WEBVTT - A Conversation With Ismael Valenzuela About AI and Threat Intelligence 0:00:22.193 --> 0:00:26.273 In the standalone sponsored episode I speak with Ismael Valenzuela. 0:00:26.843 --> 0:00:29.483 Ismael is the VP of threat research and Intelligence at 0:00:29.483 --> 0:00:34.433 BlackBerry silence. We talk about modern threat intelligence, the shifting 0:00:34.433 --> 0:00:38.393 attention of attackers, how JNI can be used for attacks. 0:00:39.563 --> 0:00:44.653 How defenders are adapting to deny threats. And many other topics. 0:00:44.743 --> 0:00:48.313 And with that, here is the conversation with Ismael Valenzuela. 0:00:53.293 --> 0:00:56.533 All right. Hello. Welcome, Ismael, to unsupervised learning. 0:00:57.633 --> 0:00:59.403 Thank you. Thank you, Daniel, for having me. 0:01:00.153 --> 0:01:03.093 Yeah. Perfect. So I will have already introduced you. I 0:01:03.093 --> 0:01:07.233 just want to get a brief, uh, sort of overview on, uh, 0:01:07.473 --> 0:01:10.593 on yourself and and how you got into security and, uh, 0:01:10.593 --> 0:01:12.003 what you do there at BlackBerry. 0:01:13.323 --> 0:01:17.973 Sure. So I've been doing, uh, well, cybersecurity since, uh, 0:01:17.973 --> 0:01:20.823 it was called, uh, something different, right? Information security. We 0:01:20.823 --> 0:01:24.783 didn't call even cyber back then, but I started to do, um, 0:01:24.783 --> 0:01:29.253 you know, cybersecurity related things back in 98, 99. And 0:01:29.253 --> 0:01:33.723 I founded, uh, a company, a consulting firm doing, uh, 0:01:33.723 --> 0:01:37.833 information security in at the end of 2000, beginning of 2001, 0:01:37.833 --> 0:01:41.043 in Spain. That's, uh, where I come from. I moved 0:01:41.163 --> 0:01:42.963 here to the States about ten years ago. But, yeah, 0:01:42.963 --> 0:01:46.923 I've been doing cyber security for, I guess, like 24 years. 0:01:47.253 --> 0:01:50.583 And what I do for BlackBerry is, uh, I lead 0:01:50.583 --> 0:01:54.993 the threat research and intelligence team. So essentially I lead, uh, uh, 0:01:54.993 --> 0:01:58.353 a team of, uh, very smart people that they not 0:01:58.353 --> 0:02:01.383 only understand, uh, you know, the malware. I like to 0:02:01.383 --> 0:02:04.293 talk about attackers weapons more than just like malware. Just 0:02:04.293 --> 0:02:07.173 this just one subset of it. Um, I understand these 0:02:07.173 --> 0:02:10.263 these attackers weapons, but they also understand the motivation. They 0:02:10.263 --> 0:02:15.273 understand the geopolitics around, uh, you know, why attackers started 0:02:15.273 --> 0:02:17.913 doing something. And that's more like what we call the 0:02:17.913 --> 0:02:20.313 intelligence piece, right? So we cover all the aspects from 0:02:20.313 --> 0:02:25.323 the more technical, the reverse engineering, the malware analysis, the, uh, 0:02:25.323 --> 0:02:28.083 you know, helping to tune our machine learning models. I 0:02:28.083 --> 0:02:30.543 know that your show is, you know, mostly about that. 0:02:30.543 --> 0:02:33.093 So we, we, we work with the data scientists to 0:02:33.093 --> 0:02:36.963 make sure that we, we tune these models for our products. 0:02:36.963 --> 0:02:40.113 But we also, um, you know, do research on the 0:02:40.113 --> 0:02:41.853 threat actors and their motivations. 0:02:42.633 --> 0:02:45.813 Yeah, it's it's very interesting you say that the name 0:02:45.813 --> 0:02:49.113 implies that I'm mostly about machine learning. It's actually kind 0:02:49.113 --> 0:02:51.783 of a play in words. My background is actually almost 0:02:51.783 --> 0:02:56.793 exactly 24 years in security. So about the same time. Yeah. Yeah. 0:02:56.793 --> 0:03:01.353 So so it's not uh, it wasn't originally I my 0:03:01.353 --> 0:03:03.213 whole career has been in security and then I sort 0:03:03.213 --> 0:03:06.993 of transitioned into AI. So I think we probably have 0:03:06.993 --> 0:03:11.253 a lot to talk about there. Um, I think it's 0:03:11.253 --> 0:03:13.953 the right framing because I like to think about what 0:03:13.953 --> 0:03:17.283 are the attackers doing, what techniques are they using and 0:03:17.283 --> 0:03:20.463 inside of what context like global context, like you said, uh, 0:03:20.463 --> 0:03:25.593 geopolitical context. And that's why I find threat intelligence so fascinating. 0:03:25.593 --> 0:03:28.413 And yeah, maybe we can sprinkle some AI in there, but, uh, 0:03:28.413 --> 0:03:32.733 not necessarily if it doesn't belong. Right. Um, so so 0:03:32.733 --> 0:03:35.313 what would you say the, the primary things that are 0:03:35.313 --> 0:03:38.163 happening right now, what are the trends like what are 0:03:38.163 --> 0:03:41.403 attackers doing? Why are they doing it? Who who are 0:03:41.403 --> 0:03:44.043 these different groups. What does that look like? 0:03:44.973 --> 0:03:47.883 Well, I guess if I had to summarize it in 0:03:47.883 --> 0:03:52.863 just one phrase, it's like the internet is a mess. Mhm. 0:03:53.253 --> 0:03:56.583 It's a lot of everything and there is more of 0:03:56.583 --> 0:04:00.603 everything on a daily basis. Um, we, we do this 0:04:00.603 --> 0:04:06.873 quarterly thread reports. Uh, that they're very interesting for us specifically. Right. 0:04:06.873 --> 0:04:10.893 And we, we're thrilled when we see, um, you know, 0:04:10.923 --> 0:04:15.153 law enforcement agencies and uh, we even got like, you know, 0:04:15.153 --> 0:04:19.173 United Nations and the Senate and a lot of other like, uh, 0:04:19.443 --> 0:04:22.023 very important, you know, organizations coming to us and saying, oh, 0:04:22.053 --> 0:04:24.363 you know, we're reading your third report and it's very awesome. Like, 0:04:24.363 --> 0:04:27.363 we have these questions which, you know, it's fascinating, but 0:04:27.363 --> 0:04:30.033 we do this primarily for us to understand the trends. 0:04:30.033 --> 0:04:32.553 And one of the things that we just, uh, see 0:04:32.553 --> 0:04:37.923 regularly is that there is a, uh, the regular constant 0:04:37.923 --> 0:04:42.993 increase in the number of unique malware that we see, uh, 0:04:42.993 --> 0:04:45.123 on a, on a per minute, right. So, for example, 0:04:45.123 --> 0:04:47.973 I'm just looking at the last listings we have. Uh, 0:04:47.973 --> 0:04:50.913 if you look at where we were about a year ago, 0:04:50.913 --> 0:04:57.843 we were seeing from December 2022 to February 23rd, 1.5 0:04:57.843 --> 0:05:00.993 unique hashes per minute. That's what we see with our telemetry, right? 0:05:00.993 --> 0:05:04.173 Based on our products. And right now, the last number 0:05:04.173 --> 0:05:11.073 I have is about 3.7 unique hashes per minute. Mhm. Uh, 0:05:11.073 --> 0:05:15.153 targeting uh targeting you know our customers. Right. But it's 0:05:15.153 --> 0:05:20.013 obviously everybody has different visibility, different angles. Uh, but this 0:05:20.013 --> 0:05:22.743 definitely tells you that there's a lot more, there's a 0:05:22.743 --> 0:05:25.533 lot more of unique malware that is being thrown out 0:05:25.533 --> 0:05:30.483 there to organizations per minute. What else do we see? 0:05:30.873 --> 0:05:34.053 I usually say attackers are lazy, right? When? When something works. 0:05:34.533 --> 0:05:35.853 Why would you change it? 0:05:35.883 --> 0:05:36.873 Yeah, absolutely. 0:05:37.653 --> 0:05:39.483 In many cases it's a business for them, right? If 0:05:39.483 --> 0:05:43.503 we're talking about cybercrime, uh, so we still see a 0:05:43.503 --> 0:05:49.533 lot of old school stuff like the phishing attacks. Right. Uh, with, uh, 0:05:49.533 --> 0:05:53.943 you know, embedded, uh, links or embedded, uh, PDFs. We're 0:05:53.943 --> 0:05:56.313 seeing a lot of PDFs again, like these things coming. 0:05:56.343 --> 0:05:57.183 Oh, interesting. 0:05:57.603 --> 0:05:59.283 Come and go. Like, we haven't seen PDFs for a 0:05:59.283 --> 0:06:01.293 long time. Now we're starting to see a lot of 0:06:01.293 --> 0:06:04.953 PDFs again. And this usually has to do with, you know, 0:06:04.953 --> 0:06:09.063 maybe some defenses that Microsoft has built into, uh, into 0:06:09.063 --> 0:06:11.553 office lately that, you know, maybe sometime it will be 0:06:11.553 --> 0:06:15.033 bypassed again and there will be a resurgence in, you know, 0:06:15.033 --> 0:06:20.973 maybe macros or, uh, or other weaponized, um, uh, office documents. 