Preparing for 2024: 5 Attacks Targeting You This Year

1 00:00:00
Speaker 1: How's it going, everyone?

00:00:01
This is another security unfiltered podcast episode where

00:00:07
today we actually talk with Mick Leach from abnormal

00:00:11
security.

00:00:12
Abnormal security actually sponsored this podcast and again

00:00:17
, you know, just to remind you guys, they didn't determine any

00:00:20
questions that I can ask them or anything like that.

00:00:23
You know, they just believe in what we're doing here at the

00:00:26
podcast and they wanted to support the podcast, and so

00:00:29
that's how it all kind of happened, right.

00:00:31
So, you know, with that, let's go ahead and dive into the

00:00:36
episode.

00:00:36
I think you guys are going to love it.

00:00:37
All right, see you guys, how's it going?

00:00:41
Mick, it's really good to have you back on the podcast, and I

00:00:45
want to start off with saying you know, if anyone listening

00:00:48
hasn't already heard part one of this conversation, essentially

00:00:54
I will link it down below.

00:00:55
You definitely want to hear about Mick's background and how

00:00:58
he got into security, his journey and everything like that

00:01:01
, but this is part two where we're picking it up.

00:01:04
We're going to be talking about what's coming in 2024.

00:01:08
So how's it going, mick?

00:01:10
Speaker 2: It's going great, joe .

00:01:10
Thanks so much.

00:01:11
I appreciate it, boy.

00:01:12
We had so much fun in the last one and we just had so much to

00:01:16
cover, we had to do a part two.

00:01:19
Speaker 1: Yeah, absolutely.

00:01:19
I mean I assume we'll probably be doing like parts three and

00:01:24
four in 2024 at some point, but you know it's always a good

00:01:30
conversation and you know, I think you also appreciate the

00:01:34
style of podcasts that this is.

00:01:37
Speaker 2: I do.

00:01:38
I do Absolutely, yeah, and just the way this one's run.

00:01:41
It's so genuine.

00:01:43
I love that, you know there aren't questions prepared ahead

00:01:47
of time.

00:01:47
I love that it's off the cuff and it's natural and genuine.

00:01:51
You know that much.

00:01:52
I absolutely appreciate.

00:01:55
Speaker 1: Yeah, it's.

00:01:55
You know it's interesting.

00:01:56
When I go on other podcasts, they always like send me a bunch

00:01:59
of questions ahead of time, like guys, I really don't care

00:02:03
about your questions, right, like you know, just ask me

00:02:06
whatever you want to ask me and we'll go from there.

00:02:08
Yeah, but, mick, you know we're coming to the end of 2023 here,

00:02:14
2024, right around the corner and you know I always try to

00:02:21
prepare my audience for the year ahead, right, because you know

00:02:26
really to have a successful year , you have to be planning it out

00:02:31
.

00:02:31
You know ahead of time For sure , you have to be planning for it

00:02:36
, you have to be adjusting.

00:02:38
You know your goals, your expectations and whatnot.

00:02:41
So what are a few of the top attacks that you see becoming

00:02:46
more prevalent or more widely used in 2024?

00:02:49
Speaker 2: Yeah, yeah, you're right.

00:02:50
I mean, for us to adequately defend our organizations, we

00:02:56
really need to understand the threats that are coming at us.

00:02:59
You know, especially as many of us are in purchase cycles here

00:03:04
at the end of the year, sometimes money becomes

00:03:07
available and you've got to use or lose that.

00:03:09
I know that was certainly the way things were when I was in,

00:03:13
you know, the military and with the government.

00:03:15
So you're looking to, you know, elevate your tech stack,

00:03:21
elevate your capabilities there at the end of the year in

00:03:24
preparation for the next year.

00:03:26
And so it's so critically important to look back and

00:03:30
understand what you've seen over the last year, but also use

00:03:34
that information to sort of forecast what you see coming up.

00:03:38
And so, as I look back over what we have seen at abnormal

00:03:42
over the last year or two, I think it becomes clear, kind of

00:03:48
where the trending is headed towards 2024.

00:03:50
And I think it comes down to five major issues that we've got

00:03:54
to.

00:03:54
We've really got to keep a bead on these ideas.

00:03:57
So first, in my opinion, we've got brand impersonation,

00:04:02
credential fishing, and we'll kind of unpack these a little

00:04:06
bit, but I want to put them up front for you.

00:04:09
Number two payload this malware, right, and so when we say that

00:04:14
we're generally talking about, like social engineering attacks,

00:04:18
text only social engineering attacks.

00:04:20
Number three QR code attacks.

00:04:23
They have been on the rise.

00:04:25
I anticipate we'll continue to see these as time goes by.

00:04:30
Number four VEC or vendor email compromise and invoice fishing,

00:04:36
invoice fraud.

00:04:38
This is a massive one, continues to be incredibly

00:04:41
lucrative and I fear we'll continue to see it.

00:04:45
And then the last one, not without leaving it out here

00:04:50
generative AI based attacks.

00:04:51
Right, you can't hardly have a podcast or conversation,

00:04:56
presentation of any kind without mentoring, chat, gbt or

00:05:00
generative AI.

00:05:00
This one will be no different, and so we'll talk.

00:05:03
We'll talk a little bit about that as well.

00:05:05
So I think those are the five things that we need to kind of

00:05:09
keep an eye on, and willing to certainly unpack those, but,

00:05:12
like, pause there and see if you've got any questions.

00:05:16
Speaker 1: Yeah, of course, you know, with the, with the text

00:05:21
based attacks, I've actually seen, you know, a good amount of

00:05:28
that already coming through my work email, my personal email,

00:05:33
and it's interesting, you know, I literally had one last week

00:05:38
where you know they were saying like, oh, you know, I'm a new

00:05:41
hire, they told me to reach out to you to resolve some payroll

00:05:46
issue.

00:05:46
Like, one, I'm a security guy, so you're going to the wrong

00:05:50
person.

00:05:50
You know if you are real right.

00:05:53
And two, I'm a security guy so I don't trust you, so I'm going

00:05:56
to delete this email.

00:05:57
You know, like, I hope, if you're real, you know you get

00:06:03
your payroll figured out, but I don't care.

00:06:05
Speaker 2: Right, yeah, no, I'm with you.

