Security Unfiltered

Preparing for 2024: 5 Attacks Targeting You This Year

January 02, 2024 Joe South Episode 136

Curious how the threat landscape is changing in the new year? Hear about the email attacks you need to protect against from guest Mick Leach, a seasoned cybersecurity professional who has led SOC teams at F500 companies and startups alike. In our latest episode, we'll chat with Mick about consistently popular attacks like brand impersonation and credential phishing, as well as new and emerging attacks like payloadless malware and QR code phishing (or "quishing") attacks that are likely coming your way in 2024.

#podcast #ai #2024 #cybersecurity #hacker 

Abnormal Security: https://abnormalsecurity.com/unfiltered

Abnormal Security
Abnormal Security provides the leading behavioral AI-based email security platform

Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Support the Show.

Affiliate Links:
NordVPN: https://go.nordvpn.net/aff_c?offer_id=15&aff_id=87753&url_id=902


Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today

Speaker 1:

How's it going, everyone? This is another Security Unfiltered podcast episode where today we actually talk with Mick Leach from Abnormal Security. Abnormal Security actually sponsored this podcast and again, you know, just to remind you guys, they didn't determine any questions that I can ask them or anything like that. You know, they just believe in what we're doing here at the podcast and they wanted to support the podcast, and so that's how it all kind of happened, right. So, you know, with that, let's go ahead and dive into the episode. I think you guys are going to love it. All right, see you guys. How's it going, Mick? It's really good to have you back on the podcast, and I want to start off with saying, you know, if anyone listening hasn't already heard part one of this conversation, essentially I will link it down below. You definitely want to hear about Mick's background and how he got into security, his journey and everything like that, but this is part two where we're picking it up. We're going to be talking about what's coming in 2024. So how's it going, Mick?

Speaker 2:

It's going great, Joe. Thanks so much. I appreciate it. Boy, we had so much fun in the last one and we just had so much to cover, we had to do a part two.

Speaker 1:

Yeah, absolutely. I mean I assume we'll probably be doing like parts three and four in 2024 at some point, but you know it's always a good conversation and you know, I think you also appreciate the style of podcasts that this is.

Speaker 2:

I do. I do Absolutely, yeah, and just the way this one's run. It's so genuine. I love that, you know there aren't questions prepared ahead of time. I love that it's off the cuff and it's natural and genuine. You know that much. I absolutely appreciate.

Speaker 1:

Yeah, it's, you know, it's interesting. When I go on other podcasts, they always like send me a bunch of questions ahead of time, like guys, I really don't care about your questions, right, like you know, just ask me whatever you want to ask me and we'll go from there. Yeah, but, Mick, you know we're coming to the end of 2023 here, 2024 right around the corner, and you know I always try to prepare my audience for the year ahead, right, because you know really to have a successful year, you have to be planning it out, you know, ahead of time. For sure, you have to be planning for it, you have to be adjusting, you know, your goals, your expectations and whatnot. So what are a few of the top attacks that you see becoming more prevalent or more widely used in 2024?

Speaker 2:

Yeah, yeah, you're right. I mean, for us to adequately defend our organizations, we really need to understand the threats that are coming at us. You know, especially as many of us are in purchase cycles here at the end of the year, sometimes money becomes available and you've got to use or lose that. I know that was certainly the way things were when I was in, you know, the military and with the government. So you're looking to, you know, elevate your tech stack, elevate your capabilities there at the end of the year in preparation for the next year. And so it's so critically important to look back and understand what you've seen over the last year, but also use that information to sort of forecast what you see coming up. And so, as I look back over what we have seen at Abnormal over the last year or two, I think it becomes clear kind of where the trending is headed towards 2024. And I think it comes down to five major issues that we've got to, we've really got to keep a bead on these ideas. So first, in my opinion, we've got brand impersonation, credential phishing, and we'll kind of unpack these a little bit, but I want to put them up front for you.

Speaker 2:

Number two, payloadless malware, right, and so when we say that we're generally talking about, like, social engineering attacks, text-only social engineering attacks. Number three, QR code attacks. They have been on the rise. I anticipate we'll continue to see these as time goes by. Number four, VEC or vendor email compromise and invoice phishing, invoice fraud. This is a massive one, continues to be incredibly lucrative and I fear we'll continue to see it. And then the last one, not without leaving it out here, generative AI based attacks. Right, you can't hardly have a podcast or conversation, presentation of any kind without mentioning ChatGPT or generative AI. This one will be no different, and so we'll talk, we'll talk a little bit about that as well. So I think those are the five things that we need to kind of keep an eye on, and willing to certainly unpack those, but, like, pause there and see if you've got any questions.

