Ransomware and Hawaiian Shirts: Another Friday in Cyber Security
Jennifer Gold, Patrick Arvidson, Roger Hockenberry · February 6, 2025 · 1:26:19
Welcome to the Security Cocktail Hour. I'm Joe Patti. I'm Adam Roth. Adam, we have another full plate of fabulous guests today. We are lucky.
I don't know how we got another panel, but wow.
We not only have another panel, but we have a returning guest. Jennifer Gold is back. Hi, Jen.
Hi. Thank you for having me back.
Oh, thanks. It's great to have you on again. And this time you brought friends, which is even better, which is very cool. We've got Roger Hockenberry. Roger, welcome to the show.
Hi. It's great to be here. I think it'll be a lot of fun.
Thanks. And we also have Patrick Arvidson. Patrick?
Hey, thanks for having me. And thanks for putting up with my crap for the next hour.
Well, actually, I was going to say, before you said something, I was so nervous, because to let everyone know, we had a little audio problem before this, and I'm like, please let the audio work. Please let it work.
We also had a little bit of a shirt problem, Joe, too. Nobody told me.
I know, no one told us about the shirts, but we'll get to that in a moment. But first, everyone, please, whatever platform you're on, follow us, like, subscribe, give us a thumbs up, turn on notifications. It really helps us, and we'd love your feedback in the comments. So please drop one, and we'll probably answer it.
We should bring up the fact that we're starting to get hate messages, so we're looking better.
Yes, we got a hate comment, our first one. It was awesome. I've been looking forward to that.
Oh, did that come upon the release of my most recent?
No, it wasn't yours. It was a different one. It was actually one of the promo clips we do.
That's a great sign. That means you're doing something right when you get a comment.
I know, absolutely. If you're not making anyone angry, I guess you're not trying hard enough or something.
I had a boss who told me you didn't make it until you got a grievance filed against you.
You're not doing good until you get hate mail.
And I was also told basketball is no foul until it's an autopsy.
That's right.
So today's drink is the Hurricane.
Our Hurricanes look different.
We will definitely improvise the glass.
Well, it's hard to find Hurricane glasses. So mine is the Florida Hurricane, with the umbrella shredded and turned the other way, because we've had three hurricanes in the past couple months, including one a couple weeks ago. So this is what I'm drinking this evening. It's made with rum that is distilled in Key West. I'll try not to say names, I don't wanna know, I don't know if I can, but distilled in Key West. So just a fun drink. And cheers to everyone.
Cheers. Cheers, everyone. Happy Friday.
Happy Friday. Absolutely. So we'll talk about the topic of the shirts real quick, Joe. Yes. In the intelligence community, in the Department of Defense, it is a centuries-old tradition. I don't even know. I say that as a joke, that you always wear a Hawaiian shirt on Fridays, because you're supposed to be relaxing. It's the equivalent of the casual Friday. So Pat and I just do it out of habit, I suppose. And we didn't think to tell you guys that this was one of the things. So there, now you've learned something exciting and new. Pat, don't you? It's always Friday, right?
It's always Friday. It's a tradition. We actually have a Dress Like Somebody Day once a year. One of our TDs is always in Hawaiian shirts, no matter what day of the week it is. And so we all come in on Fridays, or that day of the year, all dressed to the nines in Hawaiian.
That's right. Or you do a whole thing where you can do the opposite. Everybody will wear a Hawaiian shirt, and one day a guy will wear a full tuxedo. Some people wear a three-piece suit. But it's usually the Hawaiian shirt is the key. You gotta wear the Hawaiian shirt.
So I'm not part of that fraternity, but I will tell you, Joe used to yell at us when I used to work for him. Don't do any hunting on Fridays. It was always at 3:30 p.m. I think we found something. It might be an IOC. I don't know. And Joe's like, why are you hunting on Fridays? Do you remember that, Joe?
Well, that was really just an extension from the general IT rule of don't read anything on Friday. I know.
It's a bad time to make changes. And then it's like 3:30, and then it's 4:30, and then it's 5:30, and then it's 9 o'clock at night, and we're still stuck there on a Friday because we had to go looking for something.
My goal was always to be finished by one o'clock. Don't answer the phone and don't look at email. Yes, sir, that is... that is surprise tasking moments, right?
That's when you know you're gonna get something. See, in the Pentagon, the real key is to schedule meetings Friday at three o'clock. Nobody shows up.
Oh, yeah, it's really so that people that have to travel don't come. And that's... it's when you want to make a real decision. So if you're at a program-specific point, it's going to be, we're moving forward in our program. We're doing something else. We got to vote on it to get approval. You make it at Friday four o'clock because only the people who are going to be on your side are going to show up. And everybody else is gone. And then you vote and you say, hey, it passed. And we made a decision to move forward on the program, but you weren't there.
Well, I'll tell you at one point I went to work for a Japanese bank and I tried that trick and you learn it doesn't work with them. You schedule a meeting, they show up. It doesn't matter.
That reminds me of that TV show Night Court. The guy goes, they go, how did you become a judge? He goes, it was Saturday and they called everybody out. Nobody was available. Everyone was playing golf. But because I was available, they made me a judge right away. I was the only one that answered.
Yeah, so that's the secret of getting things done, is make sure you appropriately schedule your meetings in the government. That's the key.
But Fridays is the number one day for, Fridays and holidays, and right before holiday is the highest number of attacks that you see from a ransomware perspective.
Ooh, good factor.
So Friday is ransomware day. So for everyone else, as everyone's winding down, that's usually when you start getting the calls, Friday into Saturday.
That's true. So I don't, I don't know if you know this or not, but years ago, back when I first started early 2000s, they used to release patches on Fridays. Yeah.
That's insane.
We as an agency went to Microsoft and some Linux and all those folks and said, can you do it earlier in the week? And it was moved to Tuesday, right? It was actually moved to Tuesday to give people a chance to patch their systems before Friday, before the weekends, before we had organized crime, right? That was the reality, and so all the hobbyists wouldn't go nuts during the weekend.
You know, you bring up a part where I was involved in a very large event of over 50,000 people and I told my boss at the time to not push a change within 12 hours of the event. He goes, no, it'll be fine, it'll be fine. I'm like, no, we don't have enough time to recover. And he pushed the change and we lost connectivity through a very large wireless network. So that's the point. Don't push changes end of the week and don't push changes before a major event.
Yeah.
And I used to always tell people, like you were saying Jen, Fridays, they hit, also holiday weekends. I know everyone wants to get out of here for Memorial Day, but the bad guys know that too. They know we want to get out of here.
Right, and then... Yeah. Right, or right before the holiday, especially if it's cyber fraud and the banks will be closed the next day.
That's right, it won't matter.
And I don't know much about how government works, but it's true, right? You know, the people that are on call, it's not usually the highest-tier people that are on call. It's usually the lowest-tier people. I say low, it's not to disrespect anybody, but it's more the people who are new and they're on call over the weekend. So if you're going to push an attack, you're waiting for that person to be on call with a minimal amount of people to support it. Don't get me wrong, people have great plans and incident response, and they'll get the right amount of people together. But by that time, that threat actor has made a decent attack. It's a little bit harder, right, Roger and Pat?
I agree, because that's part of your operation, to figure out when it's going to be least populated and then figure out when you're going to have the best chance of success and when there's going to be the least amount of potential for response. Because even if somebody's like, well, I'm on call. Well, my response time might be several hours, right? The fastest I can get to anywhere. So again, there's not a lot of teleworking necessarily in some areas. So you can't just dial in to do things. You have to go physically to the location. And I would think banks and things would be the same, at least in my experience. Anyway, so Joe, we're like all over the place already.
You would think that people, people would rethink the staffing model, the resourcing model, knowing what we know, but we're still like, yeah, it's the weekend.