00:06:07
It always cracks me up how we in security end up getting kind

00:06:12
of the end of being the dumping ground where a lot of different

00:06:15
kinds of attacks end up landing on our plate.

00:06:17
And I laugh, I think, really, did you think that I, insecurity

00:06:22
, was going to have access to change your payroll?

00:06:24
You know, come on, that's, don't be silly.

00:06:26
But but nevertheless, we do inevitably get targeted for

00:06:30
these kinds of things, and gone are the days are, you know and

00:06:33
we touched a little bit about this in our last one but gone

00:06:36
are the days when attackers are sending you know malicious

00:06:42
attachments and malicious links as the primary way to compromise

00:06:47
you.

00:06:47
They know that.

00:06:48
You know everybody's got a security email gateway, or you

00:06:51
know Microsoft's native 365 controls are really sound, and

00:06:55
so they're great at catching that kind of overt malicious

00:06:59
activity.

00:07:00
So now what we're seeing is this shift to where threat actors

00:07:05
are simply trying to start a conversation with you.

00:07:09
If they can simply get you to reply, then they can go a little

00:07:14
bit further, right?

00:07:15
We've seen ones where a pretty common one is where they purport

00:07:20
to be from.

00:07:21
You know the.

00:07:22
You know we've seen the best buy genius ones, genius bar or

00:07:26
whatever you know a geek squad excuse me, where they send that

00:07:31
and say, oh, you've been charged for this.

00:07:32
If you have any questions or if you feel there's this was done

00:07:36
in error, please reach out to our contacts.

00:07:39
You know our support center at the phone number below right,

00:07:44
and so if they can just get you to start that conversation,

00:07:47
that's usually where they can take it.

00:07:49
You know three or four more steps.

00:07:54
Speaker 1: Yeah, I wonder if they're evolving their attack

00:07:58
pattern based on the technologies that are out in the

00:08:02
field.

00:08:02
Right, because you know in the military that's what you do and

00:08:08
you know this is no different.

00:08:09
Right, where you have solutions that are saying, oh, you've

00:08:13
never talked to this person before and they're asking for

00:08:16
this information.

00:08:17
You know it's probably a bad idea to respond to them.

00:08:21
Well, they're trying I guess they're trying to even just

00:08:24
start that conversation, build that rapport with your solution

00:08:28
in the background, right, and bypass all of that.

00:08:32
How does so?

00:08:34
How does abnormal fit into that ?

00:08:36
This isn't like a softball question or anything like that

00:08:42
that I was pitched ahead of time .

00:08:43
Right, like I'm genuinely wondering you know, how do you,

00:08:47
how do you guys stack up against something like that?

00:08:50
Speaker 2: Yeah, Well, and that's what makes us, I think,

00:08:52
unique or at least the next gen generation of email security

00:08:56
solutions, right, Ones that are using artificial intelligence at

00:09:01
their core.

00:09:01
It's not something has been bolted on, it's actually at the

00:09:05
core of the way the solution works, in that it is consuming

00:09:10
so many signals, right.

00:09:12
And it's beyond just taking in the headers of each email, right

00:09:17
.

00:09:17
Traditional security mail gateways do a great job of

00:09:20
pulling that in.

00:09:21
Microsoft, Google's native security controls.

00:09:25
They do a great job of evaluating those headers.

00:09:29
But there's so much more.

00:09:31
There's so much more signal to to those messages than just that

00:09:35
.

00:09:36
Unfortunately, in the past, security solutions just really

00:09:40
didn't have a way to consume the message body.

00:09:44
But with the advent of natural language processing, computer

00:09:48
vision, deep learning, you know algorithms for machine learning,

00:09:54
we've been able to really dive into the message body, teach our

00:09:58
systems how to read it and understand it, kind of parse all

00:10:02
of the parts of the message body, understand what's being

00:10:06
communicated and then say wait a second.

00:10:09
This is unusual behavior, right ?

00:10:11
This is something I've never seen before.

00:10:14
It's a person you've never spoken with, or at least an

00:10:17
address, an email address that you've never corresponded with

00:10:20
in the past, Even if it's someone that you'd know and

00:10:23
speak with often, maybe the tone has changed, Maybe it's more

00:10:27
formal or less formal than it's ever been before.

00:10:30
You know, it's those signals that abnormal security is able

00:10:34
to pin in on and really understand and then say, okay,

00:10:38
this, this is not normal, right, this is abnormal activity, and

00:10:44
so that's when we can flag it and and move forward from there.

00:10:49
Speaker 1: And is it able to also, you know, look at other

00:10:55
other customers of yours, right, and say like, oh, I saw this at

00:10:59
10 other customers and you know it was the same situation, so

00:11:03
we're going to block it or filter it out, right?

00:11:06
Sure Does it?

00:11:07
Does it have that capability as well?

00:11:09
Speaker 2: Absolutely yeah, and that's what was so powerful when

00:11:12
I think it was CrowdStrike was one of the first to kind of

00:11:16
start using crowdsourced information and say, well, if

00:11:21
I've learned this and this and this from these other customers,

00:11:24
maybe I can retrain my models to look for those kinds of

00:11:29
behaviors across all organizations, and abnormal

00:11:32
absolutely does the same thing in that.

00:11:34
In that regard, now, each to be clear and this is what makes us,

00:11:38
I think, unique is that the models are trained for each

00:11:43
company specifically.

00:11:44
Each one is different because a large financial services

00:11:49
institution would be very different than, like a large

00:11:53
university, right, a large public university.

00:11:55
The kinds of communications that you see, the kinds of

00:11:59
emails that you see, back and forth, are very different, the

00:12:02
users and their level of awareness and training very

00:12:06
different between a college and like a bank.

00:12:08
So it's important that each model is trained for each

00:12:13
company.

00:12:14
But then you can use some overall guidance, overall

00:12:17
understanding about what anomalous behavior looks like in

00:12:21
general across all customers, and that's where you see that

00:12:25
crowdsourced information really benefit the university or the

00:12:31
bank.

00:12:33
Speaker 1: Hmm, yeah, it's really interesting.

00:12:36
Can we talk about payload list exploits, right?

00:12:42
So what are those?

00:12:44
Is that just a text email that's trying to start that

00:12:47
conversation?

00:12:48
Speaker 2: Yeah, so in the email world, anytime we talk about

00:12:51
payload list malware, what we're really talking about is social

00:12:56
engineering.