Speaker 1:

Yeah, of course, you know, with the, with the text based attacks, I've actually seen, you know, a good amount of that already coming through my work email, my personal email, and it's interesting, you know, I literally had one last week where you know they were saying like, oh, you know, I'm a new hire, they told me to reach out to you to resolve some payroll issue. Like, one, I'm a security guy, so you're going to the wrong person. You know if you are real right. And two, I'm a security guy so I don't trust you, so I'm going to delete this email. You know, like, I hope, if you're real, you know you get your payroll figured out, but I don't care.

Speaker 2:

Right, yeah, no, I'm with you. It always cracks me up how we in security end up getting kind of the end of being the dumping ground where a lot of different kinds of attacks end up landing on our plate. And I laugh, I think, really, did you think that I, in security, was going to have access to change your payroll? You know, come on, don't be silly. But nevertheless, we do inevitably get targeted for these kinds of things, and gone are the days, you know, and we touched a little bit about this in our last one, but gone are the days when attackers are sending, you know, malicious attachments and malicious links as the primary way to compromise you. They know that, you know, everybody's got a secure email gateway, or, you know, Microsoft's native 365 controls are really sound, and so they're great at catching that kind of overt malicious activity.

Speaker 2:

So now what we're seeing is this shift to where threat actors are simply trying to start a conversation with you. If they can simply get you to reply, then they can go a little bit further, right? We've seen ones where a pretty common one is where they purport to be from, you know, the, you know, we've seen the Best Buy Genius ones, Genius Bar or whatever, you know, Geek Squad, excuse me, where they send that and say, oh, you've been charged for this. If you have any questions or if you feel this was done in error, please reach out to our contacts, you know, our support center at the phone number below, right, and so if they can just get you to start that conversation, that's usually where they can take it, you know, three or four more steps.

Speaker 1:

Yeah, I wonder if they're evolving their attack pattern based on the technologies that are out in the field. Right, because, you know, in the military that's what you do, and, you know, this is no different. Right, where you have solutions that are saying, oh, you've never talked to this person before and they're asking for this information, you know, it's probably a bad idea to respond to them. Well, they're trying, I guess they're trying to even just start that conversation, build that rapport with your solution in the background, right, and bypass all of that. So how does Abnormal fit into that? This isn't like a softball question or anything like that that I was pitched ahead of time. Right, like I'm genuinely wondering, you know, how do you, how do you guys stack up against something like that?

Speaker 2:

Yeah, Well, and that's what makes us, I think, unique or at least the next gen generation of email security solutions, right, Ones that are using artificial intelligence at their core. It's not something has been bolted on, it's actually at the core of the way the solution works, in that it is consuming so many signals, right. And it's beyond just taking in the headers of each email, right. Traditional security mail gateways do a great job of pulling that in. Microsoft, Google's native security controls. They do a great job of evaluating those headers. But there's so much more. There's so much more signal to to those messages than just that.

Speaker 2:

Unfortunately, in the past, security solutions just really didn't have a way to consume the message body. But with the advent of natural language processing, computer vision, deep learning, you know, algorithms for machine learning, we've been able to really dive into the message body, teach our systems how to read it and understand it, kind of parse all of the parts of the message body, understand what's being communicated and then say, wait a second. This is unusual behavior, right? This is something I've never seen before. It's a person you've never spoken with, or at least an address, an email address that you've never corresponded with in the past. Even if it's someone that you'd know and speak with often, maybe the tone has changed. Maybe it's more formal or less formal than it's ever been before. You know, it's those signals that Abnormal Security is able to pin in on and really understand and then say, okay, this, this is not normal, right, this is abnormal activity, and so that's when we can flag it and move forward from there.

Speaker 1:

And is it able to also, you know, look at other other customers of yours, right, and say like, oh, I saw this at 10 other customers and you know it was the same situation, so we're going to block it or filter it out, right? Sure Does it? Does it have that capability as well?

Speaker 2:

Absolutely, yeah, and that's what was so powerful when I think it was CrowdStrike was one of the first to kind of start using crowdsourced information and say, well, if I've learned this and this and this from these other customers, maybe I can retrain my models to look for those kinds of behaviors across all organizations, and Abnormal absolutely does the same thing in that.

