00:10:46,613 S1: groups where someone was like, oh, apt related or whatever, 176 00:10:46,613 --> 00:10:52,013 S1: but really it's kind of like a cybercrime group, but 177 00:10:52,013 --> 00:10:54,533 S1: they are kind of given a little bit of a 178 00:10:54,563 --> 00:10:56,783 S1: go ahead by the government to not come after them 179 00:10:56,783 --> 00:10:59,123 S1: because they seem to be doing good things for the country, 180 00:10:59,123 --> 00:11:02,543 S1: but it's not a formal relationship. So it's like, are 181 00:11:02,543 --> 00:11:05,543 S1: they affiliated? Are they not affiliated? It's it's hard to say. 182 00:11:06,173 --> 00:11:10,913 S2: Right. You have initial access brokers now, right? You have affiliates, uh, contractors. 183 00:11:10,913 --> 00:11:16,073 S2: Like I could be an independent contractor and offering my services. 
My, uh, 184 00:11:16,073 --> 00:11:18,743 S2: you know, my skills, my time, uh, on behalf of 185 00:11:18,743 --> 00:11:20,543 S2: different groups. And one day, I could be working for 186 00:11:20,543 --> 00:11:23,093 S2: a cybercriminal group that has financial gain. The next day, 187 00:11:23,093 --> 00:11:25,883 S2: I could be working as part of a, um, you know, 188 00:11:25,883 --> 00:11:29,423 S2: maybe a nation state or some other type of, um, uh, group. 189 00:11:29,423 --> 00:11:32,363 S2: We have also seen and this is a trend that 190 00:11:32,363 --> 00:11:38,873 S2: we've seen recently, commercial organizations behind some of these campaigns. Um, and, 191 00:11:39,683 --> 00:11:42,953 S2: you know, large multinationals that that might be in the 192 00:11:42,953 --> 00:11:46,523 S2: process of a merger and acquisition and, you know, there's 193 00:11:46,883 --> 00:11:49,613 S2: the traditional way of doing a due diligence, uh, by 194 00:11:49,613 --> 00:11:52,763 S2: looking at, you know, the financial health of an organization 195 00:11:52,763 --> 00:11:57,443 S2: that is also like unofficial ways of doing due diligence. Sure. And, uh, 196 00:11:57,443 --> 00:12:00,323 S2: it's interesting we're seeing some of that. Uh, so when 197 00:12:00,323 --> 00:12:02,573 S2: I say that the internet is a mess, it's it 198 00:12:02,573 --> 00:12:03,293 S2: really is. 199 00:12:03,923 --> 00:12:08,363 S1: Yeah. Interesting. And what are some of the specific techniques 200 00:12:08,363 --> 00:12:11,423 S1: or tactics that people are using? It seems like with, 201 00:12:11,423 --> 00:12:14,543 S1: with proliferation of AI, it seems like spearfishing is one 202 00:12:14,543 --> 00:12:17,093 S1: of the things that's getting really easy, really easy to 203 00:12:17,093 --> 00:12:19,913 S1: target specific people, especially if you put in a whole 204 00:12:19,913 --> 00:12:24,263 S1: bunch of context information about a particular target. 
You can 205 00:12:24,263 --> 00:12:27,623 S1: really make the email compelling. One of my favorite examples 206 00:12:27,623 --> 00:12:30,863 S1: of this is somebody who just, uh, has a big ego. 207 00:12:30,893 --> 00:12:33,173 S1: I don't know, sometimes happens in security, but you could 208 00:12:33,173 --> 00:12:35,093 S1: just be like, hey, I saw your last talk. It 209 00:12:35,093 --> 00:12:39,353 S1: was amazing, right? I really agree with your point about this. 210 00:12:39,353 --> 00:12:43,103 S1: And I wrote an article about your talk and I'm 211 00:12:43,103 --> 00:12:44,943 S1: going to. Actually send it on to the New York 212 00:12:44,943 --> 00:12:47,793 S1: Times or something. You send that in a phishing email, 213 00:12:47,793 --> 00:12:49,983 S1: like you're going to get a lot of security people. 214 00:12:50,433 --> 00:12:55,683 S1: And it's one thing to handcraft that email, right? But 215 00:12:55,683 --> 00:12:58,383 S1: that's pretty difficult. But what if you have a crawler 216 00:12:58,383 --> 00:13:01,203 S1: who can pull all the security people and then pull 217 00:13:01,203 --> 00:13:03,723 S1: all the people who have given talks recently, then you 218 00:13:03,723 --> 00:13:06,783 S1: could pull a particular point out of the talk and 219 00:13:06,783 --> 00:13:09,333 S1: then craft the email and send it to them. Well, 220 00:13:09,333 --> 00:13:11,733 S1: now you can maybe do that at scale, you know, 221 00:13:11,733 --> 00:13:15,063 S1: at the level of like a criminal organization or even 222 00:13:15,063 --> 00:13:17,823 S1: at the level of like an apt group for like 223 00:13:17,823 --> 00:13:21,573 S1: government to target more important people. So I feel like 224 00:13:21,573 --> 00:13:24,093 S1: that is one of the use cases that's getting really bad. 225 00:13:24,093 --> 00:13:26,433 S1: Are you guys seeing a lot of spear phishing type stuff? 
226 00:13:27,303 --> 00:13:29,913 S2: Well, we have seen reports right over the last couple 227 00:13:29,913 --> 00:13:33,483 S2: of years of a specific threat actors. I'm thinking, for example, 228 00:13:33,483 --> 00:13:35,943 S2: North Korea, that that has been involved in this type 229 00:13:35,943 --> 00:13:40,953 S2: of targeting, cyber security researchers specifically, uh, specifically working for 230 00:13:40,953 --> 00:13:43,683 S2: certain companies that may have access to certain information that 231 00:13:43,683 --> 00:13:48,003 S2: might be useful for, for them. Uh, but, yeah. And and, 232 00:13:48,003 --> 00:13:50,463 S2: you know, we have actually data that supports what you're saying. 233 00:13:50,463 --> 00:13:54,723 S2: For example, uh, in our report, uh, the report that 234 00:13:54,723 --> 00:13:57,123 S2: we released, uh, a few months ago, we again, we 235 00:13:57,123 --> 00:13:59,403 S2: do this every quarter. Right. But we have seen an 236 00:13:59,403 --> 00:14:03,813 S2: increase since last year, coincidentally or not, with the release 237 00:14:03,813 --> 00:14:07,203 S2: of ChatGPT and all these, uh, generative AI tools, we 238 00:14:07,203 --> 00:14:12,753 S2: have seen a surge in phishing attacks against Japan. And, 239 00:14:12,753 --> 00:14:15,063 S2: you know, Japan is a very interesting, uh, area because 240 00:14:15,063 --> 00:14:17,373 S2: we usually see some malware in Japan that we don't 241 00:14:17,373 --> 00:14:20,463 S2: see in other places. Again, everything is is every region 242 00:14:20,463 --> 00:14:24,543 S2: has like, their own characteristics. Right? But in Japan we 243 00:14:24,543 --> 00:14:27,813 S2: have seen like for example, uh, Emotet, some variants that 244 00:14:27,813 --> 00:14:30,033 S2: we haven't seen anywhere else. And, you know, they come 245 00:14:30,033 --> 00:14:33,873 S2: and go. But now with these tools, guess what? 