0:06:21.063 --> 0:06:25.563 And we also see a clear trend in the use of, uh, 0:06:25.563 --> 0:06:31.023 cross-platform malware. Again, with this premise of attackers. See if 0:06:31.023 --> 0:06:35.253 I can obtain more return on investment by crafting a 0:06:35.253 --> 0:06:40.053 piece of malware that will will work across different platforms windows, 0:06:40.053 --> 0:06:44.253 Linux and Mac OS by using, uh, you know, uh, 0:06:44.253 --> 0:06:50.613 go or, you know, rust or other, um, cross-platform languages. 0:06:51.093 --> 0:06:52.893 I'm going to be doing that. Right, because I'm going 0:06:52.893 --> 0:06:56.463 to be able to reach out to a larger, uh, 0:06:56.463 --> 0:07:00.423 population or get more victims. So there's just like, you know, 0:07:00.873 --> 0:07:03.213 a brief summary of 50,000 foot overview of some of 0:07:03.213 --> 0:07:04.113 the things that we see. 0:07:05.053 --> 0:07:07.543 Okay, that that makes sense. Yeah. I'm looking at the report. 0:07:07.543 --> 0:07:10.873 I pulled it up when you mentioned it. Uh, interesting. 0:07:10.873 --> 0:07:13.453 And you got some breakdown by industry as well. 0:07:15.353 --> 0:07:17.903 Yeah, I'm showing, by the way, some numbers that haven't been, 0:07:17.903 --> 0:07:19.943 you know, published yet at this time that we're having 0:07:19.943 --> 0:07:23.453 this conversation, but we publish very soon. So yeah, I'll 0:07:23.453 --> 0:07:24.623 give you a heads up on that. 0:07:25.403 --> 0:07:29.933 Yeah. Very cool. What about like, origins or types of attackers, like, 0:07:29.933 --> 0:07:34.073 you know, hacktivists versus like a government versus, you know, 0:07:34.643 --> 0:07:37.433 I don't know attacker types. Is it like is it 0:07:37.433 --> 0:07:40.973 Eastern Europe? Is it Asia? Is it us versus us 0:07:40.973 --> 0:07:42.743 like those types of things? 0:07:43.793 --> 0:07:47.273 That's that's a good question. And again, like if you 0:07:47.273 --> 0:07:51.623 look at this from a global perspective, unbiased perspective, you're 0:07:51.623 --> 0:07:55.163 going to see that everybody's attacking everybody right. Everybody has motivation. 0:07:55.163 --> 0:07:58.613 And cyber is just a weapon. It's just the how right. Uh, 0:07:58.613 --> 0:08:01.073 but this has been done. If we look at governments, 0:08:01.073 --> 0:08:04.283 for example, this has been done for many years, uh, 0:08:04.283 --> 0:08:06.833 you know, in other areas. And it's still, you know, 0:08:06.833 --> 0:08:08.873 done in other areas. And that's why there is not 0:08:08.873 --> 0:08:13.463 only like cyber threat intelligence or CGI, but also human intelligence, right, 0:08:13.463 --> 0:08:18.263 or open source intelligence and, you know, physical threats. And so, um, 0:08:18.263 --> 0:08:23.123 but from a, from a CTI perspective, Cyberthreat intelligence, uh, we, 0:08:23.153 --> 0:08:25.223 we have seen, you know, in the past that there 0:08:25.223 --> 0:08:29.723 was a clear distinction between the so-called apts, the advanced 0:08:29.723 --> 0:08:36.323 persistent threat nation, uh, states, um, attacks where the motivation 0:08:36.323 --> 0:08:41.663 is stealing intellectual property or doing espionage. And, and then 0:08:41.663 --> 0:08:43.763 the other world on the other side of the spectrum, right, 0:08:43.763 --> 0:08:47.303 which is cybercrime. So this is the criminals are just 0:08:47.303 --> 0:08:49.133 going after the money for financial gain. 0:08:49.343 --> 0:08:49.793 Yep. 0:08:50.453 --> 0:08:52.973 Um, and then the hacktivists. Right. That's kind of the 0:08:52.973 --> 0:08:55.043 other group, uh, the people that are just like going 0:08:55.043 --> 0:08:57.293 to hack into a company. And just because I don't know, 0:08:57.293 --> 0:09:00.383 you sell, you make profit by selling records or music 0:09:00.383 --> 0:09:03.713 and that's bad, right? That's evil. Right? Like that. Um, 0:09:03.713 --> 0:09:05.783 they want to make a statement, right? A political statement 0:09:05.783 --> 0:09:11.123 or socialist statement. These lines are more blurred than ever. Uh, 0:09:11.123 --> 0:09:15.053 one of the reasons of that is because we, um, 0:09:15.053 --> 0:09:18.653 we're more interconnected, right? And everybody has more of a 0:09:18.653 --> 0:09:22.583 digital presence. And also because these weapons that attackers are 0:09:22.583 --> 0:09:27.503 using in the past were like hard to craft or, uh, 0:09:27.503 --> 0:09:30.143 it require a lot more skills maybe to do these 0:09:30.143 --> 0:09:33.113 things these days. A lot of these are public, right. 0:09:33.113 --> 0:09:35.633 And there's been a lot of, uh, red teaming tools 0:09:35.633 --> 0:09:38.393 that have been leaked. Cobalt strike is one of the 0:09:38.393 --> 0:09:41.663 common offenders, right. In that in that list, uh, but 0:09:41.663 --> 0:09:44.753 also Metasploit, a bunch of other frameworks that are frameworks 0:09:44.753 --> 0:09:47.423 are open, uh, they're available that people can just like, 0:09:47.423 --> 0:09:51.923 go and modify. There's a lot of rats. One of, uh, 0:09:51.923 --> 0:09:54.443 the rats, the remote access tools that we have been 0:09:54.443 --> 0:09:58.793 discussing in one of our recent reports is a zinc rat. 0:09:58.943 --> 0:10:02.213 And anybody can go online and just look at the 0:10:02.213 --> 0:10:04.583 source code of a sink rat and then maybe modified 0:10:04.583 --> 0:10:10.463 and use it, uh, for these, uh, nefarious purposes so that, um, 0:10:10.463 --> 0:10:14.453 availability of these tools, attackers, weapons. Right. Makes it a 0:10:14.453 --> 0:10:17.033 lot more difficult because sometimes you may have an apt 0:10:17.033 --> 0:10:21.143 a nation state using these tools. And it's very hard 0:10:21.143 --> 0:10:27.293 to attribute exactly who's behind this unless you have more information, 0:10:27.293 --> 0:10:31.073 you know, you have context, geopolitical context in many cases, 0:10:31.073 --> 0:10:34.583 and you can understand the motivation behind why somebody is 0:10:34.583 --> 0:10:35.333 doing this. 0:10:36.143 --> 0:10:39.233 Yeah, that makes sense. So it's all kind of blurring together. 0:10:39.563 --> 0:10:41.903 I've seen that a lot with a lot of Russian 0:10:41.903 --> 0:10:46.613 groups where someone was like, oh, apt related or whatever, 0:10:46.613 --> 0:10:52.013 but really it's kind of like a cybercrime group, but 0:10:52.013 --> 0:10:54.533 they are kind of given a little bit of a 0:10:54.563 --> 0:10:56.783 go ahead by the government to not come after them 0:10:56.783 --> 0:10:59.123 because they seem to be doing good things for the country, 0:10:59.123 --> 0:11:02.543 but it's not a formal relationship. So it's like, are 0:11:02.543 --> 0:11:05.543 they affiliated? Are they not affiliated? It's it's hard to say. 0:11:06.173 --> 0:11:10.913 Right. You have initial access brokers now, right? You have affiliates, uh, contractors. 0:11:10.913 --> 0:11:16.073 Like I could be an independent contractor and offering my services. My, uh, 0:11:16.073 --> 0:11:18.743 you know, my skills, my time, uh, on behalf of 0:11:18.743 --> 0:11:20.543 different groups. And one day, I could be working for 0:11:20.543 --> 0:11:23.093 a cybercriminal group that has financial gain. The next day, 0:11:23.093 --> 0:11:25.883 I could be working as part of a, um, you know, 0:11:25.883 --> 0:11:29.423 maybe a nation state or some other type of, um, uh, group. 