Episode 15 Incident Response Full Transcript

Cyber Warrior

David Warshavski  ·  June 17, 2023  ·  1:07:09

Speakers: Joe Patti (Host), Adam Roth (Host), David Warshavski (Guest)
Joe Patti 00:05

Okay. Hi, Adam. How are you doing today?

Adam Roth 00:08

I'm great. It's a beautiful morning. I'm in Staten Island. A beautiful haze from Canada. Thank you, Canada.

Joe Patti 00:14

Yeah. Once again, we've got haze. Not as bad as last time. Not as apocalyptic. But I've got to say it's a good day, because you have finally come through with an Israeli security expert, as you promised. So, well done, even though I beat you to it. And I'm never going to let you forget it. But we're cool.

Adam Roth 00:34

I'm speechless, but I'm sure this is going to cost me somehow, somewhere. So we'll see what it does.

Joe Patti 00:40

No, it's not going to cost you. I'm giving you a bad time. But the truth is, we have someone great on, an old friend of both of ours. And this is someone who is, what can we say about David? He is, people don't know it, but he is a titan in the security world, a Jedi master, an A-lister, someone who has done a lot of stuff you know about, probably, you've heard about, that he can't talk about, but that you haven't heard of and that you don't know. So, David, great to have you on. Glad you could make the time in your very busy schedule to join us for a little bit.

David Warshavski 01:29

Thanks, Joe. Thanks, Adam. It's great to be here. It's great to see you again. It's been too long. And thanks for the kind words. I really don't deserve it.

Joe Patti 01:39

No, you do. Absolutely. And yeah, unfortunately, we couldn't see you this week. It ends up we're filming, right, just as, you know, Cyber Week in Israel is wrapping up. Adam and I weren't able to be there with the cool people, but, you know, on LinkedIn, it looked like everyone was having a good time.

David Warshavski 01:54

Yeah, well, everything looks good on LinkedIn, but no, they were interesting. Yeah, exactly.

Adam Roth 02:01

They say LinkedIn adds 20 to 30 pounds to your picture.

David Warshavski 02:08

Then I should send someone a gift for it on LinkedIn. Cyber Week was a great event, great conference, great venue for meeting people and catching up and also just getting exposed to some pretty interesting stuff that's going on now in the industry. It's too bad that you couldn't come, but next year you have to come.

Joe Patti 02:28

Okay, we'll make it next year.

Adam Roth 02:31

I keep trying to convince my wife that we need to do a family trip, but she's afraid. Every time I want to go to Israel, she's like, we're supposed to spend time with family, not everybody else. I have like 20, 30 people to see.

David Warshavski 02:42

You can spend time with your extended cyber family.

Adam Roth 02:46

Yes, that's what it is.

David Warshavski 02:47

There you go.

Joe Patti 02:48

All right. So David, why don't you tell us a little bit about yourself and your background to the extent that you'd like to.

David Warshavski 02:55

Sure thing. So, David Warshavski, born and raised in Tel Aviv. Like many of my peers, I am a graduate of a military unit called 8200. Some of you have heard about it. It's the Israeli equivalent of the American NSA or the British GCHQ. And many of the technologies and startups and cyber defenders that the world knows and has heard about and uses are graduates of that unit. And we can talk extensively as to why that is. But more to the point, I'm currently VP of Enterprise Security and Adversarial Tactics at a company called Sygnia, which is basically an incident response and cyber consultancy firm. And we do two things in life. 50% of the time, what we do is incident response, day in, day out. Multiple threat actors across multiple arenas and multiple sectors, mostly doing battle against some of the more well-known threat actors, some of them nation states, North Koreans, Iranians, Russians, obviously, and Chinese as well. We operate globally. We have hubs in North America, Latin America, Europe, Southeast Asia, and are headquartered in Tel Aviv. Most of our team members are graduates of the unit and adjacent units in the military. And we very much have that military setup and spirit in a way that we leverage and capitalize on what we've done during the military service to better serve our clients, the organizations that we work with. Unfortunately, that's just the sad reality today. We're seeing they're under constant attack in an ever increasing fashion by some of these nation state adversaries. So that's in a nutshell who I am, what I do. I live in Tel Aviv with my beautiful wife and two cats, and they have a tendency to join me on some of my Zoom sessions. So if you see one of them, that is a valuable member of the team.

Joe Patti 05:17

No, it happens. I think I've locked my cats out of the room here, but they have a way of getting through. Thank you, thank you, thank you. Yeah, exactly. No, that's great. So, you know, I just want to tell everyone, it's like, you know, a lot of what we talk about on the show is kind of the nuts and bolts of security and how a lot of things are not so exotic and not so exciting all the time. But you do the cool stuff. It's hard work and it's tough, but it is the really, you know, some of the really interesting work. So that's cool.

David Warshavski 05:49

I would argue, and this is something that took me a while to internalize, but I would argue that I do the cool stuff that I wish on no one, like the incident response piece, especially if it's a disruptive attack, ransomware attack, attack against critical infrastructure. That happens usually because someone else didn't take care of the boring stuff.

Adam Roth 06:12

And that's going to be my point, right? I have to imagine that being on an incident response team, being able to go at a moment's notice and then having that level of anxiety and that pressure on you to resolve issues in the real world. And what I mean by real world, some of them might be affecting human beings in a way, but some can also cause financial disruption. And that responsibility sits on you and your team in order for you to repel that adversary and hopefully have that continuation of business and functionality. There's a lot of pressure on you to do that. And even though I love watching it on TV, it always looks romantic. I know in real life, you're sitting there and like, I'm stressed. And I've spoken to you before, when I believe that you're involved in certain situations, and I can tell there's a lot of pressure on you. So God bless you.