Like, 246 00:14:33,873 --> 00:14:37,023 S2: everybody can speak fluent Japanese, right? Yeah. And Japanese is 247 00:14:37,023 --> 00:14:40,233 S2: not really easy, right? At least for for us foreigners. 248 00:14:40,233 --> 00:14:43,713 S2: And it's just a very particular region of the world. Now, 249 00:14:43,713 --> 00:14:48,123 S2: these has opened up the possibility of any threat actor 250 00:14:48,123 --> 00:14:52,803 S2: out there to craft really, you know, legit looking, uh, 251 00:14:52,803 --> 00:14:56,493 S2: phishing emails to, to target this specific area of the world, 252 00:14:56,493 --> 00:14:59,583 S2: which is also, you know, a wealthy country with a 253 00:14:59,583 --> 00:15:04,053 S2: lot of industries and could be profitable. So, yes, the 254 00:15:04,053 --> 00:15:07,413 S2: data supports that attackers are using generative AI for these 255 00:15:07,413 --> 00:15:09,213 S2: type of, um, purposes. 256 00:15:09,783 --> 00:15:13,743 S1: Yeah. It's a really interesting point that you make. So 257 00:15:14,193 --> 00:15:16,623 S1: you've probably seen this conversation a million times in your 258 00:15:16,623 --> 00:15:19,383 S1: career because you've been doing this so long. It's like 259 00:15:19,833 --> 00:15:22,803 S1: somebody talks about how, you know, you can't hack Linux. 260 00:15:22,803 --> 00:15:27,153 S1: Linux is the most secure operating system. Windows is so insecure. 261 00:15:27,153 --> 00:15:29,373 S1: And I'm guilty of this. Back at, you know, 20 262 00:15:29,373 --> 00:15:31,833 S1: years ago, I used to think I was on the 263 00:15:31,833 --> 00:15:34,623 S1: most secure operating system because I only run Linux or 264 00:15:34,623 --> 00:15:39,183 S1: I only run whatever. 
And it's like, actually, if people 265 00:15:39,183 --> 00:15:41,703 S1: actually pointed a little bit of the attention that is 266 00:15:41,703 --> 00:15:45,093 S1: pointed at windows for the last 20 years, and they 267 00:15:45,093 --> 00:15:49,723 S1: pointed that at Linux it would be a nightmare. It 268 00:15:49,723 --> 00:15:54,133 S1: would be an absolute nightmare. And the reason windows appears 269 00:15:54,133 --> 00:15:57,643 S1: to be so bad because it's so targeted. And so 270 00:15:57,643 --> 00:16:00,043 S1: the point that you bring up about Japan is really interesting. 271 00:16:00,043 --> 00:16:04,963 S1: It's like maybe they're very vulnerable to spear phishing, but 272 00:16:04,963 --> 00:16:07,333 S1: no one's been able to get the email through because 273 00:16:07,333 --> 00:16:10,303 S1: they don't speak Japanese. So now you have an area 274 00:16:10,303 --> 00:16:14,203 S1: that's not hardened against these types of attacks. But the 275 00:16:14,203 --> 00:16:16,213 S1: door is now open where it was closed for the 276 00:16:16,213 --> 00:16:17,203 S1: last 20 years. 277 00:16:18,103 --> 00:16:20,503 S2: It's a window of opportunity. Right. And that's that's one 278 00:16:20,503 --> 00:16:23,473 S2: of the key things in the whole impact equation. If 279 00:16:23,473 --> 00:16:25,573 S2: we look at risk management oh now we're going to 280 00:16:25,573 --> 00:16:27,853 S2: put people to to sleep. Now risk management. 281 00:16:28,123 --> 00:16:29,713 S1: Not me I'll be awake. 282 00:16:31,093 --> 00:16:33,193 S2: But uh but yeah the impact right at the end 283 00:16:33,193 --> 00:16:35,473 S2: of the day it's all about that. You can usually 284 00:16:35,473 --> 00:16:39,163 S2: say you can just like, try to protect against everything 285 00:16:39,163 --> 00:16:41,623 S2: you need to define. What is that? What is the 286 00:16:41,623 --> 00:16:45,193 S2: problem you're trying to solve. Right. And it can't be everything. 
287 00:16:45,193 --> 00:16:48,973 S2: You cannot protect all of your assets. Um, like in 288 00:16:48,973 --> 00:16:50,953 S2: the physical world, you have to assume, okay, you know, 289 00:16:50,953 --> 00:16:54,673 S2: some things can go and it's okay. You just, you know, 290 00:16:54,673 --> 00:16:57,133 S2: go and replace them. But other things can't, right? Because 291 00:16:57,133 --> 00:17:00,253 S2: they have a high value to us. Yeah. Uh, that's 292 00:17:00,253 --> 00:17:03,043 S2: what we need to, to define and. Yeah. Linux. Uh, 293 00:17:03,043 --> 00:17:05,293 S2: I remember a couple of years ago we released a 294 00:17:05,293 --> 00:17:09,553 S2: paper on symbiote, which was a Linux implant that we 295 00:17:09,553 --> 00:17:15,313 S2: saw targeting organizations in Latin America, especially financial organizations. And 296 00:17:15,313 --> 00:17:17,863 S2: it was a very interesting piece of software, right, of 297 00:17:17,863 --> 00:17:22,243 S2: malware in this case, uh, doing command and control over DNS, etc.. 298 00:17:22,243 --> 00:17:25,543 S2: We see a lot of web shells right on Linux, uh, 299 00:17:25,543 --> 00:17:31,543 S2: servers essentially, um, uh, program, um, programs that are supposed 300 00:17:31,543 --> 00:17:35,743 S2: to run, uh, commands or do execution on these, uh, boxes. 301 00:17:35,743 --> 00:17:37,333 S2: And think about it like the cloud. What is the 302 00:17:37,333 --> 00:17:40,033 S2: cloud made out of, right? Linux box boxes. Yeah, yeah. 303 00:17:40,933 --> 00:17:44,563 S2: And and we have everybody has more cloud presence. So absolutely. 304 00:17:44,563 --> 00:17:46,723 S2: I had a conversation a few days ago about the 305 00:17:46,723 --> 00:17:50,623 S2: importance of looking at these, uh, systems. You know, miter 306 00:17:50,623 --> 00:17:55,543 S2: has a miter attack matrix for Linux. 
And, uh, if 307 00:17:55,543 --> 00:17:58,753 S2: you look at the government, uh, agencies, the documents, recommendations 308 00:17:58,753 --> 00:18:01,453 S2: from NSA, from CSI, everybody says, you know, you need 309 00:18:01,453 --> 00:18:06,253 S2: to look at these, uh, systems because they're often overlooked. 310 00:18:06,253 --> 00:18:11,083 S2: People do not run endpoint protection on them. And, you know, 311 00:18:11,083 --> 00:18:14,383 S2: you trigger memories. Uh, I'm probably all right. But you 312 00:18:14,383 --> 00:18:16,873 S2: probably remember this when setting up Linux systems back in 313 00:18:16,873 --> 00:18:19,003 S2: the day. And all ports were open by default. 314 00:18:19,003 --> 00:18:19,903 S1: Oh, absolutely. 315 00:18:19,903 --> 00:18:23,323 S2: You have to close them like manually. Yeah. Uh, so 316 00:18:23,323 --> 00:18:26,563 S2: there's a lot of implicit trust that sometimes we put into, 317 00:18:26,563 --> 00:18:31,303 S2: into these systems making assumptions that are not necessarily true. Yeah. 318 00:18:32,143 --> 00:18:35,173 S1: Yeah. I just I really love that idea of, um, 319 00:18:35,623 --> 00:18:39,013 S1: language being a barrier that has stopped attacks from getting 320 00:18:39,013 --> 00:18:44,353 S1: through before and with Lmms open opening up. Translation. So 321 00:18:44,353 --> 00:18:47,683 S1: that barrier comes down. What about, uh, deepfakes? Are you 322 00:18:47,683 --> 00:18:50,923 S1: seeing much around that where it's easier to convince people 323 00:18:50,923 --> 00:18:51,583 S1: of things? 324 00:18:52,593 --> 00:18:56,703 S2: Well, it's a natural next step, right? 