00:12:56
So it's just that note.

00:12:59
Hey, bill, we talked about this last time.

00:13:01
Hey, bill, it's Bob.

00:13:01
Give me a call when you get a minute.

00:13:03
Right, he's really seeking to start a conversation.

00:13:06
Get you to pick up the phone and call someone, because when

00:13:09
you do that, you can sidestep the rest of your tech stack.

00:13:13
Right, you lose a lot of the defenses that you have already

00:13:18
brought to bear in your tech environment.

00:13:21
I think QR code attacks are similar in that regard because,

00:13:27
as you and don't mean to pivot, but I think there's these two

00:13:31
stories are somewhat related in that, like when we see QR code

00:13:35
phishing attacks, there's not a ton of things that can detect

00:13:40
and resolve a DNS entry from a QR code today.

00:13:46
There's just not a lot of tech stacks, there's not a lot of

00:13:49
solutions in our stacks that can do that.

00:13:51
Abnormal, I think, is relatively unique in that we can

00:13:54
and that's a pretty big differentiator for us.

00:13:58
But in either case, the reason that I think we're seeing threat

00:14:02
actors pivot to using QR codes and emails is A there's nothing

00:14:07
that can defend against it, or very few things that can defend

00:14:10
against it.

00:14:10
But B?

00:14:12
How would you scan a QR code on your email, on your corporate

00:14:17
email, on your desktop, right on your laptop, or whatever the

00:14:20
case may be?

00:14:20
How are you going to scan it?

00:14:23
You're going to pick up your phone and you're going to scan

00:14:25
it with your phone, right?

00:14:27
Well, once you've done that, you have sidestepped all of your

00:14:33
corporate email security controls, all of your corporate

00:14:37
security controls, entirely right, unless you've got an MDM

00:14:41
solution on your phone, which is pretty advanced.

00:14:44
Many folks with bring your own device today don't have a ton of

00:14:51
security controls on our user's phones.

00:14:53
So you don't have EDR, you don't have your internet gateway

00:14:59
, you've lost most of your security controls, and now

00:15:04
you've got a user interacting with a potentially malicious

00:15:08
website on their phones, and so that's where you start to see a

00:15:14
lot of credential harvesting those kinds of things there,

00:15:17
because they've tricked you to go someplace you shouldn't on a

00:15:20
device that your company can't protect.

00:15:25
Speaker 1: Yeah, phones are a very interesting threat surface

00:15:30
for any company out there.

00:15:32
Even if you have an MDM solution, you have a company, so

00:15:38
you have a company device and they manage it and whatnot.

00:15:41
Even then, you're still heavily reliant on the architecture of

00:15:48
the phone.

00:15:48
Hopefully the developers didn't create something that is

00:15:54
insecure in their architecture and whatnot.

00:15:56
Not that Android has ever done that right.

00:16:02
Speaker 2: Or Apple or any of them, right, I mean yeah.

00:16:06
Speaker 1: Well, I always bring up Android because when I was

00:16:08
getting my master's in cybersecurity, it was very

00:16:11
hands-on course, or very hands-on degree, and a part of

00:16:16
it there was a mobile security course and in that course there

00:16:21
was a lab that you had to get root on an Android or an iPhone.

00:16:27
You had to choose a vulnerability and choose your

00:16:30
platform right, and so I chose some Bluetooth vulnerability.

00:16:34
The iPhone had been patched for several months so it was never

00:16:41
going to work on that, so I literally spent about 36 hours

00:16:46
trying to get it on an iPhone that I would never get it on.

00:16:48
And then, as soon as I switch to Android, I get root in 20

00:16:56
minutes.

00:16:57
I'm not a very good hacker, I'm very poor, I can spell the word

00:17:03
and that's it.

00:17:03
But I got root on this thing in 20 minutes and I'm like my

00:17:09
reaction was oh, this is really bad.

00:17:13
If I can do this, sure yeah.

00:17:17
Speaker 2: And that's the thing is a lot of what we're seeing in

00:17:22
terms of hackers trying to convince users to leverage their

00:17:26
phones.

00:17:27
They don't even need to compromise the phone itself.

00:17:30
They don't need to hack the phone or its operating system,

00:17:33
they just convince you to go to a URL that you ought not to go

00:17:37
to.

00:17:38
That looks a lot like something that you're used to logging

00:17:41
into every day.

00:17:42
Maybe it's your OctaPortal, maybe it's your Microsoft 365

00:17:46
portal, maybe it's your Facebook account.

00:17:48
We've seen a lot of different brand impersonation attacks

00:17:53
lately that work this way.

00:17:56
No joke.

00:17:58
Last night, my wife gets a phone call talking about brand

00:18:02
impersonation.

00:18:03
My wife got a phone call from USAA.

00:18:05
Having been in the military, that is the bank that we use, as

00:18:14
most veterans do it's a great organization Gets a call

00:18:18
purportedly from USAA.

00:18:20
Here's the thing they spoofed their phone number so it showed

00:18:24
up on her phone as USAA and they said, hey, we see some unusual

00:18:31
charges.

00:18:32
This is not the first time we've gotten these kinds of

00:18:34
calls.

00:18:34
We get them periodically.

00:18:36
I think we probably all have gotten the call from the bank

00:18:39
that says, hey, starting to see some really unusual stuff.

00:18:42
Are you in Miami, florida, right now?

00:18:44
I'm like I wish, but I am not.

00:18:47
I'm in Ohio and it's freezing.

00:18:49
So they said, yeah, we saw somebody charge $2 at

00:18:54
Walmart, $5 at Best Buy.

00:18:58
And my wife was like no, that's definitely not us.

00:19:02
And they said, ok, we're going to send you a text message.

00:19:06
Need you to log in at the link on the text message and file a

00:19:12
report?

00:19:12
And so the text message comes in.

00:19:16
It's not from the numbers we're used to seeing, which may or

00:19:21
may not mean anything, but the URL was telling it was not USAA,

00:19:27
although it did have you as USAAsomethingco.

00:19:30
It was a long string, I think it was retail online, resell

00:19:37
online, 06 or something along those lines.

00:19:40
And I was like whoa.

00:19:42
My wife's like, oh no, this feels weird.

00:19:44
And the guy's like, no, it's OK , just click the link and log

00:19:48
into your account there and you can file the abuse report.

00:19:53
And I was like no, no, and thankfully she refused to do so.