Because it's always going to be the same. Nobody wants to do that. And that's, you know, when you're more experienced, you don't need to be on the weekends. I don't know.
Well, we've changed the response model, right? It used to be you didn't have really VPN and you could RDP into something, in the early years, but now you have to carry a football with you. And by football, I mean like a laptop that has a VPN, that has Wi-Fi, that has cellular, that has everything, because you can't walk around just with your cell phone anymore. It's very hard to do that with the level of support and security layers. So, you know, if you're not carrying that with you and you're going to an event, you might have to go home first, get into your desktop or your laptop. It's crazy. Sorry, Jen.
Sorry, Jen, we're all, again, but you knew bringing Pat and I into the conversation was gonna go everywhere, right?
Right. That's the great part.
And I'm trying to restrain myself just enough.
I know, we have stories. We have many stories to tell.
But I realized we started going and going in all kinds of directions before we even did intros. So you guys didn't really give your background and you just said that I brought some friends, but I think it'd be great for everyone to know that the friends I brought are from formerly the CIA and NSA and what we're doing now. So I think it'd be fun to do intros, not to take over Joe and Adam.
Absolutely. Well, you know, I'm not going to apologize for being all over the place because, you know, this is the security cocktail hour. And my original concept for this was like you're a bunch of security people talking at a bar. So sometimes the discussion does go all over the place. But you're right. We should know who we're talking about. We have some very esteemed company. So maybe you can all tell us a little bit what you care to release about what you do. And Jen, even though you've been here before, we'll let the ladies go first.
Okay, thank you. And then there's been an update since I did the last show. So I'm now the Chief Information Security Officer for Risk Aperture and working for Roger and with Pat, which is very exciting.
Well, congratulations on the new job.
Thank you.
We should drink to that, everybody. Drink to that, absolutely.
And the hurricane's really strong.
That means things are just going to get better.
And it tastes kind of terrible.
Well, it's the passion fruit at the end. If you put the passion fruit, that's a really strong flavor. So it kind of depends on what rums you choose, too, right? So at least I chose matching rums, that they're from the same company, a dark and a light rum.
Yeah. No, Roger, I've got swill. It's like Bacardi.
Yeah, me too. I want to add a new rule. If you're on the show at least the second time, you're kind of a guest co-host.
You gotta do it that way.
Oh gosh, Adam, that's a lot, putting a lot of pressure on people.
Yeah, Jen's now kind of a guest co-host. She gets like, you know, that honorary title. I don't know.
Thank you. An honorary title. Perfect. Thank you. Pat, do you want to talk about your esteemed background?
Sure, why not? Hi, I'm Pat Arvidson. I spent a combined 36 years in the Department of Defense and NSA. I started out as a Chinese linguist. And I rolled into doing threat intelligence. Eventually, I was the senior information assurance liaison to NATO headquarters in Brussels, which was an awesome tour. I was also a founding member of what was called the Network Attack Support Staff. So that's the predecessor, predecessor, predecessor of US Cyber Command. And then I spent a tour at the Pentagon as the executive director for the principal cyber advisor, which means I was the fifth most powerful person when it came to cyber in the Pentagon, which really means I got the Secretary of Defense coffee quite often.
Wait, wait, wait, wait. I'm sorry, Pat. I need to know this. This is important information. How did you like his coffee or she like her coffee?
Black.
Thank you. Thank you. Of course.
That's the only way you should be drinking coffee. Yes.
And then I finished up my tour running a couple of programs, but the one that I'm actually fondest of is a program we call DODCAR. And DODCAR was DOD Cybersecurity Analysis and Review. And really what it was, was how do you use threat intelligence effectively to optimize your security stack, right? And from that, we used major investments in the Department of Defense. We saved roughly over $2 billion one year by honing in on what was the real risk and not what was the flavor of the month. And after that, I went to another startup after I retired and then joined forces with Roger, because I believe what we're doing at Risk Aperture is actually, to be honest with you, kind of been the missing link for a long, long time.
Well, I've got to tell you, hearing that, I think the most impressive thing might be that you got DoD to actually save $2 billion. Who else can say that?
It was pretty cool. And it got to the point where even after I left the Pentagon, I was still getting phone calls about, hey, can you do analysis of this and tell us whether we're doing it the right way or not?
I thought you were going to say that they were looking to find out how to get the coffee.
That's a different issue. No, so you have to understand in the government there's basically a little tin can and you have to put money into the tin can before you can take coffee. Nothing is free in the government like that. Everybody has to bring it in and pay for it. It doesn't matter. Even if you go to super crazy places and you think, oh, they'll have coffee. No, there's that little tin cup and you got to put your dollar and your quarter in and have some. So I guess that leaves me, is that right, Joe?
You're up, Roger.
So I started my career for a small company. We were an IBM partner. I used to code assembly language.
Oh, God.
And then I was a product manager. And they basically said, hey, I wrote an assembly code for Citibank as well. But they're just like, hey, we have this new product. We want you to take it over. It's called Internet Dial-Up. Then I was recruited to a really feisty, small startup. We were scrappy, kind of doing our thing. It was called Netscape.
Oh, God.
We did okay at Netscape, I think, in the end. I'll tell you, I've never worked with smarter people in my entire life. Everybody was. So, funny story, you go out to Mountain View to get your sort of orientation. I'm sorry, we're going to have tons of stories tonight, too. And I sit down for lunch, and this is, you know, the very start of the big tech boom, you know, the internet boom, and they have the chef and everything. And I sit down and the people are there, you know, and the guy I'm working with, and we're like, hey, what'd you do this weekend? I'm like, well, you know, just putz around, you know, playing a little golf. And the people across from me, it was husband and wife, they're like, oh, well, we created a brand new scripting language called Perl LDAP this weekend, and we just published it. And it's like a way to use Perl and LDAP together. And I'm like, hmm, maybe I need to up-level my game a little bit. Because it was one of the most mercenary places that you'd ever worked. It was very much a meritocracy. And you had to really work hard to be there. Then I went to Sun for a while. And then Gartner. I was a managing partner there. And then I was at the CIA. They sort of asked me to join to mess things up.
So, Roger, I need to know, what was the first assembly language? Was it like a Z80A? Is it 6809? Was it 8088? What was it?
No, I was using an Apple II, right?
That's back... Yeah, it's 6809 or 6509, right?
Yeah, because what happened was I was one of those nerds that I wanted to go to summer school because I, you know, I'm a nerd. And they would offer free programming classes and basic. So I think like when I was in high school, I wrote a program to do, to teach people how to do math. And then I wrote like a little game from scratch using a joystick, which was really incredible to use a joystick at that time on an Apple.
So Roger, you're going to call me a liar. I did the same exact thing that you're talking about. I wrote two things: a program to use to draw things and also to teach math. It's in TRS-80 Microcomputer News back in 1989.
Yeah, so it's, remember you used to get those magazines and they were always messed up? Like they never had the code exactly?
Correctly, yeah, yeah, yeah.
debug it, because I had this one, it was like this M.C. Escher thing where you would start in high graphics and you would just plot stuff, and it was supposed to mirror the plot, and it never worked. And I had to debug it and finally got it to work, and I thought I was like a super genius. It was amazing.
So Roger and Pat, I don't know about you Jen, who's into MUDs? You know MUDs, like the games, the MUDs?
Yeah, like on, like IRC?
Yeah, IRC, MUDs, everything.
I don't know anything about that. Yes. So I may or may not have some familiarity.
MUDs were like Dungeons & Dragons, you hit L, L, L, left, left, left, pick up, yeah. Oh my God.
I'm so old, we would play the game, like man, the big game when I was a kid. Oh, I did that, too. Oh, yeah.
Yeah, yeah. Yes. It was all text.
Why?
Which game? I heard you. It's about Zork.