0:11:29.423 --> 0:11:32.363 We have also seen and this is a trend that 0:11:32.363 --> 0:11:38.873 we've seen recently, commercial organizations behind some of these campaigns. Um, and, 0:11:39.683 --> 0:11:42.953 you know, large multinationals that that might be in the 0:11:42.953 --> 0:11:46.523 process of a merger and acquisition and, you know, there's 0:11:46.883 --> 0:11:49.613 the traditional way of doing a due diligence, uh, by 0:11:49.613 --> 0:11:52.763 looking at, you know, the financial health of an organization 0:11:52.763 --> 0:11:57.443 that is also like unofficial ways of doing due diligence. Sure. And, uh, 0:11:57.443 --> 0:12:00.323 it's interesting we're seeing some of that. Uh, so when 0:12:00.323 --> 0:12:02.573 I say that the internet is a mess, it's it 0:12:02.573 --> 0:12:03.293 really is. 0:12:03.923 --> 0:12:08.363 Yeah. Interesting. And what are some of the specific techniques 0:12:08.363 --> 0:12:11.423 or tactics that people are using? It seems like with, 0:12:11.423 --> 0:12:14.543 with proliferation of AI, it seems like spearfishing is one 0:12:14.543 --> 0:12:17.093 of the things that's getting really easy, really easy to 0:12:17.093 --> 0:12:19.913 target specific people, especially if you put in a whole 0:12:19.913 --> 0:12:24.263 bunch of context information about a particular target. You can 0:12:24.263 --> 0:12:27.623 really make the email compelling. One of my favorite examples 0:12:27.623 --> 0:12:30.863 of this is somebody who just, uh, has a big ego. 0:12:30.893 --> 0:12:33.173 I don't know, sometimes happens in security, but you could 0:12:33.173 --> 0:12:35.093 just be like, hey, I saw your last talk. It 0:12:35.093 --> 0:12:39.353 was amazing, right? I really agree with your point about this. 0:12:39.353 --> 0:12:43.103 And I wrote an article about your talk and I'm 0:12:43.103 --> 0:12:44.943 going to. Actually send it on to the New York 0:12:44.943 --> 0:12:47.793 Times or something. You send that in a phishing email, 0:12:47.793 --> 0:12:49.983 like you're going to get a lot of security people. 0:12:50.433 --> 0:12:55.683 And it's one thing to handcraft that email, right? But 0:12:55.683 --> 0:12:58.383 that's pretty difficult. But what if you have a crawler 0:12:58.383 --> 0:13:01.203 who can pull all the security people and then pull 0:13:01.203 --> 0:13:03.723 all the people who have given talks recently, then you 0:13:03.723 --> 0:13:06.783 could pull a particular point out of the talk and 0:13:06.783 --> 0:13:09.333 then craft the email and send it to them. Well, 0:13:09.333 --> 0:13:11.733 now you can maybe do that at scale, you know, 0:13:11.733 --> 0:13:15.063 at the level of like a criminal organization or even 0:13:15.063 --> 0:13:17.823 at the level of like an apt group for like 0:13:17.823 --> 0:13:21.573 government to target more important people. So I feel like 0:13:21.573 --> 0:13:24.093 that is one of the use cases that's getting really bad. 0:13:24.093 --> 0:13:26.433 Are you guys seeing a lot of spear phishing type stuff? 0:13:27.303 --> 0:13:29.913 Well, we have seen reports right over the last couple 0:13:29.913 --> 0:13:33.483 of years of a specific threat actors. I'm thinking, for example, 0:13:33.483 --> 0:13:35.943 North Korea, that that has been involved in this type 0:13:35.943 --> 0:13:40.953 of targeting, cyber security researchers specifically, uh, specifically working for 0:13:40.953 --> 0:13:43.683 certain companies that may have access to certain information that 0:13:43.683 --> 0:13:48.003 might be useful for, for them. Uh, but, yeah. And and, 0:13:48.003 --> 0:13:50.463 you know, we have actually data that supports what you're saying. 0:13:50.463 --> 0:13:54.723 For example, uh, in our report, uh, the report that 0:13:54.723 --> 0:13:57.123 we released, uh, a few months ago, we again, we 0:13:57.123 --> 0:13:59.403 do this every quarter. Right. But we have seen an 0:13:59.403 --> 0:14:03.813 increase since last year, coincidentally or not, with the release 0:14:03.813 --> 0:14:07.203 of ChatGPT and all these, uh, generative AI tools, we 0:14:07.203 --> 0:14:12.753 have seen a surge in phishing attacks against Japan. And, 0:14:12.753 --> 0:14:15.063 you know, Japan is a very interesting, uh, area because 0:14:15.063 --> 0:14:17.373 we usually see some malware in Japan that we don't 0:14:17.373 --> 0:14:20.463 see in other places. Again, everything is is every region 0:14:20.463 --> 0:14:24.543 has like, their own characteristics. Right? But in Japan we 0:14:24.543 --> 0:14:27.813 have seen like for example, uh, Emotet, some variants that 0:14:27.813 --> 0:14:30.033 we haven't seen anywhere else. And, you know, they come 0:14:30.033 --> 0:14:33.873 and go. But now with these tools, guess what? Like, 0:14:33.873 --> 0:14:37.023 everybody can speak fluent Japanese, right? Yeah. And Japanese is 0:14:37.023 --> 0:14:40.233 not really easy, right? At least for for us foreigners. 0:14:40.233 --> 0:14:43.713 And it's just a very particular region of the world. Now, 0:14:43.713 --> 0:14:48.123 these has opened up the possibility of any threat actor 0:14:48.123 --> 0:14:52.803 out there to craft really, you know, legit looking, uh, 0:14:52.803 --> 0:14:56.493 phishing emails to, to target this specific area of the world, 0:14:56.493 --> 0:14:59.583 which is also, you know, a wealthy country with a 0:14:59.583 --> 0:15:04.053 lot of industries and could be profitable. So, yes, the 0:15:04.053 --> 0:15:07.413 data supports that attackers are using generative AI for these 0:15:07.413 --> 0:15:09.213 type of, um, purposes. 0:15:09.783 --> 0:15:13.743 Yeah. It's a really interesting point that you make. So 0:15:14.193 --> 0:15:16.623 you've probably seen this conversation a million times in your 0:15:16.623 --> 0:15:19.383 career because you've been doing this so long. It's like 0:15:19.833 --> 0:15:22.803 somebody talks about how, you know, you can't hack Linux. 0:15:22.803 --> 0:15:27.153 Linux is the most secure operating system. Windows is so insecure. 0:15:27.153 --> 0:15:29.373 And I'm guilty of this. Back at, you know, 20 0:15:29.373 --> 0:15:31.833 years ago, I used to think I was on the 0:15:31.833 --> 0:15:34.623 most secure operating system because I only run Linux or 0:15:34.623 --> 0:15:39.183 I only run whatever. And it's like, actually, if people 0:15:39.183 --> 0:15:41.703 actually pointed a little bit of the attention that is 0:15:41.703 --> 0:15:45.093 pointed at windows for the last 20 years, and they 0:15:45.093 --> 0:15:49.723 pointed that at Linux it would be a nightmare. It 0:15:49.723 --> 0:15:54.133 would be an absolute nightmare. And the reason windows appears 0:15:54.133 --> 0:15:57.643 to be so bad because it's so targeted. And so 0:15:57.643 --> 0:16:00.043 the point that you bring up about Japan is really interesting. 0:16:00.043 --> 0:16:04.963 It's like maybe they're very vulnerable to spear phishing, but 0:16:04.963 --> 0:16:07.333 no one's been able to get the email through because 0:16:07.333 --> 0:16:10.303 they don't speak Japanese. So now you have an area 0:16:10.303 --> 0:16:14.203 that's not hardened against these types of attacks. But the 0:16:14.203 --> 0:16:16.213 door is now open where it was closed for the 0:16:16.213 --> 0:16:17.203 last 20 years. 0:16:18.103 --> 0:16:20.503 It's a window of opportunity. Right. And that's that's one 0:16:20.503 --> 0:16:23.473 of the key things in the whole impact equation. If 0:16:23.473 --> 0:16:25.573 we look at risk management oh now we're going to 0:16:25.573 --> 0:16:27.853 put people to to sleep. Now risk management. 0:16:28.123 --> 0:16:29.713 Not me I'll be awake. 0:16:31.093 --> 0:16:33.193 But uh but yeah the impact right at the end 0:16:33.193 --> 0:16:35.473 of the day it's all about that. You can usually 0:16:35.473 --> 0:16:39.163 say you can just like, try to protect against everything 0:16:39.163 --> 0:16:41.623 you need to define. What is that? What is the 0:16:41.623 --> 0:16:45.193 problem you're trying to solve. Right. And it can't be everything. 0:16:45.193 --> 0:16:48.973 You cannot protect all of your assets. Um, like in 0:16:48.973 --> 0:16:50.953 the physical world, you have to assume, okay, you know, 0:16:50.953 --> 0:16:54.673 some things can go and it's okay. You just, you know, 0:16:54.673 --> 0:16:57.133 go and replace them. But other things can't, right? Because 0:16:57.133 --> 0:17:00.253 they have a high value to us. Yeah. Uh, that's 0:17:00.253 --> 0:17:03.043 what we need to, to define and. Yeah. Linux. Uh, 0:17:03.043 --> 0:17:05.293 I remember a couple of years ago we released a 0:17:05.293 --> 0:17:09.553 paper on symbiote, which was a Linux implant that we 0:17:09.553 --> 0:17:15.313 saw targeting organizations in Latin America, especially financial organizations. And 0:17:15.313 --> 0:17:17.863 it was a very interesting piece of software, right, of 0:17:17.863 --> 0:17:22.243 malware in this case, uh, doing command and control over DNS, etc.. 0:17:22.243 --> 0:17:25.543 We see a lot of web shells right on Linux, uh, 0:17:25.543 --> 0:17:31.543 servers essentially, um, uh, program, um, programs that are supposed 0:17:31.543 --> 0:17:35.743 to run, uh, commands or do execution on these, uh, boxes. 