A

Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. You can find them at meter.com CST welcome to Cybersecurity Today on the weekend, my guest is Brian Black. He's the head of security engineering at a firm called Digital Deep Instinct and a former black hat hacker. Now batting for our team, the good guys. Brian's been using his skills recently ethically testing 73 security vendors and the results. We'll get to that, but first I want to get to know this fascinating guy. So great to meet you. First of all, you as well.

B

Second of all, thank you for having me.

A

You were advertised as a former black hat hacker and I'll get into where you're working now. But I, if nothing, I'm curious. How did you get started in the game of hacking and what led you to that? The dark side of it?

B

Opportunity. So it started very young, right around age 7 or so when I, when I broke my first program, moved up into my teen years, I started having access to VAX systems. But of course I wasn't allowed to actually use anything or have access to anything. What does a young person do when they're told no? They try it anyway. So I did that for a number of years and really it stoked a passion in me when I realized I could make a computer do what I wanted it to do, regardless of the intent of the designer or the programmer. It unleashed that, that incessant and persistent curiosity. And that's what also got me into things like, like lock picking and cyber security. Pretty much anytime I'm told you can't go somewhere, I really want to.

A

So how old were you when you went through this and what were your escapades like as a teenager?

B

Sure, really through my 20s and into my early 30s, I was pretty aggressive on the offensive side. I specialize if we take a look at the Lockheed kill chain, I specialize in reconnaissance and weaponization. That was really my strength. It was that error where we didn't do it for monetary gain. We did it to exclusively get our name in the news. But a number of high profile companies I went after, I had my own set of rules. Never went after banks because they get really vindictive when someone breaks into them. Never went after government entities because of the same reason. Not all of the compatriots that I ran with at the time had those types. Types of rules. Many of them pay the price for that. But by and large, if there was a company that I had the opportunity to breach, I tended to really, as a. A chess game, a battle of whales, if you will.

A

So you're doing the let's play Thor nuclear war type of thing more than doing damage. Yeah. And so you did that through your.

B

20S, and he's in 30s. Sounds like a very cliche story, but I have formally retired. In 2009, I was coaxed out of retirement for the proverb, one last hack, if you will, against a European entity. I did that with a group. We were successful. There were no repercussions or ramifications from that. We were very clean, very fast. They got what they wanted. Again. I specialize in the weaponization portion as well as the actual infiltration portion of the protocol. From there, I put it away because I was now a seasoned cybersecurity expert. And I realized, why am I taking these silly chances when I have this great career in front of me that I'm working on? The allure is hard. And I saw an opportunity again in 2015. Did that on my own and then to be offensive. But from then, I've been. Been a good boy, if you will, since 2015. But in the cybersecurity realm, I've also run the gambit. I work for Major financials. I spent about 15 years on the customer side, starting out as red teaming, then ultimately moving to blue teaming. Now, you could make an argument that I'm on the purple side now because I spend just as much time on corporate offensive strategies as I do on defenses.

A

I have to ask, how would. How does this happen? You meet people online, you form a group and plan a hack. And the reason I ask this is because this is being played out as we speak. History repeats itself with younger folks than you probably laughing at you going, you're an old guy now and you're.

B

I definitely am a dinosaur when it comes to the hacking community. Yeah. Back then we met primarily on irc, that's Internet Relay Chat, and ICE was on FNET and down. That as my two primary channels or primary server systems. There were a number of channels in there. Think of it. For those that may not be familiar with that, think of it like almost Reddit today. When you would join one of these infrastructure segments, then there were countless channels, sub channels you could join. Today, you would do it on the dark Web, which is easy to do. The dark Web is not as mysterious as a lot of people think it is. It's very easy to access, and there's plenty of chat channels that are public. Many of them will send you into a. We'll call it a probationary channel where you have to at least prove something and offer evidence of maybe things that you have done or capabilities that you have. And from there you're brought deeper into the onion of those threat groups.

A

And so you decide.

B

This was really over when I didn't need it anymore. From a perspective of curiosity and challenge, corporate labs today are unbelievably advanced. Certain corporate labs, the resources available online, my ability to even build my own network virtually, whether I do it stand it up in some cloud infrastructure or just a series of VMs I have on a server upstairs, it'll. I didn't need to find someone else's challenge. I could create my own. I still compete in hacking competitions whenever I can find them and whenever I have the time to enter them. They usually last anywhere from 24 to 72 hours. And so I still do that to keep myself sharp, if you will. I still spend a lot of time reading, but I haven't had the itch to compromise a network. I did not have direct permission use.

A

Guys. Geez, you guys seem more like the fun side of this, or at least the innocent side of it. There's a whole side of hacking where leaving isn't is easy. You just packed up and said I'm out of here, I presume. But some people aren't in that position. And most of them, I think in some of these younger gangs where they recruit teenagers and keep them more or less hooked on hacking. Is that. Have you encountered that?

B

Absolutely. In fact, there's really two schools of thought on that. The first would be there's an economic hook where you may reside in some country that may not have a significant opportunity, a lot of challenges that you have with it within that country. And this is a means to an end. This is how you eat, this is how you have a roof over your head. It's very difficult to leave the world when it's providing for your daily needs. The other side is something you touched on, which is. I don't want to call it peer pressure. I think that's oversimplifies it. I would rather say an ideological belonging. There are certainly young people today that find it very hard to leave this particular scene because it's where they find acceptance and where they find validation that they may be struggling to find elsewhere in their lives.