Do you remember Zork? Of course, Zork. Yeah. Zork was the one I played all the time.
Yeah.
So now we know we're all. So anyway, I was at the CIA and I was one of the CTOs there and I was working on cloud and working on a lot of really interesting capabilities and data science at the time. And then I left to start my own company, which was called Cognitio. And then we started Risk Aperture. So, I have just been a dedicated technology geek my entire life, without any shame whatsoever, right? And I've worked in the intelligence community, my gosh, 25 years, 26. God bless.
I'll tell you, Roger, you talk about upping your game. When I see like Joe and Roger and Jen and Pat, I'm like, I feel so small, man, I haven't done enough.
Thanks for throwing me in, Adam.
Yeah, you're welcome, Joe.
The thing about the early technology stage was that it was so mercenary and it was very much a meritocracy. And nobody cared anything about you except how good your code was. And it was almost a competition daily, that you had to go in and write the best code. So I did this thing at Netscape where we were just using LDAP, because we had a beautiful LDAP server. And I went to a client and they had about five million customers. And I migrated all five million customers to the newest version of our directory with five batches, 100% of the time. And those scripts are just, to me, they're just like art. And I showed it to one of our CTOs one time at our other company, and he's like, dude, that's beautiful. I'm like, that's the whole point. That's what technology's about. It's not writing all this stupid code that you had to sit there with the little flashing cursor. Now I know how old I am, because now everything is just so driven by point and click. But you had to write really tight code, right? And nobody does that anymore.
Yeah, I know what you mean. I actually, I'm also old enough to have started out as a Unix admin. And I remember you script everything and like the guy who was the king of the admins was the guy who had a bunch of shell scripts and sat there and read the paper all day. He didn't have to do any work.
Oh, man, I love Bash. I love Bash scripting so much. And I love Perl. Perl's like duct tape, right? Perl can do anything. And that's the thing that people don't realize is, you know, and then you look at this new stuff. Like Python I really dig, but Python is so buggy from version to version, and they deprecate stuff so the commands don't work all the time. But it's a great little language. I love it. But you've got to be like, I'm only learning version 3.14 or whatever version because they change it so often. I'm sorry, I still code stuff. I shouldn't say that, but I'm a nerd.
No, when I was working at AQR, the hedge fund, there was this guy and he was on a big kick with Rust. And he's like, do you know Rust? I said, no. He said, learn it. I said, OK, sounds like a good idea. So then I did. And that was fun. But I always love staying really close to all aspects of things, because they all connect. And there's so much creativity to technology, I think, that we don't consider.
Well, no, I think that, because I have a lot of musician friends, you can see the guitars, and they all talk about, you know, the evils of certain platforms, like I don't like Spotify, I like Tidal or whatever. But I don't think that people realize that technology is just as creative. It can be just as creative as writing a song, or just as creative as painting, and that same sort of flow state exists, as when you're playing a song or writing a song. That is the same, to me anyway, the same creativity that goes into writing really good code or creating a platform or creating an idea. I don't really see the delta, personally.
I did some Cisco training down in Herndon, and when I did some Cisco training, I went to a CCIE class. For those who don't know what CCIE is, it's Certified Cisco Internetwork Expert, if I said it right. And the instructors were saying, you know, how many of you are into music? And of course, I didn't raise my hand and I felt inferior. And they said, the people that know music are really good at configuring routers and switches and firewalls. They know how to code and put the right, you know, access list. And I'm like, okay, I failed. But the point I'm making is music is definitely an extension of a certain level of creativity. There's no doubt about that.
No, I think it's the same. And you'll see a lot of technologists or people who play musical instruments or do other things like that. I think it's the math piece potentially, right, overall, as if I were to say something about that. I'm not trying to denigrate anybody's creativity or say that... I just say that there's a par value, in my opinion, of being creative.
Yeah, it's right.
Yeah, there's been many, many studies on what side of the hemisphere of the brain does what. And music, math, languages all come out of one side. So it only makes sense that if you are good at math, you might be good at music. If you're good at music, you might be good at computers, coding, whatever it is, right? But that's one of the reasons why we refer to it as an art, right? Some of this stuff is obviously it's science, but there's an art to what you're trying to do, whether it's coding, whether it's threat intelligence, whatever all it is, right? Understanding the pieces and puzzles and how they all connect together is artistic.
Or whether it's tradecraft, that too.
Yeah, that too. All that stuff, yeah.
It all comes back to that.
Yeah, it really is true that the people that can reproduce the same type of results doing many different solutions, or finding solutions for many things, they're rare. I've seen people write scripts to do things and I was like, how did you do that? But now, we used to talk about people that did hacking and we called them script kiddies, but now the people that are writing the scripts today, they're all using ChatGPT.
Yeah, they're using ChatGPT. Remember, what was it, Lion was one of the little script things that you would buy. So here's the thing, because I think this goes to one of our first topics, which is about commoditization. Right? So if you look at the intelligence community, or the capacity of the intelligence community, or nation states, or what we call national technical means, it's become very commoditized. So remember, okay, let's go back, you know, 90s, 2000s. Pat knows a lot about this as well. I want to launch, you know, a DDoS attack. Well, first of all, I got to create a zero-day or some kind of malware that's going to infect a series of computers that are connected to the internet. And then I will create a command and control capability on those and then hopefully be able to mass enough compute to launch a DDoS attack against you. But that's going to take years. I mean, months. You're not talking weeks or days. And then when cloud computing started, it was a boon, because I could spin up servers and I could start to say, I don't need to launch malware anymore, I can just spin up servers. And I remember when I was at Gartner, we would talk to Amazon and we did a bunch of projects with them. And part of it was, it's hard to tell what one guy doing day trading being very successful looks like versus what somebody launching malware attacks looks like. And you could see attacks start to come out of the various cloud providers, you know, at 50 megabits a second, right, or a half second, 100 megabits a second, because they could just simply take over compute. So that commoditization, in my opinion, is, compute's basically free, so I don't have to do nearly as much as I had to do 25 years ago to be successful. I mean, Pat, what's your... do you agree, disagree?
No, I agree with that. I mean, it's an interesting story, right? When you start looking at DDoS attacks and the maturation of them and how they've gone, right? You know, I remember looking at cases and people and organizations that were driven out of business, right? Just by, you know, Cloud9 was a famous UK company that was actually driven out of business. They were driven off the web, right? And then the argument back then, a lot of the argument was, well, can you actually see that? And if you can see it, can you stop it? And I'm not talking about the people at the endpoint, right? I'm talking about the internet service providers, the big things like that. And that became a really heavy conversation, right? Does AT&T, CenturyLink, Verizon, whoever the heck. Because I could look at internethealthpulse.net years ago and see the major connections and go, there's DDoS flowing across there. It has to be. And then you talk to them and they're like, no, you're just looking at a spike in traffic. That's not necessarily a DDoS attack.
Yeah, but it's everywhere though, Pat. It's not just that. So it's even just the intelligence function. So let's wind back to like the 60s. So in the 60s, you might take all this time to generate and groom and collect an asset. So an asset is somebody who actually spies. Intelligence community agencies don't spy. We get people to spy on our behalf. And you would say, OK, we got this Russian guy. He's in the military and he smuggles out or gets to us 15 pages of the Russian military's order of battle for Eastern Europe. And then people would make a career out of that. Man, we got 15 pages. That's amazing. And we have satellite pictures. Today, I can download the entire thing in 0.001 seconds, right? Or I can find 20 petabytes of all that immediately. It's the same thing. So that's the commoditization, things that were really hard to get. Remember, satellites like the Corona satellite were created because we couldn't get assets in Russia. So we had to see what was going on. So we developed a whole series of technologies just to basically take pictures. So that's where they would have the big rolls of glass film, and they would be ejected from a satellite, fall through the surface, and airplanes would go grab them. And then they would be collected into one kilometer by one kilometer pictures, which are called tiles. So that's even today with Google, you get a tile, right? And that's all the way back in the 50s and 60s with the intelligence community. But now you can go look at Google Earth and look for anything that you want. People, there's a whole website based on, look, we found weird crap on Google Earth, right? And they update it all the time. So there's this thing called a light table. You can see that at the Udvar-Hazy Center, it's back behind one of the space shuttles. And you would get this tile, and you would stick it on this light table. It was like a 3D-effect thing that you would look at, and that's how you would do your intelligence gathering.