David Warshavski 07:08

It's a lot of work. One of the things that we instilled... Well, even before that, when we hire team members for Sygnia, one of the things that we search for, basically we search for two things, attitude and aptitude. You obviously have to have the skills to get a job done or at least learn in time to get a job done. But the aptitude, that's the stuff that, if you don't have it, will kill you mentally. As in we have team members that obviously find it difficult to thrive in an environment of almost complete uncertainty. So when we get called in, suppose a company gets hacked, ransomware has been deployed, it's chaos. Their team members are running like headless chickens sometimes, and it's not their fault. No one taught them what to do, all the way from the IT level to the security level, security team, up to the executive leadership. We don't exactly teach you this at business schools, right? How to handle a cyber crisis. And so when we arrive at the scene, it's very chaotic. And we have to bring in that sort of calmness, that peace of mind that we'll get the job done. We'll lead you out of this crisis. And we have specialized teams across crisis management, remediation, recovery, forensics investigation, even negotiation. We talk a lot about how we do the negotiation piece with the threat actors. It's very interesting. And you have to be able to deal with uncertainty on so many levels. You have to be able, from an executive leadership perspective, I've seen the CEOs, board members, that they didn't know if they would have a company in a few days. And what we say in these situations, your pressure is my pressure as well. I'm not, I won't leave until the job is done. And so every team member should be willing to accept on himself or herself that kind of immense pressure. And as you can imagine, it can be broken. Yeah.

Joe Patti 09:29

Yeah, it's really interesting. On the show, we've talked a lot about how there's the technical side of security and talk about that. And of course, you guys are very skilled in that, really, at the top of anyone's game, um, but the psychology of it and the culture and the communication is so important too. And you know, I think you're very right that that's never more apparent than in an incident, because I mean, one of the things I love to say about incidents is, you know, an old Mike Tyson quote that, you know, everyone's got a plan until they get punched in the face. And that's so true with incidents, especially some of the really big ones of, you know, company extinction level events. That's gotta be a lot. And I think people do come to you to say, you know, bring not just the expertise, but the confidence.

David Warshavski 10:27

And the calmness. And the calmness as well. It's so important. I've seen, we had a couple of cases where one of the IT team members in the company that was attacked had a heart attack halfway through the incident, which was pretty brutal. He survived. Yeah, but it's. Wow. And then we had another case where the IT manager had sort of like a nervous breakdown. We had to step in, and again, it's not anyone's fault, as in to say that usually no one prepares you for this. Like you said, you get punched, even if they do have plans, you get punched in the face. It's not something you prepare for. And you need the resilience. And resilience, even in Cyber Week, I've attended several sessions where the main topic that was discussed was resilience. We even had a keynote by a professor, a distinguished professor from Harvard, Tal Ben-Shahar, an Israeli that at least taught at Harvard and does research at Harvard. And he is very well known for researching positive psychology. Adam Grant was one of his students. And he talks a lot about resilience 2.0 and anti-fragility. So that ability to bounce back, but not just bounce back to the same height, but bounce back higher. He talks a lot about not PTSD. He talks about PTG, post-traumatic growth. And that is something that we see a lot working with some of the companies that we've worked with for years now, is that we've seen the team members, the executives that led through crisis successfully. They've gone and they managed to bring the company and themselves, their own psyche, to a situation where the next time, the next big attack, it's more of a partial, they can shrug it off, at least mentally, because they've lived through that. Some, not as lucky, but it's important that you know that this thing exists, PTG, post-traumatic growth. It's possible to grow in a healthy way out of this, out of these crises.

Adam Roth 12:57

As an EMT, you know, when I've shown up to New York City 911 calls, I've always had that anxiety. I'm walking into a situation, especially when somebody's dying or it's been a major accident, and you have to provide a calmness. And it's the only way I can associate what you do, Dave, to that. But I've also been in incident response, nothing as crazy, and keeping calm, following the protocols and policies and procedures put in place. And we've spoken about that before. When you practice that, when you work it, it's great, it puts you in a better position, but nothing prepares you for when it actually happens. And I can only imagine the anxiety. And I will tell you this, Joe, I've been in the ring, and I've been sparring, and when I'm getting overwhelmed, keeping calm is the only way to survive. Even if you're getting the living crap kicked out of you, you know, you try to remain calm, because the more calm you are, the better you're going to handle that attack. So I don't know if that's the same in your incident response days, but that's the only way I can imagine it.

Joe Patti 14:08

Well, you know, I think there's something to that and having a little bit of training in it, because, you know, David, what you're saying is they don't teach this in business school, and you're absolutely right. I mean, I've, you know, not being full time, and I'm someone who's been dealing with incident response for a long time, but thankfully not being involved in, you know, heavy incidents and stuff. You know, the majority of security professionals really spend their time on the preparation side, you know, as I have, but, you know, I try, and it's funny, you know, you put together your plans and you have all these meetings and people buy into it and do everything, and you'll even do that tabletop maybe once a year with your executive group and people who get dragged into this, who don't wanna do it, they're busy, they're looking at their watches, you know, waiting for it to be over, and you think to yourself, they don't have any conception of what things are really going to be like. They're really not being trained in the amount of, you know, stress and everything that goes along with it. You know, in business there's competition, but there's not typically, you know, attacks and immediate threats, in most cases. So yeah, it's really interesting just how different it is.