And I remember 325 00:18:56,703 --> 00:18:58,953 S2: months ago I was in a close meeting with some 326 00:18:58,953 --> 00:19:05,133 S2: government agencies and, um, the head of this agency who 327 00:19:05,133 --> 00:19:07,473 S2: was mentioning that they were really seeing these type of 328 00:19:07,473 --> 00:19:11,763 S2: deep fakes, uh, with, uh, you know, calls, uh, where 329 00:19:11,763 --> 00:19:14,613 S2: they were imitating the voice of somebody and using that 330 00:19:14,613 --> 00:19:18,003 S2: to essentially for financial gain. Right. The typical business email compromise. 331 00:19:18,003 --> 00:19:21,093 S2: But now with with voice. And that's what we're seeing 332 00:19:21,093 --> 00:19:25,293 S2: on the news right now. We're seeing these, uh, deepfakes 333 00:19:25,293 --> 00:19:28,083 S2: using voice, using video, like jumping on a on a 334 00:19:28,083 --> 00:19:30,183 S2: zoom call. Oh, it's it's a CFO calling. 335 00:19:30,183 --> 00:19:32,313 S1: Yeah, I saw that one. That was so crazy. 336 00:19:32,943 --> 00:19:41,193 S2: Exactly. And, uh, it's just, again, one more iteration on, um, 337 00:19:41,193 --> 00:19:43,533 S2: something that we have known for a long time, you know, 338 00:19:43,533 --> 00:19:49,203 S2: same motivation. Just the tools are changing. And with the, um, the, the, uh, 339 00:19:49,203 --> 00:19:52,653 S2: democratization right, of these tools, as they become more available 340 00:19:52,653 --> 00:19:55,023 S2: to people out there, these things are going to just, 341 00:19:55,023 --> 00:19:58,653 S2: you know, make the environment, the internet, even a lot more, uh, 342 00:19:58,653 --> 00:20:00,423 S2: noisier than they are. It is today. 343 00:20:01,173 --> 00:20:04,083 S1: Yeah, absolutely. 
And then you have the issue of, like, 344 00:20:04,383 --> 00:20:08,613 S1: if you have a whole bunch of AI bots or 345 00:20:08,613 --> 00:20:12,483 S1: agents operating and they're, they're taking all these actions against APIs, 346 00:20:12,693 --> 00:20:14,883 S1: how how do you know if it's a real human 347 00:20:14,883 --> 00:20:17,403 S1: on the other side, or if that's automation or it's 348 00:20:17,403 --> 00:20:19,623 S1: AI or it's an agent or some sort? 349 00:20:21,273 --> 00:20:23,493 S2: That's a good question. And that's actually one of the 350 00:20:23,493 --> 00:20:26,463 S2: the uses of, uh, of email. Right. One of the 351 00:20:26,463 --> 00:20:28,683 S2: best things that we can use ML for is to 352 00:20:28,683 --> 00:20:34,023 S2: create patents. And, uh, by looking at the behavior of, uh, 353 00:20:34,023 --> 00:20:37,863 S2: the normal behavior of a, of how users interact with 354 00:20:37,863 --> 00:20:41,973 S2: an application, uh, you would, you know, kind of, uh, 355 00:20:41,973 --> 00:20:45,993 S2: infer whether that's normal or not, because typically these botnets 356 00:20:45,993 --> 00:20:48,933 S2: will behave in a, in a different, in a different way. Um, 357 00:20:50,223 --> 00:20:53,943 S2: as usual, you know, it's we usually talk about attackers 358 00:20:53,943 --> 00:20:57,633 S2: tools or attackers weapons. Sorry. And I like to talk 359 00:20:57,633 --> 00:21:01,653 S2: also about defenders weapons because, you know, this is at 360 00:21:01,653 --> 00:21:03,873 S2: the end of the the day, we're talking about technology 361 00:21:03,873 --> 00:21:07,113 S2: that can be used for good or for evil. And 362 00:21:07,113 --> 00:21:10,233 S2: many times we just focus on on the tools itself. 363 00:21:10,233 --> 00:21:12,903 S2: But we don't talk that much about strategy. Right. 
Um, uh, 364 00:21:13,023 --> 00:21:14,883 S2: as somebody that has been doing this for a long time, 365 00:21:14,883 --> 00:21:17,313 S2: I started on the what we call the red side. Right. 366 00:21:17,313 --> 00:21:18,273 S2: The red teaming. 367 00:21:18,273 --> 00:21:19,203 S1: Yep. Same here. 368 00:21:19,473 --> 00:21:22,173 S2: Hacking and pentesting and all of that. I'll tell you 369 00:21:22,173 --> 00:21:24,783 S2: what, it got boring. It got to a point where 370 00:21:24,783 --> 00:21:26,733 S2: it was boring because it was easy to get into 371 00:21:26,733 --> 00:21:28,473 S2: the organizations. 372 00:21:28,473 --> 00:21:30,393 S1: And you come back to the customer the next year 373 00:21:30,393 --> 00:21:31,743 S1: and they haven't fixed anything. 374 00:21:32,193 --> 00:21:35,823 S2: They don't care. Yes, we know. Yeah. For a water 375 00:21:35,823 --> 00:21:37,863 S2: plant in a, you know, country in Europe, I'm not 376 00:21:37,863 --> 00:21:41,613 S2: going to say more. And uh, I, I joined, you know, 377 00:21:41,613 --> 00:21:44,493 S2: I connected to the network at 9:00 and by noon I 378 00:21:44,493 --> 00:21:47,523 S2: already had local admin on one of the boxes that 379 00:21:47,523 --> 00:21:50,733 S2: control the OT environment. Right. So that's it. At that point, 380 00:21:50,733 --> 00:21:51,993 S2: you know, you're a consultant. What do you do? You 381 00:21:51,993 --> 00:21:55,083 S2: write the report, take screenshots, do everything. I created my 382 00:21:55,083 --> 00:21:58,143 S2: own local admin account right on that box. So I 383 00:21:58,143 --> 00:22:00,243 S2: was called six months later to come back and do 384 00:22:00,243 --> 00:22:02,943 S2: a retest. Hmm. Guess what? The first thing I checked 385 00:22:02,943 --> 00:22:04,833 S2: is that, is that my user, you know, is still 386 00:22:04,833 --> 00:22:06,453 S2: there on that box. 387 00:22:06,453 --> 00:22:08,343 S1: Oh, yeah. Nice. Nice.
388 00:22:08,403 --> 00:22:11,763 S2: Six months later. So that's that was probably the defining 389 00:22:11,763 --> 00:22:14,163 S2: moment for me when I was like, you know what, 390 00:22:14,493 --> 00:22:17,103 S2: I need to I need to help these people in 391 00:22:17,103 --> 00:22:18,933 S2: a different way. So that's when I moved to the 392 00:22:18,933 --> 00:22:22,233 S2: cyber defense side. And I find it fascinating to talk about 393 00:22:22,233 --> 00:22:26,643 S2: cyber defense strategy because, you know, you cannot fight these 394 00:22:26,643 --> 00:22:29,073 S2: people because at the end of the day, the other 395 00:22:29,073 --> 00:22:31,803 S2: side of the spectrum is not AI, right, or bots. 396 00:22:31,803 --> 00:22:36,153 S2: It's people doing this. You cannot fight that with just tools, 397 00:22:36,153 --> 00:22:39,693 S2: with just products, right? You need those. You need the weapons, 398 00:22:39,693 --> 00:22:43,263 S2: but you also need the strategy, the human brain too. Yeah. 399 00:22:43,593 --> 00:22:46,893 S2: And what you're doing, and justify why you're doing something 400 00:22:46,893 --> 00:22:51,063 S2: and change tactics if needed. Right. Like in any sports 401 00:22:51,063 --> 00:22:53,913 S2: game you get to, you get to change tactics if 402 00:22:54,093 --> 00:22:55,713 S2: they're not working. Yeah. 403 00:22:56,253 --> 00:22:58,803 S1: Yeah. Interesting. You mentioned a water plant. I had an 404 00:22:58,803 --> 00:23:04,923 S1: eye-opening assessment as well, assessing a water system for uh, 405 00:23:04,923 --> 00:23:09,483 S1: for a state. Um, yeah. Really really interesting. We seem 406 00:23:09,483 --> 00:23:12,993 S1: to be, uh, brothers. I speak Spanish too. 407 00:23:13,293 --> 00:23:17,763 S2: Me too, yes, yes, yes, we can continue in Spanish if you want. Yes. 408 00:23:18,333 --> 00:23:19,803 S1: It won't be very smooth. 409 00:23:19,923 --> 00:23:20,163 S2: Uh.