0:17:35.743 --> 0:17:37.333 And think about it like the cloud. What is the 0:17:37.333 --> 0:17:40.033 cloud made out of, right? Linux box boxes. Yeah, yeah. 0:17:40.933 --> 0:17:44.563 And and we have everybody has more cloud presence. So absolutely. 0:17:44.563 --> 0:17:46.723 I had a conversation a few days ago about the 0:17:46.723 --> 0:17:50.623 importance of looking at these, uh, systems. You know, miter 0:17:50.623 --> 0:17:55.543 has a miter attack matrix for Linux. And, uh, if 0:17:55.543 --> 0:17:58.753 you look at the government, uh, agencies, the documents, recommendations 0:17:58.753 --> 0:18:01.453 from NSA, from CSI, everybody says, you know, you need 0:18:01.453 --> 0:18:06.253 to look at these, uh, systems because they're often overlooked. 0:18:06.253 --> 0:18:11.083 People do not run endpoint protection on them. And, you know, 0:18:11.083 --> 0:18:14.383 you trigger memories. Uh, I'm probably all right. But you 0:18:14.383 --> 0:18:16.873 probably remember this when setting up Linux systems back in 0:18:16.873 --> 0:18:19.003 the day. And all ports were open by default. 0:18:19.003 --> 0:18:19.903 Oh, absolutely. 0:18:19.903 --> 0:18:23.323 You have to close them like manually. Yeah. Uh, so 0:18:23.323 --> 0:18:26.563 there's a lot of implicit trust that sometimes we put into, 0:18:26.563 --> 0:18:31.303 into these systems making assumptions that are not necessarily true. Yeah. 0:18:32.143 --> 0:18:35.173 Yeah. I just I really love that idea of, um, 0:18:35.623 --> 0:18:39.013 language being a barrier that has stopped attacks from getting 0:18:39.013 --> 0:18:44.353 through before and with Lmms open opening up. Translation. So 0:18:44.353 --> 0:18:47.683 that barrier comes down. What about, uh, deepfakes? Are you 0:18:47.683 --> 0:18:50.923 seeing much around that where it's easier to convince people 0:18:50.923 --> 0:18:51.583 of things? 0:18:52.593 --> 0:18:56.703 Well, it's a natural next step, right? And I remember 0:18:56.703 --> 0:18:58.953 months ago I was in a close meeting with some 0:18:58.953 --> 0:19:05.133 government agencies and, um, the head of this agency who 0:19:05.133 --> 0:19:07.473 was mentioning that they were really seeing these type of 0:19:07.473 --> 0:19:11.763 deep fakes, uh, with, uh, you know, calls, uh, where 0:19:11.763 --> 0:19:14.613 they were imitating the voice of somebody and using that 0:19:14.613 --> 0:19:18.003 to essentially for financial gain. Right. The typical business email compromise. 0:19:18.003 --> 0:19:21.093 But now with with voice. And that's what we're seeing 0:19:21.093 --> 0:19:25.293 on the news right now. We're seeing these, uh, deepfakes 0:19:25.293 --> 0:19:28.083 using voice, using video, like jumping on a on a 0:19:28.083 --> 0:19:30.183 zoom call. Oh, it's it's a CFO calling. 0:19:30.183 --> 0:19:32.313 Yeah, I saw that one. That was so crazy. 0:19:32.943 --> 0:19:41.193 Exactly. And, uh, it's just, again, one more iteration on, um, 0:19:41.193 --> 0:19:43.533 something that we have known for a long time, you know, 0:19:43.533 --> 0:19:49.203 same motivation. Just the tools are changing. And with the, um, the, the, uh, 0:19:49.203 --> 0:19:52.653 democratization right, of these tools, as they become more available 0:19:52.653 --> 0:19:55.023 to people out there, these things are going to just, 0:19:55.023 --> 0:19:58.653 you know, make the environment, the internet, even a lot more, uh, 0:19:58.653 --> 0:20:00.423 noisier than they are. It is today. 0:20:01.173 --> 0:20:04.083 Yeah, absolutely. And then you have the issue of, like, 0:20:04.383 --> 0:20:08.613 if you have a whole bunch of AI bots or 0:20:08.613 --> 0:20:12.483 agents operating and they're, they're taking all these actions against APIs, 0:20:12.693 --> 0:20:14.883 how how do you know if it's a real human 0:20:14.883 --> 0:20:17.403 on the other side, or if that's automation or it's 0:20:17.403 --> 0:20:19.623 AI or it's an agent or some sort? 0:20:21.273 --> 0:20:23.493 That's a good question. And that's actually one of the 0:20:23.493 --> 0:20:26.463 the uses of, uh, of email. Right. One of the 0:20:26.463 --> 0:20:28.683 best things that we can use ML for is to 0:20:28.683 --> 0:20:34.023 create patents. And, uh, by looking at the behavior of, uh, 0:20:34.023 --> 0:20:37.863 the normal behavior of a, of how users interact with 0:20:37.863 --> 0:20:41.973 an application, uh, you would, you know, kind of, uh, 0:20:41.973 --> 0:20:45.993 infer whether that's normal or not, because typically these botnets 0:20:45.993 --> 0:20:48.933 will behave in a, in a different, in a different way. Um, 0:20:50.223 --> 0:20:53.943 as usual, you know, it's we usually talk about attackers 0:20:53.943 --> 0:20:57.633 tools or attackers weapons. Sorry. And I like to talk 0:20:57.633 --> 0:21:01.653 also about defenders weapons because, you know, this is at 0:21:01.653 --> 0:21:03.873 the end of the the day, we're talking about technology 0:21:03.873 --> 0:21:07.113 that can be used for good or for evil. And 0:21:07.113 --> 0:21:10.233 many times we just focus on on the tools itself. 0:21:10.233 --> 0:21:12.903 But we don't talk that much about strategy. Right. Um, uh, 0:21:13.023 --> 0:21:14.883 somebody that has been doing this for a long time, 0:21:14.883 --> 0:21:17.313 I started on the what we call the red side. Right. 0:21:17.313 --> 0:21:18.273 The red teaming. 0:21:18.273 --> 0:21:19.203 Yep. Same here. 0:21:19.473 --> 0:21:22.173 Hackers and pentesting and all of that. I'll tell you 0:21:22.173 --> 0:21:24.783 what you got boring. You got at some point where 0:21:24.783 --> 0:21:26.733 it was boring because it was easy to get into 0:21:26.733 --> 0:21:28.473 the organizations. 0:21:28.473 --> 0:21:30.393 And you come back to the customer the next year 0:21:30.393 --> 0:21:31.743 and they haven't fixed anything. 0:21:32.193 --> 0:21:35.823 They don't care. Yes we know. Yeah. For a water 0:21:35.823 --> 0:21:37.863 plant in a, you know, country in Europe, I'm not 0:21:37.863 --> 0:21:41.613 going to say more. And uh, I, I joined, you know, 0:21:41.613 --> 0:21:44.493 I connect to the network 9:00 and by noon I 0:21:44.493 --> 0:21:47.523 already had local admin and one of the boxes that 0:21:47.523 --> 0:21:50.733 control the OT environment. Right. So that's it. At that point, 0:21:50.733 --> 0:21:51.993 you know, you're a consultant. What do you do? You 0:21:51.993 --> 0:21:55.083 write the report, take screenshots, do everything. I create my 0:21:55.083 --> 0:21:58.143 own local admin account right on that box. So I 0:21:58.143 --> 0:22:00.243 was called six months later to come back and do 0:22:00.243 --> 0:22:02.943 a retest. Hmm. Guess what? The first thing I checked 0:22:02.943 --> 0:22:04.833 is that is that my user, you know, is still 0:22:04.833 --> 0:22:06.453 there on that box. 0:22:06.453 --> 0:22:08.343 Oh, yeah. Nice. Nice. 0:22:08.403 --> 0:22:11.763 Six months later. So that's that was probably the defining 0:22:11.763 --> 0:22:14.163 moment for me when I was like, you know what, 0:22:14.493 --> 0:22:17.103 I need to I need to help these people in 0:22:17.103 --> 0:22:18.933 a different way. So that's when I moved to the 0:22:18.933 --> 0:22:22.233 cyber defense side. And I find fascinating to talk about 0:22:22.233 --> 0:22:26.643 several different strategy because, you know, you cannot fight these 0:22:26.643 --> 0:22:29.073 people because at the end of the day, the other 0:22:29.073 --> 0:22:31.803 side of the spectrum is not AI, right, or bots. 0:22:31.803 --> 0:22:36.153 It's people doing this. You cannot fight that with just tools, 0:22:36.153 --> 0:22:39.693 with just products, right? You need those. You need the weapons, 0:22:39.693 --> 0:22:43.263 but you also need the strategy, the human brain to. Yeah. 0:22:43.593 --> 0:22:46.893 And what you're doing and justify why you're doing something 0:22:46.893 --> 0:22:51.063 and change tactics if needed. Right. Like in any sports 0:22:51.063 --> 0:22:53.913 game you get to, you get to change tactics. If 0:22:54.093 --> 0:22:55.713 they're not working. Yeah. 0:22:56.253 --> 0:22:58.803 Yeah. Interesting. You mentioned a water plant. I had an 0:22:58.803 --> 0:23:04.923 eye opening assessment as well, assessing a water system for uh, 0:23:04.923 --> 0:23:09.483 for a state. Um, yeah. Really really interesting. We seem 0:23:09.483 --> 0:23:12.993 to be, uh, brothers. También hablo espanol. 