Speaker 2:

In that regard, now, each to be clear and this is what makes us, I think, unique is that the models are trained for each company specifically. Each one is different because a large financial services institution would be very different than, like a large university, right, a large public university. The kinds of communications that you see, the kinds of emails that you see, back and forth, are very different, the users and their level of awareness and training very different between a college and like a bank. So it's important that each model is trained for each company. But then you can use some overall guidance, overall understanding about what anomalous behavior looks like in general across all customers, and that's where you see that crowdsourced information really benefit the university or the bank.

Speaker 1:

Hmm, yeah, it's really interesting. Can we talk about payloadless exploits, right? So what are those? Is that just a text email that's trying to start that conversation?

Speaker 2:

Yeah, so in the email world, anytime we talk about payloadless malware, what we're really talking about is social engineering. So it's just that note. Hey, Bill, we talked about this last time. Hey, Bill, it's Bob. Give me a call when you get a minute. Right, he's really seeking to start a conversation. Get you to pick up the phone and call someone, because when you do that, you can sidestep the rest of your tech stack. Right, you lose a lot of the defenses that you have already brought to bear in your tech environment.

Speaker 2:

I think QR code attacks are similar in that regard because, as you and don't mean to pivot, but I think there's these two stories are somewhat related in that, like when we see QR code phishing attacks, there's not a ton of things that can detect and resolve a DNS entry from a QR code today. There's just not a lot of tech stacks, there's not a lot of solutions in our stacks that can do that. Abnormal, I think, is relatively unique in that we can and that's a pretty big differentiator for us. But in either case, the reason that I think we're seeing threat actors pivot to using QR codes and emails is A there's nothing that can defend against it, or very few things that can defend against it. But B? How would you scan a QR code on your email, on your corporate email, on your desktop, right on your laptop, or whatever the case may be? How are you going to scan it?

Speaker 2:

You're going to pick up your phone and you're going to scan it with your phone, right? Well, once you've done that, you have sidestepped all of your corporate email security controls, all of your corporate security controls, entirely, right, unless you've got an MDM solution on your phone, which is pretty advanced. Many folks with bring your own device today don't have a ton of security controls on our users' phones. So you don't have EDR, you don't have your internet gateway, you've lost most of your security controls, and now you've got a user interacting with a potentially malicious website on their phones, and so that's where you start to see a lot of credential harvesting, those kinds of things there, because they've tricked you to go someplace you shouldn't on a device that your company can't protect.

Speaker 1:

Yeah, phones are a very interesting threat surface for any company out there. Even if you have an MDM solution, you have a company, so you have a company device and they manage it and whatnot. Even then, you're still heavily reliant on the architecture of the phone. Hopefully the developers didn't create something that is insecure in their architecture and whatnot. Not that Android has ever done that right.

Speaker 2:

Or Apple or any of them, right, I mean yeah.

Speaker 1:

Well, I always bring up Android because when I was getting my master's in cybersecurity, it was very hands-on course, or very hands-on degree, and a part of it there was a mobile security course and in that course there was a lab that you had to get root on an Android or an iPhone. You had to choose a vulnerability and choose your platform right, and so I chose some Bluetooth vulnerability. The iPhone had been patched for several months so it was never going to work on that, so I literally spent about 36 hours trying to get it on an iPhone that I would never get it on. And then, as soon as I switch to Android, I get root in 20 minutes. I'm not a very good hacker, I'm very poor, I can spell the word and that's it. But I got root on this thing in 20 minutes and I'm like my reaction was oh, this is really bad. If I can do this, sure yeah.

Speaker 2:

And that's the thing is, a lot of what we're seeing in terms of hackers trying to convince users to leverage their phones. They don't even need to compromise the phone itself. They don't need to hack the phone or its operating system, they just convince you to go to a URL that you ought not to go to. That looks a lot like something that you're used to logging into every day. Maybe it's your Okta portal, maybe it's your Microsoft 365 portal, maybe it's your Facebook account. We've seen a lot of different brand impersonation attacks lately that work this way. No joke.

Speaker 2:

Last night, my wife gets a phone call, talking about brand impersonation. My wife got a phone call from USAA. Having been in the military, that is the bank that we use, as most veterans do. It's a great organization. Gets a call purportedly from USAA. Here's the thing: they spoofed their phone number so it showed up on her phone as USAA, and they said, hey, we see some unusual charges. This is not the first time we've gotten these kinds of calls. We get them periodically. I think we probably all have gotten the call from the bank that says, hey, starting to see some really unusual stuff. Are you in Miami, Florida, right now? I'm like, I wish, but I am not. I'm in Ohio and it's freezing. So they said, yeah, we saw somebody charge $2,000 at Walmart, $5,000 at Best Buy.