410 00:23:20,673 --> 00:23:26,193 S1: My vocabulary is bad, but you'll play though. Um, so 411 00:23:26,193 --> 00:23:30,393 S1: what about supply chain attacks? Are you seeing that, or 412 00:23:30,393 --> 00:23:34,443 S1: do you have that stuff in your, uh, in your report? 413 00:23:34,443 --> 00:23:36,693 S1: Is it one of the things you talk about? Like, like, 414 00:23:36,693 --> 00:23:40,593 S1: essentially it seems to be getting worse and worse. Like these, 415 00:23:40,593 --> 00:23:43,293 S1: the breaches keep happening and you keep realizing, oh, wait, 416 00:23:43,293 --> 00:23:46,083 S1: but their vendors. Oh, but what about their vendors? And 417 00:23:46,083 --> 00:23:47,673 S1: it's like, how do you secure the chain all the 418 00:23:47,673 --> 00:23:48,363 S1: way down? 419 00:23:49,023 --> 00:23:51,553 S2: Yeah. No, absolutely. And I think we have a. We 420 00:23:51,553 --> 00:23:54,493 S2: have a paragraph there or a comment on, on these uh, 421 00:23:54,493 --> 00:23:57,793 S2: in the, in the latest report that we're publishing. Um, 422 00:23:57,793 --> 00:24:00,673 S2: and we talk about the secure-by-default approach, rather, the 423 00:24:00,673 --> 00:24:03,313 S2: government, especially here in the US with the, uh, 424 00:24:03,313 --> 00:24:07,033 S2: executive order, uh, they're trying to push for this, right? 425 00:24:07,033 --> 00:24:10,663 S2: CISA pushing for this as well, especially with, um, you know, 426 00:24:10,663 --> 00:24:14,863 S2: protection of critical infrastructure. So, so important. But other countries 427 00:24:14,863 --> 00:24:17,863 S2: as well, the United Kingdom, Canada, EU, the G7, they're 428 00:24:17,863 --> 00:24:22,543 S2: all issuing guidelines on, on, uh, on on this topic 429 00:24:22,543 --> 00:24:25,063 S2: of like creating secure software. But but here's the thing. 430 00:24:25,303 --> 00:24:28,783 S2: Are we ever going to fix that problem? No.
There's 431 00:24:28,783 --> 00:24:32,383 S2: always going to be something. Right? Can we do something 432 00:24:32,413 --> 00:24:35,263 S2: to fix it and use, you know, you know, for example, 433 00:24:35,263 --> 00:24:38,593 S2: programming languages that make better use of memory? Yeah. So 434 00:24:38,593 --> 00:24:41,923 S2: we have less buffer overflows. Yes. Absolutely. Right. Technology is 435 00:24:41,923 --> 00:24:44,833 S2: going to help there. But we're never ever going to 436 00:24:44,833 --> 00:24:48,283 S2: end up creating like 100% secure software because there's no 437 00:24:48,283 --> 00:24:50,143 S2: such a thing in the world. Right? There's no 100% 438 00:24:50,143 --> 00:24:54,613 S2: secure with anything. Yeah. Um, but so that's, that's what the, 439 00:24:54,613 --> 00:24:59,953 S2: the laws and regulations are pushing for. In my team as, as, 440 00:24:59,953 --> 00:25:02,833 S2: you know, researchers, uh, what we do is to analyze 441 00:25:02,833 --> 00:25:04,633 S2: what we, what we're seeing out there. And what we 442 00:25:04,633 --> 00:25:08,143 S2: see is attackers obviously doing the supply chain attacks in 443 00:25:08,143 --> 00:25:12,613 S2: the SolarWinds style. These are like very highly targeted attacks 444 00:25:12,613 --> 00:25:15,733 S2: that we don't see on a daily basis. Right. Mhm. Um, 445 00:25:15,883 --> 00:25:22,483 S2: but you also see. Like pseudo supply chain attacks. What, uh, 446 00:25:22,483 --> 00:25:25,993 S2: what we see is, uh, for example, imagine this small 447 00:25:27,063 --> 00:25:29,913 S2: company in. I'm going to pick a, I don't know, 448 00:25:29,913 --> 00:25:32,043 S2: another region of the world. Let's say the Nordics, right, 449 00:25:32,043 --> 00:25:36,213 S2: something about language. Uh, so you have, you know, Finnish 450 00:25:36,213 --> 00:25:38,913 S2: and Swedish and Danish, and not a lot of people 451 00:25:38,913 --> 00:25:41,793 S2: out there in the world speak these languages.
So there 452 00:25:41,793 --> 00:25:45,393 S2: is this little company out there that they have this freeware. Right. 453 00:25:45,393 --> 00:25:48,933 S2: And it's a dictionary of, uh, Nordic, you know, terms, 454 00:25:48,933 --> 00:25:52,203 S2: something like that. And a lot of companies that want 455 00:25:52,203 --> 00:25:54,813 S2: to do business with the Nordics, they actually download this 456 00:25:54,813 --> 00:26:01,203 S2: freeware software. So let's put the bad guy hat on. Right. So, uh, 457 00:26:01,203 --> 00:26:04,143 S2: if I want to target these organizations, what do I do? 458 00:26:04,143 --> 00:26:07,983 S2: Very simple. I just either attack this website and replace 459 00:26:07,983 --> 00:26:11,493 S2: that freeware dictionary with something else that is, that has 460 00:26:11,493 --> 00:26:14,073 S2: an extra piece of code in it, right, to compromise 461 00:26:14,073 --> 00:26:17,673 S2: these organizations that are going to be downloading it. Or 462 00:26:17,703 --> 00:26:24,753 S2: I try to, um, um, essentially clone that site, right? 463 00:26:24,753 --> 00:26:28,653 S2: Scrape it, clone it, and instead of, uh, NordicDictionary.com 464 00:26:28,653 --> 00:26:35,553 S2: it's NordicDictionary.com. Yeah. Or Nordic, uh, hyphen, Dictionary.com. 465 00:26:35,553 --> 00:26:38,613 S2: And I'm going to be, uh, cloning all of that. 466 00:26:38,613 --> 00:26:41,643 S2: And I'm going to be serving this type of dictionary 467 00:26:41,643 --> 00:26:45,153 S2: that has this extra code. We see that a lot. And, 468 00:26:45,153 --> 00:26:48,123 S2: you know, through emails now we get the phishing vector, 469 00:26:48,123 --> 00:26:51,753 S2: right, through email or any other type of communications. Hey, download this, 470 00:26:51,753 --> 00:26:56,313 S2: use this little thing. Uh, now we're targeting a specific location, 471 00:26:56,313 --> 00:27:00,243 S2: a specific region.
It's not really a supply chain attack as we, 472 00:27:00,243 --> 00:27:03,873 S2: you know, think of it, but there's a lot of that, uh, happening. 473 00:27:04,113 --> 00:27:08,463 S1: Interesting. And where do you see these attacks sort of going, 474 00:27:08,493 --> 00:27:12,003 S1: I guess involving AI or not involving. I guess it's 475 00:27:12,003 --> 00:27:16,563 S1: probably the biggest switch. So what happens with threat intelligence 476 00:27:16,563 --> 00:27:22,413 S1: when both the attacker and the defender are powered with AI? Like, 477 00:27:22,683 --> 00:27:26,043 S1: does everything get faster, like the window for attack and 478 00:27:26,043 --> 00:27:31,443 S1: the window for fixing things, uh, closes faster? Uh, 479 00:27:31,443 --> 00:27:32,193 S1: what do you think? 480 00:27:33,483 --> 00:27:36,753 S2: You know, that's a that's a good question. And from 481 00:27:36,753 --> 00:27:39,633 S2: a technology perspective, I like to assume that everybody has 482 00:27:39,633 --> 00:27:42,423 S2: access to the same. Right. Um, it's just a matter 483 00:27:42,423 --> 00:27:46,563 S2: of how well you can implement something. Like, we all 484 00:27:46,563 --> 00:27:49,143 S2: have access to pretty much the same type of knowledge 485 00:27:49,143 --> 00:27:52,953 S2: about technology. Uh, the difference is, you know, how fast 486 00:27:52,953 --> 00:27:56,613 S2: can you do something, build it or weaponize it, and 487 00:27:56,613 --> 00:28:00,183 S2: how effective it is, how well built it is, and 488 00:28:00,183 --> 00:28:04,883 S2: tested, proved. And even if you, if you assume that 489 00:28:04,883 --> 00:28:07,193 S2: everybody has the same weapons. Right. So it's a, it's 490 00:28:07,193 --> 00:28:11,123 S2: a zero-sum kind of a game. The difference is 491 00:28:11,123 --> 00:28:14,573 S2: on the tactics and the strategy, right? The human, the 492 00:28:14,573 --> 00:28:17,903 S2: humans behind it.