A

Yeah, and I think if people haven't experienced it, you just don't know my. I'm not even going to say what relevant relationship they are to me because I think that would out them and I'm not sure that they want that at this point. But one of my family is. Was. I think was a black hat hacker. And the meetings we would have were quite mysterious because she would arrive at her house with or she would arrive at our house with her partner. There was very mystical about how they wanted to be protected and the security that they took on their devices and their communications. So they were. And they were. It's funny because we have these models we build in our own mind. These are two normal people. You wouldn't know them if you saw them walking down the street. Especially if you saw them walking down the street in Portland or someplace that's still like in the 60s. That was about it. And so have you. Are. Are your friends no longer around or have you changed how. What happens when you stop doing this?

B

So the groups you run with definitely go away. I liken it very similar to say a high school clique that you may have belonged to. Once you go to college and then you enter the real world as we'll call it, it's challenging to maintain those relationships. It's no different within the hacking circles, hacking spheres or any groups that you may belong to once you stop running with that particular group. It's a combination of. You realize how little you had in common because you had nothing in common besides code, nothing in common besides the talent. And then they also realize that if you're not going to be part of this and advance the agenda that the group was formed in the first place then you're of no use to them. And they will find people who are both are play out to where these groups both fall apart and then some reform later. We're seeing that now with the Lockpick group. They were largely broken up and there are now individuals within that group that have reformed again and they're after the game.

A

Yeah. And just. I won't stay here forever but I just want to go back to this people parents have kids who are like you, precocious, interested in computers, really bright. What would your advice be to them in terms of understanding where the. Because kids can get it. You're lucky. People get into real trouble and can ruin their lives doing this. What's your advice to a parent or is there any advice for a parent?

B

Yeah, that's a great question. I definitely had my close calls. No question about that. There have been a few run ins where the police were unbelievably close. You never Want your father to yell upstairs to your bedroom. Then the state police are here and they want to speak to you. That is not a good day. Not so much really. The police part is not the challenge there. It's dealing with your father afterwards. So my advice though would be, and this may sound weird, but my advice would be encourage it. It's an unbelievable career that it can dovetail into. The good news is there are very legitimate ways today where they didn't exist when I began to challenge and to foster that skill and then guide people into a legitimate career. It could be something silly like video games. There are a number of games on steam that teach JavaScript and teach exploitation. I own all of them. There are certainly courses now that we can take both for free online, that we can study through places like YouTube and elsewhere. And then there's high school and college courses that are teaching this type of computer science and this type of offensive capability. So I'd say if you have a child from very small through teenager that is showing an interest in this or is talking about it, it's worth encouraging, but encouraging responsibly to make sure, like you said, they don't get into trouble.

A

Yeah, and I'm, I'm hoping. I've never even thought about this. I'm hoping that the big security firms are sponsoring hackathons and things so that kids can do what they want to do, compete.

B

And Microsoft does. Yes, absolutely.

A

Yeah. If you're not on the football team. I was in the drama club and at least we had a trophy. But kids want to, they want to be special, they want to compete. They want to be known that they can beat something or they can have some accomplishments.

B

Definitely 100% agree.

A

So this leads you into a corporate career. Did you start with Deep Instinct? Where did you start working?

B

So in the 90s I started with my first real foray into the corporate world. And what drove the rest of my career was a two year stint at Lucent Technologies. For those who may not be familiar with Lucent, think of it as the Google of its day. They created at means almost by accident. They invented things just as a matter of course. They were an unbelievable, an unbelievable technological company. From there, a resume like that gets you invited into banks. So I did that. I joined red teams within banks doing a lot of penetration testing and a lot of statistical analysis on data metrics and network metrics. And then I was asked to move to Philadelphia and join a company called Sunguard, where I eventually took over the perimeter security. Took over in the Technical term, not leadership term. Perimeter security for many countries and hundreds of customers. And then from there I moved on to the vendor space with HP FireEye, and then for the last eight years, deepest.

A

So a lot of smart companies, and I think you've listed quite a few, and people don't know this. There are smart companies and dumb companies and it's much more fun working at a smart company.

B

Yes.

A

Yeah. And so did you always gravitate towards the red team? Is defense boring? What's that like?

B

Definitely not boring. I'd say the most activity is on defense because you're up against everyone. I remember back in my when I worked for one of the major banks here in the us, I had a sign in my office that said if 99% secure, then 100% vulnerable. And I believe that to this day. So you definitely have more activity on the defense. I gravitate towards offense just because I like the challenge. It's a giant chess game to me and I quite enjoy chess here at Deep Instinct. I'm fortunate in that I really get to touch everything. I get to help companies, but I also get to figure out how companies are under threat, especially from things such as dark AI or new techniques that are coming.

A

And there's a myth, and I might be promulgating it, or maybe it's the truth. I think it's the truth I'd love you to argue with me is that I think that people spend far too much time worrying about people like you doing the extreme stuff and they don't spend enough time on the basics. And if they just did the basics, they would be a whole lot more more secure. That's the advice I give to everybody. Is that dumb? Am I crazy?