David Warshavski 15:26

Yeah, one of the reasons why we hire team members, and we have global teams now, our preference is to hire military veterans or veterans of organizations that encountered crisis situations in the past. Uh, you said thankfully. Back to what you said: thankfully, I haven't been in this heavyweight attack or such a destructive attack. I would say, be careful what you wish for, but don't be thankful, as in, yeah, I wish that anyone, at least once, be in this situation. Well, hopefully it will be resolved for the better, right? But there are learning opportunities. You have to be optimistic, right? There are learning opportunities almost everywhere. And it's not that I've started this being this calm, reserved individual. I've certainly lost my nerve a couple of times. I've been in situations where a small slip-up would bring about a lot of damage. And it's important that you have strict control as much as you can over the situation, but accept that there's a lot of uncertainty and other things that you can't control. I'll give you one example. We had an incident, a ransomware incident. This was one of the more prolific groups. We won't talk about the location or the industry, but in that incident, ransomware had been deployed. We got in, we conducted the forensic investigation. We knew exactly what had happened in a matter of, I think, 48 hours. We had the entire timeline, almost the entire timeline from start to end. It's very amazing work by the investigation team, the forensics team. We set out to remediate and recover the environment. We had a backup. The problem was the way that this specific ransomware spread itself. Even though it was deployed via GPO, it had a way to deploy manually, but also semi-autonomously, as in there was a risk that someone in the environment might do something, you know, inadvertently trigger the ransomware again. And it was very close.
It almost happened that one of the technicians, one of the team members that was helping us recover all these assets, this is a very, very complex, heavy OT environment, he accidentally triggered the ransomware again. In a way that didn't cause damage, because we built compensating controls around it, as in it couldn't spread. But had we not been able to, had we not thought of this in advance, had we not thought of the secondary, tertiary controls, making sure that this is as tight as possible, including working the team members, you know, 18, 20 hour days, so that we can minimize uncertainty as much as we can, we could have found ourselves in a situation where we lose elements of the environment again, and we lose some of the backups again. And so you have to be, in these situations, on top of things as much as you can. The cost is that some of the team members, you really drive them to work, to bring them almost to the edge, if not to the edge. Also, this was... Height of Corona, height of COVID. And this was before the vaccines were out. We're all on site, masks on. Add that element of complexity as well. And at the end of the day, we were successful. We recovered the environment successfully. And pretty much in a matter of a few days, and it's a very complex environment. We were surprised how fast we got it back up and running. So all in all, it was extremely grueling. And some things could have gone really, really sideways. And every hour, I keep asking myself, pardon my French, how can I fuck this up? How can this go sideways? How can this go sideways? So you got to live that tension. You got to bring the calmness to it, but you also got to live that tension. You can't be too calm. Always keep reminding yourself that things can go sideways pretty quickly.

Joe Patti 20:11

Yeah, that's something I wanted to ask you about. And you mentioned it earlier. You're dealing in a situation like that with a very low margin for error, particularly in an incident like a ransomware incident. There is someone potentially in the network watching everything that you're doing as defenders, watching the things you're putting in place. It's very difficult. But you talked earlier also about how it could be, and we've talked about this on the show, someone gets in or you have an incident because of one mistake, one tiny thing. The attackers look for any sort of weakness, yeah, any vulnerability, any weakness. They're going to go in and exploit it. And it seems like even after you've, you know, worked the incident, started to clean it up, they're still going to be looking. Um, it's a very challenging environment. So I want to ask you, you know, are you still seeing where a lot of the incidents are caused by big mistakes, or by smaller issues that managed to get exploited?

David Warshavski 21:13

I would argue, this is our experience, Sygnia's experience, my experience. I would argue that the majority of incidents is usually not a big failure or one big catastrophe. The majority of the incidents that we face, it's a series of small mistakes. Usually it's bad IT practice. Rarely is it a vulnerability. It could be, maybe on the outside, on the way in, but once inside the environment, the game is how quickly can the threat actor leverage misconfigurations in identity and access management and network segmentation. That's the vast majority of the internal attack surface in a nutshell. That's not to say that, you know, vulnerabilities don't matter. It's not to say that patch management is not an issue, but one thing that we see today is that CISOs are overly concerned with things like vulnerability management and patch management, where in reality, most of the internal attack surface that is abused in these types of situations are not vulnerabilities. Especially when we see a lot, many of the incidents that we respond to, the disruptive ones, ransomware or wiper attacks, in OT, heavy OT environments. And it should have stopped being a surprise by now, but it always strikes me, it's kind of astounding to me how easily threat actors can move from IT to OT. And when you do the forensic investigation, and we ask, hey, and many of these organizations would say, well, what do you mean? We've segregated that. That cannot happen. But it did. And in most cases, what we find is there are so many avenues, so many paths a threat actor can leverage, can take, moving from IT to OT. It's so convoluted. What we try to do is to do away with that IT versus OT mentality. I almost fantasize about a day where the world will be such that OT security is not a thing. We just deal with security, because it's almost impossible nowadays to distinguish between the two.

Joe Patti 23:35

Right. And just to let everyone know, OT is what we're talking about here. OT is the operational technology that we've talked about before, things like building management systems, stuff that is outside of the traditional IT computer environment. Traditionally, they were kept separate, but now they're being linked to the point where, as David is saying, it doesn't make sense anymore to treat them separately. And in fact, it seems that that distinction is historical, it's not real anymore, and it's being exploited. And if you're not gonna really acknowledge the reality of the situation, the way it is, you can't secure it. And the bad guys take advantage right there.