00:19:59
The guy hung up on her.

00:20:00
We had a call in USAA back and it was not them, it was the

00:20:04
bottom line.

00:20:05
So they're getting more and more brazen and they're getting

00:20:10
more and more sophisticated.

00:20:11
I think getting these calls not terribly interesting.

00:20:17
Getting the call plus the text message was a little more

00:20:22
interesting, but getting the call that was spoofed from their

00:20:24
actual, correct phone number, then doing the rest of the

00:20:30
things, made this one particularly interesting.

00:20:34
So, yeah, these are the kinds of things we're up against folks

00:20:37
.

00:20:40
Speaker 1: And it's almost unfair to the 99% of the

00:20:44
population that isn't in cybersecurity.

00:20:46
That's almost unfair even for cybersecurity professionals.

00:20:49
They are taking the basics of an attack.

00:20:56
They're taking four or five basics of an attack.

00:20:59
They're stringing them all together and they're making it

00:21:02
look like a real legitimate thing.

00:21:04
And I'm going to be honest, it's a pretty good chance that I

00:21:12
probably wouldn't even notice anything until I get to the

00:21:16
login page.

00:21:17
If the login page looks weird, then I would be catching it, but

00:21:21
I'd still click on that link probably.

00:21:23
And I'm in security.

00:21:27
We put ourselves into this.

00:21:28
It's terrible predicament where we just spent, you know, two or

00:21:34
three years right Of having everyone at a restaurant scan

00:21:38
the QR code Precisely.

00:21:40
It's very simple, it's very convenient, but there's no way

00:21:44
to know just by looking at a QR code of if it's malicious or not

00:21:49
.

00:21:49
You know, like and this is coming from security

00:21:51
professionals like, until I get to the website, I have no way of

00:21:56
knowing if that's real or not.

00:21:58
You know, and like you, you can so easily, you know, swap out.

00:22:03
A menu has all the same exact stuff, different QR code on

00:22:07
there.

00:22:07
Or, you know, they tape the QR code to the table.

00:22:10
Okay, well, I could just tape one on top of it, like it

00:22:13
doesn't even have to be that creative.

00:22:15
Yeah, it's.

00:22:17
It's a, it's a unfair, it's an unfair situation.

00:22:22
You know.

00:22:22
If I'm saying it's unfair for us, it's like because my wife

00:22:26
would 100% like she'd be messaging me as she's clicking

00:22:31
on it and like logging in.

00:22:33
It's like.

00:22:33
No, like you know, we don't need to be doing that.

00:22:37
Speaker 2: Yeah, yeah, you're right, I mean COVID.

00:22:39
The last three years with COVID has has just been training the

00:22:45
world's population that QR codes are safe to click on.

00:22:49
Speaker 1: Yeah.

00:22:50
Speaker 2: Or safe to take an image of.

00:22:52
And you know I was.

00:22:53
I was in Columbus.

00:22:54
I think I mentioned this in our last one.

00:22:56
If you know, just forgive me, but you know we were in.

00:22:58
I was in Columbus, ohio, not long ago and went to was that an

00:23:02
event?

00:23:03
And parked at a parking parking lot where you have to shoot a

00:23:08
QR code to pay all of the parking meters down there.

00:23:11
They don't accept coins anymore .

00:23:13
The only way you can pay for them is to shoot a QR code.

00:23:17
That's on the parking meter.

00:23:19
And there were bad guys not at this one, but there were bad

00:23:22
guys that were going around and pasting new ones, new QR codes

00:23:27
over those and they had done their research right.

00:23:29
They made a very similar looking domain where you were

00:23:36
able to put in all of your, all of your information and, and and

00:23:40
quote unquote pay, pay your parking.

00:23:43
But they just siphoned that money off, right.

00:23:46
Speaker 1: So it's horrible.

00:23:48
We, we almost need like a you know, an overarching body right

00:23:54
to step in and give what a QR code you know should look like

00:23:59
and whatnot.

00:24:00
Right, because what we really need with the QR code is the URL

00:24:05
under the QR code.

00:24:07
You should be going here, you know.

00:24:08
So if you scan this thing, you know this is where you're going.

00:24:12
If it goes somewhere else, you're not at the right place,

00:24:15
you know.

00:24:15
And if it doesn't have that URL , then you should know oh, I

00:24:19
shouldn't be scanning it, you know like it should be an

00:24:21
approved sort of thing.

00:24:23
Yeah, I, I can see us going that way in like 20 years.

00:24:30
You know, with how slow the government moves with everything

00:24:33
, I mean, they'll probably start talking about QR codes in 15

00:24:37
years.

00:24:38
Speaker 2: Yeah, and the challenge I think there is that

00:24:42
it actually just advocates for more obfuscated URLs, because

00:24:49
then you know you're you're trusting my aunt or uncle or

00:24:53
grandma to look not only at the QR code and understand what to

00:24:58
do with it which, thankfully, covid taught them what to do

00:25:01
with it.

00:25:01
Unfortunately, then, even if we put the expected URL at the

00:25:06
bottom, you know what's to say, that's, even if they match.

00:25:11
I mean, what's to say?

00:25:13
That it's not malicious anyway.

00:25:15
You know, if you, if you have like a high entropy, you know

00:25:20
URL one with lots of zeros and numbers, and they'll just look

00:25:23
at it and go matches is probably fine, it's not fun.

00:25:27
Don't go there, right?

00:25:31
Speaker 1: Yeah, it's, it's an interesting world that we have

00:25:35
now created for ourselves.

00:25:37
We've kind of backed ourselves into this corner, you know, and

00:25:42
I feel like almost the attackers are evolving quicker than than

00:25:47
the population is, you know, and yeah, that's typically, that's

00:25:51
typically what you see right, but they're I mean they're even

00:25:55
evolving faster than most companies, you know, and some,

00:26:00
most of the time, most solutions out there.

00:26:03
They're evolving faster than most solutions can keep up with.

00:26:06
How in the world do we stay on top of this thing?

00:26:11
Speaker 2: Yeah, well, I think maybe that's where the larger

00:26:15
companies really kind of dig themselves in a hole, because

00:26:20
you and I have both worked at big Fortune 500 companies before

00:26:23
.

00:26:23
And how quickly could you purchase and install a brand new

00:26:27
solution that you've never had before, right, one that's maybe

00:26:30
emerging tech?