0:23:13.293 --> 0:23:17.763 So también si si si podemos seguir en espanol. Si quieres. Si. 0:23:18.333 --> 0:23:19.803 It won't be very smooth. 0:23:19.923 --> 0:23:20.163 Uh. 0:23:20.673 --> 0:23:26.193 My vocabulary is bad, but you'll play though. Um, so 0:23:26.193 --> 0:23:30.393 what about supply chain attacks? Are you seeing that or 0:23:30.393 --> 0:23:34.443 do you have that stuff in your, uh, in your report? 0:23:34.443 --> 0:23:36.693 Is it one of the things you talk about, like, like, 0:23:36.693 --> 0:23:40.593 essentially it seems to be getting worse and worse like these. 0:23:40.593 --> 0:23:43.293 The breaches keep happening and you keep realizing, oh, wait, 0:23:43.293 --> 0:23:46.083 but they're vendors. Oh, but what about their vendors? And 0:23:46.083 --> 0:23:47.673 it's like, how do you secure the chain all the 0:23:47.673 --> 0:23:48.363 way down? 0:23:49.023 --> 0:23:51.553 Yeah. No, absolutely. And I think we have a. We 0:23:51.553 --> 0:23:54.493 have a paragraph there or a comment on, on these uh, 0:23:54.493 --> 0:23:57.793 in the, in the latest report that we're publishing. Um, 0:23:57.793 --> 0:24:00.673 and we talk about the secure by default approach, rather 0:24:00.673 --> 0:24:03.313 the government, especially here in the US with the, uh, 0:24:03.313 --> 0:24:07.033 executive order, uh, they're trying to push for these, right? 0:24:07.033 --> 0:24:10.663 Cisa pushing for these as well, especially with, um, you know, 0:24:10.663 --> 0:24:14.863 protection of critical infrastructure. So, so important. But other countries 0:24:14.863 --> 0:24:17.863 as well, the United Kingdom, Canada, EU, the G7, they're 0:24:17.863 --> 0:24:22.543 all issuing guidelines on, on, uh, on on this topic 0:24:22.543 --> 0:24:25.063 of like creating secure software. But but here's the thing. 0:24:25.303 --> 0:24:28.783 Are we ever going to fix that problem? No. There's 0:24:28.783 --> 0:24:32.383 always going to be something. Right? Can we do something 0:24:32.413 --> 0:24:35.263 to fix it and use, you know, you know, for example, 0:24:35.263 --> 0:24:38.593 programming languages that make better use of memory. Yeah. So 0:24:38.593 --> 0:24:41.923 we have less buffer overflows. Yes. Absolutely. Right. Technology is 0:24:41.923 --> 0:24:44.833 going to help there. But we're never ever going to 0:24:44.833 --> 0:24:48.283 end up creating like 100% secure software because there's no 0:24:48.283 --> 0:24:50.143 such a thing in the world. Right? There's no 100% 0:24:50.143 --> 0:24:54.613 secure with anything. Yeah. Um, but so that's, that's what the, 0:24:54.613 --> 0:24:59.953 the laws and regulations are pushing for in my team as, as, 0:24:59.953 --> 0:25:02.833 you know, researchers, uh, what we do is to analyze 0:25:02.833 --> 0:25:04.633 what we, what we're seeing out there. And what we 0:25:04.633 --> 0:25:08.143 see is attackers obviously doing the supply chain attacks in 0:25:08.143 --> 0:25:12.613 the SolarWinds style. This is like very highly targeted attacks 0:25:12.613 --> 0:25:15.733 that we don't see on a daily basis. Right. Mhm. Um, 0:25:15.883 --> 0:25:22.483 but you also see. Like pseudo supply chain attacks. What, uh, 0:25:22.843 --> 0:25:25.993 what we see is, uh, for example, imagine these small. 0:25:27.063 --> 0:25:29.913 Company in. I'm going to pick a, I don't know, 0:25:29.913 --> 0:25:32.043 another region of the world that say, the Nordics write 0:25:32.043 --> 0:25:36.213 something about language. Uh, so you have, you know, Finnish 0:25:36.213 --> 0:25:38.913 and Swedish and Danish and not a lot of people 0:25:38.913 --> 0:25:41.793 out there in the world speak these languages. So there 0:25:41.793 --> 0:25:45.393 is this little company out there that they have this freeware. Right. 0:25:45.393 --> 0:25:48.933 And it's a dictionary of, uh, Nordic, you know, terms, 0:25:48.933 --> 0:25:52.203 something like that. And a lot of companies that want 0:25:52.203 --> 0:25:54.813 to do business with the Nordics, they actually download this 0:25:54.813 --> 0:26:01.203 freeware software. So let's put the bad guy hat on. Right. So, uh, 0:26:01.203 --> 0:26:04.143 if I want to target these organizations, what do I do? 0:26:04.143 --> 0:26:07.983 Very simple. I just either attack this website and replace 0:26:07.983 --> 0:26:11.493 that freeware dictionary with something else that is, that has 0:26:11.493 --> 0:26:14.073 an extra piece of code in it, right, to compromise 0:26:14.073 --> 0:26:17.673 these organizations that are going to be downloading it. Or 0:26:17.703 --> 0:26:24.753 I try to, um, um, essentially clone that side, right? 0:26:24.753 --> 0:26:28.653 Scrape it, clone it, and instead of, uh, Nordic. Dictionary.com 0:26:28.653 --> 0:26:35.553 is Nordic. Dictionary.com. Yeah. And or Nordic. Uh, hyphen dictionary.com. 0:26:35.553 --> 0:26:38.613 And I'm going to be, uh, cloning all of that. 0:26:38.613 --> 0:26:41.643 And I'm going to be serving this type of dictionary 0:26:41.643 --> 0:26:45.153 that has this extra code. We see that a lot. And, 0:26:45.153 --> 0:26:48.123 you know, through emails now we get the phishing factor 0:26:48.123 --> 0:26:51.753 right through or any other type of communications. Hey, download this, 0:26:51.753 --> 0:26:56.313 use this little thing. Uh, now we're targeting specific location 0:26:56.313 --> 0:27:00.243 specific region. It's not really a supply chain attack as we, 0:27:00.243 --> 0:27:03.873 you know, think of it, but there's a lot of that, uh, happening. 0:27:04.113 --> 0:27:08.463 Interesting. And where do you see these attacks sort of going, 0:27:08.493 --> 0:27:12.003 I guess involving AI or not involving. I guess it's 0:27:12.003 --> 0:27:16.563 probably the biggest switch. So what happens with threat intelligence 0:27:16.563 --> 0:27:22.413 when both the attacker and the defender are powered with AI? Like, 0:27:22.683 --> 0:27:26.043 does everything get faster, like the window for attack and 0:27:26.043 --> 0:27:31.443 the winter window for fixing things? Uh, closes faster? Uh, 0:27:31.443 --> 0:27:32.193 what do you think? 0:27:33.483 --> 0:27:36.753 You know, that's a that's a good question. And from 0:27:36.753 --> 0:27:39.633 a technology perspective, I like to assume that everybody has 0:27:39.633 --> 0:27:42.423 access to the same. Right. Um, it's just a matter 0:27:42.423 --> 0:27:46.563 of how well you can implement something like we all 0:27:46.563 --> 0:27:49.143 have access to pretty much the same type of knowledge 0:27:49.143 --> 0:27:52.953 about technology. Uh, the difference is, you know, how fast 0:27:52.953 --> 0:27:56.613 can you do something, build it or weaponize it and 0:27:56.613 --> 0:28:00.183 how effective it is, how well built it is. And 0:28:00.183 --> 0:28:04.883 tested proved. And even if you if you assume that 0:28:04.883 --> 0:28:07.193 everybody has the same weapons. Right. So it's a it's 0:28:07.193 --> 0:28:11.123 a Sam zero kind of a game. The difference is 0:28:11.123 --> 0:28:14.573 on the tactics and the strategy, right? The human, the 0:28:14.573 --> 0:28:17.903 humans behind it. So that's why I think I love 0:28:17.903 --> 0:28:20.573 to talk about the human in the loop. Right. When 0:28:20.573 --> 0:28:24.533 we talk about AI. Uh, the brain, somebody that can, 0:28:24.533 --> 0:28:27.263 you know, observe what's going on, assisted by