Adam Roth 24:21

I did it. I did an interview with a company, and a person asked me, you know, what would you do? We have three different networks. And, you know, how would you handle these three different networks? One's a manufacturing network. One's a gaming network. When I say gaming, more like casinos. And I said, well, you know, I need to understand more about what we're talking about. Are these IoT? What type of devices? I said, but typically, and I said, we'll do micro-segmentation. We'll create a gateway network. You can only log into the network using your Active Directory credentials at the same time. You put EDR. You can't put EDR on IoT. So I went through this whole convoluted but extremely detailed answer. And I say convoluted because I didn't have enough facts. And I think I talked myself out of the job, because it was so intense of a design that the person didn't understand it. They wanted to, I personally think they wanted to show their superiority. But when I said, you can't put EDR on IoT, so you put this, you do not put the IP addresses on there. You even put, you know, physical security, watching the equipment to make sure nobody infiltrates it. You do this, you do this, you do that. And the person's like, thank you for the answer. So the point I'm making is, it's not one size fits all. You know, if you can't put EDR, and you can't put an agent on an IoT device, you have to do things from the network standpoint. But don't ever dismiss the physical aspect of watching the equipment as well, to make sure that there's no physical penetration too. There's a lot of weird things you can do, but hey, I get it.

David Warshavski 26:01

Yeah, it's a highly complex environment. And unfortunately, there are misconceptions as to how to defend such complex environments. It's tempting to say back to basics, credential hygiene, but in reality, when we see the majority of threat actors, I'm not talking about the apex predators. Every now and then you hear about how another nation state managed to use a vulnerable PLC and inject something into it. It's tempting to talk about these stories, there's something, there's a sexy element to them, but that's a distraction. What matters is how the vast majority of the organizations that are susceptible to these attacks, the attacks that they face, the threats that they face, are completely different in nature. It's certainly possible to prevent these attacks, or at the very least mitigate them significantly, and you don't have to do anything magical about it. This is more about back to basics.

Adam Roth 27:08

And I want to just add, when I thought OT, I'm thinking like power plants, I'm thinking dams. My lack of maturity and understanding did not think about manufacturing. I slapped myself on the wrist for that, but I didn't think of a manufacturing plant.

Joe Patti 27:28

So David, along those lines and talk about the attacks that you're seeing now, what's happening? What's hot? I mean, is it still a lot of ransomware? I know everyone's talking about AI security, but I've got to think there can't be many attacks just yet. But what are you battling these days?

David Warshavski 27:51

I would say in the attacks that we respond to, the type of threats that we face and the organizations that we work with globally. Pretty much we're seeing three trends. One is that threat actors seem to be, at least from our experience, seem to be targeting, more and more targeting of OT-heavy organizations. And it sort of makes sense in a way, right? Because you would want to attack, if your goal is monetization or sabotage, you will want to attack organizations that are more susceptible to disruptive attacks. Certainly critical infrastructure, but not only.

Joe Patti 28:40

Well, in those attacks, are you seeing that the OT, the manufacturing and the control systems, is the ultimate target or they're using that as a way to get into the IT systems that probably hold more data?

David Warshavski 28:53

It's a great question. There are nuances to this, because it's not that the ultimate goal is maybe that PLC, that SCADA, that DCS, whatever. The ultimate goal is to stop the business from operating. And there are so many ways to get it done. You don't have to have these very sophisticated toolkits. You don't have to have these very complex toolkits or malware frameworks to bring an OT organization down to its knees. It's enough that the ERP system or the SAP system is down, in many cases. And that's why it's so convoluted, because you have so many OT systems that are highly dependent on systems that you can find in the "IT" environment. And I'm very careful in using these air quotes, but I do it purposefully, because again, we need to do away with the thinking that we'll have these beautifully segregated environments. This usually doesn't happen now.

Adam Roth 29:52

Yeah, right. Yeah, the OT stuff that scares me is more along the line of medical equipment, whether it's the medication drip, whether it's, well, you know, some of the equipment that's maintaining life-saving equipment in hospitals. That's what scares me. I also understand, like, you know, dams and power plants are also important. And believe me, that's one of the biggest things I worry about. Logic bombs that are inside of these power plants where a nation-state can activate them if they get upset. Because that attack, and I wrote a paper on ethical warfare, that attack is what scares me. You're far removed. You're not boots on the ground. It's even more removed than being a drone pilot. If you decide that you want to hurt people and increase the medication or lessen the medication given to patients at a hospital, you can cause real-life death or real consequences.

David Warshavski 30:55

Theoretically, it's possible, but I wouldn't bet on those attacks happening anytime soon, because it's far simpler and far more damaging to just deploy something that's easy to deploy that disrupts hospital operations, or whatever it is that companies have in their OT environment. And to your point, yeah, healthcare is way more complex, because this is much more convoluted and the margin for error is extremely low. We even had this case, not really an incident, but we were called in to investigate. This was a tragic incident where a patient died on the table because a system stopped functioning. And yeah, yeah. And in a way that was very bizarre. This was an anomaly. This has never happened before. And there was an investigation, or they brought in the vendor to investigate it. And they called us to assist, to make sure that this is not anything cyber-related, because this really was a tragedy. And the result of the investigation was, of course, that this was not a result of a cyber-attack. It was operated in a way that sort of caused a malfunction. I believe these were the results. And that's that. Now, it's the first time that we were called in to assist in such an investigation, but it's interesting that, and we expect that this will happen more and more often, because there's certainly more awareness now that this is possible. But again, if you're a threat actor that managed to get inside a hospital network or networks, your ability to create damage, to really, really hurt the hospital, its employees, the patients: you deploy a wiper. It will cause a lot more havoc, a lot more damage. I will argue it will risk lives, just enough that elective surgeries are canceled. And we have these attacks at home, and we've dealt with them in different regions. It's a mess.

Joe Patti 33:17

Well, but you're saying that for the most part when it comes to the hospitals there, at least so far, haven't seen a lot of people going in or attackers going in and trying to hurt people. It's more that they're trying to disrupt them as a business to monetize that.