Speaker 2:

And my wife was like no, that's definitely not us. And they said, ok, we're going to send you a text message. Need you to log in at the link on the text message and file a report? And so the text message comes in. It's not from the numbers we're used to seeing, which may or may not mean anything, but the URL was telling it was not USAA, although it did have you as USAAsomethingco. It was a long string, I think it was retail online, resell online, 06 or something along those lines.

Speaker 2:

And I was like whoa. My wife's like, oh no, this feels weird. And the guy's like, no, it's OK, just click the link and log into your account there and you can file the abuse report. And I was like no, no, and thankfully she refused to do so. The guy hung up on her. We had a call in USAA back and it was not them, it was the bottom line. So they're getting more and more brazen and they're getting more and more sophisticated. I think getting these calls not terribly interesting. Getting the call plus the text message was a little more interesting, but getting the call that was spoofed from their actual, correct phone number, then doing the rest of the things, made this one particularly interesting. So, yeah, these are the kinds of things we're up against folks.

Speaker 1:

And it's almost unfair to the 99% of the population that isn't in cybersecurity. That's almost unfair even for cybersecurity professionals. They are taking the basics of an attack. They're taking four or five basics of an attack. They're stringing them all together and they're making it look like a real legitimate thing. And I'm going to be honest, it's a pretty good chance that I probably wouldn't even notice anything until I get to the login page. If the login page looks weird, then I would be catching it, but I'd still click on that link probably. And I'm in security.

Speaker 1:

We put ourselves into this. It's terrible predicament where we just spent, you know, two or three years right Of having everyone at a restaurant scan the QR code Precisely. It's very simple, it's very convenient, but there's no way to know just by looking at a QR code of if it's malicious or not. You know, like and this is coming from security professionals like, until I get to the website, I have no way of knowing if that's real or not. You know, and like you, you can so easily, you know, swap out. A menu has all the same exact stuff, different QR code on there. Or, you know, they tape the QR code to the table. Okay, well, I could just tape one on top of it, like it doesn't even have to be that creative. Yeah, it's. It's a, it's a unfair, it's an unfair situation. You know. If I'm saying it's unfair for us, it's like because my wife would 100% like she'd be messaging me as she's clicking on it and like logging in. It's like. No, like you know, we don't need to be doing that.

Speaker 2:

Yeah, yeah, you're right, I mean COVID. The last three years with COVID has has just been training the world's population that QR codes are safe to click on.

Speaker 1:

Yeah.

Speaker 2:

Or safe to take an image of. And, you know, I was, I was in Columbus. I think I mentioned this in our last one. If you know, just forgive me, but, you know, we were in, I was in Columbus, Ohio, not long ago and went to, was that an event? And parked at a parking lot where you have to shoot a QR code to pay all of the parking meters down there. They don't accept coins anymore. The only way you can pay for them is to shoot a QR code that's on the parking meter. And there were bad guys, not at this one, but there were bad guys that were going around and pasting new ones, new QR codes, over those, and they had done their research, right. They made a very similar looking domain where you were able to put in all of your, all of your information and, quote unquote, pay, pay your parking. But they just siphoned that money off, right.

Speaker 1:

So it's horrible.

Speaker 1:

We, we almost need like a you know, an overarching body right to step in and give what a QR code you know should look like and whatnot. Right, because what we really need with the QR code is the URL under the QR code. You should be going here, you know. So if you scan this thing, you know this is where you're going. If it goes somewhere else, you're not at the right place, you know. And if it doesn't have that URL, then you should know oh, I shouldn't be scanning it, you know like it should be an approved sort of thing. Yeah, I, I can see us going that way in like 20 years. You know, with how slow the government moves with everything, I mean, they'll probably start talking about QR codes in 15 years.

Speaker 2:

Yeah, and the challenge I think there is that it actually just advocates for more obfuscated URLs, because then you know you're you're trusting my aunt or uncle or grandma to look not only at the QR code and understand what to do with it which, thankfully, covid taught them what to do with it. Unfortunately, then, even if we put the expected URL at the bottom, you know what's to say, that's, even if they match. I mean, what's to say? That it's not malicious anyway. You know, if you, if you have like a high entropy, you know URL one with lots of zeros and numbers, and they'll just look at it and go matches is probably fine, it's not fun. Don't go there, right?

Speaker 1:

Yeah, it's, it's an interesting world that we have now created for ourselves. We've kind of backed ourselves into this corner, you know, and I feel like almost the attackers are evolving quicker than than the population is, you know, and yeah, that's typically, that's typically what you see right, but they're I mean they're even evolving faster than most companies, you know, and some, most of the time, most solutions out there. They're evolving faster than most solutions can keep up with. How in the world do we stay on top of this thing?