So that's why I think I love 493 00:28:17,903 --> 00:28:20,573 S2: to talk about the human in the loop. Right. When 494 00:28:20,573 --> 00:28:24,533 S2: we talk about AI. Uh, the brain, somebody that can, 495 00:28:24,533 --> 00:28:27,263 S2: you know, observe what's going on, assisted by these bots 496 00:28:27,263 --> 00:28:31,043 S2: or AI, and then make a decision based, based on that. 497 00:28:31,223 --> 00:28:34,313 S2: For a small, for a lot of small organizations that 498 00:28:34,313 --> 00:28:36,713 S2: will probably require some sort of a, you know, a 499 00:28:36,713 --> 00:28:39,653 S2: third party, uh, a partner, somebody that can help, right, to, 500 00:28:39,653 --> 00:28:42,323 S2: to provide that guidance. But there's never going to be 501 00:28:42,323 --> 00:28:46,163 S2: a substitution for the business itself, knowing the business. Like, 502 00:28:46,163 --> 00:28:49,763 S2: you know, your business, right? A manufacturing plant, they know 503 00:28:49,763 --> 00:28:53,363 S2: their business. They, they know things that nobody else is 504 00:28:53,363 --> 00:28:55,733 S2: going to be able to know. So I think that's, 505 00:28:55,733 --> 00:28:59,723 S2: that's where the key of this is, is making security accessible, 506 00:28:59,723 --> 00:29:04,163 S2: making intelligence accessible to those making the key decisions. This 507 00:29:04,163 --> 00:29:06,863 S2: is not just the SOC analyst, right. Or the incident 508 00:29:06,863 --> 00:29:09,623 S2: responder or the threat hunter, which is, you know, probably 509 00:29:09,833 --> 00:29:13,313 S2: at the level that we operate, um, that we like, right, 510 00:29:13,313 --> 00:29:15,383 S2: because we like technology and the toys and all that.
511 00:29:15,383 --> 00:29:18,053 S2: But, but no, more importantly, it's making this intelligence 512 00:29:18,053 --> 00:29:22,913 S2: accessible to decision makers, to the C-level executives so 513 00:29:22,913 --> 00:29:26,603 S2: they can understand what's happening, right, in, in with their business, 514 00:29:26,603 --> 00:29:30,143 S2: for example. Um, we do a lot of business in Asia-Pacific, 515 00:29:30,143 --> 00:29:34,913 S2: and we see manufacturing plants in Taiwan that are being 516 00:29:34,913 --> 00:29:39,533 S2: targeted with very specific pieces of malware that have geofencing. 517 00:29:39,533 --> 00:29:43,483 S2: So they're only going to execute if they execute within 518 00:29:43,483 --> 00:29:48,253 S2: that region. Right. In that, that geolocation. Those are geo coordinates. 519 00:29:48,403 --> 00:29:51,253 S2: So what that means is that it's highly targeted, of course. 520 00:29:51,253 --> 00:29:54,553 S2: And who has a vested interest in what's happening in 521 00:29:54,553 --> 00:29:57,913 S2: manufacturing plants in Taiwan? Well, you can think of a, 522 00:29:57,913 --> 00:30:00,673 S2: you know, one country, for example, that, that has extensive 523 00:30:00,673 --> 00:30:04,123 S2: operations in terms of, uh, uh, espionage in the, in 524 00:30:04,123 --> 00:30:08,383 S2: the region. Yeah. Um, well, if you're an executive of 525 00:30:08,383 --> 00:30:10,483 S2: a manufacturing company in the US and you want to 526 00:30:10,483 --> 00:30:12,553 S2: open up a plant in Taiwan, don't you think that 527 00:30:12,553 --> 00:30:15,523 S2: you would like to know that? Right. But the thing 528 00:30:15,523 --> 00:30:20,623 S2: that, that affects your business operations, um, we have seen 529 00:30:20,623 --> 00:30:23,383 S2: threat actors, going back to Russia, right?
In the past, 530 00:30:24,223 --> 00:30:28,273 S2: targeting law firms here in the US, looking at mergers 531 00:30:28,273 --> 00:30:33,703 S2: and acquisitions and using that information to play the stock exchange. Mhm. So, 532 00:30:33,913 --> 00:30:36,283 S2: so all of these things have implications in the, in 533 00:30:36,283 --> 00:30:39,853 S2: the real world. And I think that that's something that 534 00:30:39,853 --> 00:30:43,423 S2: I'm particularly I want to say obsessed with. But, but 535 00:30:43,423 --> 00:30:46,273 S2: I try to work with and it's trying to make 536 00:30:46,273 --> 00:30:53,383 S2: this type of intelligence more. Digestible, more, um, strategic. Right, 537 00:30:53,383 --> 00:30:55,663 S2: for those that are making these type of decisions. 538 00:30:55,963 --> 00:31:01,573 S1: That's interesting. I, um, I, uh, built the, uh, security 539 00:31:01,573 --> 00:31:06,493 S1: measurement program over at Apple, uh, for a number of 540 00:31:06,493 --> 00:31:10,153 S1: years in the past, and that was a big part 541 00:31:10,153 --> 00:31:12,313 S1: of my I also was in the military. So I 542 00:31:12,313 --> 00:31:15,223 S1: was thinking in these same exact terms that you're describing. 543 00:31:15,223 --> 00:31:20,863 S1: So I was thinking data. Information and then, uh, insights 544 00:31:20,863 --> 00:31:25,033 S1: and then intelligence. And at the very top of that 545 00:31:25,033 --> 00:31:27,523 S1: is the decision maker. So I'm trying to figure out 546 00:31:27,523 --> 00:31:30,133 S1: what is the most work that I can do for them, 547 00:31:30,133 --> 00:31:33,613 S1: to enable them to make a decision. So they're not 548 00:31:33,613 --> 00:31:38,263 S1: processing logs, they're not even looking at log summaries, which 549 00:31:38,263 --> 00:31:40,843 S1: would be like the next level up, but instead they're 550 00:31:40,843 --> 00:31:44,323 S1: being told a story. Um, so it's a narrative. 
So 551 00:31:44,323 --> 00:31:48,463 S1: the narrative is something like, you know, um, this enemy 552 00:31:48,463 --> 00:31:52,933 S1: tends to attack between the hours of two and 3 a.m., right? 553 00:31:52,933 --> 00:31:55,903 S1: They tend to come in a small group of 3 554 00:31:55,903 --> 00:32:00,553 S1: to 4 people wearing dark clothing. They carry light weapons. 555 00:32:00,553 --> 00:32:04,273 S1: They don't come on full moon. But tonight is not 556 00:32:04,273 --> 00:32:06,463 S1: going to be a full moon. It's actually a new moon. 557 00:32:06,463 --> 00:32:12,013 S1: So there's no moon whatsoever. So therefore we think it 558 00:32:12,013 --> 00:32:16,033 S1: might happen tonight. And here's why we think that. Right. 559 00:32:16,033 --> 00:32:18,553 S1: So that brings them all the way up to the 560 00:32:18,553 --> 00:32:21,793 S1: decision point. And that's what that's my favorite type of 561 00:32:21,793 --> 00:32:25,543 S1: threat intelligence where it it gives you data but it 562 00:32:25,543 --> 00:32:28,243 S1: doesn't drown you in the data. It actually does analysis 563 00:32:28,243 --> 00:32:30,193 S1: that brings you right up to the point that they 564 00:32:30,193 --> 00:32:32,983 S1: can make a decision. So what does that look like 565 00:32:32,983 --> 00:32:36,433 S1: for you? I see this report here which looks quite good, 566 00:32:36,433 --> 00:32:39,733 S1: but what else do you have within your philosophy and 567 00:32:39,733 --> 00:32:43,243 S1: your product that helps you do that for the decision maker? 568 00:32:44,623 --> 00:32:46,963 S2: Yeah. So so when we look at for example, this 569 00:32:46,963 --> 00:32:50,713 S2: report is it's a mix. Right. We have some more, um, 570 00:32:50,713 --> 00:32:55,093 S2: narrative in the beginning. Um, high level introduction. 