00:26:31
You know it takes forever to get through all of the layers of

00:26:36
red tape and analysis and you know and those are good things

00:26:40
right, that's not a bad thing we're doing.

00:26:42
You know lots of vendor, you know vendor risk.

00:26:45
So we're evaluating each of these vendors to ensure that

00:26:50
they're they're doing their own security, so that we don't have

00:26:54
a supply chain compromise.

00:26:55
So those are good, good things.

00:26:57
However, I think that the industry, like the vendor side

00:27:02
of things, are coming up with solutions very quickly.

00:27:05
I think there's lots of very smart people coming up with and

00:27:10
solving very real problems very quickly, and they're getting on

00:27:13
them.

00:27:13
They're getting to market just in time to start solving the

00:27:17
problems as they, as they're hitting scale.

00:27:20
The challenge is, big companies are averse to to hiring, to

00:27:27
buying and using some emerging tech, and so, even though the

00:27:33
solutions exist, there's a reluctance to purchase it right,

00:27:37
either the company's too small, it's you know, oh, it's only a

00:27:40
hundred hundred users, right, a hundred employees.

00:27:43
It's only been around for 18 months.

00:27:45
You know, let's sit and let it bake for a little while and make

00:27:49
sure it's good.

00:27:50
Or maybe maybe the solution is still a little buggy.

00:27:52
Fine, I've seen that I bought buggy solutions before in order

00:27:57
to get in on the front end of a really good idea.

00:27:59
But that's the problem, I think , as we look at big, gargantuan,

00:28:05
monolithic companies, they're risk averse in terms of their

00:28:10
even their new solutions, their new security solutions.

00:28:14
I know that we at abnormal struggled with that early on

00:28:16
because we had a really good idea.

00:28:18
The tech was there, we were confident about it.

00:28:21
Certainly, I bought it and used it for a year before I came

00:28:23
here and and knew that it was good.

00:28:26
But there were still a lot of big companies that were like, ah

00:28:29
, let's just see how this shakes out for a little while longer

00:28:32
first, and you're like, man, we've, we've got the solution to

00:28:37
the.

00:28:37
You know, we've got the cure, you know, to the, the, the

00:28:40
problem that ails you.

00:28:41
But, um, you know, too many folks just are unwilling to try

00:28:45
it.

00:28:47
Speaker 1: Yeah, that's a very real.

00:28:48
It's a very real issue in the security industry.

00:28:53
You know, right now, where, even even fairly recently, right

00:28:58
, the company that I work for, you know they had a super old,

00:29:04
you know, McAfee EDR.

00:29:07
Right, They've had it since it came out, you know and going

00:29:12
with another solution, like Crowd Strike or whatever it

00:29:16
might be Sure, that's a multi-year endeavor, you know,

00:29:22
of convincing them like, hey, this thing works just like

00:29:25
McAfee, it does it better.

00:29:27
You know, this is why it's better.

00:29:29
All these things, you know, and it's repeating that same story

00:29:34
over and over and trying to get some of these companies to like

00:29:38
kind of catch up is is.

00:29:41
It's challenging and I think a part of it is a lot of these,

00:29:45
some of these executives.

00:29:46
They've been burned by new cutting edge tech that only

00:29:51
creates, you know, more headcount.

00:29:54
It only creates more incidents, more issues.

00:29:59
I used to work for a company and they brought in a newer,

00:30:03
privileged access management solution over a tried and true

00:30:10
solution that the industry recognized as the top tier

00:30:14
vendor, and that whole experience was just absolutely

00:30:19
terrible.

00:30:20
Every single day was another hurdle.

00:30:23
I mean literally every single day.

00:30:26
Our solution was on the verge of going down, and the only

00:30:28
reason why it didn't go down was because I grew to identify all

00:30:33
of the early warning systems and I had a very close relationship

00:30:37
with the guys that managed the load balancers and so I could be

00:30:41
like, hey, switch over traffic, here I'm having issues.

00:30:44
I mean, this was every day.

00:30:47
You know like how does that play out to executives minds?

00:30:50
You know because and I think about that, because you know now

00:30:56
that now that see so right, that was dealing with all those

00:31:00
issues saw it firsthand.

00:31:01
He went to another company and the very first thing that he

00:31:05
said was one, we're not hiring anyone that managed that

00:31:08
solution, not hiring anyone that bought that solution at that

00:31:12
other company, and we're also never going to entertain

00:31:16
anything from this company going forward.

00:31:18
It doesn't matter how good their solution gets reviews and

00:31:22
things like that, we're not going with it.

00:31:25
Speaker 2: Yeah, it, sadly that's.

00:31:27
You know, it's a tale as old as time.

00:31:29
Right, you get bit just once.

00:31:31
You know, once bitten, twice shy, I think.

00:31:33
They always say and cybersecurity solutions are no

00:31:37
different.

00:31:38
You know, I think there's stories for both sides, but it

00:31:41
takes you know how many times can you be successful in your

00:31:45
success, but one failure and you've ruined it all.

00:31:47
I think that's the story for CISOs.

00:31:51
You know, there are lots of times the solutions are great,

00:31:55
they're sound, the capabilities are all there.

00:31:57
I remember, you know, even as you know, as a big insurance

00:32:03
company at the time, and we had we were moving, we were at least

00:32:06
considering to move from Cisco, kind of the big upper right

00:32:11
quadrant guy that had been around forever and just handled

00:32:15
all networking.

00:32:16
You know everything.

00:32:17
And there was a small plucky upstart called Palo Alto

00:32:21
networks and had a completely different take on firewalls and

00:32:26
the way they were going to do things and there was even a

00:32:29
concept of layer seven firewalls and we're like, no, that's

00:32:31
impossible, you can't, no, it's, it'll never work, it'll never

00:32:35
take.

00:32:35
And you know, fast forward.

00:32:37
Now you see the pretty, pretty deep market penetration there.

00:32:42
So you know, there there are.

00:32:45
There are good, good news stories on that on one side and

00:32:48
then certainly bad news stories on the other side, but it all it

00:32:51
takes is one time of getting bit to make you go.

00:32:53
Man, let's just stay with the upper right quadrant stuff

00:32:56
that's been around for a while, that's been shook out.

00:32:59
Other people trust right, even if it puts us behind the eight

00:33:03
ball or behind behind the the innovation curve.