Speaker 2:

Yeah, well, I think maybe that's where the larger companies really kind of dig themselves in a hole, because you and I have both worked at big Fortune 500 companies before. And how quickly could you purchase and install a brand new solution that you've never had before, right, one that's maybe emerging tech? You know it takes forever to get through all of the layers of red tape and analysis and you know and those are good things right, that's not a bad thing we're doing. You know lots of vendor, you know vendor risk. So we're evaluating each of these vendors to ensure that they're they're doing their own security, so that we don't have a supply chain compromise. So those are good, good things.

Speaker 2:

However, I think that the industry, like the vendor side of things, are coming up with solutions very quickly. I think there's lots of very smart people coming up with and solving very real problems very quickly, and they're getting on them. They're getting to market just in time to start solving the problems as they, as they're hitting scale. The challenge is, big companies are averse to to hiring, to buying and using some emerging tech, and so, even though the solutions exist, there's a reluctance to purchase it right, either the company's too small, it's you know, oh, it's only a hundred hundred users, right, a hundred employees. It's only been around for 18 months. You know, let's sit and let it bake for a little while and make sure it's good. Or maybe maybe the solution is still a little buggy. Fine, I've seen that I bought buggy solutions before in order to get in on the front end of a really good idea. But that's the problem, I think, as we look at big, gargantuan, monolithic companies, they're risk averse in terms of their even their new solutions, their new security solutions.

Speaker 2:

I know that we at Abnormal struggled with that early on because we had a really good idea. The tech was there, we were confident about it. Certainly, I bought it and used it for a year before I came here and knew that it was good. But there were still a lot of big companies that were like, ah, let's just see how this shakes out for a little while longer first, and you're like, man, we've, we've got the solution to the, you know, we've got the cure, you know, to the, the, the problem that ails you. But, um, you know, too many folks just are unwilling to try it.

Speaker 1:

Yeah, that's a very real, it's a very real issue in the security industry, you know, right now, where, even, even fairly recently, right, the company that I work for, you know, they had a super old, you know, McAfee EDR. Right, they've had it since it came out, you know, and going with another solution, like CrowdStrike or whatever it might be, sure, that's a multi-year endeavor, you know, of convincing them like, hey, this thing works just like McAfee, it does it better, you know, this is why it's better, all these things, you know, and it's repeating that same story over and over and trying to get some of these companies to kind of catch up is, is, it's challenging, and I think a part of it is a lot of these, some of these executives, they've been burned by new cutting edge tech that only creates, you know, more headcount. It only creates more incidents, more issues.

Speaker 1:

I used to work for a company and they brought in a newer, privileged access management solution over a tried and true solution that the industry recognized as the top tier vendor, and that whole experience was just absolutely terrible. Every single day was another hurdle. I mean literally every single day. Our solution was on the verge of going down, and the only reason why it didn't go down was because I grew to identify all of the early warning systems and I had a very close relationship with the guys that managed the load balancers and so I could be like, hey, switch over traffic, here I'm having issues. I mean, this was every day.

Speaker 1:

You know, like, how does that play out to executives' minds? You know, because, and I think about that because, you know, now that, now that CISO, right, that was dealing with all those issues, saw it firsthand. He went to another company and the very first thing that he said was, one, we're not hiring anyone that managed that solution, not hiring anyone that bought that solution at that other company, and we're also never going to entertain anything from this company going forward. It doesn't matter how good their solution gets, reviews and things like that, we're not going with it.

Speaker 2:

Yeah, it, sadly that's. You know, it's a tale as old as time. Right, you get bit just once. You know, once bitten, twice shy, I think. They always say and cybersecurity solutions are no different. You know, I think there's stories for both sides, but it takes you know how many times can you be successful in your success, but one failure and you've ruined it all. I think that's the story for CISOs. You know, there are lots of times the solutions are great, they're sound, the capabilities are all there.

Speaker 2:

I remember, you know, even as you know, as a big insurance company at the time, and we had we were moving, we were at least considering to move from Cisco, kind of the big upper right quadrant guy that had been around forever and just handled all networking.