David Warshavski 33:34

There could be exceptions and there could be attacks. We've never heard of that being the case. But I would say that the rule of thumb is look for the monetization. We'll talk about AI in a second, right? And we'll touch on this aspect as well. Look for monetization. If the threat actors have no way to monetize out of this situation, then an attack would either be politically motivated or geopolitically motivated, or it's the stuff of Hollywood, and then probably less likely to happen.

Adam Roth 34:13

So somebody in my family, I want to be a little bit anonymous here, was having chest issues, and we rushed that person to the hospital, only to find out that their pacemaker was overclocked and no one knows who brought up the rate, the beats per minute. They brought it back down, and thankfully that person's okay. But my point is, let's forget about even ransomware attacks or any type of threat actors. Sometimes we don't manage the IoT devices that are remotely controlled, that can be changed, with audit logs. At least they claim they don't know who did it. They know it was done. They just don't know who it is, because anybody can log in from any hospital to that vendor as long as they have that information for that patient. So it did happen. We have documents to show that. We just don't know who did it. But thankfully, they're OK. But that's the point I'm making. If you can get into a portal, even if it's not an attack, who's controlling that IoT medical device?

David Warshavski 35:24

That's a big attack surface. That's a big attack surface. And for years now, it's been demonstrated that these machines are susceptible. I remember reading papers as far back as 2014, 2015 on how they can attack these. Pacemakers, defibrillators, and also for the new, what's it called? We have those machines for the glucose monitors, right? The continuous glucose monitors. Yeah, yeah.

Joe Patti 35:52

Oh, the insulin pumps.

David Warshavski 35:53

Yeah, we have these demonstrations. And again, it's very tempting to talk about these. And I'm sure some attacks have been conducted. But the vast majority of it, if you cannot find monetization, hence without monetization or potential monetization, it should probably not be exploited en masse.

Joe Patti 36:17

So follow the money. It gets back to that, I guess with everything. Okay. So you're talking about the penetration through the exploiting OT. What other evil things are you seeing out there?

David Warshavski 36:32

Many of the attacks that we've responded to, excuse me, in the past, say, 18 months, more and more attacks that are conducted by governments, or proxies of governments, against private sector organizations. We've known ever since the start of the war in Ukraine that many of these groups, especially the Russian-speaking ones, sometimes operate on behalf of, you know this from the Conti leaks, but also from other intel that we have, and they operate on behalf of, sometimes not even for monetization. And we know that it's in the interest of some of these governments to attack private sector organizations. What we had with oil and gas, or LNG, that started the war, communications, if you remember the attack, that's at the beginning of the war. But ever since then, we've seen many attacks conducted by foreign adversaries against private sector organizations in the West, not only in the West, and to various ends. So, we can go through some of that, but this is more concerning to me, because we're seeing this, the lines are getting blurred. It used to be, you remember this, right? In threat intel, you have this triangle, and you have the hacktivists, and then the cybercrime, whatever level. And then there's the nation-sponsored, nation-state-sponsored, whatever that means, as if there's a huge sponsorship on a football game. It doesn't work like that. And at the very top, you have the nation state threat actors, the apex predators. Even then, it gets kind of nuanced. Nowadays, the lines are getting very blurred for various reasons, but we're definitely seeing highly talented individuals that are moving in between those levels in the pyramid. And the technology at their disposal really makes a difference.

Adam Roth38:46

So Dave, are you saying that the next Super Bowl, there might be a threat group that sponsors a commercial or something?

David Warshavski38:53

Probably not the American Super Bowl. Actually, this is not... Jokes aside, we've seen some of these groups, some of these ransomware threat groups, we've seen them post. They're looking for penetration testers and they're looking for whatever roles they have. And by the way, we know this for some time now, that many of these groups, they operate like a business. They have their own HR departments, they have marketing.

Adam Roth39:21

You have real support there. I know that for a fact.

David Warshavski39:25

They have guarantees. There was one group I saw on the forums where they actually promised health. That's mental. And so this is, we can joke about it all day, but think about it for a second. And this is not me making a moral, taking a moral stance. This is just an observation. But think about it for a second that for you and I have this amazing ecosystem. In Tel Aviv, in the valley, we have opportunities. For many of the young, talented individuals, especially in that region of the world, that area of the world, they don't have a lot of opportunities. And some of these threat actors, they're seen as entrepreneurs. It's amazing. They live the life of an entrepreneur, and they're glorified. And it's not to stick it to the enemy. They've seized on a business opportunity. So again, not a moral stance, just an observation, obviously.

Joe Patti40:30

Well, it is interesting to see what's happening there, as we've seen in, you know, unfortunately, a lot of other, you know, enterprises, they get big, they get, you know, they get professional, they have codes and everything. It's interesting, from what I understand, a lot of the ransomware, big ransomware operators will call their victims their customers and want to make sure that they have a good reputation sometimes, and you're like, wow, they're so impressive, they're so great, and then you remember, you know, they're criminals, and I will make a little bit of a judgment. It's kind of like watching The Sopranos or something, or The Godfather, how these guys are, they're so cool, this is so interesting, they're so capable, and then you remember and you get a scene that shows, yeah, but they're criminals. These are not good guys.

David Warshavski41:18

It's tough. I always had an issue with these shows because they get you to sympathize with people who, at the end of the day, profit from other people's misery. So maybe we shouldn't, but when I look at these, when we suddenly have this experience negotiating with some fanatics, and this is quite the experience. Obviously, at the end of the day, there are humans behind that, behind the support chats, websites. And at the end of the day, you're dealing with people who call themselves businessmen. They have a reputation to maintain. And they will say themselves, we have correspondents, right? They say reputation is more important than money. At the end of the day, it's kind of like this, because reputation is what gets them the money at the end, because if the victim...