It's all done by Esri now and other companies. So that's what I mean in the commoditization curve. So it's easy for anybody to act as an intelligence agency, almost. So that's like Bellingcat. Bellingcat's come up in the news in the last year or two. Because they actually do the same function as the director of analytics or analysis. And they do the same thing as open source. And they basically just use open source capabilities to create the same exact kind of product that an intelligence community funded by the government does. And I'm not saying it's equal, because it's not. But it's getting very close to a particular level of expertise. I mean, Pat, that's you, unless you guys have a question, but what are your thoughts, because that's what I see happening.
No, if you're talking about the commoditization, I completely agree. I mean, there is a reason, right, there is a reason that Congress is pushing very hard on the intelligence community to move further and further into open source intelligence, right, what we call OSINT, right. The fact of the matter is, that stuff is as good as, right, and in some cases better than what the intelligence community has. Right. Because the intelligence community is restricted by a lot of different laws and a lot of different things. Right. Some private company is not restricted by those same laws and effects.
But we would have the same argument all the time. It's like, well, why do I want to spend a lot of money and time to convert Jennifer's asset when I can just convert her telephone?
It doesn't cost me anything. Yeah, I mean, that's a completely, you know, that's a different topic, right? There's commoditization, where the availability has become so much commercial. But if you want to talk about the interconnected or the hyper-connected internet, right, and the impact it's had on intelligence gathering. Yeah. I mean, there's, you know, there is no need for a Jason Bourne. Sorry. There's not, right. It makes for a really good movie, but you don't need it, right, at all.
So I think it's interesting too. So you both have this government perspective, and I've essentially come up through the financial sector, but have OSINT skills and have been focused on developing and building out threat intelligence in a meaningful way and understanding human and trying to pull this together from the other side of it. And the capabilities and what you can do are incredibly powerful, and how you get creative with it and the different things you can find. And it's fascinating. It really is a very, very interesting field. And then you have all of these other forms of intelligence that have evolved, certainly like the ad intelligence, the social media intelligence, all of this data that you can pull from.
But that's the thing, Jen, is that when you see stuff, it is basically this capability that grows. So I did this speaking engagement maybe eight, nine years ago, maybe a little longer. And I told the crowd at the time that every company was going to become a data-driven analytic powerhouse, and that was the only way to gain competitive advantage in the market space, is that your ability to collect and exploit data was going to drive your success. It didn't matter whether you made steel, or if you made routers, or it didn't matter what vertical you were in, or if you sold insurance. I told them, I said, you're a technology company that uses intelligence, who happens to sell insurance. And that's just the product you happen to vend that day. And I think that speaks to this commoditization, right?
I do want to make a subtle point, though, right? One of the key differences, and it's rooted in how they're built and funded, right? The intelligence community is not a monetary generating organization. No. Right? Private companies are, and they should be. So don't get me, you know, I'm not arguing that. But what I'm going to say is, the difference is, is the intelligence community does have a level of rigor, right, that they have to meet before they produce an intelligence report. So there are some checks and balances they go through before they actually generate it. That's why it takes them a few extra days compared to an organization. And the second thing is this, is the intelligence community actually decides collectively what the hell they're going to call something. So there's a reason that the Chinese groups are Volt Typhoon, Salt Typhoon and whatever the latest Typhoon is, right? You want to go out, Cozy Bear, Cozy this, whatever it is, right? Yeah, you know, right, Salt, China; Cozy, Russia, da da da. You go on a Microsoft release or a Palo Alto release or somebody else's release, you're like, are they talking about the same group of people? Who the heck are they talking about, right?
That's so funny you say that because we were talking about that with all these different threat intelligence companies, some using APT numbers, some using names. You know, we often wondered, there's no chart. If there is, it's not officially, you know, sanctioned by anybody. Oh, you're talking about Cozy Bear. Oh, I think it's APT 36, but you're not sure.
Yeah.
So there's no standard.
MITRE tries to do that. If you're familiar with MITRE ATT&CK, you have to go into it, right? If you deep, deep, deep dive into it, they try to do that, but they can't keep up with it. Don't get me started on that kind of, you know, the standards issues between private companies, public is going to be the thing that breaks public-private relationships. It's just going to make it unwieldy.
OK, hold on. We've got a lot going on. Who's up?
I have to ask something, because I've been wanting to get this since we even started preparing the show, which is, you know, you're talking about, you know, I've been a customer of intelligence, but of the, you know, commercial intelligence, those firms that produce it. And one of the biggest questions we always have is, you know, how good is it? And I can tell you, at least me and many people have made the assumption that it's not as good as what the government has.
Oh, it's not.
Are you saying it's getting closer, though, because of the OSINT exploitation?
It is getting closer, but you have to remember, from a nation perspective, and we're the wealthiest nation on earth, the United States, we have the ability to pursue information that other countries, it's just not economically feasible. And we don't count the cost. There's no way to say an intelligence operation can be benchmarked. What you're looking at is, is the outcome and the result worth the money that you spent? And so you just say that getting this information or getting this advantage for our leadership to make better decisions is worth this much money. But I think most companies need to start adopting that kind of thing. Free intelligence that you get every day in your email is worthless. Because it's just repetition of other pieces of data that's reposted from other places.
Like stock tips. It's stale.
It's stale. Basically I just delete every bit of it because it doesn't mean anything. There's a couple that I'll read, but unless you're actually paying for it and there's a value to it and that you see what they're doing behind the scenes. So what you want to ask is, okay, if I'm going to pay you $10,000 a year, $100,000 a year, $1,000,000 a year, I want to know what your methodology is, I want to know what your discipline is, I want to know how you're validating. Because remember, in large data, the thing that's always missing, because Pat and I did a whole thing with this, was about veracity. So, one of the things you have to understand is that a lot of data is, a lot of sloppy intelligence is gathered by people self-validating. They'll say, oh, somebody posted something, but somebody else reposted. Well, that's a validation of that. It's not. It's not a secondary or tertiary piece of data that comes and triangulates. So, what a lot of these companies do, and they're like, well, I'm just going to post, you know, my daily cyber update. Well, first of all, nobody reads it because it's too much to ingest. Secondly, none of it's really relevant to me as a company. And I really don't know where the hell it comes from. So how do I know it's not somebody trying to influence my decisions? So there is no value in free.
Well, and it's, and that's, it's funny, right? Because Joe and I have had these conversations when I worked for Joe, when we're looking at threats, threat intelligence companies, some of them regurgitate other people's threat intelligence and others have poisoned it purposely to show attribution to the original company. The other part is all these companies like, hey, we're XYZ Threat Intelligence. We got 8,200 people working for us. We have NSA, we have CIA. It doesn't necessarily... What? Go ahead.
Yeah, right. Exactly. And, but when it comes to what they're actually doing, they're completely opaque. It's like, okay, you got smart people.
That's the thing is you got to look, you got to delve into it. If I'm going to start making business decisions based on some piece of spam I get in the morning, I'm probably not in the right position to make that decision. Second thing is, you've got to really start delving into, does this company that I'm getting information from actually understand my vertical and what I do? And what is their process for collecting data, right? So, while there's a commoditization curve that occurs and it's much easier, the barrier of entry for you becoming an intelligence agency is very low. I can do that tomorrow if I really want, or Jen can or Pat can. But that doesn't necessarily mean our information's correct, right? And that's the value. Yeah, Pat, I'm sorry.