Speaker 2:

You know, everything. And there was a small plucky upstart called Palo Alto Networks and had a completely different take on firewalls and the way they were going to do things, and there was even a concept of layer seven firewalls and we're like, no, that's impossible, you can't, no, it's, it'll never work, it'll never take. And, you know, fast forward. Now you see the pretty, pretty deep market penetration there. So, you know, there, there are, there are good, good news stories on that, on one side, and then certainly bad news stories on the other side, but all it takes is one time of getting bit to make you go, man, let's just stay with the upper right quadrant stuff that's been around for a while, that's been shook out, other people trust, right, even if it puts us behind the eight ball or behind, behind the, the innovation curve.

Speaker 1:

Yeah, yeah, that's a good, that's a good point and it's a, it's a difficult one to defeat, honestly. But, you know, something that I have found that tends to help is when I'm doing a POC, when I'm, you know, evaluating a product, I always like to get other successful deployments with, with other customers, right, current customers, that came from other solutions. You know, and I'll specifically ask, you know, for customers that migrated from whatever solution we currently have, right, that went with this other new solution. And the reason why I do that, you know, I tell the vendor straight up, hey, don't join that call. You know, you can send the invite but do not join it. If you have to start it, you know, just transfer host permissions to me, whatever it might be, because I want to hear, I want to hear the horror stories, you know. I want to hear about your bad, bad, bad experience with that other solution. And I want to hear about, you know, if there was any challenges deploying this other solution. Right, because every vendor is going to say, oh, it's a great solution, it's turnkey. I've heard that, you know, on every call I've ever been on, right, and it's, it says a lot when you actually go into the solution and it actually is turnkey, you know, like it actually, there, I think it was actually Abnormal's solution when, you know, I heard turnkey and I'm like, okay, turnkey in that industry is, you know, not real, right.

Speaker 1:

And then we went and did it and I was confused. I was. I had the, you know, the solutions engineer on the call and I said, okay, what's next? It was no, there's nothing else to do, like just let it work. Like no, what, what am I going to get out of that? It was no, just wait. You know, that was like even for someone like myself, like an experienced security professional that I've, I like to feel like I'm on the cutting edge of stuff. You know, I know what's out there. Even for me it was like, oh, this is weird, this is different, you know.

Speaker 2:

Yeah, no, I know exactly what you mean. I had a similar experience right before I came here, you know. I remember that feeling of plugging it in and thinking, okay, so it's connected, now the integration is complete. That went faster than I expected. But now, you know, when do we start the configuration? Right, because I come from the world of secure email gateways, where there's a heavy configuration. You've got to start setting up block lists and allow lists and keyword searches so that you can start finding evil. And I remember distinctly him, you know, saying that's it. Now we just sit and we wait and it learns, and tomorrow we'll find evil. And I was like, no, now there's got to be more. And he was like, nope, just trust me, go home, and then tomorrow let's get together in the morning and we'll see what's what.

Speaker 2:

All right, the next day I was horrified at what all it had found that was slipping through my existing tech stack, which I'd spent a lot of time and money on. I had never been told no. You know, it was a security defender's dream come true. You know, anything you want, anything you think we need, you tell us and we'll buy it. And it had been three years building that tech stack, only to have Abnormal come in and go, yeah, it's really good. However, here's all the stuff that's slipping through your current tech stack that nothing is catching, and these things are being delivered to your users' inboxes today. I was like, no, man. I was just gutted.

Speaker 1:

So yeah, let's talk about the AI threats, the LLMs, the generative AI. I mean, I can say the buzzwords, but I don't know what any of that means. I couldn't name an LLM if you put a gun to my head, you know, like I could not do it. So what are these? I guess let's start with what they are, right. What's the biggest threat with them, and how can organizations protect themselves against those sorts of threats?

Speaker 2:

Yeah, and I'm glad you brought this up, right. That was number five on our list, right? Generative AI. And it is an emerging threat, to be sure, but at its core, generative AI is really nothing more than a next-word predictor. You know, that's oversimplifying things, but that's what it's doing, right. You feed it information and it produces net new content as a result of what prompts you gave it. And so generative AI is being used to create all of the other types of attacks that I talked about.

Speaker 2:

The biggest difference is that it's coming at scale. A, it's making it a little more, I won't necessarily call it more sophisticated, because you and I, as English-speaking security professionals, could craft it. Give me 20 minutes, give you 20 minutes, we could craft a very realistic-looking spear-phishing message. You know, we could do our homework using the world's greatest hacking solution, LinkedIn, and then you could cross-reference with, like, Facebook and figure out, you know, pick a target, see what they're up to, see what they're into, and you know, we could write a very good, very realistic, very effective phishing message, spear-phishing message. So generative AI can do the same thing, the difference being it can do the same thing for a non-English speaker and it can level that playing field, and it can do it at scale. Whereas it would take us maybe 15, 20, maybe 30 minutes to do a really good job, generative AI can do this thousands per minute, and that's the real danger there.

