Lawrence Pingree (14:49)

It harkens me back to when I was at Gartner. So I introduced some of the concepts in generative AI, specifically generative AI runtime defense. And I think everyone knows now that AI has an upside and a downside. Right? It's basically dual use technology. And in being dual use, it can be used for defending and it can also be used for the offense and the lay of the land in terms of AI is over the last 18 months we went from the introduction to, you know, the market of, you know, ChatGPT and know, the GPT craze. And over the last maybe six months, you know, we've been transitioning into the AI agentics and AI agents. And this is giving rise to, you know, lots of integrated software use cases. And so what's really, you know, I think both fascinating as well as, you know, a bit scary is that the attackers are now capable of leveraging AI. Obviously there was a big scandal yesterday about the new model out of China. And it was always my belief actually that the open source GPTs would eventually win the race because open source generally wins over time. But we've gone into this phase where software can be hyper powered by Agentix. And what's happening is the broad distribution of models, the various use cases, they're getting better and better. We went from simply chatting with an AI and getting really kind of wonky results sometimes and good results other times to now where the error rate or the hallucination rate in AI is roughly maybe one and a half percent, you know, in the larger, you know, foundational models. Which means they're better at what they do. Right. And a lot of people don't realize that the technology behind the scenes, they created entire towns out of AI and Agentix. Right. So they had little creatures running around throwing parties, telling where people wanted to go for the party. They have some pretty amazing superpowers. When you use Agentix, what are some.

Dave Bittner (17:25)

Of the areas that you are specifically concerned about that you think security professionals should have their eye on?

Lawrence Pingree (17:31)

I mean, there's. When I started doing research into AI at Gartner, I was really concerned about this notion of an arms race between the attacker and the defender. And what I mean by that is if you're using ML or if you're using These advanced AI models to both defend and to do offense, it's kind of an arms race, you're in this race condition. And my worry, at least back then, was that the attackers would readily be able to use these models to generate malware hyperscale attacks with multiple dimensions in multiple domains. So for example, rather than just simply pulling up a port scanner like NMAP and then having to go grab tools and compile them that the attackers of the past had to do, we have hyper automation that's possible to do multi stage and multi step attacks. And the other thing I was concerned about is all of the breached data out there being used to contextualize attacks down to the individual level. Right. So if you look at like the phishing attacks of, you know, five or six years ago, they were generally pretty easy to figure out, right? You know, mouse over it, you could look at the URL, you could see that it was kind of broken English or broken other language. And today now we have, you know, contextualized based text messages coming to us with our family, our co workers, names in them, maybe using your boss and saying, hey, you know, this is a CEO, I'm trying to reach out, I need you to do something. So it's gotten a lot more advanced and contextualized and at the same time that, you know, that historical error prone phishing email looks like it's real live people sending a message in native languages.

Dave Bittner (19:43)

What are your recommendations then? I mean, for folks who are interested in exploring this, what's a good way to begin?

Lawrence Pingree (19:50)

I think that when it comes to the tech provider community, well, first of all, you can start looking for preemptive cyber defense technologies. Dispersive does it at the network layer. We randomize traffic, we randomize keying, and we have preemptive measures of hiding the attack surface which differentiate us. But the idea behind preemptive cyber defense is that it can be applied in many different layers. It can be applied in software to randomize parameters that are being used for an application so that script kiddies, when they go out to various databases like exploit DB or something, they can't just use it, compile it and it works. That's the static realm that we're in today. We need to be able to prioritize things like defense within the endpoint operating system. Randomizing memory better, you know, making it, you know, kind of neutering these attacks with the preemptive measures and you know, to rotate back into, you know, the things like AI. You know, these kinds of attacks are possible because AI's greatest superpower is that it models things. Right. And how do you defend against modeling? You have to randomize. So just to illustrate this, if we were on, again, the battlefield, which I think of the cyber war as the battlefield, a moving target is very difficult to hit. Okay. So you ask any soldier, if somebody's standing still, it's easy to hit them and they start running. It's harder to hit them if they start running randomly and changing direction. Up, down, left, right. You know, then it becomes an NP hard problem.