Yeah, you're starting to delve into the pyramid of pain, right? What is good intel, right? So first off, bone to pick, right? A lot of the intel providers talk about these are all, we have 80 billion collection points, right? And all of our collection points are different than our competitors. That's baloney, right? So first off, their collection's one of two things. Their collection is either from customers, customers endpoints are pulling data off of that, right? Or they're leasing computers out in the wild, right? And do you think that companies that are leasing computers out in the wild aren't leasing them to multiple different companies? My sneaking suspicion is that it's 80% overlap, right?
Easily.
So when you have 80% overlap, if I come out and say, hey, guess what? Red Panda is going to attack Jen, and Roger comes out and says, Red Panda is going to attack Jen, because we're both looking at the same data. But I now verify my report by saying, Roger just said it. In the Intel community, we call that circular reporting, right? But there's no validity to that data because it hasn't been vetted or validated or anything like that. We're just bouncing ideas off each other saying, hey, we're good.
Right. So prior to this, and I think we spoke about this on the last program, Joe and Adam, because of all of these things and because all the data is stale, and you get inundated with data. And if you have, IOCs are helpful in terms of blocking, but indicators of compromise means someone's been compromised. And my focus has always been, that's a failure. I want to get to the left of that. I want to figure out what's happening beforehand, understand that, and then prevent it to the best of my ability. Why are they being targeted? What is it about them that's attracting cyber criminals? And so I was really focused on pulling people in. A lot of the people from the team I was on were from DC3, which you guys are probably familiar with IC3, and then there's the DC3 version, and HUMINT, and just getting embedded in these different groups and being able to monitor some of this activity from an old-fashioned intelligence standpoint and looking at things in the planning and reconnaissance stages, and then understanding how they're targeting specific organizations and then correlating all of that using, you know, what you've determined around the patterns and the technology and methodologies that you put in place and then the proper validation and reporting of these things. But I think we've really, what we call threat intelligence is not actually threat intelligence. And it's a disservice because it's just keeping us behind in this very reactive position where we're not getting ahead.
That goes back to what we were just talking about, is what's the standard? Who has the standard for threat intelligence? What does that really mean? And I'll give you another example. Joe and I, we would do an RFI, and we would want to know, okay, we're involved in a certain merger and acquisition. And during that merger and acquisition, we wanted to know whether or not there was a possibility of somebody trying to compromise. Uh-oh. I think Rob's laughing, but we want to find out how somebody compromises something. Are they looking for us? Are they coming for us? And you would ask that question. And you would think that the absence of the delta of it, that nothing has been heard, means that nothing's going on. And that's not necessarily true. But then I would ask these threat intelligence companies, hey, how are you getting your intelligence? Oh, we can't talk about it. It's because you don't really do anything, possibly.
First of all, it's okay to tell you what my methodology is. It's not that you're going to replicate it because you don't necessarily have the skill. But it's okay to say that we have this kind of cell and this is the data that we typically collect. This is our validation process to create veracity. This is how we look at a report that's going to be specific to you, right? It has to be tailored. You know, the stuff that I see coming through is just, I'll look at it every once in a while. I get some tailored stuff from the government, from other places. But I think that, you know, what you have to say is, what decision am I trying to make? And you're always going to say, I want my company or my enterprise to be safe. But safety isn't necessarily the same as recovery or remediation. And what are the biggest problems I'm going to have, right? And what are the attack vectors, people looking at me, but all that is based on your company, right? So you always have, we call it, there's two things, it's institutional debt and technical debt. So how you operate as an institution creates one circle in a Venn diagram, and then how you operate with your technical debt creates the other piece, and that overlap is where your risk really lies. And that's what you're really trying to defend against. So it's not just, first of all, you never know, how do I defend against the zero day when I don't know what zero day is going to be released tomorrow? That's bullshit. I don't like that. Like almost every company that we look at is utterly tactical and looks at known attacks. We catalog known attack vectors. Well, they're already fucking known. I'm not allowed to say that.
That's fine. That's fine.
That's the half of the hurricane. But the problem is, well, known ones are already typically patched, right? Or they're not patched, or it's usually human factors. But if you only have a tactical capability that's looking for an anomaly that's already known, then you've lost part of the battle.
So two things on that I want to address, right? The first one is, you can use that intel, right, if you use it correctly. Right. Right. And one of the ways to use that correctly is, believe it or not, heuristics. Yeah, right. So you take the MITRE heat map and you sit down and you look at, I don't care what you look at, look at 50 good reports, right? And I'll categorize good reports as it's got the adversary TTPs, it's got the adversary's method of exploitation, you've got what the adversary exfils, right? 89%, 89% all required some type of command line access. That's what it needed. Right? So if you have a good intel group that's looking at trends, not just blocks, but trends, you know off the top of your head, I better lock down whatever command line access I have, command.exe, Windows PowerShell, whatever the Mac version is, whatever it is. Right? I'm going to put a block around that, and I'm going to lock that down. Guess what? I just stopped a crap load of zero days. Right?
Well, I think that's cool. But, you know, it kind of gets back in my mind to something we talked with Jen about last time is, you know, when you talk about trends, they're kinds of general trends. When I was, you know, director of a security group, what I really wanted to know was, you know, can I get any insight into what's coming at me and get it before, not the stale IOCs, not the general view. It's like what can be as focused as I can.
That was the second point I was getting at, right, was what I would call indications of warning. So when you take the 1920s risk formula, right? Risk equals threat plus vulnerability plus impact, right? Threat is actually broken down into two other things. One of it is capability, no problem, right? That's what we spend all our time looking at. But the other part is intent. Commercial intelligence organizations cannot get intent.
Well, it's harder for them to get there. But I think that's the problem is contextualizing the intelligence for themselves is the issue. Because you have to remember that, you know, what's important, you know, what are the things that are most important? My intellectual property, right? Things that we're doing from a building perspective.
Crown jewels.
Yeah. Well, I don't like to call it crown jewels as much because I think that's tired a little bit. But for example, like if you watch like McDonald's, McDonald's is a real estate company, right?
I was just going to say that earlier. Go ahead. Yeah.
It's a real estate company. And they do a ton of research into where they're going to place their restaurants. And you'll notice that as soon as a McDonald's is built, a Burger King or a Wendy's or something appears, because Burger King and Wendy's just say, well, we're going to build wherever McDonald's is built, right? So that's the part that they're trying to get to. So that's an intelligence capability. It's like, well, I got to keep them, in order for me to keep ahead of the competition. And what companies don't see is that nation states like a Russia or China are very interested in that, because of the commoditization of IP. They're using them as free research and development. So if you've created something that's interesting and you're selling it, well, if they can just commoditize it and sell it, well, you know, wherever they sell it in their markets or even back to us, it behooves them just to steal it from you.
So I agree with you, but that's on the impact side. When you're sitting in Joe's desk, in Joe's seat, and he wants to know who's going to attack me, part of that is intent. So if I'm a CEO of a bank, I don't care about the Joint Cyber Advisory about Volt Typhoon. They're going after electric grids. I don't care. But if I'm an electric grid owner, I care about that, right? And I've got to tailor my defenses based upon who is going to attack me and the intent that they're going to attack me. And again, throw on the impact in there, I'm not discounting that, right? But what I'm saying is don't spend money on stuff that doesn't matter. And the only way you can figure that out is, the only way to figure that out is, who's going to attack me and how are they gonna attack me and why are they attacking me?