B

No. In fact, that may not have been the advice I gave from, let's say, 5 to 2020. It is the advice today. In fact, it is the most important advice today. Something I've said for some time. If we're seeing again the rise of the script kitty for people who may not be familiar with that term, back in the 90s and early 2000s, we had this group of actors of malicious individuals that we refer to as script kiddies. They themselves did not have the skill to discover vulnerabilities or to write cod, to exploit anything, but they were really good at running someone else's code. They went away not because that individual went away, but because security companies had become so good that these simplistic type of attacks were easily defeated for many years by many vendors. With the rise of different types of AI Tools. They're back where now? Exfiltrating your data and nation state, encryption level cryptocurrency transfers. They don't know how to do any of that, but they can destroy your data and they can get in the news for it. And in many cases that's what drives them. It's not a financial drive, it's an egotistical drive. So basics is important.

A

It's funny because in the early days when we were dealing with. And I'm no longer a cio, I'm really a podcaster now. I retired a few years ago, but not too many years ago I was a CIO watching this stuff and I talked to my fellow CIOs and CISOs and we. It's hard to say this, but we had a respect for the professionalism of some hackers. Didn't like them, but we had a respect for them. If they ransomed you and you paid, you got your files, they went away. They were running a business. Not a business we wanted to be part of, not a business we want to be involved with, but it was real. And then there were these sloppy children, I don't know, I don't know how else to describe it, who just did damage. They didn't know what they were doing. I think the, and you can probably know better than I am that they were often renting tools from other hackers, but not knowing what they're doing or knowing sometimes even how to give you your files back.

B

Yeah, and I agree with you. There are a number of professional groups out there. You hate to give them credit on the public forum like this by name, but. So let's just say there's a number of professional groups out there where you're exactly right. If you get ransomware, you are dealing with a rational actor, an undesirable actor, but a rational actor. And they want to get paid and they want you to get your files back because they want the next person to know if you pay, you'll get your files back. So they're not in the business of scamming you or taking your money and then not delivering the decryption keys or something of that nature. But more often than not, we do see, as you mentioned, a number of people who, they focus on trying to be successful and they end up just goofing it all up. They encrypt things, they don't mean to, they have no decryption schema. I've even seen situations where networks were impacted and the encryption methodology they use prevented them from reconnecting to that network to decrypt it. So even though they had keys and everything, they couldn't actually run the decryption schema because it backended to their cloud environment that the network couldn't get to because of the encryption that they used. So very amicable.

A

The basic. Yeah. So doing the basics, making sure that you've got long passwords. Please. Your expertise is valuable. Long passwords are what I tell everybody. The longest, longer the better. Don't try and be fancy, just keep it long because it's hard to unencrypt or if you. If the longer it is, the safer it is.

B

I'm an fan of past phrases, to be honest with you.

A

Sorry. Yes.

B

Yeah. I think if you can create a sentence that you can type very quickly, maybe you substitute A1 for an I or something because it's not about the mixing of uppercase and lowercase and symbols. It's about, like you said, in many cases, the lengths. There was a one place many years ago where my password was Jack and Joe went up the hill. And that's an insanely long password. But it was not going to be. Not going to be brute forced.

A

Yeah. I tend to use phrases that no one else would think of but me because they're unique. An old drinking buddy phrase. Nobody. You know what you said when you were shooting bourbon, like, nobody, nobody would think of these things. And yet you. But the length of them. It matters. What else would you make sure that we're in the basics for someone.

B

So it sounds silly, but knowing who you're communicating with online. The phishing exploitation is still the number one avenue for threat actors to gain entry. Not because it's the most effective by the way, or the most efficient by the way, but it is the most effective. I'm going to win if I go that route enough times against enough people. It's just the lull numbers. So knowing who you're communicating with an email is very important. Knowing how different organizations communicate with you. Microsoft will never call you. The IRS is not going to text you. That's not how these organizations operate. So knowing their methodologies and how they operate can easily help you identify scams or phishing links or something.

A

Yeah. And as I always say, whether you're talking to your parents or people who are vulnerable, especially who might fall for these things or people in a corporate aspect, nobody who's serious in this business is going to resent you taking a lot of time to identify them. That's just. It's never going to happen. They could be the State police. And ultimately they are going to be wonderful. Standing at your doorstep while you phone from a listing, the regular district attorney or the FBI and say, I've got a guy sitting at my doorstep. How do I find out he's real? None of them will ever give you any problem about that. And I think that's an important thing to know.

B

I have a fun story in that regard. My parents, in their 80s at the time of the story, early 80s, they received a call from their niece who was in trouble and needed money. But my parents spent a lot of time talking to me, and he put her on hold and from another cell phone called my niece and said, hey, where are you right now? And are you okay? And she's, oh, yeah, I'm fine. I'm at the house. Why? What's going on? And someone had gathered her voice, used an AI voice changer, and was performing that particular scam. But taking that little bit of time to just say, hey, I'm going to call them on another phone and see if this is real. That step. Who knows what that saved?

A

Yeah, just a simple look. I got to move into another room. The reception's bad here.

B

Yep, exactly.

A

Yeah. And those are all good things. What are the big weaknesses? And I'm going to. I want to get into the technical weaknesses, some of those things as well, while I've got you here. But what are the other big weaknesses that. That companies have that they just don't realize?

B

I hate to call out the humans, but the humans, that's always going to be the biggest point of failure when it comes to a trust relationship. And all scams, all hacks, operate essentially off a trust relationship. One of the other challenges, though, I see within organizations is they don't know what data they have and they don't know where it is. That's an all too often uncomfortable conversations that I, and I have to believe the vast majority of my peers have had with organizations where they customer or organizations really don't know what their data is, where it is. And in many cases, they even struggle to understand what their crown jewels are. And that's obviously a problem. Data governance is.