Uh, so 571 00:32:55,093 --> 00:32:57,673 S2: as I said before, we have, you know, from people in 572 00:32:57,673 --> 00:33:01,873 S2: the Senate to, uh, uh, you know, CSOs reading these 573 00:33:01,873 --> 00:33:04,723 S2: to also SOC analysts. So one of the things that we, we, 574 00:33:04,723 --> 00:33:07,183 S2: we do is to, you know, do like a high-level, 575 00:33:07,183 --> 00:33:09,793 S2: you know, executive summary for anybody out there that wants 576 00:33:09,793 --> 00:33:12,403 S2: to share these type of things with, with, uh, executives. 577 00:33:12,403 --> 00:33:15,163 S2: Just know they're not going to read a lot of things, right. 578 00:33:15,163 --> 00:33:18,823 S2: If anything, they may just steal a few infographics. Um, 579 00:33:19,033 --> 00:33:22,453 S2: and one page. Right. No more than that. So we 580 00:33:22,453 --> 00:33:25,393 S2: try to, to stick to that rule, uh, and then 581 00:33:25,393 --> 00:33:28,093 S2: we go into more statistics. Uh, a lot of people, 582 00:33:28,093 --> 00:33:31,183 S2: you know, love to see these, like, trends. Uh, this 583 00:33:31,183 --> 00:33:32,923 S2: also gives us the opportunity to talk to, you know, 584 00:33:32,923 --> 00:33:37,123 S2: media and journalists. They love the numbers. Yeah. And, and 585 00:33:37,123 --> 00:33:42,433 S2: it helps, right, to, to also identify trends. And then 586 00:33:42,433 --> 00:33:45,883 S2: we look at cyber attacks per industry. So for example, 587 00:33:45,883 --> 00:33:48,523 S2: if you are in what we call critical infrastructure, right, 588 00:33:48,523 --> 00:33:51,283 S2: and this could be, you know, hospitals, this is a 589 00:33:51,283 --> 00:33:55,363 S2: manufacturing plant, this is a power plant. Uh, what are 590 00:33:55,363 --> 00:33:58,963 S2: some of the top threats for your industry? Right. Sure. 591 00:33:58,963 --> 00:34:01,183 S2: If you're in health, what do you want to look at?
592 00:34:01,393 --> 00:34:03,103 S2: If I'm, if I'm in healthcare, I don't want to 593 00:34:03,103 --> 00:34:07,123 S2: see all these, you know, malware that is targeting financial organizations, 594 00:34:07,123 --> 00:34:09,253 S2: for example. Because that's not what I may, what I 595 00:34:09,253 --> 00:34:13,093 S2: may see. Mhm. And it's also very interesting talking about trends. 596 00:34:13,093 --> 00:34:18,073 S2: What we have seen is that, um, traditional cybercrime against 597 00:34:18,073 --> 00:34:22,243 S2: financial organizations tends to reuse the same malware over and 598 00:34:22,243 --> 00:34:27,223 S2: over again. Mhm. It's less targeted versus attacks against healthcare 599 00:34:27,223 --> 00:34:30,643 S2: and government, local governments. We're not talking about, you know, 600 00:34:30,643 --> 00:34:34,453 S2: the large, large government facilities. In many cases we're talking 601 00:34:34,453 --> 00:34:40,153 S2: about small government, you know, state, uh, agencies, uh, or 602 00:34:40,153 --> 00:34:45,373 S2: schools even. Right. Education. Yeah. And we see more highly targeted. Right. 603 00:34:45,373 --> 00:34:50,893 S2: Because they're going after specific, uh, objectives. Mhm. So that's, 604 00:34:50,893 --> 00:34:53,383 S2: that's the idea of, uh, this is data that I 605 00:34:53,383 --> 00:34:55,423 S2: would like to have to be able to build my 606 00:34:55,423 --> 00:34:59,083 S2: threat model. And then finally, something that we would like 607 00:34:59,083 --> 00:35:01,993 S2: to include, there's a geopolitical analysis and commentary. So we 608 00:35:01,993 --> 00:35:06,793 S2: have people that are experts in geopolitical analysis, uh, looking 609 00:35:06,793 --> 00:35:09,343 S2: at what's going on. Like for example, a few months ago, 610 00:35:09,343 --> 00:35:15,013 S2: December 23rd, uh, the US, Japan and South Korea, they 611 00:35:15,013 --> 00:35:19,003 S2: signed an agreement to defend against North Korea attacks. Mhm.
612 00:35:19,573 --> 00:35:22,153 S2: That's that's on the news. Right. So you see that 613 00:35:22,153 --> 00:35:23,893 S2: how is that going to influence what we're going to 614 00:35:23,893 --> 00:35:26,113 S2: be seeing in Asia Pacific over the next few months. 615 00:35:26,143 --> 00:35:30,073 S2: Well there's definitely an impact right. Yeah. Um so if 616 00:35:30,073 --> 00:35:34,003 S2: you're operating again you have business in that area. You 617 00:35:34,003 --> 00:35:37,543 S2: want to have that type of context and information. And 618 00:35:37,543 --> 00:35:40,363 S2: then the rest of the report is more maybe a 619 00:35:40,363 --> 00:35:43,213 S2: little bit more, uh, technical. So if you want to 620 00:35:43,213 --> 00:35:46,513 S2: learn more about the CVEs that are getting exploited, uh, 621 00:35:46,513 --> 00:35:51,313 S2: this is more like the information that a SoC may consume, 622 00:35:51,673 --> 00:35:55,333 S2: you know, threat hunters, uh, maybe incident responders, uh, at 623 00:35:55,333 --> 00:35:57,223 S2: a more tactical level. 624 00:35:58,253 --> 00:36:02,453 S1: Yeah, that makes sense. Uh, so looking for like a 625 00:36:02,453 --> 00:36:06,773 S1: year or two, do you expect AI advancements to help 626 00:36:06,773 --> 00:36:08,513 S1: attackers or defenders more? 627 00:36:10,963 --> 00:36:13,993 S2: Again, very good question. I think that eventually it's going 628 00:36:13,993 --> 00:36:18,193 S2: to be a net net right. For for everybody, for 629 00:36:18,193 --> 00:36:20,533 S2: both attackers and, and defenders. I think the key it's 630 00:36:20,533 --> 00:36:23,713 S2: going to be not that much on the technology but 631 00:36:23,713 --> 00:36:26,773 S2: how you use it when you. But I love to 632 00:36:26,773 --> 00:36:29,563 S2: talk about the factor of time. If you look at 633 00:36:29,563 --> 00:36:35,653 S2: an attack chain. Mhm. 