00:33:09
Speaker 1: Yeah, yeah, that's a good, that's a good point and

00:33:12
it's a.

00:33:13
It's a difficult one to defeat, honestly.

00:33:17
But you know, something that I have found that tends to help is

00:33:21
when I'm doing a POC, when I'm, you know, evaluating a product,

00:33:25
I always like to get other successful deployments with with

00:33:32
other customers, right, current customers on that came from

00:33:36
other solutions.

00:33:37
You know, and I'll specifically ask you know for customers that

00:33:40
migrated from whatever solution we currently have.

00:33:43
Right, that went with this other new solution.

00:33:47
And the reason why I do that, you know, I tell the vendor

00:33:51
straight up hey, don't join that call.

00:33:53
You know you can send the invite but do not join it.

00:33:56
If you have to start it, you know, just transfer host

00:34:00
permissions to me, whatever it might be, because I want to hear

00:34:03
, I want to hear the horror stories, you know.

00:34:06
I want to hear about your bad, bad, bad, bad, bad, bad, bad,

00:34:07
bad, bad, bad, bad, bad experience with that other

00:34:10
solution.

00:34:10
And I want to hear about, you know, if there was any

00:34:13
challenges deploying this other solution.

00:34:15
Right, Because every vendor is going to say, oh, it's a great

00:34:18
solution, it's turnkey.

00:34:19
I've heard that, you know, on every call I've ever been on,

00:34:22
right, and it's, it's, it says a lot when you actually go into

00:34:29
the solution and it actually is turnkey, you know, like it

00:34:32
actually there I think it was actually abnormal solution when

00:34:38
you know, I heard turnkey and I'm like, okay, turnkey in that

00:34:41
industry is, you know, not real right.

00:34:45
And then we went and did it and I was confused.

00:34:48
I was.

00:34:49
I had the, you know, the solutions engineer on the call

00:34:52
and I said, okay, what's next?

00:34:54
It was no, there's nothing else to do, like just let it work.

00:34:57
Like no, what, what am I going to get out of that?

00:35:01
It was no, just wait.

00:35:03
You know, that was like even for someone like myself, like an

00:35:08
experienced security professional that I've, I like

00:35:11
to feel like I'm on the cutting edge of stuff.

00:35:13
You know, I know what's out there.

00:35:15
Even for me it was like, oh, this is weird, this is different

00:35:21
, you know.

00:35:22
Speaker 2: Yeah, no, I know exactly what.

00:35:24
I had a similar experience right Before I came here, you

00:35:29
know, plugged.

00:35:29
I remember that feeling of plugging it in and thinking,

00:35:32
okay, so it's connected, now the integration is complete.

00:35:36
That went faster than I expected.

00:35:38
But now you know when do we start the configuration?

00:35:42
Right, because I come from the world of secure email gateways.

00:35:46
Where it's, there's a heavy configuration.

00:35:48
You've got to start setting up a block list and allow lists and

00:35:52
keyword searches and so that you can start finding evil.

00:35:55
And I remember distinctly him, you know, saying that's it.

00:36:01
Now we just sit and we wait and it learns and tomorrow we'll

00:36:06
find evil.

00:36:06
And I was like, no, now there's got to be more.

00:36:10
And he was like, nope, just trust me, go home and then

00:36:15
tomorrow let's get together in the morning and we'll see what's

00:36:19
what.

00:36:20
All right, the next day I was horrified at what all it had

00:36:24
found, that was slipping through my existing tech stack, that

00:36:28
I'd spent a lot of time and money had never been told.

00:36:31
No, you know it was.

00:36:33
It was a security defenders dream come true.

00:36:36
You know anything, you want anything you think we need, you

00:36:40
tell us and we'll buy it.

00:36:41
And it's been three years, built in that tech stack, only

00:36:44
to have abnormal come in and go.

00:36:46
Yeah, it's really good.

00:36:49
However, here's all the stuff that's slipping through your

00:36:53
current tech stack, that nothing is catching, and these things

00:36:56
are being delivered to your users in boxes.

00:36:59
Today I was like no man.

00:37:02
I was just gutted.

00:37:05
Speaker 1: So yeah, let's let's talk about the, the AI threats,

00:37:13
the LLM, the generative AI.

00:37:16
I mean, I can say the buzzwords , but I don't know what any of

00:37:19
that means.

00:37:20
I couldn't name an LLM if you put a gun to my head, you know,

00:37:27
like I could not do it.

00:37:28
So what?

00:37:29
What are these?

00:37:30
I guess let's start with what they are right.

00:37:33
What's the biggest threats with them and how can organizations

00:37:38
protect themselves against those sorts of threats?

00:37:41
Speaker 2: Yeah, and I'm glad you brought this up right.

00:37:43
That was number five on our list, right?

00:37:45
Generative AI, and?

00:37:46
And it is an emerging threat, to be sure, but at its core,

00:37:53
generative AI is really nothing more than a next word predictor.

00:37:58
You know, at its to oversimplify things, but that's

00:38:02
what it's doing, right.

00:38:03
You feed it information and it produces net new content as a

00:38:08
result of what you, what prompts you gave it.

00:38:11
And so generative AI is being used to create all of the other,

00:38:15
the other types of attacks that I talked about.

00:38:18
The biggest difference is that it's coming in scale A, it's

00:38:23
making it a little more.

00:38:24
I won't necessarily call it more sophisticated, because you

00:38:30
and I, as English speaking security professionals, could

00:38:35
craft.

00:38:35
To give me 20 minutes, give you 20 minutes we could craft a

00:38:39
very realistic looking spearfishing message.

00:38:43
You know we could do our homework using the world's

00:38:46
greatest hacking solution, linkedin, and then you could

00:38:51
cross reference with like Facebook and figure out, you

00:38:55
know, pick a target, see what they're up to, see what they're

00:38:57
into, and you know we could write a very good, very

00:39:01
realistic, very effective fishing message, spearfishing

00:39:05
message.

00:39:05
The difference being so generative AI can do the same

00:39:11
thing, the difference being it can do the same thing for a non

00:39:15
English speaker and it can level that playing field and it can

00:39:20
do it at scale.

00:39:21
Whereas it would take us maybe 1520, maybe 30 minutes to do a

00:39:25
really good job, generative AI can do this thousands per minute

00:39:31
, and that's the real danger there.