Why are they going to attack me? What makes you appealing to them? And when you talk about intent too, so I always go back to this and say that, I started out as a psychology major, and I always go back to the fact that understanding psychology and behaviors has been very helpful in this career, and looking at intent and examining cybercriminal behavior, and I'm extremely interested in those patterns, the behavioral patterns, how they occur, the sequencing in which they occur, and monitoring that activity and then making sense out of it, being able to inform an organization so that they can take action in advance of being attacked, and also why they're appealing, understanding that, monitoring that type of chatter, and providing that intelligence to them, but doing it in a way that, to your point, contextualizes it for their business. How is it meaningful to them unless it's meaningful on the business terms and what they care about? So it's really important to start doing things with more, that are just more specific to organizations, more meaningful. We can't afford to have this flood of data. Sorry. I'm sorry.
I'm really excited to tell this story. So story time, right? So way back when, I was still in uniform. Like I said, I was a Chinese linguist. But I was part of an experimental program to get put into a cyber threat. This is before we even called it cyber. And I wrote a report based upon a Chinese hacking group. And what they were doing, they were hacking their way around the world. This is just web face-to-face. They were just doing web face-to-face. And they were doing this thing around the world. And in the chatter, just in regular IRC chat, right? The US hacker group was starting to say, they better not come here. They better not come here, right?
Beautiful.
And they started, you know, it started being like this whole argument over at this website back then. But so I wrote a report that basically listed out, I plotted out how many days it would take to get there and everything else like that, right? And I wrote what's a predictive report that's saying on the 4th of May, it may happen on the 4th of May because there's Chinese significant cultural significance. It may happen on this day because of Chinese cultural significance. So I factored in some of the culture aspects to it, right? I published that report in October, right, saying it was going to happen in May. It went on a speaker circuit, start talking to everybody and everything else like this about it, because it was the first time that we had a predictive report. And it was awesome. Until, until a stupid pilot ran into the EP-3. So, so believe it or not, the hacker war still happened. But everybody blamed it on the EP-3 that happened two and a half months after I wrote the report that these are the dates that was going to happen.
Well, I'm sorry. I might be in the office. What's EP-3? Yeah, you gotta translate that for us.
Oh, I'm sorry. It was a Navy spy plane that the Chinese collided with.
Oh, oh, okay. Yeah. Don't you remember that they had to land in China and then they sent the plane back to us in pieces after? Yes. Yeah. Yes.
I have a lot of friends on that plane too by the way. I remember that because because we were like arguing with them about getting it back and we wanted to get back intact and we don't know what we got back because it was all whatever, pulled apart.
That's okay, but if you did that to them, the Russian, some guy defected with one of their, you know, a MiG-25 or something, and we returned it to them in pieces, right, after we took over.
Yeah, I saw that movie with Clint Eastwood.
Actually, if you go to Wright-Patt Air Force Base, you'll find some other airplanes sitting in hangars that were torn apart.
Right, yeah, I mean, there's a whole different, that's a whole different topic off-topic.
Yeah, but let me just tell you this, Roger and Pat and Jen, and I don't consider myself really an intelligence threat guy. I've never really did it at that level, especially your level. But for somebody like me, and maybe Joe, and Joe was more knowledgeable on threat intelligence, you guys have a different perspective because you have a different level of training and exposure. And because of your exposure, you might not see it the way I see it. For example, for me, when I was looking at stuff, we didn't have that level of complication. For us, it was, oh, Adam, go find out whether or not you can work with one of our threat intel companies to find out whether or not you can do an RFI to see whether or not they're aware of a merger and acquisition we might be doing. Look for chatter based on our firm on specific dates. And I might not even know all this stuff because I wasn't privileged to all of it. So go find out about something you don't know. But you guys... Go ahead, I'm sorry, John.
I was going to say, you're right. And, you know, you're kind of getting to the thing where we're in the, you know, rubber meets the road thing of running the security group. A lot of things we get like that were tactical. And, you know, the executives would like to say, find out about this, find out about this, ask a question. Okay, that's useful. But, you know, the deeper stuff that I think we've been talking about also are, you know, the trends and, you know, it's like, okay, where should I be focusing my program? I know I have these threats. Which are the ones that the people out there are interested in? You know, I know I have this, I hate to say crown jewels, but I have all these various jewels. Which ones are they trying to steal? You know, that kind of thing.
But that's the problem that we see in the world, and that's sort of what Risk Aperture is doing. But we want to contextualize it for you and say why. But I think that for most companies, they focus so tactically on the moment. Right? And then all the products that they buy are very tactically focused. All of them are magic wands, right? It's not a black hat. And everybody has their magic wand. You need to do this SecDevOps magic wand. You need to do this, you know, two-factor authentication magic wand. You need to see how many computers are on your network magic wand. I mean, those are all valuable. Don't get me wrong. But it's really not a strategic view of cyber. It's not saying, how am I really managing risk in the enterprise? And that's the problem that I think most people have, is it's always been looked at as, oh, it's just some technical geek dude who used to play, you know, Hitchhiker's Guide on the computer on his Apple II. That's the problem, right? And the problem is it's not people in their basements anymore, it's not kids. This is a business. Cybercrime is a huge business. And it has all the markings of a typical market vertical. There's innovation that occurs. There's mergers and acquisitions that occur. There's innovation that occurs. There's investment that occurs, and they're all looking for the return on that investment. It is just a new market vertical, and I don't think people take that seriously enough, and they don't look at it as that. They're like, they just keep in their head, oh, it's just Roger sitting in his mom's basement with his computer and his headphones, you know, listening to Rush and doing whatever. That's so far gone, right? That's like just noise now, that people, this is a serious business that makes tons of money, and why wouldn't they target you?
Yeah, the interesting thing is, right, if you go and you talk to the CFO or whatever it is, right, from, I don't care, any manufacturing company, and you say, hey, I read in the paper today that there's a conflict brewing between Elbonia and somebody else, right? How is that going to impact us down the road, right? They'll pull out spreadsheets, apply everything else like that and have it laid out, right? You know, there's a train strike coming from Canada. How is that going to affect our supply chain and our resources? And they'll have all that laid out. The reality is what they don't understand is that same scenario is affecting their cyber risk. It is.
Right.
And it's just not factored into the business aspect of it.
Right.
No, for Risk Aperture, we call that outside pressure.
Right.
So what we're doing, and Roger can better articulate it than I can, especially after the hurricane.
That's a business skill, doing it after the hurricane. They did that in a movie once. They made you drink and code. But go ahead.
And let me just rewind before I even finish with that statement. I have to rewind for a moment, because Adam, you said IRC. It's still alive and well and fully in use by cybercriminals. They love IRC. So in case you get nostalgic, just sharing that information. But looking at what the outside pressures are, and one of the biggest things I've always felt in my career is, why are we so siloed? Why aren't we looking at the risk in terms of how it comes together cohesively? We look at the little pieces, but we don't look at the whole story. And it seems really uninformed and not a great approach to looking at how we navigate in the world. And so are we considering the geopolitical pressures and the context there and how that may impact what's happening? Are we considering the targeted threat intelligence? And we can get a lot of information now utilizing predictive analytics and data science. It's incredibly advanced and there's so much more that we can do in such a meaningful way.
Yeah. I got one better for you and Roger and Pat and Jen too, right? Think of it this way. We talk about all these different things, the environment, the different things that are happening geopolitically and what might affect it, but sometimes there's no rhyme or reason other than the fact that somebody just wants to do something. Somebody wants to pick a place. Somebody's, and maybe I'm wrong guys, but what we don't think about is, a lot of the times, yeah, I follow the MITRE and I did two-factor authentication, I locked down my command line, but did you lock down that camera system that you have? Did you lock down your IoT devices? Because you might protect everything in your network, but did you look at your third party stuff? Did you look at that stuff, right?
Oh, but so that's another great topic about what we're doing on the third party side. And Roger can speak to that more eloquently than I can.