Some people just, they, they believe 634 00:36:35,653 --> 00:36:37,963 S2: there's always going to be like a cyber bullet, right. 635 00:36:37,993 --> 00:36:42,133 S2: Uh, silver bullet, sorry, a cybersecurity silver bullet that. Oh, 636 00:36:42,133 --> 00:36:44,443 S2: this is the only thing I have to install. Right. Just. 637 00:36:45,433 --> 00:36:47,863 S2: Install this. And sometimes vendors, you know, the marketing could 638 00:36:47,863 --> 00:36:50,683 S2: be a bit, you know, confusing and could give you 639 00:36:50,683 --> 00:36:53,803 S2: the illusion that if you just do this, you're going 640 00:36:53,803 --> 00:36:55,363 S2: to be, you're going to be good. No, it's a 641 00:36:55,363 --> 00:36:57,343 S2: lot more complicated than, than that. That's why you need 642 00:36:57,343 --> 00:36:59,593 S2: the human factor. But if you look at an attack chain, 643 00:37:00,283 --> 00:37:02,713 S2: you know, we usually say this thing that attackers, they 644 00:37:02,713 --> 00:37:04,633 S2: only have to be right once, and defenders, we have 645 00:37:04,633 --> 00:37:07,333 S2: to be right all the time. Uh, well, if you 646 00:37:07,333 --> 00:37:10,033 S2: look at it from an endpoint perspective, then yes. Right. 647 00:37:10,033 --> 00:37:13,663 S2: And we see attackers are trying different things and that's 648 00:37:13,663 --> 00:37:16,033 S2: what we try to build, you know, predictive models. And 649 00:37:16,033 --> 00:37:19,453 S2: you know, you had Shield in your, in this, uh, 650 00:37:19,453 --> 00:37:22,753 S2: your show talking about the math behind all of these 651 00:37:22,753 --> 00:37:25,333 S2: and why these predictive models work. So we have to 652 00:37:25,333 --> 00:37:28,393 S2: be right there every single time, and how we do that. 653 00:37:28,393 --> 00:37:30,673 S2: But if you look at the attack chain, you step out, 654 00:37:30,673 --> 00:37:34,483 S2: you zoom out as a defender. All I need to do.
655 00:37:35,293 --> 00:37:39,823 S2: Is to detect the presence of the attacker once. Mhm. 656 00:37:39,883 --> 00:37:43,513 S2: That's right. So I have a whole attack chain I 657 00:37:43,513 --> 00:37:46,513 S2: have like all the way from the attacker is, you 658 00:37:46,513 --> 00:37:49,213 S2: know maybe doing some reconnaissance or trying to get some 659 00:37:49,213 --> 00:37:52,993 S2: information from my organization to the initial access, which could 660 00:37:52,993 --> 00:37:55,003 S2: be email or it could be, you know, some sort 661 00:37:55,003 --> 00:37:59,053 S2: of exploitation of a service all the way to the 662 00:37:59,053 --> 00:38:02,773 S2: attacker's objective. Right? Which is what either to hold hostage 663 00:38:02,773 --> 00:38:06,553 S2: of your environment or to where the valuable data is. 664 00:38:06,583 --> 00:38:11,473 S2: This takes time, right? Sometimes in a targeted attack, it 665 00:38:11,473 --> 00:38:14,083 S2: could be. It could be days. It could be weeks. 666 00:38:14,653 --> 00:38:19,573 S2: So you have multiple opportunities across that attack. Interesting. Successful. 667 00:38:19,693 --> 00:38:21,343 S2: So that's why I say, you know, we don't talk 668 00:38:21,343 --> 00:38:24,613 S2: that much about cyber defense strategy. But if you look 669 00:38:24,613 --> 00:38:27,313 S2: at it from that perspective, all I need to do 670 00:38:27,313 --> 00:38:31,783 S2: is to have the right sensors and the right, uh. 671 00:38:33,953 --> 00:38:34,223 S3: And. 672 00:38:34,583 --> 00:38:39,023 S2: You know, policy enforcement points in the right places to 673 00:38:39,023 --> 00:38:41,933 S2: be able to disrupt that activity. As long as the 674 00:38:41,933 --> 00:38:44,963 S2: attacker doesn't get to the final, you know, stage of 675 00:38:44,963 --> 00:38:48,563 S2: the attack. Those actions and objectives I'm I can win. 
676 00:38:48,563 --> 00:38:50,903 S1: I love I love that I've never actually heard that 677 00:38:50,903 --> 00:38:55,553 S1: put in a positive light. You're basically inverting the whole thing, saying, yeah, 678 00:38:55,553 --> 00:38:59,033 S1: the the attacker only has to be right once, but 679 00:38:59,033 --> 00:39:02,063 S1: look how many opportunities the defender has to see what 680 00:39:02,063 --> 00:39:05,513 S1: they're doing because they have to go through this whole chain. 681 00:39:05,513 --> 00:39:09,053 S1: And those every point on that chain is an opportunity 682 00:39:09,053 --> 00:39:10,013 S1: to detect. 683 00:39:10,823 --> 00:39:14,033 S2: Exactly. And look, it's like the physical world, right. It's 684 00:39:14,033 --> 00:39:16,853 S2: not that hard if I, if I'm trying to protect 685 00:39:16,853 --> 00:39:21,173 S2: a defend my, my, my house, right. My home and 686 00:39:21,173 --> 00:39:22,583 S2: I have my valuables, I'm not going to put them 687 00:39:22,583 --> 00:39:24,923 S2: like close to the, to the front door where somebody 688 00:39:24,923 --> 00:39:28,313 S2: could just smash the door and grab it and quickly leave. 689 00:39:28,313 --> 00:39:31,133 S2: If I do that and I get stolen, like, look, it's, 690 00:39:31,133 --> 00:39:34,133 S2: you know, shame on me. Yeah, I have a really, 691 00:39:34,133 --> 00:39:38,363 S2: really poor defensive security detector, right? I put my valuables 692 00:39:38,363 --> 00:39:41,693 S2: next to the front door next to a perimeter window. Yeah. Uh, 693 00:39:41,843 --> 00:39:43,613 S2: what do you do? Like a bank does, right? You 694 00:39:43,613 --> 00:39:47,363 S2: have the safe in the basement. And what you do, 695 00:39:47,393 --> 00:39:52,373 S2: you architect with a lot of preventive mechanisms. Those are walls, right? 696 00:39:52,373 --> 00:39:55,073 S2: The access control systems, then. 
But do you know that 697 00:39:55,073 --> 00:39:57,503 S2: in the absence of any detection and response, what's going to happen? 698 00:39:57,503 --> 00:40:00,563 S2: Somebody's going to, you know, come with a huge drill 699 00:40:00,563 --> 00:40:04,943 S2: or explosives, or it's just a matter of time. But 700 00:40:04,943 --> 00:40:07,643 S2: if you architect with the right sensors and you also, 701 00:40:07,643 --> 00:40:13,763 S2: in parallel, you add security cameras, right? You know, motion sensors, um, 702 00:40:13,763 --> 00:40:18,413 S2: you know, thermal sensors or vibration sensors, whatever. And you 703 00:40:18,413 --> 00:40:20,213 S2: orchestrate all of that in a way that you can 704 00:40:20,213 --> 00:40:23,513 S2: have a fast response with the big guys, with the 705 00:40:23,513 --> 00:40:27,653 S2: big weapons showing up quickly, you're effectively now building a defensible, 706 00:40:27,653 --> 00:40:31,913 S2: secure architecture where you have prevention, but also, in parallel, 707 00:40:32,033 --> 00:40:35,483 S2: you know, sensors for monitoring, for visibility, for detection and 708 00:40:35,483 --> 00:40:39,083 S2: for response. When you combine all of these things, which again, 709 00:40:39,083 --> 00:40:43,943 S2: is technology plus people and processes, then you have a lot 710 00:40:43,943 --> 00:40:46,913 S2: more chances to be successful. And all you need is 711 00:40:47,123 --> 00:40:50,333 S2: once, right. The attacker will have to commit the perfect 712 00:40:50,333 --> 00:40:54,263 S2: crime and to be, you know, right every single time 713 00:40:54,263 --> 00:40:59,573 S2: to bypass absolutely everything you have architected with. And that's usually, 714 00:40:59,573 --> 00:41:01,313 S2: you know, it usually doesn't happen. 715 00:41:01,763 --> 00:41:05,483 S1: Yeah, I really love that positive spin on it. Like 716 00:41:05,483 --> 00:41:08,213 S1: I said, I've never actually heard it put that way.