00:39:34
So that that's the first big thing.

00:39:36
But the second big thing that generative AI is enabling is not

00:39:42
only is it doing that at scale, but it can do it with a unique

00:39:47
sender address every time, a unique recipient address, a

00:39:51
unique subject and a unique message body each and every time

00:39:57
that it runs.

00:39:58
That would take us forever to do manually, but generative AI

00:40:03
can do that trivially, in moments.

00:40:06
And now, if you think about how most of our security solutions

00:40:10
work, right, they're looking for similar senders, similar

00:40:15
recipients, message bodies or subjects, some sort of thread to

00:40:20
tie all of the attacks together as part of one campaign, and

00:40:26
none of those things are present .

00:40:27
So that that's terrifying in terms of scale.

00:40:33
It just means that what you, what you've been facing is, is

00:40:38
only we're only going to see it's it's the tip of the iceberg

00:40:41
in 2024.

00:40:42
We're going to see that the scale of that those attacks just

00:40:47
quit, you know, quintuple over the next year.

00:40:50
It's crazy to think about.

00:40:55
Speaker 1: Yeah, it's interesting.

00:40:55
You bring up, you know, linkedin and it's a good

00:41:04
platform for professional networking and whatnot right.

00:41:08
But I feel like the professional side of it almost

00:41:16
gives the illusion that you can be a little bit more open with

00:41:20
where you work and what your title is, what your job

00:41:23
description is, all those sorts of things I noticed when

00:41:29
security were bombarded with job opportunities everything that

00:41:34
you could think of.

00:41:35
Ever since I took my employer names off of my LinkedIn I left

00:41:43
the titles, but I took most of the descriptions.

00:41:47
I took the company names off.

00:41:48
As soon as I did that, it decreased by 90, 95%.

00:41:54
I don't think people can put it together.

00:41:57
He took it off because he has a podcast and he doesn't want it

00:42:02
to conflict or anything like that.

00:42:03
It's interesting the amount of information that you can gain

00:42:09
just from platforms that people have willingly put out there and

00:42:15
opened up.

00:42:15
I've been pretty tempted and I think I actually have disabled

00:42:21
Facebook before because there's just too much out there and I

00:42:26
need to control the information a little bit better.

00:42:28
It's coming to a phase where all of that's coming to fruition

00:42:36
to be combined together with this generative AI to craft the

00:42:42
perfect thing for each person, because we're giving them all

00:42:45
the information that they need.

00:42:47
Speaker 2: Absolutely, yeah, absolutely.

00:42:48
In fact, the internet is forever.

00:42:52
If you don't think so, use the Wayback Machine, because you

00:42:58
talked about updating your LinkedIn and removing things.

00:43:02
I know lots of folks that are wisely doing the same thing.

00:43:06
The challenge is the internet is forever and with the Wayback

00:43:10
Machine, I can still go back and see what it looked like three

00:43:13
years ago, two years ago, last week, prior to when folks

00:43:18
started scrubbing and being at least aware of that that was

00:43:22
even necessary.

00:43:23
I can go back to your Instagram account and I can see the

00:43:29
pictures prior to when we all started going.

00:43:32
Maybe I shouldn't be posting all of this here and I'll start

00:43:36
scrubbing this and you can still go back in time.

00:43:39
That's what makes the internet such an interesting and

00:43:42
terrifying place at the same time.

00:43:47
Speaker 1: Yeah, it's an interesting world that we live

00:43:52
in.

00:43:52
If you had to maybe give guidance to someone that's

00:44:01
trying to either get into IT or security or maybe they're

00:44:04
already in security and they're trying to augment their career,

00:44:11
make themselves more valuable in the field and whatnot Based on

00:44:15
the five items that you mentioned previously, what would

00:44:20
you recommend that they focus on to become more proficient in

00:44:23
those areas?

00:44:24
Speaker 2: Yeah, so great question.

00:44:26
So let me answer it in two parts.

00:44:29
Number one as an individual, how can we level up and become?

00:44:34
A add the skills we need to be successful?

00:44:37
And B, how can we continue to keep them sharp once you do have

00:44:42
those skills?

00:44:43
I think the answer is the same to both of those, which is

00:44:50
you've got to build your own personal testing environment.

00:44:56
You've got to have some sort of testing environment at home.

00:45:00
It can be virtual.

00:45:02
Build your own lab, spin up some VMs so that you can start

00:45:08
testing things.

00:45:09
You can start because that's how you're going to learn best.

00:45:13
I've been doing this a long time and the folks for me that I've

00:45:17
hired that ended up being wildly successful all had a couple of

00:45:21
things in common.

00:45:22
Number one they were insatiably curious like potentially to a

00:45:27
fault, but they were insatiably curious.

00:45:30
They just had to understand how something worked.

00:45:34
We can do a lot with that in the security world.

00:45:37
The second thing is that they're tinkers.

00:45:41
Every person that has been wildly successful for me is the

00:45:45
same kind of person that goes home and goes.

00:45:47
Not only do I want to understand how it works, but I

00:45:50
have to see it, I have to try it .

00:45:52
I have to fire off these exploits at a vulnerable system

00:45:57
while I collect the logs and a packet capture.

00:46:00
Then I want to take a look at the packet capture with wire

00:46:04
shark or T-shark.

00:46:05
I really want to dig in and understand.

00:46:07
How did it work?

00:46:08
What does it look like on the wire?

00:46:11
How can I write rules and alerts that can detect this kind

00:46:14
of activity?

00:46:15
Those kinds of people are incredibly successful.

00:46:19
That is, I think, the number one thing.

00:46:23
Build a home lab, figure out what that looks like.

00:46:26
There's lots of really good tutorials on YouTube.

00:46:29
John Strand, I think, has done a couple of really good ones

00:46:33
from Black Hills Information Security.

00:46:35
One of my mentors the people that I look up to Mick Douglas

00:46:41
is another.

00:46:42
There's some folks that are doing some really interesting

00:46:45
things.

00:46:45
They all say the same thing You've got to roll up your

00:46:48
sleeves and you've got to get in there.

00:46:51
On an individual perspective, that's how we can do that, I

00:46:55
think.

00:46:56
At a corporate level, how can we defend against the kinds of

00:47:01
things we're seeing today, those five example attacks that I

00:47:04
have seen trending up over the last year, which is indicative

00:47:10
of them continuing to just explode in 2024.