Speaker 2:

So that's the first big thing. But the second big thing that generative AI is enabling is not only is it doing that at scale, but it can do it with a unique sender address every time, a unique recipient address, a unique subject and a unique message body each and every time that it runs. That would take us forever to do manually, but generative AI can do that trivially, in moments. And now, if you think about how most of our security solutions work, right, they're looking for similar senders, similar recipients, message bodies or subjects, some sort of thread to tie all of the attacks together as part of one campaign, and none of those things are present. So that's terrifying in terms of scale. It just means that what you've been facing is only the tip of the iceberg. In 2024 we're going to see the scale of those attacks just, you know, quintuple over the next year. It's crazy to think about.

Speaker 1:

Yeah, it's interesting. You bring up, you know, LinkedIn, and it's a good platform for professional networking and whatnot, right. But I feel like the professional side of it almost gives the illusion that you can be a little bit more open with where you work and what your title is, what your job description is, all those sorts of things. I noticed, being in security, we're bombarded with job opportunities, everything that you could think of. Ever since I took my employer names off of my LinkedIn (I left the titles, but I took most of the descriptions off, I took the company names off), as soon as I did that, it decreased by 90, 95%. I don't think people can put it together.

Speaker 1:

He took it off because he has a podcast and he doesn't want it to conflict or anything like that. It's interesting the amount of information that you can gain just from platforms that people have willingly put out there and opened up. I've been pretty tempted, and I think I actually have disabled Facebook before, because there's just too much out there and I need to control the information a little bit better. It's coming to a phase where all of that's coming to fruition, to be combined together with this generative AI to craft the perfect thing for each person, because we're giving them all the information that they need.

Speaker 2:

Absolutely, yeah, absolutely. In fact, the internet is forever. If you don't think so, use the Wayback Machine, because you talked about updating your LinkedIn and removing things. I know lots of folks that are wisely doing the same thing. The challenge is the internet is forever, and with the Wayback Machine I can still go back and see what it looked like three years ago, two years ago, last week, prior to when folks started scrubbing and being at least aware that that was even necessary. I can go back to your Instagram account and I can see the pictures prior to when we all started going, maybe I shouldn't be posting all of this here, and I'll start scrubbing this. And you can still go back in time. That's what makes the internet such an interesting and terrifying place at the same time.

Speaker 1:

Yeah, it's an interesting world that we live in. If you had to maybe give guidance to someone that's trying to either get into IT or security, or maybe they're already in security and they're trying to augment their career, make themselves more valuable in the field and whatnot. Based on the five items that you mentioned previously, what would you recommend that they focus on to become more proficient in those areas?

Speaker 2:

Yeah, so great question. So let me answer it in two parts. Number one, as an individual, how can we level up? A, add the skills we need to be successful, and B, how can we continue to keep them sharp once you do have those skills? I think the answer is the same to both of those, which is you've got to build your own personal testing environment. You've got to have some sort of testing environment at home. It can be virtual. Build your own lab, spin up some VMs so that you can start testing things, because that's how you're going to learn best.

Speaker 2:

I've been doing this a long time, and the folks that I've hired that ended up being wildly successful all had a couple of things in common. Number one, they were insatiably curious, like potentially to a fault, but they were insatiably curious. They just had to understand how something worked. We can do a lot with that in the security world. The second thing is that they're tinkerers. Every person that has been wildly successful for me is the same kind of person that goes home and goes, not only do I want to understand how it works, but I have to see it, I have to try it. I have to fire off these exploits at a vulnerable system while I collect the logs and a packet capture. Then I want to take a look at the packet capture with Wireshark or tshark. I really want to dig in and understand: how did it work? What does it look like on the wire? How can I write rules and alerts that can detect this kind of activity? Those kinds of people are incredibly successful. That is, I think, the number one thing. Build a home lab, figure out what that looks like. There's lots of really good tutorials on YouTube. John Strand, I think, has done a couple of really good ones from Black Hills Information Security, one of my mentors, the people that I look up to. Mick Douglas is another. There's some folks that are doing some really interesting things. They all say the same thing: you've got to roll up your sleeves and you've got to get in there. On an individual perspective, that's how we can do that, I think.