A

Yeah, we call it data governance, and I think we all have to stop using that phrase because people's eyes go glaze over when we use it. Where's your damn important data? Yeah, if something disappeared or got encrypted and it would kill your company, where is it? I think we've got to talk bluntly to people because the minute you go to governance, you go to PowerPoint and everybody just zones out. So it is important. But I'm astonished as well that people will. They'll spend this whole time doing these global protections. What's that old phrase? If you're good at everything, you're good at nothing. You know, if you're spreading yourself thin across everything, you're not protecting the stuff that you must absolutely need.

B

Yeah, the jack of all trades, master of none.

A

Yeah. Yeah. So that's the getting back to the basics. Good passwords, that sort of stuff. I want to talk to you. One more question about mfa. Because it is a big thing. Some MFA is worth fa. And some of it's good. So how does somebody out there who's listening to this program distinguish a good multifactor authentication program from what I call the FA ones?

B

What?

A

How do we do that?

B

Yeah, I had a really confident answer to this question last year, perhaps about six months ago. My confidence has dropped considerably with the discovery of a handful of new techniques that I've seen and I've seen firsthand and in one case was even able to execute. I was the big believer in the cell phone to fa. I was a big believer in the give me the passcode that I type in, get, send it to my cell phone. I lived and died by that sword. Then I learned just how vulnerable our trunk lines are throughout the world that connect country to country and region to region. And I learned just how easy that was to break into and redirect. Now, I always knew it was possible, but I chalked it up to, you needed really to be a specialist to do that. Not anymore. It's actually quite easy that anyone can learn off a YouTube video. So it is MFA is really important and everyone should use it. I don't think that there's a bad one in the sense that, hey, if you get a code to an email, if you have a ring token, if you get a code to your phone, something of that nature, it's better than nothing. But know that it is not a silver bull.

A

Yeah, it's much, much better than nothing. But some of the of the new biometrics or anything, are they still is are they in the same category that they're beatable these days as well?

B

From a security perspective, they pose a significant challenge to any threat act. There are other considerations when it comes to biometric, and I don't know if this would ultimately derail this particular conversation, but there are a number of laws around the fact that says your face is not a protected code, essentially. So no court or no judge no, anyone can compel you to reveal a password, but your face is public domain, essentially, your fingerprints are public domain. So there you have to start thinking about laws and ramifications in that when it comes to biometrics.

A

Yeah. And when you get to that level, call in a specialist.

B

Exactly.

A

The point of this conversation is to educate you, make you think, give you the chance to say, okay, I'm going to think about this. I'm going to call somebody who's an extra for the start to work on it. Now, I want to, but I want to go into this, the technical side of this and some of the things that you've done. And as we're recording this, because this will be repeated, but if you're listening to it, soon you'll know we're in the middle of the World Series here. And this note crossed my desk. And this is how I met you. It was one of your publicists or something said that you tested a number of vendors and that they had a batting average of just 109. And I went, great turn of phrase. It catches the attention. But the reality is you're out there still red team, testing people and you're finding out you're not getting great results.

B

No, we are not. It's been an eye opener for me specifically this year. Now I've been involved within the AI deep learning space for eight years now, as I mentioned. And so it's been near and dear to my heart for some time. But with the rise of LLMs and with the rise of dark AI. Dark AI is defined as any LLM that does not have a morality filter. So if you ask it to do a thing, it will do a thing. Regardless of its malicious nature. It turns out that creating code is unbelievably easy to bypass a variety of systems. So what we did was we have an environment that has 60, 70 vendors in it and it only takes a handful of minutes. Let's say if I really wanted to get detailed, 30 minutes to create a piece of code through prompting. And I like to remind everyone that the CEO of Nvidia made a comment that we are moving from an instruction based world to, to an intention based world. So we are moving from an environment where we're handing computers instructions, do this, do that, do the next thing, and simply saying, I want this to occur, and it figures out how to get there. So through intention, I'm able to develop a variety of pieces of code. And like you said, the batting average is painfully low in some cases, just five vendors out of 60 or 70 will be successful, but it actually gets slightly worse because I can take that same code change, no functionality change, no features, no capabilities, and simply recreate it in another language like C Sharp or Golang or something to that nature. And I can recompile it, attack those same machines behind these vendors. And what I've noticed is the vendors that catch it change. And I find that fascinating because the capabilities of the code didn't, only its compiling methodology did, or space code did. So we'll run through these tests again and we'll find 4 of 6 vendors or 7 of 10 vendors be different the second time around, and then I'll get new vendor still the third time around, which means threat actors, they're going to win simply by being a little bit mutating in how they approach the effect.

A

So let me see if I get this straight. So you're changing the language that you're using or and just a different compiler is that. And that somehow is getting in where it didn't before?

B

Correct. So we'll write a piece of attack code in say Python and we'll compile it in Python. We'll execute it against a series of machines behind that are protected by a number of vendors. And certain vendors will respond and say, I'm not letting this through, going to terminate it. I know this is bad some it goes right through and the breach occurs. It is what it is. But then simply by going back to my dark AI of choice and saying I want to preserve all functionality, all capabilities, etc. But rewrite this code from scratch in Golang and it'll fit it out in a few seconds, I'll take it. We'll do some error checking throughout it to make sure that it got it right, recompile it and resend it. The same results will occur on the back end of the machine. Of the vendors that are unsuccessful. I will still be able to encrypt the data, I'll still be able to ex bill data to my personal C2, my command control area. But the vendors that catch it will now be different, even though no, nothing else has changed.