But what you're going to understand is that most of the time from a cyber perspective, your weakness comes from third party, right? And third party doesn't just mean the HVAC dude from the Home Depot or Target attack. Third party now means like CrowdStrike, right? Or SolarWinds. So when you're a SaaS provider, you're like, well, I'm going to use all the SaaS provisioning tools because they seem to be cheaper. You're like, well, I'm going to be sending my data to SaaS. I'm going to accept all these updates in the APIs. Well, you lose control of that. So you're only as good as, hopefully, the engineers at CrowdStrike are. Not to be mean to them, but they had an issue. It's not a cyber issue, let's say. But they had, let's say, an attack of incompetence. So now I'm reliant on them, upon a company having the skill sets and the capabilities to do something that I have outsourced to them. And I have to rely on the competency of those people to do their job in order for my enterprise to continue to operate.
I want to pick on one thing real quick, Adam, because all the points that people are making are valid and they're very, very good, right? And it's important to understand all those things. The point I want to pick on is that how you segued from somebody just wants to do something and do I have my webcam locked down? Do I have this thing locked down, right? Yeah. So there is a distinct difference in skill level from somebody who's just going to do something and go after your webcam, as opposed to somebody who's going to do something and go after your third party to infect you, to somebody who's sitting in their basement just trying to do something, right? Like Roger said, Because cybercrime has become so institutionalized, right? They have HR departments, they have all these things that go on with it, right?
Occasions, yeah.
You don't have to worry per se from the guy, or girl, whatever it is, sitting in their mom and pop's basement that's doing something because they're trying something out. Is it going to cause you problems? Yeah. But I'm telling you, if you have a basic patch management system, you're probably okay against that, right? What you're not okay against is the organized crime aspect of it, whether it's state sponsored or whether it's just a really good Lazarus group or somebody like that, that's really trying to generate funds, right? That's two different things, but it's important to understand the differences because you can get caught chasing the low-level guys really easy and not understand that your bigger issue really is coming from a different vector.
Let me ask you this then, as someone who may be in charge of it. Should I be more worried? I probably know the answer, but how do you feel about the difference between worrying about, you know, kind of the ransomware, the big guys where you're, you know, if you get on their radar or whatever, they're like, okay, they're going after you. Versus, you know, the little things, the opportunistic things. Because I can tell you that, you know, when you're in cyber security, you know, you hate to say, yeah, I got to focus on this, we got to worry about this, the kid in the basement. But when you get popped by one of them, God, it's embarrassing. And it's just, it's brutal, not only to you personally, but to the reputation of the organization. And executives worry about that a lot.
Well, that's the commoditization. So me sitting in my basement using stolen credit cards to spin up Amazon servers to rainbow attack you, I have that ability now. So you do have to worry about them just as much as you have to worry about organized crime. That's the problem. So where do you spend time and resource? Basic hygiene is the most impressive thing you can do, right? Just getting that stuff down is the easiest thing. But then starting to think about, okay, well, what do I do with whatever the analog to script kiddies are today? Because they're even more sophisticated than they used to be, and they share information on Discord, etc. So they're trying to probe around because there is still that ego problem that you have, which is, they wanted to show on Discord still that I got into your system. They're not really nefarious necessarily, but they have the equal value of a highly coordinated cyber cell. And you've got to take your time and make sure that you're thinking about all of them.
What about the kid in the hotel with the Amazon stick that connects to your network and compromises it?
The most impressive thing is typically like an open Wi-Fi port. It's really simple stuff that screws you in the end, right? Yeah.
Well, it's so funny because we've had so many people on and we believe it too. We say like, you know, what's the best thing you can do to improve your cybersecurity? What's the best thing? And I like the basics. Patch, get your accounts under control, look at your perimeter, you know, the real basics.
The last time I looked at a macro sense of that, it was a neighborhood of 80%.
Yeah, I was just gonna say that, yeah. You're limiting 80% of the attacks.
That's exactly right.
Well, okay, so Roger, Jen, Pat again. If somebody wants to get into your network and has money, let's just say it's a threat actor. Is it 100% chance of getting in?
Yes.
If somebody wants to get in, they're getting in.
That's what we think.
However, you have the ability to make that more difficult and less appealing to them. It's the same thing as having a security system or a lock on your door. It's a suggestion. It's an annoyance. It's something that is a... If they're going to get in, they can get in. They can take the door off. They can do whatever they're going to do. It just becomes that much more difficult based upon your security.
And it raises awareness, right?
Yes.
And I think what a lot of people... Go ahead.
I'm sorry. It comes down to a time factor, right? Can you keep them out long enough where they get bored and decide to go get somebody easier? Yeah. That's what it comes down to.
And that goes back to being a government agency. When you're a government agency, and you have unlimited pockets to a certain extent, and you need to accomplish a goal for a certain reason, you probably can do it if you really want to put all that effort into it.
Yeah, so think about it. So you may decide that we want to target X. That could be a 10-year project. That could be five years, that could be 20 years. So what you have to remember is that the biggest difference, if we come down and still in that commoditization curve, is the government has, the intelligence community has the ability to be patient. And I don't think a lot of criminals do, because they're looking for the score, they can't be that patient. So they'll take bigger risks overall. And for most companies, if you just focus on remediation, and you focus on recovery and identification... You can never stop anybody who's dedicated. Somebody will eventually come around whatever moat you have built because you consider yourself a castle. They will find a way to get behind the castle wall. So now what you're saying is, okay, somebody, you have to always wake up. If I'm a CISO, I would wake up every day and think, I have between 2 and 20 people in my network who I don't want in my network, at a minimum. There are people in my network today. And depending on the size of my enterprise, it might even be more than that, especially if I'm a global company. I have to wake up and go, there is somebody trying to do our company harm internally, and they are already in my network. What am I doing about it?
Yeah, I was talking to, story time, I was talking to a buddy of mine. They had five major manufacturing locations, and their headquarters is in the state of Maryland. I'll leave it at that, right? Commercial company. Brilliant, brilliant SOC guys, brilliant CISO, top notch, all the way around, right? And they start seeing anomalous traffic on the network, some weird anomalous traffic. They couldn't figure out what it was, right? And so they start doing the investigation. They start tracing. They start doing all kinds of things. They eventually track it down. They eventually find a Raspberry Pi that's been hooked up to their indoor garden to regulate their water system. It was put in and deployed by a janitor. Yep.
So Joe and I had something similar like that, where we saw what we thought to be, I want to say anomalous traffic, and it was a certain employee using like a PlayStation or something like that.
You see that a lot too. It used to be, a long time ago, when I was at Netscape and Sun, that people would have, you know, porn servers or something on the network.
Watching that too.
And they would have other things that they were using, you know, company bandwidth basically to create another thing. So that's still the bigger problem, right? So again, if you take nothing out of this whole, whatever, how long we've been talking: I would warn people that their intelligence gathering has got to be contextualized better. But more importantly, you must understand somebody's already in your network looking to cause you harm. Someone is. Once you're past like 20 employees or something, right?
Do we want to segue into zero trust now?
No, we don't want to talk about that bullshit.
I was going to say, we want to bash on that crap for an hour.
I've gotten thrown out of Joe's office many times for telling Joe, Joe, you know, you realize somebody's probably on our network right now. Out. Out. Out. Well, it's because you did it Friday at three o'clock.
Come on. Yeah. Come on. Pat, it's zero trust unless I have to trust you, then I guess it's not zero trust anymore.
I don't even want to get into it. It's another hour, dude. It's another hour.
But it does bring up something very important that I don't want to get too deep into. But it's like, yes, people are going to get into your network. Yes, it's going to happen. You can use the intelligence to avoid it. But the detection is so important. Yes. And the response. I mean, there are so many people who think, oh, someone gets in, it's game over. Not even close. You got to find them, you got to make it not only hard for them to get in, but hard to move around once they get in, so you can catch them. And yeah, those guys working for the company, they got a quota, they got to pop a couple people in their eight hours, and they might get a little hasty.