Joe Patti42:14

Right, that said, it's a very clever inversion of it, right? Their code of honor and their reputation is about making money, it's not about any moral sense, that's interesting.

David Warshavski42:27

What assurance do they have that they'll get the decryption keys and the threat actor that will make good on their word, not to publish the data. Reputation, that's it. That's it. They cannot afford to lose a reputation. If ransom was, at least for the top-tier threat actors, what we had, and this happens quite often, is that we come and we are called in to assist. The company was hacked. Ransomware was deployed. All right. We start negotiating with a threat actor. And they will identify as one of these targeted threat actors. But via the negotiation and the way that we negotiated and via the forensic investigation, we quickly learned that they are not who they say they are. And this is critical. This is critical. By the way, sometimes it can even be as simple as, you know, take the English, they correspond in English most of the times, and then take that, and it's obviously Google Translate from Chinese. Okay, so wait a minute, you're not the Russian threat actor that you claim to be. Happened to us more than a couple of times. This is very important. It's why it's critical to have that ability in your toolkit. You want to be able to negotiate and do the forensic investigation in conjunction. This is amazing. We can gain really valuable insights and intel on who they are and then help executive leadership make that informed decision, whether to pay or not to pay, which is not an easy one.

Adam Roth44:01

Okay, so let me, let me ask you this. As a person who puts himself in very precarious, dangerous situations, I don't know if I can ask you this, but the anonymization of yourself, of you and the company, when you typically negotiate or deal with these threat actors, do you keep an anonymous...

David Warshavski44:26

Uh, identification? Do you let them know who you guys are, or how does that work? We'll keep, we won't discuss much of the tactics of how we do things, but obviously we don't ever, ever identify as, right? It's not something that you do. You, you, yeah, yeah, I'll, I'll, I'll help you out that. I don't know your procedures, but I do know they generally...

Joe Patti44:51

And just to let everyone know, when you get a big ransomware attack, they ask you for millions or tens of millions of dollars. You don't just pay it. There's a negotiation and there are typically people who you can hire who are professional, believe it or not, professional negotiators who know how to deal with these groups. Some of them even get to know them and know some of their buttons. But then on the other side, of course, you don't want to tip off who's doing your negotiation because a lot of the groups, they don't like that. They obviously don't like you calling in help. And so especially competent help. And so that can actually make the, not only be dangerous for the people involved, but that can sour the negotiation. It really is amazing. And there have been groups that have threatened and said, if you bring in a professional, if you bring in a security consultant, we will not negotiate with you.

David Warshavski45:52

For some of these, it's boilerplate template in the ransomware. Don't bring in. So far. Right.

Adam Roth46:03

Well, I'm not going to discuss TTPs, but I wanted to make sure our audience, I put that out on purpose. Um, I, you know, I realized that, you know, Dave might be doing negotiations and the, uh, "Oh, nice to see you again, Dave. Oh, we dealt with you three weeks ago. Yeah. Let's read and negotiate this one now too." I mean, I'm sure people's paths cross. I know that the industry is big and I know there's a lot of threat actors, but I, but some of these big threat actors, I'm sure, cross paths with the same incident response people more than once. I would have to believe that.

David Warshavski46:35

I've seen this happen with other companies where there was this, to me, I believe, unhealthy relationship in the way that they, yeah, in the way that, again, these are other companies, not us, not Sygnia, but I've seen elsewhere where other companies, where negotiators that identified as, and they have this sort of correspondence, as if seeing a long-lost, not a long-lost friend, but someone that they have a relationship with on a quarterly basis. It certainly facilitates some of the interaction, but I think it is ultimately unhealthy or detrimental. It can be detrimental to you, and remember, we have one goal. In these situations, we have only one goal in life. To bring back business to normal operations as fast as humanly possible. That's it.

Adam Roth47:41

This reminds me of that movie, Proof of Life, where they're doing the negotiations and they know who they're negotiating with.

Joe Patti47:50

Well, it also makes me think of, and maybe this is a little, a little too television, but some of the situations where, you know, even if it's, if it's a neighbor, you know that the cops know the crooks. They know who they are, and they do, and they may even develop a certain relationship, but you have to remember these are the bad guys. This is the adversary. They're not someone you want to be friendly with, and you certainly don't want to get in a position where they do get to know you and they can take advantage.

Adam Roth48:16

And that's an interesting point, Joe, right? In some countries, depending on where you are, law enforcement, I'm not saying they're always brought in, but there might be a kind of requirement to bring them in. And then you have to deal with the law enforcement, dealing with the negotiators, dealing with the threat actors, dealing with the caterers. I mean, I'm kind of being funny, but there's a whole procedure of things that have to happen. And sometimes that makes it so muddy.

Joe Patti48:45

OK, so that's some heavy stuff. And we are getting deep into the discussion here. Did we want to talk a little bit about AI that we mentioned? And I kind of suspect I know what you're going to say with some of it. But what are you seeing in incident response with it these days? Or what's on your mind as far as that goes?

David Warshavski49:07

We didn't sit on our thumbs when that thing came out. So end of last year, ChatGPT, generative AI, and caught most of us by surprise. And it was clear to us that this thing will explode in a bad way. I'm not talking about AI existential risk. That is a different topic, probably a different podcast. But even though I have a lot to say about that, we immediately realized that we should be more concerned of the short-term societal risks and more to the point, how threat actors will leverage that. That's one aspect of it.

Joe Patti49:44

So yeah, it's a great tool for them.