these bots 0:28:27.263 --> 0:28:31.043 or AI and then make a decision based based on that. 0:28:31.223 --> 0:28:34.313 For a small, for a lot of small organizations that 0:28:34.313 --> 0:28:36.713 will probably require some sort of a, you know, a 0:28:36.713 --> 0:28:39.653 third party, uh, a partner, somebody that can help, right, to, 0:28:39.653 --> 0:28:42.323 to provide that guidance. But there's never going to be 0:28:42.323 --> 0:28:46.163 a substitution for the business itself, knowing the business like, 0:28:46.163 --> 0:28:49.763 you know, your business, right? A manufacturing plan, they know 0:28:49.763 --> 0:28:53.363 their business. They they know things that nobody else is 0:28:53.363 --> 0:28:55.733 going to be able to know. So I think that's 0:28:55.733 --> 0:28:59.723 that's where the key of this is, is making security accessible, 0:28:59.723 --> 0:29:04.163 making intelligence accessible to those making the key decisions. This 0:29:04.163 --> 0:29:06.863 is not just the SoC analyst, right. Or the incident 0:29:06.863 --> 0:29:09.623 responder or the threat hunter, which is, you know, probably 0:29:09.833 --> 0:29:13.313 at the level that we operate, um, that we like, right, 0:29:13.313 --> 0:29:15.383 because we like technology and the toys and all that. 0:29:15.383 --> 0:29:18.053 But but no, more importantly, it's to making these intelligence 0:29:18.053 --> 0:29:22.913 accessible to decision makers, to the sea level executives so 0:29:22.913 --> 0:29:26.603 they can understand what's happening right in, in with their business, 0:29:26.603 --> 0:29:30.143 for example. Um, we do a lot of business in Asia-Pacific, 0:29:30.143 --> 0:29:34.913 and we see manufacturing plants in Taiwan that are being 0:29:34.913 --> 0:29:39.533 targeted with very specific pieces of malware that have geofencing. 0:29:39.533 --> 0:29:43.483 So they're only going to execute. If they execute within 0:29:43.483 --> 0:29:48.253 that region. Right. In that that geolocation. Those are geo coordinates. 0:29:48.403 --> 0:29:51.253 So what that means is that it's highly targeted, of course. 0:29:51.253 --> 0:29:54.553 And who has a vested interest in what's happening in 0:29:54.553 --> 0:29:57.913 manufacturing plants in Taiwan? Well, you can think of a, 0:29:57.913 --> 0:30:00.673 you know, one country, for example, that that has extensive 0:30:00.673 --> 0:30:04.123 operations in terms of, uh, uh, espionage in the, in 0:30:04.123 --> 0:30:08.383 the region. Yeah. Um, well, if you're an executive of 0:30:08.383 --> 0:30:10.483 a manufacturing company in the US and you want to 0:30:10.483 --> 0:30:12.553 open up a plant in Taiwan, don't you think that 0:30:12.553 --> 0:30:15.523 you would like to know that? Right. But the thing 0:30:15.523 --> 0:30:20.623 that that affects your business operations, um, we have seen 0:30:20.623 --> 0:30:23.383 threat actors going back to Russia right? In the past, 0:30:24.223 --> 0:30:28.273 targeting law firms here in the US, looking at mergers 0:30:28.273 --> 0:30:33.703 and acquisitions and using that information to play the stock exchange. Mhm. So, 0:30:33.913 --> 0:30:36.283 so all of these things have implications in the, in 0:30:36.283 --> 0:30:39.853 the real world. And I think that that's something that 0:30:39.853 --> 0:30:43.423 I'm particularly I want to say obsessed with. But, but 0:30:43.423 --> 0:30:46.273 I try to work with and it's trying to make 0:30:46.273 --> 0:30:53.383 this type of intelligence more. Digestible, more, um, strategic. Right, 0:30:53.383 --> 0:30:55.663 for those that are making these type of decisions. 0:30:55.963 --> 0:31:01.573 That's interesting. I, um, I, uh, built the, uh, security 0:31:01.573 --> 0:31:06.493 measurement program over at Apple, uh, for a number of 0:31:06.493 --> 0:31:10.153 years in the past, and that was a big part 0:31:10.153 --> 0:31:12.313 of my I also was in the military. So I 0:31:12.313 --> 0:31:15.223 was thinking in these same exact terms that you're describing. 0:31:15.223 --> 0:31:20.863 So I was thinking data. Information and then, uh, insights 0:31:20.863 --> 0:31:25.033 and then intelligence. And at the very top of that 0:31:25.033 --> 0:31:27.523 is the decision maker. So I'm trying to figure out 0:31:27.523 --> 0:31:30.133 what is the most work that I can do for them, 0:31:30.133 --> 0:31:33.613 to enable them to make a decision. So they're not 0:31:33.613 --> 0:31:38.263 processing logs, they're not even looking at log summaries, which 0:31:38.263 --> 0:31:40.843 would be like the next level up, but instead they're 0:31:40.843 --> 0:31:44.323 being told a story. Um, so it's a narrative. So 0:31:44.323 --> 0:31:48.463 the narrative is something like, you know, um, this enemy 0:31:48.463 --> 0:31:52.933 tends to attack between the hours of two and 3 a.m., right? 0:31:52.933 --> 0:31:55.903 They tend to come in a small group of 3 0:31:55.903 --> 0:32:00.553 to 4 people wearing dark clothing. They carry light weapons. 0:32:00.553 --> 0:32:04.273 They don't come on full moon. But tonight is not 0:32:04.273 --> 0:32:06.463 going to be a full moon. It's actually a new moon. 0:32:06.463 --> 0:32:12.013 So there's no moon whatsoever. So therefore we think it 0:32:12.013 --> 0:32:16.033 might happen tonight. And here's why we think that. Right. 0:32:16.033 --> 0:32:18.553 So that brings them all the way up to the 0:32:18.553 --> 0:32:21.793 decision point. And that's what that's my favorite type of 0:32:21.793 --> 0:32:25.543 threat intelligence where it it gives you data but it 0:32:25.543 --> 0:32:28.243 doesn't drown you in the data. It actually does analysis 0:32:28.243 --> 0:32:30.193 that brings you right up to the point that they 0:32:30.193 --> 0:32:32.983 can make a decision. So what does that look like 0:32:32.983 --> 0:32:36.433 for you? I see this report here which looks quite good, 0:32:36.433 --> 0:32:39.733 but what else do you have within your philosophy and 0:32:39.733 --> 0:32:43.243 your product that helps you do that for the decision maker? 0:32:44.623 --> 0:32:46.963 Yeah. So so when we look at for example, this 0:32:46.963 --> 0:32:50.713 report is it's a mix. Right. We have some more, um, 0:32:50.713 --> 0:32:55.093 narrative in the beginning. Um, high level introduction. Uh, so 0:32:55.093 --> 0:32:57.673 I said before, we have, you know, from people in 0:32:57.673 --> 0:33:01.873 the Senate to, uh, uh, you know, CSOs reading these 0:33:01.873 --> 0:33:04.723 to also city analysts. So one of the things that we, we, 0:33:04.723 --> 0:33:07.183 we do is to, you know, do like a high level, 0:33:07.183 --> 0:33:09.793 you know, executive summary for anybody out there that wants 0:33:09.793 --> 0:33:12.403 to share these type of things with, with, uh, executives 0:33:12.403 --> 0:33:15.163 just know they're not going to read a lot of things, right. 0:33:15.163 --> 0:33:18.823 If anything, they may just steal a few infographics. Um, 0:33:19.033 --> 0:33:22.453 and one page. Right. No more than that. So we 0:33:22.453 --> 0:33:25.393 try to to stick to that rule, uh, and then 0:33:25.393 --> 0:33:28.093 we go into more statistics. Uh, a lot of people, 0:33:28.093 --> 0:33:31.183 you know, love to see these, like, trends. Uh, this 0:33:31.183 --> 0:33:32.923 also gives us the opportunity to talk to, you know, 0:33:32.923 --> 0:33:37.123 media and journalists. They love the numbers. Yeah. And and 0:33:37.123 --> 0:33:42.433 it helps right to, to also identify trends. And then 0:33:42.433 --> 0:33:45.883 we look at cyber attacks per industry. So for example, 0:33:45.883 --> 0:33:48.523 if you are in what we call critical infrastructure, right. 0:33:48.523 --> 0:33:51.283 And this could be, you know, hospitals, this is a 0:33:51.283 --> 0:33:55.363 manufacturing plant. This is a power plant. Uh, what are 0:33:55.363 --> 0:33:58.963 some of the top threats for your industry? Right. Sure. 0:33:58.963 --> 0:34:01.183 If you're in health. What do you want to look at? 0:34:01.393 --> 0:34:03.103 If I'm if I'm in healthcare, I don't want to 0:34:03.103 --> 0:34:07.123 see all these, you know, malware that is targeting financial organizations, 0:34:07.123 --> 0:34:09.253 for example. Because that's not what I may what I 0:34:09.253 --> 0:34:13.093 may see. Mhm. And it's also very interesting talking about trends. 