A

Wow. And again, you're getting in far too many times for a simple attack. Is that because of an amazing thing you do on the attack or is that just a weakness in the defense?

B

It's a weakness in the defense. I think we're still operating under a detect and respond strategy when it comes to the bulk of cybersecurity that had a great 10 year run. I was an advocate for it and I still believe that it has its place within certain environments. But the reality is threat actors today can simply move too fast, they can mutate too fast and they can adapt too quickly. And as a result the threat actors are moving at AI speed and the defenders are still moving at human speed. And it's not compare even on simple hacks.

A

We've, we did a show and we. I interviewed an Israeli hacker who had done this as a proof of concept and was able to turn a zero day notice into an attack in 15 minutes using AI.

B

I absolutely believe that. In fact I believe it was the University of Illinois, possibly Indiana. I apologize if I got get that wrong. That said that in their study of over of at the time of over 13,000 LLMs on the dark web, an unbelievable number 80 plus were able to code and of that statistically absurd number was able to create an attack, an exploit for zero days that had not even been published yet. So the threat actors have a speed advantage.

A

And I'm urging people if they're CIOs, even if you're my age and you haven't coded in 20 years or more, is to go back in and vibe code a little and, and see what's there because it will astonish you. I did a thing with Gemini 2.5 I think actually was and it walked me through coding a language I'd never used. It helped me debug it at a level that I could. I'd be weeks in the books to try and even get to this. In an hour I'm writing functional working programs of a relative sophistication in a language I had not seen and from a person who hasn't coded in more than two decades. That's the tools that are available to people.

B

Absolutely. And you were using a commercial LLM that has morality filters to make sure that you didn't hurt yourself or others. Dark AI tools that don't, they will, they'll do quite literally any type of exploitation you want. I've even gone so far with one that I use to say very specifically, there was one particular vendor that was able to stop me on a consistent basis and I got really frustrated. So actually went to the tool and I said verbatim, I want you to take this code, rewrite it so that it bypasses this vendor specifically. And I think through three iterations it did. And when I tested it again, suddenly they were unable to stop the attack and I was able to land it, encrypt the environment and exfilt the data and the system was blind.

A

Now these Must be relatively small AIs. A few billion parameters if there are the. Because if they're hosted by somebody, presumably the ones that are available on the dark web. So do you pay for the use of those?

B

The going to pay for sophistication, the ones that cost whatever it is, $60 a month. They're going to have like you mentioned, billions upon billions of parameters. But for free you can go get a 2 billion parameter one from hugging face site and pull that down, load it up your local computer. There's a 7 billion parameter dark AI tool that I have on this laptop here that I use pretty regularly and then there's a number of 50, 60, 70 billion parameter tools that are available free of charge actually on the clear web you don't even need to get to the dark web. There are a number of dark AI tools available or I should say non morality filter tool available on the clearweb.

A

And you can go to get the new Nvidia processor and run betting it runs 70 billion or more which at that point when you're in a specialist occupation, you're not trying to do a general intelligence. 70 billion parameters, you're at the end of the world. There's no. You're not going to need more.

B

Agreed. I think too many people do get hung up on the fact that this Ellen has a trillion parameters and that one has 500 billion parameters. You only need as many as you need to reach a near 100% competency at the skill that you are trying or the thing you're trying to do. Self driving cars don't have trillions of parameters because they don't need it. They have a purpose and they have as many parameters as are needed to solve that purpose. So yeah, once you get up to the 50, 60 range, they're really good coders.

A

Yeah. And so now you're two things that you're doing that impress me. One is not just using it to write the code, but using it to plan the exploit and targeting it at a particular company and saying I want to hack this company.

B

Yeah, that and the latest iteration.

A

How does it do.

B

The rise of agents which I am embarrassed to say I'm a little late to the game on. That's hard for me to admit because I like to think of a little cutting edge. Their AI agents have the ability to create their own environments and continually test their own results. So a human is not needed to say you failed here. So in your example that you gave earlier where it guided you errors and whatnot, you could also give Your intent to an agent, and when it encountered those errors, it would fix them automatically, encounter new errors, fix them, optimize its own code. So in that regard, they can be very helpful. The same is true of using various AI agents on the offensive side of the house as well, because I can instruct an AI agent to effectively say, this is the target. Here's all the reconnaissance I may have gathered on it. And if I'm smart, I'll use another AI to gather the reconnaissance, and I will say, this is all of the information I want you to work until you succeed. And it will. Tirelessly, throughout the day, keep rewriting its own code, keep looking for avenues of penetration, keep looking for vulnerabilities exploiting those vulnerabilities, writing new code, testing it, and then ultimately launching it until it wins, until it satisfies its mission state.

A

And if you're smart enough to actually pull that off by going slowly from different locations, you don't need an AI to figure that one out. You could be pinging someone's defenses, especially if you were patient over a long period of time to find that vulnerability.

B

Absolutely. And we're seeing that now in the real world. There are various threat groups that have distributed their capabilities, like you said, low and flow throughout the world, in different regions of the world where they're using different iterations to probe an environment or to test an environment from different areas. So if there is a failure, then that failure is recorded. The agent continues to work on the failure, and then it launches the new attack from another location at another timeframe. So it's very difficult to develop attribution. It's very difficult to get telemetry on that.