David Warshavski49:48

Hey, this will 10x your engineers. Everyone is a coder now. I remember that demonstration by Greg Brockman from OpenAI, where you can scribble how you want your website to look like, and it will create a website for you. Because now GPT-4 is multimodal, and you can just show the picture. And it was clear to us this will be abused. And we started seeing that. So we started seeing threat actors that we knew, or at least we thought we did. And suddenly, they sort of 10x'd themselves. The phishing emails, well articulated and en masse. And we saw better code, I would say, better result. This is a complex, maybe another statement here, in a sense that the way that this technology is not inherently good or evil. That's a given. It's the way I use it. And so we think about this technology that just empowers you to do this amazing stuff and think about all the, and I really use that term carefully, democratization of technology. It's a conversation with someone very executive, someone at the top of the hierarchy of one of the big tech vendors that is at the forefront of bringing AI to the masses. And he told me that they have these conversations with the US government and especially members of the National Security Council and similar agencies. And he told me that they talk to them about how great and they're pushing this economy forward and they care about democratization so that everyone has access, and the government agencies that this is not democratization, this is proliferation. And I agree with that sentiment. As in, it's one thing to go and chat to ChatGPT and now please write me a ransomware. And it will probably say, as an open large language model, I cannot blah, blah, blah. But then you can probably jailbreak it, and it will give you something. At least there's an audit. At least there's an audit.

Joe Patti52:17

It's easy to get around. It's trivially easy.

David Warshavski52:20

It's nothing different entirely. When now many of these tools are open sourced, and you can pretty much run inference on a laptop without any guardrails, without any audit logs, threat actors can build their own version of ChatGPT. And we suspect because we built this ourselves. So we suspect that in no show time, I like to abuse the abuse, but you know, the Microsoft Copilot branding, which I like, and I believe that they're doing some amazing stuff on the defensive side. We'll talk about that. But yeah, we may witness an attacker copilot. Why not? It's possible these days because, you know, ever since the LLaMA, the Meta LLaMA weights got leaked, and with the llama.cpp project that allows anyone to run inference on their laptop. And we've seen this Cambrian explosion of fine-tuned large language models. And anyone can run inference, and anyone can do stuff. Not the equivalent of ChatGPT, but not that far from it. So I'm, yeah.

Joe Patti53:32

So I'm pretty good and the open source is getting closer quickly. That's true.

Adam Roth53:36

I, I have the, yeah, I have experts in ChatGPT. Uh, when I need to know about jailbreaking, I go to my kids, my kids know how to jailbreak ChatGPT for everything. And my kid, my son is so proud of himself. He did some of his homework with ChatGPT. Meanwhile, he's like an honor roll. He's going to a specialized high school. My other child just graduated a specialized high school.

David Warshavski54:00

That's a, that's a, by the way, that's to me, that's scary. I don't have kids, but I'm, this is, this is, this is not cyber related, but, uh, when we discuss short term societal risks, I don't want to live in an age where, when the first instinct the child has is, "Oh, you know what? Someone asked me a question. I'll ask." That's not a healthy society. Now that's the, that's the short, you know, that's a, that's a short path thing. If you've seen the movie WALL-E, they end up on these floating devices, very thinking for themselves, right? So this is like the vision of the future. We lose the ability to think critically. But let's say it's a distraction. The thing that worries us, and we're seeing that, we're seeing that threat actors can leverage it quite easily to 10x their operations. And this will happen. Now, fortunately, we have companies like Microsoft, like Google and others, who are pushing the envelope on bringing those capabilities to the masses. So Microsoft announced the Security Copilot, Google announced the Google AI Workbench. And I am optimistic about us defenders having these abilities. It will take some time, but I'm optimistic.

Joe Patti55:25

Yeah. Yeah, that's what I worry about, the speed, because I kind of equate where AI is, and I don't know, maybe this is a tortured analogy, to kind of where automobiles were, maybe in the 1910s or the 1920s or something, where they built these things that could go 80, 90 miles per hour, whatever. People didn't know how to drive them. They didn't have brakes. They didn't have any safety systems. They didn't have roads and stoplights and everything. And it took a while for things to catch up. And I think here with AI, we need to catch up quickly to put some of those safety systems in and to train people how to use it correctly before things get out of hand.

David Warshavski56:17

We can laugh about how Europeans regulate very quickly, or at least as compared to the US. But I don't think I've seen in the past, with regards to the, I'm always referencing the EU AI Act, the draft, the new draft that was approved, I think it was last week or two weeks ago. I haven't seen any regulator respond as quickly as we've seen with the EU AI Act. Now, some of the things that they've passed is draconian. It really is. But there are some issues. But this was a pretty quick response. I'm hoping that this is a step in the right direction. It's not about stifling innovation. It's about making sure that we put guardrails in place. But any regulation that we'll adhere to here in the States, the West, EU, the US. It's not relevant for China. It's not relevant for Russia. It's not relevant for other countries that will just, you know, they have no interest in adhering to this regulation.

Joe Patti57:28

Well, even any regulations that are done need to be well considered in a lot of aspects. And unfortunately, government regulations, especially when they're put out very quickly, are often not well considered, and can have consequences, so we'll say.

David Warshavski57:48

Yeah. By the way, I haven't fully answered your question, because we've talked about how threat actors can leverage AI to further their own. But one aspect that's almost orthogonal to this one that we've been researching is AI as an attack surface. And we've had lots of conversations with CISOs, CIOs, heads of engineering at various companies, where they are rushing in, rushing to embed large language models and generative AI into their pipelines, whether that's the CI/CD pipeline or further up the stack, but in the production environment. And they'll open up this whole new attack surface, virtually uncharted territory. And it's very interesting to explore that territory because we've already seen some minor demonstrations, prompt injection. It's just the tip of the iceberg. But you can imagine, it's almost like the start of the internet. People are finding out the first cross-site scripting, in a way. So you can only imagine this will get worse and worse.