I finally found the audience to ask this question. I just realized it. This is the question I've been trying to ask for a long time. What do you guys think about packet capture for detection?
Adam's favorite topic.
This is your favorite topic? You don't have anything else going on in your world?
I just got a thing about packet capture. The most east to west, north to south.
The problem is that most companies don't have the right technology to do it. First of all. Absolutely. Yeah, we know that. It has to be FPGA enabled, right? So we're not, that's getting way down into the weeds and stuff. Because I like NVIDIA very much. I love their product, but recursive is recursive. Capture on an FPGA card will help you sort of look at things further down the line before they get into your network and you can do better anomaly detection.
So, let me ask you a question. Hold on.
Pat hasn't.
Pat's going to say something. As long as you're not encrypting traffic in transit. Yeah, that's right. It doesn't matter.
Well, we know about that, but my question is, if you had a company, and I'm not talking the company you have now, and you had enough money, no, no, no, but a company like, let's say you had manufacturing, and you had the money, would you do packet capturing?
I mean, I would look at this maybe as a potential thing that I would look at as part of a SOC. I'd be more interested in data coming in or going out of my enterprise. A lot of it's going to be encrypted anyway. I'd be more interested... There's other things I would be interested in, let's say.
Yeah, that's it. Seriously, that was always the argument with Adam. It's like, yes, it can work. Yes, it may be a good thing. But everything's a matter of priorities. And when you have something that expensive, it means we're not doing a lot of other things.
It would not be my first dollar. Yeah, it wouldn't be my first dollar. But it would be something like I would pick up a couple things to put into a router to look at some stuff and experiment with it and think about it. But from a bigger SOC perspective, you're looking for, it's just anomaly detection, right? Yes. But the problem there is that you've got to understand your company better, and where your perimeters are. A lot of really large companies don't even understand. Shadow IT takes over so much. We did a project with a company, and they actually, they thought they only had one IT department; they had five. And one of them was deployed into the Amazon cloud, which we really liked. Their architecture was really good, but nobody knew about it.
Could have been worse.
They had other problems.
All right, everyone, this is our longest episode. This has been fun. We could probably go on for another hour and a half, but we're getting up here to a last call where we kind of put out our final thoughts. And I guess also at the end of the show, you know, we'll emulate Howard Stern and say we're going to do the plugs now. Did you guys want to talk a little bit about risk aperture or just say where you are at least?
Yeah, so as a company what we're doing is we're helping contextualize risk for the executive, right? And we're helping you come up with how do you manage cyber strategically? Let's get out of the tactical weeds, let's stop talking about magic wands, let's start talking about what are the threats that we're going to face, to plan for that, how do we remediate and recover faster, and how do we understand how that institutional and technical debt, outside pressure, all comes together to create what the risk appetite for your company is. I guess that's probably pretty close, Jen, or Pat, do you agree?
No, I think we're just taking the culmination of our experience in the field and our different perspectives and bringing it together to look at risk holistically and in a meaningful way for organizations. And also distilling that information so it's consumable. And so people can understand we're quantifying and qualifying the risk for companies, which is really a huge gap that exists right now. You can't move cyber programs forward if you can't quantify what the risk is.
And you do it very, very well. You know, I can say you do have a lot of experience and thank you so much for sharing it with us. You know, the time has really flown by. I'm sure we could talk a lot more. Thanks again.
Don't ever get Pat and me started. Don't ever get Pat and me started.
Yeah, I think we've gotten you started, but we're nowhere near, like one to ten, we're on number two or three.
That's why I like the company so much, because we have people like Pat and Jack, and David and Whitney, and people who just really are good at what they do, and you would be surprised. It's our internal chat that we use. It's lit up even, it's even deeper than this. I mean, today we had, it was the one that we were talking about today, the article that you had, and then we were talking about how the second death was messing up. It just got crazy.
It's so good, though. I love these conversations so much.
The Office of Cyber and Emerging Technologies. Oh, yes, that's right. We had deep opinions about this. And paying ransomware or not paying ransomware. And you can't tell people to not pay ransomware when the cops never show up anyway. It's too late.
That's a whole other discussion.
Actually, actually. Let me defend the cops. No, it's not. The cop's job is not to protect. No, it's not. It's been decided by the Supreme Court. That's right. It's only to catch criminals. That's right. Right. Until somebody hacks you at random, and encrypts your drive, they've done nothing wrong.
But Pat, if we could even just conclude on this thought and just share your mob analogy, which I love so much today.
I'm a Jersey guy. Come on, let's hear the mob analogy.
I loved it. It was perfect. So let me caveat this, because we're kind of veering left of this. A lot of the growing trend right now in cyber is blame the victim. The victim got hacked, so we're going to go after the CIO of the SEC. Stop paying ransomware. Now insurance companies are enabling ransom groups by paying ransoms. Blah, blah, blah, blah, blah. But when the mob goes into a neighborhood and starts extorting people by breaking their stuff unless they pay protection money, we don't go in and hammer the shop. We go after the mob. If you really want to have that quote-unquote moonshot, how do we protect cyberspace? Let's get a moonshot together that really talks about how you go after ransomware. Because I'll tell you, it's not outlawing Bitcoin. We're never going to do that. It's not going to be about stopping people from paying ransom. One of the companies in the article paid a $5 million ransom, and now they're paying a $65 million class action suit.
But the company was still viable and running, and doing all the stuff that they're supposed to do if they're paying the $5 million. So the $65 million, it's just punitive.
It doesn't do anything. So the whole thing is a mess. It's just a mess.
When your next episode of Cocktail... Actually, that's something I have a lot of thoughts on.
We can go on for another couple of shows on that. Absolutely.
We actually have, plugging in a future episode, we have a professional ransomware negotiator coming on in a future episode.
Even though I bashed them really, really hard, you need good cyber control. You do. More importantly, you need good cyber control.
Well, that's it. We're not bashing it. We want it to be better, to be honest. Absolutely. That would be great. Yeah.
Yeah.
Go ahead. I'm sorry, Jen.
No, just to go back to the original point. So I think what we've done here is we've taken all of our experience and we've created what it is that we want to exist in this marketplace to make a difference and to be impactful. So it's, it's a really exciting place to be.
Yeah. I would, yeah, I was going to say, I would argue you need like the basics, and I know some of you might say no, but the DOPs and the deceptive technology and the MFA and all the standard things that we talk about, you need that. You still need it, I think, in my opinion.
That's table stakes, right? That's table stakes.
Yeah.
That's the stuff that keeps the noise down and keeps the 80% out. Yes. So I think you do need good threat intelligence. You need good contextualization. And you need to be able to make better decisions about the risk appetite of your enterprise and what you're going to do for it. It's all about your culture at the end of the day. Yep. Right? And your culture dictates what you do.
Well, Roger, Jen, Pat, thanks again. This has been tremendous fun and a fabulous discussion. Really good. And we had good drinks. Must have had good drinks. I'm going to have to mix up another one now that I don't have to stay awake for the next hour.
So, Joe, to our audience, do you want to see the part two of this? Yes, give us comments. Send us feedback. Leave us comments. We want to know whether or not Roger, Jen, and Pat are coming back on to tell you some more stories. Maybe a guitar, obviously look, Hawaiian shirts. Or send your hate mail.
And then we'll know we're really popular. Or hate mail.
Great. That'd be great.
Oh yeah, absolutely.
Adam and I could use hair tips.
Yeah, that's true too. Thanks again.
Oh, and Pat and I just put out a paper on Shadow AI. So you mentioned Shadow IT. People can check out our write-up on Shadow AI.
Very cool. All right. Okay. Thanks everyone. And thanks for listening and watching. Thank you. See you next time.
Thank you. Bye.