0:34:13.093 --> 0:34:18.073 What we have seen is that, um, traditional cybercrime against 0:34:18.073 --> 0:34:22.243 financial organizations tend to reuse the same malware over and 0:34:22.243 --> 0:34:27.223 over again. Mhm. It's less targeted versus attacks against healthcare 0:34:27.223 --> 0:34:30.643 and government local governments. We're not talking about you know 0:34:30.643 --> 0:34:34.453 the large large government facilities in many cases we're talking 0:34:34.453 --> 0:34:40.153 about small government, you know, estate uh, agencies uh, or 0:34:40.153 --> 0:34:45.373 schools even. Right. Education. Yeah. And we see more highly targeted. Right. 0:34:45.373 --> 0:34:50.893 Because they're going after specific, uh, objectives. Mhm. So that's, 0:34:50.893 --> 0:34:53.383 that's the idea of uh, this is data that I 0:34:53.383 --> 0:34:55.423 would like to have to be able to build my 0:34:55.423 --> 0:34:59.083 threat model. And then finally something that we would like 0:34:59.083 --> 0:35:01.993 to include, there's a geopolitical analysis and common. So we 0:35:01.993 --> 0:35:06.793 have people that are experts in geopolitical analysis uh looking 0:35:06.793 --> 0:35:09.343 at what's going on. Like for example, a few months ago, 0:35:09.343 --> 0:35:15.013 December 23rd, uh, the US. Japan and South Korea. They 0:35:15.013 --> 0:35:19.003 signed an agreement to defend against North Korea attacks. Mhm. 0:35:19.573 --> 0:35:22.153 That's that's on the news. Right. So you see that 0:35:22.153 --> 0:35:23.893 how is that going to influence what we're going to 0:35:23.893 --> 0:35:26.113 be seeing in Asia Pacific over the next few months. 0:35:26.143 --> 0:35:30.073 Well there's definitely an impact right. Yeah. Um so if 0:35:30.073 --> 0:35:34.003 you're operating again you have business in that area. You 0:35:34.003 --> 0:35:37.543 want to have that type of context and information. And 0:35:37.543 --> 0:35:40.363 then the rest of the report is more maybe a 0:35:40.363 --> 0:35:43.213 little bit more, uh, technical. So if you want to 0:35:43.213 --> 0:35:46.513 learn more about the CVEs that are getting exploited, uh, 0:35:46.513 --> 0:35:51.313 this is more like the information that a SoC may consume, 0:35:51.673 --> 0:35:55.333 you know, threat hunters, uh, maybe incident responders, uh, at 0:35:55.333 --> 0:35:57.223 a more tactical level. 0:35:58.253 --> 0:36:02.453 Yeah, that makes sense. Uh, so looking for like a 0:36:02.453 --> 0:36:06.773 year or two, do you expect AI advancements to help 0:36:06.773 --> 0:36:08.513 attackers or defenders more? 0:36:10.963 --> 0:36:13.993 Again, very good question. I think that eventually it's going 0:36:13.993 --> 0:36:18.193 to be a net net right. For for everybody, for 0:36:18.193 --> 0:36:20.533 both attackers and, and defenders. I think the key it's 0:36:20.533 --> 0:36:23.713 going to be not that much on the technology but 0:36:23.713 --> 0:36:26.773 how you use it when you. But I love to 0:36:26.773 --> 0:36:29.563 talk about the factor of time. If you look at 0:36:29.563 --> 0:36:35.653 an attack chain. Mhm. Some people just they, they believe 0:36:35.653 --> 0:36:37.963 there's always going to be like a cyber bullet right. 0:36:37.993 --> 0:36:42.133 Uh silver bullet sorry a cybersecurity silver bullet that. Oh 0:36:42.133 --> 0:36:44.443 this is the only thing I have to install. Right. Just. 0:36:45.433 --> 0:36:47.863 Install these. And sometimes vendors, you know, the marketing could 0:36:47.863 --> 0:36:50.683 be a bit, you know, confusing and could give you 0:36:50.683 --> 0:36:53.803 the illusion that if you just do this, you're going 0:36:53.803 --> 0:36:55.363 to be you're going to be good. No, it's a 0:36:55.363 --> 0:36:57.343 lot more complicated than than that. That's why you need 0:36:57.343 --> 0:36:59.593 the human factor. But if you look at an attack chain, 0:37:00.283 --> 0:37:02.713 you know, we usually say this thing that attackers, they 0:37:02.713 --> 0:37:04.633 have to be the right ones and defenders. We have 0:37:04.633 --> 0:37:07.333 to be right all the time. Uh, well, if you 0:37:07.333 --> 0:37:10.033 look at it from an endpoint perspective, then yes. Right. 0:37:10.033 --> 0:37:13.663 And we see attackers are trying different things and that's 0:37:13.663 --> 0:37:16.033 what we try to build, you know, predictive models. And 0:37:16.033 --> 0:37:19.453 you know, you had shield in your, in this, uh, 0:37:19.453 --> 0:37:22.753 your show talking about the math behind all of these 0:37:22.753 --> 0:37:25.333 and why these predictive models work. So we have to 0:37:25.333 --> 0:37:28.393 be right there every single time and how we do that. 0:37:28.393 --> 0:37:30.673 But if you look at attack Chain, you step out, 0:37:30.673 --> 0:37:34.483 you zoom out as a defender. All I need to do. 0:37:35.293 --> 0:37:39.823 Is to detect the presence of the attacker once. Mhm. 0:37:39.883 --> 0:37:43.513 That's right. So I have a whole attack chain I 0:37:43.513 --> 0:37:46.513 have like all the way from the attacker is, you 0:37:46.513 --> 0:37:49.213 know maybe doing some reconnaissance or trying to get some 0:37:49.213 --> 0:37:52.993 information from my organization to the initial access, which could 0:37:52.993 --> 0:37:55.003 be email or it could be, you know, some sort 0:37:55.003 --> 0:37:59.053 of exploitation of a service all the way to the 0:37:59.053 --> 0:38:02.773 attacker's objective. Right? Which is what either to hold hostage 0:38:02.773 --> 0:38:06.553 of your environment or to where the valuable data is. 0:38:06.583 --> 0:38:11.473 This takes time, right? Sometimes in a targeted attack, it 0:38:11.473 --> 0:38:14.083 could be. It could be days. It could be weeks. 0:38:14.653 --> 0:38:19.573 So you have multiple opportunities across that attack. Interesting. Successful. 0:38:19.693 --> 0:38:21.343 So that's why I say, you know, we don't talk 0:38:21.343 --> 0:38:24.613 that much about cyber defense strategy. But if you look 0:38:24.613 --> 0:38:27.313 at it from that perspective, all I need to do 0:38:27.313 --> 0:38:31.783 is to have the right sensors and the right, uh. 0:38:33.953 --> 0:38:34.223 And. 0:38:34.583 --> 0:38:39.023 You know, policy enforcement points in the right places to 0:38:39.023 --> 0:38:41.933 be able to disrupt that activity. As long as the 0:38:41.933 --> 0:38:44.963 attacker doesn't get to the final, you know, stage of 0:38:44.963 --> 0:38:48.563 the attack. Those actions and objectives I'm I can win. 0:38:48.563 --> 0:38:50.903 I love I love that I've never actually heard that 0:38:50.903 --> 0:38:55.553 put in a positive light. You're basically inverting the whole thing, saying, yeah, 0:38:55.553 --> 0:38:59.033 the the attacker only has to be right once, but 0:38:59.033 --> 0:39:02.063 look how many opportunities the defender has to see what 0:39:02.063 --> 0:39:05.513 they're doing because they have to go through this whole chain. 0:39:05.513 --> 0:39:09.053 And those every point on that chain is an opportunity 0:39:09.053 --> 0:39:10.013 to detect. 0:39:10.823 --> 0:39:14.033 Exactly. And look, it's like the physical world, right. It's 0:39:14.033 --> 0:39:16.853 not that hard if I, if I'm trying to protect 0:39:16.853 --> 0:39:21.173 a defend my, my, my house, right. My home and 0:39:21.173 --> 0:39:22.583 I have my valuables, I'm not going to put them 0:39:22.583 --> 0:39:24.923 like close to the, to the front door where somebody 0:39:24.923 --> 0:39:28.313 could just smash the door and grab it and quickly leave. 0:39:28.313 --> 0:39:31.133 If I do that and I get stolen, like, look, it's, 0:39:31.133 --> 0:39:34.133 you know, shame on me. Yeah, I have a really, 0:39:34.133 --> 0:39:38.363 really poor defensive security detector, right? I put my valuables 0:39:38.363 --> 0:39:41.693 next to the front door next to a perimeter window. Yeah. Uh, 0:39:41.843 --> 0:39:43.613 what do you do? Like a bank does, right? You 0:39:43.613 --> 0:39:47.363 have the safe in the basement. And what you do, 0:39:47.393 --> 0:39:52.373 you architect with a lot of preventive mechanisms. Those are walls, right? 