Speaker 2:

At a corporate level, how can we defend against the kinds of things we're seeing today, those five example attacks that I have seen trending up over the last year, which is indicative of them continuing to just explode in 2024? I think it comes back to this, especially when we talked about scale in terms of generative AI: it's using good AI to fight bad AI. That's what it's going to come down to, because the volume is too great, the number of signals is too great for us as humans to parse and analyze and connect all of these dots together. As you're searching for new security solutions, as you go through 2024, as you're looking to renew or buy new solutions, replace old things, look for the plucky upstarts. Look for the small guys that are disrupting the industry, the ones that are using generative AI, that are using AI or ML at their core, not something they bolted on, but they're actually using machine learning algorithms to process vast amounts of data and understand anomalous activity and spot that. Those are the solutions that you need to be evaluating. Yes, they may not have been around a long time. Yes, you might be taking a small chance.

Speaker 2:

Do talk to other people. Do ask the vendor for a reference. I've been on both sides of that conversation. Joe, you were talking about it a moment ago. I've been on both sides. I've been the one requesting that conversation and digging in, saying, really, what was it like? The vendor's not here. Tell me the truth. Was it really as smooth as they say? You can get to the bottom of that. I've also been on the other side, where I've been saying, hey guys, this actually works. I've been very happy with it. Now I'll tell you, because they're not here, these are the things that you'll have to overcome, or maybe they were a little clunky, but it's a good solution. I have no reservations. I've been on both sides. Use those as you evaluate new emerging technologies.

Speaker 1:

Yes, that's a good point. The curiosity is maybe the biggest thing in security that you need to be successful, right? Because you always need to be learning. I was actually talking to someone not too long ago. They wanted to get into cybersecurity and they were asking for the best way to do it. I said, well, look, the first thing that you have to understand is that you're always going to be learning. You always need to be in a mentality of, hey, I'm always working towards a certification, I'm always working towards learning more about a topic or whatever it might be.

Speaker 1:

And that stopped them right there in their tracks, and they said, well, that's not what I wanna do. I kinda wanna just, like, learn everything and then be done with it. You know, I'm like, well, that's not really how the world works. You know, like, certainly this world. Yeah, like, you know, I guess maybe school teaches us, you know, in some way, like, hey, you learn all these things and you're done. You know, in school, you know, you get your PhD, right, if you go all the way through, you get your PhD and that's considered to be done. It would be dumb for you to get another PhD if it didn't relate in some way, you know. But even then it's a stretch.

Speaker 1:

But in security especially, you know, there is no end to this thing. Like, I've spun up, you know, so many labs at home and destroyed so many domain servers, like, it's insane, right. I got a really good backup process that I learned from trial and error, oh yeah. And then, you know, when I wanted to specialize in the cloud, the first thing I did, I opened up a free-tier AWS account, you know, and Azure and GCP, and went through it, right, and after enough, you know, random $300, $400, $500 bills for things that I thought that I had spun down when I hadn't, I have learned to go with other services so that they can handle all of that and I'm not worried about it, you know. But it's always a journey, you know, and that's what it is.

Speaker 2:

Yeah, in cybersecurity, I think, and in life, you know, you've never arrived. The point is the journey, and so, you know, I think cybersecurity is no different. You've got to learn to embrace the fact that you won't know it all. You'll never know it all, but you should continue to strive to learn more every day. I love that, the YouTuber Smarter Every Day, and just his approach to learning and trying new things, sometimes failing miserably along the way before learning and mastering something new. You know, we just all need to adopt that approach.

Speaker 1:

Yeah, yeah, absolutely. Well, Mick, you know I really enjoyed our conversation. I'm definitely gonna have to have you back on in the future, but we're at the top of our time here, so before I let you go, how about you tell my audience, you know, where they can find Abnormal, where they can find you, if they want to learn more?

Speaker 2:

Yeah, absolutely. You can hit me up at mick@abnormalsecurity.com. That email will get to me. You can find out more. You can go to abnormalsecurity.com/demo. You can see a short recording of what our UI looks like, how the product works. If you go to abnormalsecurity.com/risk, you can sign up for a free risk assessment and we can integrate with your environment, test out how things are going in your environment. Again, that's read-only. We'll sit and learn for a week and then give you a report of all the things that are slipping through your current tech stack, and at that point buy us, don't buy us, right? It's up to you. Figure out what makes sense for you at that time.

Speaker 1:

Awesome. Well, thanks, Mick, and I hope everyone listening enjoyed this episode. Bye, everyone. Thanks.

Top Cybersecurity Threats in 2024
Risks and Challenges With QR Codes
Challenges in Adopting Emerging Security Solutions
Generative AI and Its Emerging Threats
Curiosity and Continuous Learning in Cybersecurity
Abnormal Security