Um, 717 00:41:09,323 --> 00:41:12,533 S1: so what about the short term though? I feel like 718 00:41:12,533 --> 00:41:16,133 S1: in the short term that AI attacks are so new with, 719 00:41:16,133 --> 00:41:19,493 S1: you know, deepfakes and spear phishing that the attacker is going 720 00:41:19,493 --> 00:41:22,313 S1: to be able to move faster to use all these techniques. 721 00:41:22,523 --> 00:41:25,583 S1: But I agree with you that over time it's going 722 00:41:25,583 --> 00:41:29,063 S1: to equalize. In fact, because the defender has more context, 723 00:41:29,063 --> 00:41:32,993 S1: I think it actually might switch towards the defender maybe later, 724 00:41:33,233 --> 00:41:37,343 S1: but it'll mostly equalize. Do you agree that though early on, 725 00:41:37,343 --> 00:41:40,733 S1: like the next couple of years, the attacker might have 726 00:41:40,733 --> 00:41:42,953 S1: the advantage because they could just move so fast and 727 00:41:42,953 --> 00:41:45,593 S1: they don't care about like production readiness? 728 00:41:46,493 --> 00:41:50,003 S2: Yes. And that's typically the case. Right. We on the 729 00:41:50,003 --> 00:41:53,363 S2: defender side we have to now look at how we 730 00:41:53,633 --> 00:41:57,803 S2: responsibly use this technology. Right. And yeah that may involve 731 00:41:57,803 --> 00:42:01,853 S2: like lost regulations. And that's that's always like you know 732 00:42:02,153 --> 00:42:05,573 S2: uh slow. Yeah. Uh, in the meantime there's, there's things 733 00:42:05,573 --> 00:42:08,063 S2: that we urge people to do, which is like, you know, 734 00:42:08,063 --> 00:42:11,603 S2: to protect themselves with products that are using, you know, 735 00:42:11,603 --> 00:42:15,293 S2: the latest and greatest technology. Um, you know, we we 736 00:42:15,293 --> 00:42:19,463 S2: all know that defending with signatures is like playing whack-a-mole. 
Yeah, 737 00:42:20,243 --> 00:42:22,463 S2: but but still, we see a lot of companies out 738 00:42:22,463 --> 00:42:24,743 S2: there that they feel safe because they have a traditional 739 00:42:24,743 --> 00:42:27,173 S2: antivirus just defending with signatures. Right. Or. 740 00:42:27,173 --> 00:42:29,753 S1: Well, maybe that's why PDFs of attacks are coming back, 741 00:42:29,753 --> 00:42:34,613 S1: because the malware detection stuff like antivirus, old antivirus can 742 00:42:34,613 --> 00:42:38,033 S1: only hold so many signatures. So as they move through time, 743 00:42:38,033 --> 00:42:39,863 S1: they kind of take out the old ones. Maybe they 744 00:42:39,863 --> 00:42:42,623 S1: took out some PDF ones. So now the attacker goes 745 00:42:42,623 --> 00:42:45,953 S1: back to the PDF ones. Right? Right. Yeah. 746 00:42:45,953 --> 00:42:49,043 S2: So so yes, it's uh, it's always an arms race. 747 00:42:49,703 --> 00:42:52,883 S2: But that's why it's important to raise awareness. Uh, that's 748 00:42:52,883 --> 00:42:55,823 S2: that's why it's important to have that's what we try 749 00:42:55,823 --> 00:42:58,973 S2: to do with these reports. Right. To communicate. Look, this 750 00:42:58,973 --> 00:43:02,063 S2: is what's happening. And, you know, these are the tools 751 00:43:02,063 --> 00:43:04,313 S2: and this is the strategy, the tactics that you should 752 00:43:04,313 --> 00:43:06,443 S2: be using. And. 753 00:43:06,713 --> 00:43:07,883 S3: Um, but. 754 00:43:07,883 --> 00:43:13,323 S2: But yeah, just assume that attackers, they know. Like, you know, 755 00:43:13,323 --> 00:43:16,173 S2: the products that are out there and how the majority 756 00:43:16,173 --> 00:43:18,603 S2: of people use them. So I'm always a big proponent 757 00:43:18,603 --> 00:43:22,983 S2: of like add your own little strategy there. Right. Mhm. 
758 00:43:23,583 --> 00:43:26,043 S2: You know that attackers are going to go after your 759 00:43:26,043 --> 00:43:29,613 S2: organization and do reconnaissance and scrape your website like add 760 00:43:29,613 --> 00:43:32,613 S2: a little decoy somewhere, something that will give you an 761 00:43:32,613 --> 00:43:36,033 S2: early warning, something that will help you to get that 762 00:43:36,033 --> 00:43:39,693 S2: indicator towards the beginning of that attack chain. That can 763 00:43:39,693 --> 00:43:43,083 S2: give you an advantage over the adversary that takes the 764 00:43:43,083 --> 00:43:46,713 S2: adversary by surprise. How many times will the adversaries, you know, 765 00:43:46,713 --> 00:43:49,683 S2: take us by surprise? How many times can we get 766 00:43:49,683 --> 00:43:52,983 S2: them by surprise, by doing something that they were not expecting? Yeah. 767 00:43:54,563 --> 00:43:56,603 S2: I think that's that's an area where we still have 768 00:43:56,603 --> 00:43:59,903 S2: to to do more and. Well, that's what I hope 769 00:43:59,903 --> 00:44:03,203 S2: that we are contributing with these types of, uh, applications. 770 00:44:03,653 --> 00:44:07,763 S1: No. That's perfect. I think that is a good place 771 00:44:07,763 --> 00:44:10,313 S1: to start. But where can we learn more about what 772 00:44:10,343 --> 00:44:13,733 S1: you and your team are doing and, uh, your latest research, uh, 773 00:44:13,733 --> 00:44:15,623 S1: when is it going to come out and when can 774 00:44:15,623 --> 00:44:16,613 S1: we get a link to that? 775 00:44:17,513 --> 00:44:21,113 S2: Sure. So, uh, of course, uh, the best way to, uh, uh, 776 00:44:21,113 --> 00:44:22,823 S2: you know, look at our reports is to go to 777 00:44:22,823 --> 00:44:26,903 S2: our website, blackberry.com. Uh, we have a section for our, uh, 778 00:44:26,903 --> 00:44:30,503 S2: threat research, a threat center. 
And it's typically, you know, 779 00:44:30,503 --> 00:44:33,263 S2: front in the, in the in the main page. Uh, 780 00:44:33,263 --> 00:44:35,723 S2: there's going to be a link to, to our reports. Uh, 781 00:44:35,723 --> 00:44:38,963 S2: but also, you know, I'm very active on social media, LinkedIn, um, 782 00:44:39,113 --> 00:44:42,533 S2: you know, X, uh, my handle is about security. 783 00:44:42,533 --> 00:44:44,633 S3: So that's also, oh, very nice username. 784 00:44:46,283 --> 00:44:47,813 S2: I still don't know how I got that one. But again, 785 00:44:47,813 --> 00:44:49,973 S2: like this is an advantage of being in this field 786 00:44:49,973 --> 00:44:53,453 S2: for a long time, right. Yeah. About security and, um, yeah, 787 00:44:53,453 --> 00:44:55,733 S2: I'm happy to, uh, connect with any of our, you know, 788 00:44:55,733 --> 00:44:58,673 S2: the audience here. And, you know, you have a fantastic show. 789 00:44:58,673 --> 00:45:00,923 S2: So thanks for for having me. 790 00:45:00,923 --> 00:45:03,533 S1: Yeah, absolutely. Thanks for coming on. And we'll put all 791 00:45:03,533 --> 00:45:05,813 S1: those links, uh, in the show notes so people can 792 00:45:05,813 --> 00:45:07,903 S1: find them. Thanks a lot. 793 00:45:08,533 --> 00:45:09,343 S3: Excellent. Thank you, Danny.