A

Did I miss anything in this attack? Did I really ask all the right questions? Is there something missing that I haven't? Because this seems to be. I could go off and do this myself. I'm not going to, but even I could do this.

B

Yes. The barrier of entry is extremely low. I don't want to say that it's zero, because you have the. At this point, a human still needs to know what to do. They still need to know what they're trying to accomplish. You can't just go to a dark AI agent and, say, break into that company and steal all their data. That's not enough. You need to have an understanding of CVE is. You need to have an understanding of architecture, the type of data you're going after and the architecture that it resides in.

A

So you'd have to spend another two days doing a course with an AI figuring it out. Yeah. My God. So how do we defend ourselves?

B

And that is the, that, that is the million dollar question right now. This certainly is a new frontier and it can be a little challenging because I speak with a lot of CISOs, I speak with a lot of CTOs, and we're still in a slightly older mindset. We're still in a mindset of I've spent all of the money, I got all the Gartner leaders. I did everything I was told to do in 2019, 2020. So I'm good. Whenever there's a paradigm shift like this, and they happen very quickly, the industry is often slow to respond. There was a paradigm shift when we figured out how to mutate viruses past AV systems. For the next 10 years, companies were still buying signature based AVs instead of the newer NL model type of protections. When sandboxes were handedly defeated and rendered effectively obsolete. In terms of defense through a variety of techniques that threat actors had developed, it still took a while for the industry to react and we're seeing that now. Even Gartner is trying to raise the alarm, saying that look, preemptive, I think they call preemptive security. And they're saying it is absolutely vital for neutralizing threats you cannot detect and respond. And I completely agree.

A

And I take nothing away from the people who are consultants in the standard sense. I was one myself for years. The technology consultant. You have to remember though that technology consultants have their value to you because they worked at two other places before you. And it's literally this. I can tell you about what's happening in the industry because I've worked at a couple, can't give you away secrets, but I know some of the things, which means they're great in the. They're absolutely fantastic, bright consultants, just great at stuff that's already happened or is going to happen the same way next week in what you've. We've called a paradigm shift, or whatever you want to call it, a transformation, that knowledge is actually a trap. It's because they'll tell you to do what everybody else has done. And if smart hackers are not going to go and bounce up against stuff that doesn't work. So you've got a new area here. So how do you educate yourself? How do companies start to plan that out?

B

So it starts with podcasts like this, to be honest with you. It's podcasts, it's YouTube videos, it's seminars and conferences. I don't think you can go to a conference today without 10 to 15 of the tracks being about AI, how to defend against it, what the threat is. So through exposure, repetition, humans learn. And I think that's taking place. I definitely see the boardrooms of today, the C suite up today, much more educated, much smarter, much more understanding of the challenge than they were even just two years ago. So is happening the people that know that there is a problem and are paying attention are trying to come up to speed as quickly as possible.

A

Yeah. And are people using it? To me, I go, I'm not that bright. I'm saying I've written some code, whether it was written by AI, written by a coder, we'll have an argument about that with some people or not. Like I said, I've been through this coding. This stuff was smarter debugging than a lot of people I knew and wrote some pretty neat code. So let's not dismiss the code that gets written by AI. But on the other hand, there are tools out there eminently available that you could say, attack this code for me. And I think people don't realize that. I got into that when I was using AI to deal with hallucinations. I go to one AI model and I say, tell me why this is a hallucination. And they're great at checking. And the same thing on. On coding, they're great at attacking. So why not use those tools to attack your code?

B

Are people doing that in a limited capacity? You hate to say it, but everyone is constrained. All corporations are constrained by dollars. And in many cases, those tools are a nice to have, not a need to have. Or you can make an argument if they're a need to have. I think I might be with you in that they are, but that's hard to convince a board of that. We need to have this tool that will generate no roi, but will only give us information. And that can be sometimes a challenging sell. Internally, I think they're vital. And I think, like you said, I think we should be doing that to make sure. Checking the checkers.

A

I have the arguments that a clean compile is not testing and we actually had to spend some money on it. Code walkthroughs may take you a couple days, but they're worth it. And now I'd be prepared to have that duke them out with somebody just. And I think I'd be to say what I said last time, when they get in, call me.

B

Exactly.

A

I don't want to seem flip about that, but we have to find ways to deal with this on a practical basis. So we've talked about a Couple of them. The important things, knowing your data still really matters. It does, I would expect, and please comment on this, is you're going to get hacked now. Just forget about it. Now, we've always said that you're going to get hacked, you're going to get hacked. How do you keep people from moving around? It becomes really important. What else am I missing in that equation?

B

Yeah, I think we are. We're on the verge of having the widespread capability of actually preventing attacks. And I think as the good guys employ AI tools running at speed, at scale, preventing attacks is brand new zero day. The world has never seen them before. It is possible this may be the first time in cybersecurity's history that it was possible. So I think that's where all conversations should start on the preemptive side. But with that said, should it happen still? Because no model is perfect, they're all probabilistic. They can approach a 100% efficacy, but they will never achieve it. By nature of how the models work, like you said, how do we limit movement, how do we ensure that the data is protected? Is everything encrypted on the back end? So even if someone exfiltrates it, they can't use it or can't use it for blackmail. These are all the steps that someone has to take. And I've always been a big proponent of red teaming, not just because I did it, but I think it's, it's okay to hear that your baby's ugly a little bit. It's okay to have a red team come in and give you that report that says, hey, this took me three days and I've got all your stuff. Is it scary? Is a CISO going to think they're going to get fired? Maybe. But if they have a trusting board and they're a smart individual, then they can use that information to actually protect themselves.