Joe Patti59:05

Well, I think it's not just a matter of the ways to exploit it and trick it and attack it in those ways. I also worry about the general reliability of it. So many people are jumping in. I love the term hallucination. Somehow someone came up with the term of hallucination, which to me is a euphemism for when the AI is wrong, when it's being used in a way that it shouldn't be used. It is not good at answering certain questions, and it's just plain wrong sometimes. And that's something that can probably be exploited, too, in a lot of scenarios.

David Warshavski59:39

Yeah. Yeah, definitely. By the way, I had an interesting conversation with various CISOs that they were charged, or they were asked, or at least they were told that they need to somehow solve or at least address issues that have to do with bias and ethics within the products that the company makes. And with security people, yeah, yeah. And this was amazing to me. This was amazing to me because, you know, where's the delineation between, okay, as CISOs, we are in charge of securing the company, the organization against cyber attacks. But why, the CISOs ask, why am I responsible for making sure that our chatbot doesn't do something it shouldn't, not something unsafe from a security perspective, but something that replies in a way that insults the customer.

Joe Patti01:00:44

Yeah, that's a good question.

Adam Roth01:00:48

Because somebody has to take the responsibility. I'm not saying it's right, but somebody has to take the responsibility. So why not throw it on the person or people that are utilizing or the predominant consumers and supporters.

David Warshavski01:01:05

So this was a very heated debate. And some said, yeah, yeah, yeah. And so CISOs and CIOs had a very heated debate and they said, look, we get it, but we don't know who, inside the organization, we don't know who to turn to. And someone said, Leo, we have risk functions. This is a risk, not a cyber risk. Risk functions should somehow address it. Yeah, but they use the chatbot. And so this very, very heated debate and who's responsible, because you think about it, it's a question of the attack sectors. If you use a prompt injection, which to us almost immediately, when it's localized, we think about a cyber attack, right? Prompt injection. Then, oh yeah, security, no. But if a prompt injection leads to the chatbot behaving in a way it shouldn't, but not in a way that leaks information or allows a threat actor way inside, then is it a security issue? So one way to answer is, and some CISOs were very adamant on this, no, no, we have to draw a line in the sand. I don't wanna handle this risk as well. Another group of CISOs, they said, you know what? Maybe times are changing and maybe the role of the system will change accordingly as we take charge of this technology as well. And it's difficult to answer. This is a difficult one. I'm still struggling with this myself.

Joe Patti01:02:33

Yeah, it is interesting. I mean, you know, from, from my perspective, just hearing it, you know, it doesn't seem to me like it's the realm of the, of the CISO. So it almost seems like it's more, you know, compliance and, and operational controls. If we're going to get either a person or a tool, we need the process to ensure that it's effective, that it's, that it's controlled. I mean, you know, machines don't have ethics, there is no such concept, you know, people, organizations have to follow those codes.

Adam Roth01:03:04

Let's, let's steer away from compliance in order, because I'm married to one and I don't want to get hurt.

Joe Patti01:03:11

That's right. So we've been talking for, for quite a bit, and I think we're getting to last call here, as we call it. Um, and David, we had, I think, two final, Adam had two final questions for you. So Adam, what have we got?

Adam Roth01:03:31

Well, I, I was gonna ask you about zero days. I'm not sure, oh, yeah, on the table for discussion. My answer was surprised.

David Warshavski01:03:41

A couple of, I would say, how many zero days I found? I would say a couple of critical ones, but I would then argue that, referencing part of the previous discussion that we had, that zero days these days, I'm not belittling, I'm not diminishing the role they play, but in almost nine times out of 10, in the major incidents that we respond to, it's not a zero day. It's not even the nation, the ones that are conducted by the more advanced nations. It's not necessarily zero days. It's a series of misconfigurations. And taking advantage of the complexity of the environment allows threat actors to complete their mission objective. Got it. Thank you.

Adam Roth01:04:29

And this is probably what our audience has been waiting for this whole entire hour, conversation, podcast: where is your go-to place for shawarma and falafel?

David Warshavski01:04:40

I am not a foodie, so maybe I'm not the person to ask, but there is a nice place right around the block that makes decent shawarma. A great neighborhood place. There you go, a neighborhood place. That's great. I don't want to... Free advertising, but this is a business.

Joe Patti01:05:11

No, I don't want to say where you live, but that's cool. Your favorite place is the neighborhood place. That's so down home. That's so cool. That's awesome, you know?

David Warshavski01:05:18

And, you know, the focus should be on eating healthy and low-carb diets. Not necessarily the best source of information for shawarma.

Adam Roth01:05:32

Yeah, well, you know what?

Joe Patti01:05:36

Adam's getting right on that, the low-carb dad.

Adam Roth01:05:39

I'm okay, but my thing is, I'm learning, and my wife showed me, you cut the pita, you put in a little hummus, you put in some shawarma meat, then you put in the pickle, and you eat it. It's good.

Joe Patti01:05:56

There you go. Okay, we'll have to do a food series at some point.

Adam Roth01:06:01

I may recommend Cyber AI Warrior The Return of the Jedi for a second episode.

David Warshavski01:06:07

I'm more of an Emperor Palpatine fan.

Adam Roth01:06:14

Yes, sir. Thank you.

Joe Patti01:06:15

This has been great. Well, David, thanks so much for joining us. It's always great to see you. And certainly, it's always great to get your insights, especially as you're coming fresh off a big conference. And you know what's going on, so it's great. Great to hear. And I'll also say, hearing the, you know, for people like us who have to defend, it's really important to know what the attackers are doing and what they're having success with, so that we can defend against it. So it's not just fun to hear, it's very important, and we appreciate it.

Adam Roth01:06:55

Thanks. Thank you.

Joe Patti01:06:57

Okay, great. Take care.