0:39:52.373 --> 0:39:55.073 The access control systems, then. But do you know that 0:39:55.073 --> 0:39:57.503 in the absence of any detection response, what's going to happen? 0:39:57.503 --> 0:40:00.563 Somebody's going to, you know, come with a huge drill 0:40:00.563 --> 0:40:04.943 or explosives or it's just a matter of time. But 0:40:04.943 --> 0:40:07.643 if you architect with the right sensors and you also 0:40:07.643 --> 0:40:13.763 in parallel, you add security cameras, right? You know, motion sensors, um, 0:40:13.763 --> 0:40:18.413 you know, thermal sensors or vibration sensors, whatever. And you 0:40:18.413 --> 0:40:20.213 orchestrate all of that in a way that you can 0:40:20.213 --> 0:40:23.513 have a fast response with the big guys, with the 0:40:23.513 --> 0:40:27.653 big weapons showing up quickly, you're effectively now building a defensible, 0:40:27.653 --> 0:40:31.913 secure architecture that where you have prevention, but also in parallel, 0:40:32.033 --> 0:40:35.483 you know, sensors for monitoring, for visibility, for detection and 0:40:35.483 --> 0:40:39.083 for response. When you combine all of these things, which again, 0:40:39.083 --> 0:40:43.943 is technology plus people and processes then have a lot 0:40:43.943 --> 0:40:46.913 more chances to be successful. And all you need is 0:40:47.123 --> 0:40:50.333 once right, the attacker will have to commit the perfect 0:40:50.333 --> 0:40:54.263 crime and to be, you know, right every single time 0:40:54.263 --> 0:40:59.573 to bypass absolutely everything you have architected with. And that's usually, 0:40:59.573 --> 0:41:01.313 you know, it usually doesn't happen. 0:41:01.763 --> 0:41:05.483 Yeah, I really love that positive spin on it. Like 0:41:05.483 --> 0:41:08.213 I said, I've never actually heard it put that way. Um, 0:41:09.323 --> 0:41:12.533 so what about the short term though? I feel like 0:41:12.533 --> 0:41:16.133 in the short term that AI attacks are so new with, 0:41:16.133 --> 0:41:19.493 you know, deepfakes and spearfishing that the attacker is going 0:41:19.493 --> 0:41:22.313 to be able to move faster to use all these techniques. 0:41:22.523 --> 0:41:25.583 But I agree with you that over time it's going 0:41:25.583 --> 0:41:29.063 to equalize. In fact, because the defender has more context, 0:41:29.063 --> 0:41:32.993 I think it actually might switch towards the defender maybe later, 0:41:33.233 --> 0:41:37.343 but it'll mostly equalize. Do you agree that though early on, 0:41:37.343 --> 0:41:40.733 like the next couple of years, the attacker might have 0:41:40.733 --> 0:41:42.953 the advantage because they could just move so fast and 0:41:42.953 --> 0:41:45.593 they don't care about like production readiness? 0:41:46.493 --> 0:41:50.003 Yes. And that's typically the case. Right. We on the 0:41:50.003 --> 0:41:53.363 defender side we have to now look at how we 0:41:53.633 --> 0:41:57.803 responsibly use this technology. Right. And yeah that may involve 0:41:57.803 --> 0:42:01.853 like lost regulations. And that's that's always like you know 0:42:02.153 --> 0:42:05.573 uh slow. Yeah. Uh, in the meantime there's, there's things 0:42:05.573 --> 0:42:08.063 that we urge people to do, which is like, you know, 0:42:08.063 --> 0:42:11.603 to protect themselves with products that are using, you know, 0:42:11.603 --> 0:42:15.293 the latest and greatest technology. Um, you know, we we 0:42:15.293 --> 0:42:19.463 all know that defending with signatures is like playing whac-a-mole. Yeah, 0:42:20.243 --> 0:42:22.463 but but still, we see a lot of companies out 0:42:22.463 --> 0:42:24.743 there that they feel safe because they have a traditional 0:42:24.743 --> 0:42:27.173 antivirus just defending with signatures. Right. Or. 0:42:27.173 --> 0:42:29.753 Well, maybe that's why PDFs of attacks are coming back, 0:42:29.753 --> 0:42:34.613 because the malware detection stuff like antivirus, old antivirus can 0:42:34.613 --> 0:42:38.033 only hold so many signatures. So as they move through time, 0:42:38.033 --> 0:42:39.863 they kind of take out the old ones. Maybe they 0:42:39.863 --> 0:42:42.623 took out some PDF ones. So now the attacker goes 0:42:42.623 --> 0:42:45.953 back to the PDF ones. Right? Right. Yeah. 0:42:45.953 --> 0:42:49.043 So so yes, it's uh, it's always an arms race. 0:42:49.703 --> 0:42:52.883 But that's why it's important to raise awareness. Uh, that's 0:42:52.883 --> 0:42:55.823 that's why it's important to have that's what we try 0:42:55.823 --> 0:42:58.973 to do with these reports. Right. To communicate. Look, this 0:42:58.973 --> 0:43:02.063 is what's happening. And, you know, these are the tools 0:43:02.063 --> 0:43:04.313 and this is the strategy, the tactics that you should 0:43:04.313 --> 0:43:06.443 be using. And. 0:43:06.713 --> 0:43:07.883 Um, but. 0:43:07.883 --> 0:43:13.323 But yeah, just assume that attackers, they know. Like, you know, 0:43:13.323 --> 0:43:16.173 the products that are out there and how the majority 0:43:16.173 --> 0:43:18.603 of people use them. So I'm always a big proponent 0:43:18.603 --> 0:43:22.983 of like add your own little strategy there. Right. Mhm. 0:43:23.583 --> 0:43:26.043 You know that attackers are going to go after your 0:43:26.043 --> 0:43:29.613 organization and do reconnaissance and scrape your website like add 0:43:29.613 --> 0:43:32.613 a little decoy somewhere, something that will give you an 0:43:32.613 --> 0:43:36.033 early warning, something that will help you to get that 0:43:36.033 --> 0:43:39.693 indicator towards the beginning of that attack chain. That can 0:43:39.693 --> 0:43:43.083 give you an advantage over the adversary that takes the 0:43:43.083 --> 0:43:46.713 adversary by surprise. How many times will the adversaries, you know, 0:43:46.713 --> 0:43:49.683 take us by surprise? How many times can we get 0:43:49.683 --> 0:43:52.983 them by surprise, by doing something that they were not expecting? Yeah. 0:43:54.563 --> 0:43:56.603 I think that's that's an area where we still have 0:43:56.603 --> 0:43:59.903 to to do more and. Well, that's what I hope 0:43:59.903 --> 0:44:03.203 that we are contributing with these type of, uh, applications. 0:44:03.653 --> 0:44:07.763 No. That's perfect. I think that is a good place 0:44:07.763 --> 0:44:10.313 to start. But where can we learn more about what 0:44:10.343 --> 0:44:13.733 you and your team are doing and, uh, your latest research, uh, 0:44:13.733 --> 0:44:15.623 when is it going to come out and when can 0:44:15.623 --> 0:44:16.613 we get a link to that? 0:44:17.513 --> 0:44:21.113 Sure. So, uh, of course, uh, the best way to, uh, uh, 0:44:21.113 --> 0:44:22.823 you know, look at our reports is to go to 0:44:22.823 --> 0:44:26.903 our website, blackberry.com. Uh, we have a section for our, uh, 0:44:26.903 --> 0:44:30.503 threat research, a threat center. And it's typically, you know, 0:44:30.503 --> 0:44:33.263 front in the, in the in the main page. Uh, 0:44:33.263 --> 0:44:35.723 there's going to be a link to, to our reports. Uh, 0:44:35.723 --> 0:44:38.963 but also, you know, I'm very active on social media, LinkedIn, um, 0:44:39.113 --> 0:44:42.533 you know, x, uh, my handle is about security. 0:44:42.533 --> 0:44:44.633 So that's also, oh, very nice username. 0:44:46.283 --> 0:44:47.813 I still don't know how I got that one. But again, 0:44:47.813 --> 0:44:49.973 like this is an advantage of being on this field 0:44:49.973 --> 0:44:53.453 for a long time, right. Yeah. About security and, um, yeah, 0:44:53.453 --> 0:44:55.733 I'm happy to, uh, connect with any of our, you know, 0:44:55.733 --> 0:44:58.673 the audience here. And, you know, you have a fantastic show. 0:44:58.673 --> 0:45:00.923 So thanks for for having me. 0:45:00.923 --> 0:45:03.533 Yeah, absolutely. Thanks for coming on. And we'll put all 0:45:03.533 --> 0:45:05.813 those links, uh, in the show notes so people can 0:45:05.813 --> 0:45:07.903 find them. Thanks a lot. 0:45:08.533 --> 0:45:09.343 Excellent. Thank you. Danny.