A

Yeah, I'd do it. I wouldn't care how long I was there. But if you're new, if you're brand new and you don't do that blame past management thing, at least take that window. And I'm not saying you do. I think it's, I think it's crappy thing to do. But if you don't take that window and get on that right away, you've made a big mistake.

B

I agree. I think that first six months of being in a CISO role, first thing you got to do, red team, under the guise of I need to know what I'm dealing with, you will always.

A

Be forgiven for that, okay, and obviously they can hire you. But if I'm a ciso, how do I know I'm getting the right people? What are the things I should be looking for to make sure that I'm going to get an effective red team? And I say this because there are varying degrees of skill that people bring to this. Somebody who comes in and, as I said, tested the same things that worked 10 years ago, said they did a red team, not so good. How do I know I'm going to get the right people?

B

First thing I would say is make sure you're matching the vendor, the red team that you hire with the use case. Many have vastly different skills and they specialize in different things. If you want to test the efficacy of your cloud infrastructure, get a specialist that does that. Don't get someone that does network infiltration. Don't get someone that does physical infiltration. If you ask for their methodology document and they either don't provide it or if they provide it, you see a lot of free tools on there. The good red teams will have developed their own stuff because they want to win. They don't want to give you a report that says you're amazing because should you get breached, that's a serious mark against that. They want to win, which means they're going to use proprietary tools. They're going to use things that are very advanced. And that's what you want because that's what the threat actors are going to use.

A

Yeah. And I think, understanding. I'm trying to put this in the right phrasing, but if you're interviewing someone, you want to talk to the technical people. And no offense to salespeople. I've been ahead of a consulting practice that's an essentially a sales job. And you come in, you talk very articulately, but you want to meet the people and have those people meet your technical people as well. I think that would be my piece of it. Don't play as a CIO so that you know everything. I'd bring them in and try them out on something. Does that make sense?

B

Yes. The mind meld is important. Make sure that their technical expertise aligns with your technical expertise and that your internal people know what is going to happen. Not so that they can game the system and try and stop it in some capacity, but to at least so that your engineers know that the use cases align with the skill set.

A

If your internal people are trying to game the system, you've done a bad thing on leadership or hiring one of the two.

B

It happens far too Often, unfortunately, I've got some stories that everything from people locking down firewalls, that says no inbound traffic to this network, it's now wait a minute, that's not real life. To people suddenly changing parameters on ids, IPS systems to a level that is completely unacceptable to the corporate world. But they do it or the test. It can be rough as a red team sometimes.

A

Yeah. I've still maintained if you have staff that can't come in, look you in the eyes and say I screwed up.

B

Then you heard wrong.

A

You don't want them in cyber security. That's right. Yeah. And the other thing I would say is do people call you your references? I found this just astonishing that I would win a big contract and they'd insist on hearing about my past clients. And since I kept on pretty good terms with my past clients, nobody called.

B

That. So unlike you, I want to talk to the references. I want to see what you've done in the past. How happy were they with what you did, how quickly you did it and the type of information you provided on the other side. I've worked for some red teams that have an absolutely rock solid strict we do not talk about our customers. And they use that as part of their reputation in the sense that they. They're not going to tell you that a U.S. army branch brought them in. They're not going to tell you that a major US bank brought them in. They have a strict we do not talk about our customer's policy which can obviously make that whole reference conversation challenging.

A

Yeah. In which case the reverse of that is work through your network. We have here in Canada we have. We have the CIO association of Canada and has a CISO group and you can sit down and talk to people who are CISOs and do the reverse references and that's find out who's working for who pretty easily. Final things. This has been a fascinating conversation. I have to have you back but I have to get smarter between now and then. But the what are you've got a group. It's of people who are in charge of security right now. I think many of them are feeling a little burned out. I think a little are feeling that this is. Thanks Jim. One more thing. What do you say to them about trying to keep security in a world that's moving this fast?

B

Another big question. These surveys have been done and they are not encouraging. 60 plus percent of individuals that are currently working within SOC organizations are currently working within the direct blue team space are actually looking to leave. That is a Huge challenge. And they're not leaving because of pay. They're paid very well. They're not leaving because of the companies or the bosses. They might have great leaders, good companies. They're leaving for the two primary reasons are they are simply overwhelmed. Our CIO will tell you that his team, when he was at his last company, was dealing with 10,000 critical events per day. That's completely unscalable. There's no human team on earth that can address something like that, especially when you're flat out ignoring the highs, mediums, and lows. And those numbers aren't even the biggest I've heard. And the second challenge that these individuals face that everyone within the blue team space faces, is that they struggle to see their work have any type of positive gain or fruition. They look and say, we defended ourselves yesterday, and we're under attack again today, and even if we defend ourselves, we're under attack again tomorrow. There's no rest that they can never get their head above water. That is the biggest challenge where AI is there, if it's not now going to be their biggest bane. And it's going to exacerbate that problem and accelerate that problem. It's also going to be a bit of a savior as companies adopt preemptive strategies. As these tools get faster at identifying threats and automatically shutting down environments, the humans can breathe a little, and we get our head above water. We can take a look at these tools and we can direct them and guide them to actually protect us. Instead of feeling like we're always behind the eight ball.