00:47:14
I think it comes back to this, especially when we talked about

00:47:17
scale in terms of generative AI.

00:47:20
It's using good AI to fight bad AI.

00:47:24
That's what it's going to come down to, because the volume is

00:47:29
too great, the number of signals is too great for us as humans

00:47:34
to parse and analyze and connect all of these dots together.

00:47:38
As we're searching for new security solutions as you go

00:47:44
through 2024, as you're looking to renew or buy new solutions,

00:47:49
replace old things, look for the plucky upstarts.

00:47:54
Look for the small guys that are disrupting the industry, the

00:47:58
ones that are using generative AI, that are using AI or ML at

00:48:03
their core Not something they bolted on, but they're actually

00:48:08
using machine learning algorithms to process vast

00:48:13
amounts of data and understand anomalous activity and spot that

00:48:17
.

00:48:17
Those are the solutions that you need to be evaluating.

00:48:22
Yes, they may not have been around a long time.

00:48:26
Yes, you might be taking a small chance.

00:48:30
Do talk to other people.

00:48:32
Do talk to ask the vendor for a reference.

00:48:35
I've been on both sides of that conversation.

00:48:38
Joe, you were talking about it a moment ago.

00:48:39
I've been on both sides.

00:48:41
I've been the one requesting that conversation and digging in

00:48:44
saying, really, what was the like?

00:48:45
The vendor's not here.

00:48:47
Tell me the truth.

00:48:47
Was it really as smooth as they say you can get to the bottom

00:48:51
of that.

00:48:51
I've also been on the other side where I've been saying, hey

00:48:54
guys, this actually works.

00:48:56
I've been very happy with it.

00:48:57
Now I'll tell you, because they're not here.

00:48:59
These are the things that you'll have to overcome, or

00:49:03
maybe they were a little clunky, but it's a good solution.

00:49:07
I have no reservations.

00:49:08
I've been on both sides that use those as you evaluate new

00:49:13
emerging technologies.

00:49:16
Speaker 1: Yes, that's a good point.

00:49:17
The curiosity is maybe the biggest thing in security.

00:49:24
That you need to be successful Right, because you always need

00:49:28
to be learning.

00:49:29
I was actually talking to someone not too long ago.

00:49:35
They wanted to get into cybersecurity and they were

00:49:40
asking for the best way to do it .

00:49:43
I said well, look, the first thing that you have to

00:49:46
understand is that you're always going to be learning.

00:49:49
You always need to be in a mentality of, hey, I'm always

00:49:53
working towards a certification, I'm always working towards

00:49:59
learning more about a topic or whatever it might be.

00:50:03
And that stopped them right there in their tracks and they

00:50:08
said well, that's not what I wanna do.

00:50:10
I kinda wanna just like, learn everything and then be done with

00:50:14
it.

00:50:14
You know I'm like, well, that's not really how the world works.

00:50:17
You know, like Certainly this world, yeah, like you know, I

00:50:22
guess maybe school teaches us.

00:50:24
You know in some way like, hey, you learn all these things and

00:50:28
you're done.

00:50:28
You know you in school.

00:50:31
You know you get your PhD right , if you go all the way through,

00:50:35
you get your PhD and that's considered to be done.

00:50:38
It would be dumb for you to get another PhD If it didn't relate

00:50:43
in some way, you know.

00:50:45
But even then it's a stretch.

00:50:49
But in security especially, you know, there is no end to this

00:50:55
thing.

00:50:55
Like I've spun up, you know, so many labs at home and destroyed

00:51:01
so many domain servers Like it's insane, right, I got a

00:51:06
really good backup process that I learned from trial and error,

00:51:11
oh yeah, and then, you know, when I wanted to specialize in

00:51:14
the cloud, first thing I did I opened up a free tier AWS

00:51:18
account, you know, and Azure and GCP, and went through it right

00:51:23
and after enough, you know random three, four $500 bills of

00:51:29
things that I thought that I had spun down when I didn't.

00:51:32
I have learned to go with other services so that they can

00:51:36
handle all of that and I'm not worried about it, you know.

00:51:39
But it's always.

00:51:42
It's always a journey, you know , and it's that's what it is.

00:51:48
Speaker 2: Yeah, you've never in cybersecurity, I think, in life

00:51:50
.

00:51:50
You know you've never arrived, you've.

00:51:54
It's the point is the journey, and so you know.

00:51:59
I think cybersecurity is no different.

00:52:00
You've got to learn to embrace the fact that you won't know it

00:52:06
all.

00:52:06
You'll never know it all, but you should continue to strive to

00:52:09
learn more every day.

00:52:10
I love that, the YouTuber smarter every day and just his

00:52:14
approach to learning and trying new things, sometimes failing

00:52:18
miserably along the way before learning and mastering something

00:52:21
new.

00:52:22
You know, we just all need to adopt that approach.

00:52:27
Speaker 1: Yeah, yeah, absolutely.

00:52:29
Well, mick, you know I really enjoyed our conversation.

00:52:32
I'm definitely gonna have to have you back on in the future,

00:52:36
but we're at the top of our time here, so before I let you go,

00:52:40
how about you tell my audience you know where they can find

00:52:42
abnormal, where they can find you if they want to learn more?

00:52:46
Speaker 2: Yeah, absolutely.

00:52:47
You can hit me up at Mick at abnormalsecuritycom.

00:52:50
That email will get to me.

00:52:51
You can find out more.

00:52:53
You can go to abnormalsecuritycom slash demo.

00:52:56
You can see a short recording of what our UI looks like, how

00:53:01
the product works.

00:53:02
If you go to abnormalsecuritycom slash risk,

00:53:06
you can sign up for a free risk assessment and we can integrate

00:53:09
with your environment.

00:53:10
Test outs how things are going in your environment.

00:53:12
Again, that's read only We'll sit and learn for a week and

00:53:17
then give you a report of all the things that are slipping

00:53:19
through your current tech stack and at that point buy us, don't

00:53:23
buy us, right?

00:53:24
It's up to you.

00:53:25
Figure out what makes sense for you at that time.

00:53:29
Speaker 1: Awesome.

00:53:29
Well, thanks, mick, and I hope everyone listening enjoyed this

00:53:32
episode.

00:53:33
Bye, everyone.

00:53:34
Thanks.