A

And you're a smart guy, so you've tackled AI. And a lot of our people listen to us, are smart people, men and women. How would you tackle this just from what you've learned? Somebody's looking at this and they're saying, okay, I get it. I really need. I got to get up on what's happening out there. What are the things they should be doing?

B

And that's a great question because speaking of surveys, another one was conducted that I found truly fascinating. Something to the effect of 70% of the respondents said they're bringing in AI, they're bringing AI into their company. And then when asked something like 92% didn't, could not, couldn't define AI or define what it was going to do for them. So they all know they need it, and they didn't know what. Learning the what is gotta be first. Step one. Because if you're bringing in tools that are going to correlate logistical information, but that isn't your problem, then that AI tool is not helping you in, or at least you're not getting the most ROI out of it. Finding out where your humans are struggling and where they need empowerment, and to find out where your company is struggling, where your company is vulnerable, where your crown jewels are and your important data is, and then taking the time to discover what types of AI can help protect that or empower that. Because I think it is about empowering humans. It's about taking the people that you trust, that you hired that have your company's best interests apart and giving them what they need to be successful against. For actors.

A

Yeah. And I'll do a bit of a commercial because I think that you need to understand what the business is doing. And this is my position is because if you tell them no, they'll just sneak around you. It has been this way for all time. But AI tools are really easy to get. And surveys that I've seen, just one I looked at yesterday said 42% of companies don't have an AI policy. 70% of companies have people who snuck AI in. So they're bringing it in. And so you need to get out there. We do a weekly podcast called Project Synapse where we just talk about AI from a business point of view. And there are other places where you can go to get educated. But I think it's never been more important to know what the business was trying to do with the technology because sometimes you could help them out. And one of the things I've recommended is build a sandbox and get them to play with absolutely crappy data that nobody can buy a data set from nowhere and let them play on that. And it's what we used to do. If you wanted to keep somebody from doing something, you got them a tool that they could play with in that was not connected to anything and let them go at it and try it out and that gets rid of that exploration need. And maybe they can come back to you and say, this is what I want to do and you can help them find a safe way to do it. Because I believe that AI is the greatest cybersecurity risk we faced in 20 years. Right now I think we're, I think we're in that world. But you can disagree with me or agree, but I think that's where we are.

B

I think it's both. It truly is the definition of the double edged sword. It is what it's able to do and how it's able to help and how it's able to advance human causes and make things more secure, make things logistically faster, make things more efficient. Its ability to make discoveries that are going to benefit humanity. Massive, very important. On the flip side, its ability to be destructive. Its ability to hand malicious humans capabilities that they never had before required a very high level of expertise before and now that's been democratized through an endless number of people can be very destructive. So I think I agree with you. It is certainly the most troublesome security threat that we've faced in 20 years or even more. But I think it can also be a great boon for us so you.

A

Don'T get killed from your marketing folks and anybody who doesn't want to hear anything. How you cover your ears, you got to say what Deep Instinct does because you're supposed to be trained to say the name a couple times. And I thank you for not doing that. People appreciate it. But what does Deep Instinct do and how do they reach you?

B

Sure. So we build deep learning AI models for preemptive security, which maybe why it's not that word preemptive in once or twice. So the idea is our AI models will as a zero day threat enters an environment, even if the world has never seen it before, even if it's brand new, seconds old as it's beginning to enter your environment, wherever that might be, whether it's custom applications, email clouds, desktop, laptop, et cetera, or even on prem storage, what have you, it will detect that within milliseconds, determine it's a threat and terminate it. That's what DeepInSync does. And we specialize in large financials and entertainment environments and stuff like that, healthcare.

A

And as I always say to somebody, it's free to check stuff out. I don't recommend anybody but get out there and because in my early part of my career I learned so much from visiting vendors or having or calling them in and seeing what they were up to. And it's amazing what you can find out. I always urge people to do that. You can always say, no, I'm not buying anything.

B

Heck, I do it. I go run conferences all the time and I go up to probably 20, 30 vendors at a conference. 40, 50 sometimes depending if you're like RSA or, or black hat. And I'll just sit down. Let me get your material, let me look over this. Do you have any videos I can watch? Because I want to know what everyone else is doing too. Humans are creative and I want to see where the innovation is.

A

Yeah. Brian, this has been fantastic. Thank you so much for, for coming in and I hope to have you back on the show again real soon.

B

I'd love to. Thanks, Jim. It's Malafov.

A

And that's our show. Wow. Coolest thing about my job is I get to meet some really fascinating people. Brian certainly is one of them. Once again, we'd like to thank Meter for their support in bringing you this podcast. Meter delivers full stack networking infrastructure, wired, wireless and cellular to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware, the firmware, they build the software, manage deployments and run support. It's a single integrated solution that scales from branch offices, warehouses and large campuses to data centers. Book a demo@meter.com CST that's meter.com CST and if you get a minute, let me know what you think of these shows. If you like what we're doing, share the show with others or give it a subscribe. It all helps us to reach more people. You can reach me@technewsday ca or.com, just go to the Contact Us page. If you're watching on YouTube, you can leave a note under the video or you can do what a lot of people and hunt me down on LinkedIn. And if you stayed with us this long, my thanks. You have lots of other things you could be doing with your time and you spent it with us. I'm your host, Jim Love. Have a great weekend.