Dave Bittner (21:36)

Right.

Lawrence Pingree (21:37)

So you need to understand that randomization is the Achilles heel of modeling, and that's really the superpower of preemptive cyber defense, or at least one of them.

Dave Bittner (21:48)

Is it fair to think of this, at least in part, as kind of making it so that you're not the low hanging fruit? In other words, you know, if you're doing preemptive defense, there's no, there's no silver bullet, right? There's no 100% perfect thing. But if you're doing this and someone else isn't, I guess to your analogy, you're the person running around zigzagging while the shop next door might be running in a straight line or even standing still.

Lawrence Pingree (22:16)

I think you're spot on, Dave. I mean, so one of the problems is. And then I'll just talk about what we see. Over the last 18 months, you've had what, Palo Alto firewalls be owned by the Chinese backdoored. I mean, a lot of those firewalls are configured to be able to do man in the middle inspection of traffic. Nothing wrong with that. But the problem becomes, then the Chinese can literally snarf your packets, your credentials right off the wire and go use them. Right? Same thing with Fortinet. We've had a big. You know, there was a big story the other day on Fortinet where the configurations could be accessed and downloaded by threat actors. And I think the vulnerability existed from back in 2022. The other big thing that people forget is that whether it's a zero day or a disclosed vulnerability with a patch, that vulnerability likely existed in all of history as long as that code existed. Right? And so if we don't think that threat actors are literally stacking a huge list of zero day attacks that they don't want to ever give to anybody, we're lying to ourselves. Right? So we have to start taking preemptive measures. So, for example, if you want to prevent a firewall attack, you have to hide the management plane, right? So you need to separate the control plane. And the data plane. And some of you have probably heard this, but what that means is your management should be done elsewhere, right? It should be in a protected environment separate from data transactions. The ideal attack surface is one that doesn't exist, right? And in network security land, if we look at the standard VPN technologies like SSL or IPsec, you know, the sad thing is that most of the time even service providers do this where they configure them in such a way that basically people can roam around the whole planet and still get to that port or that protocol. And that's for flexibility, agility, all of that. But the problem is that exposed attack surface becomes the next zero day.

Dave Bittner (24:30)

That's Lawrence Pingree from Dispersive. We'll have a link to their recent report in our show. Notes.

Lawrence Pingree (24:45)

Foreign.

Dave Bittner (24:51)

And now a message from our sponsor. Zscaler, the leader in cloud security enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year over year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security Zscaler Zero Trust AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement connecting users only to specific apps, not the entire network continuously verifying every request based on identity and context simplifying security management with AI powered automation and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more@Zscaler.com Security.

Troy Hunt (26:07)

This episode is brought to you by Shopify. Forget the frustration of picking commerce platforms when you switch your business to Shopify, the global commerce platform that supercharges your selling. Wherever you sell with Shopify, you'll harness the same intuitive features, trusted apps and powerful analytics used by the world's leading brands. Sign up today for your $1 per month trial period@shopify.com tech. All lowercase, that's shopify.com tech.

Dave Bittner (26:42)

And finally, Troy Hunt, the mastermind behind have I Been Pwned? Is on the verge of banning resellers. And honestly, who can blame him? Have I Been Pwned? The go to site for checking if your email has been pwned, stolen and floating around the dark web offers paid API access to bulk check data breaches. But some crafty resellers have been buying the subscriptions at doll1100 and flipping them and doubling the price. Worse, despite making up less than 1% of users, resellers account for 15% of support tickets and take five times longer to assist. Frustrated with endless pricing disputes and bizarre refund requests, Hunt says he is very, very strongly inclined to kick them out. He's still mulling over a solution, maybe automation to save. Have I been pwned from reseller induced headaches while keeping legit customers happy? Stay tuned. And that's the Cyberwire. For links to all of today's stories, check out our daily brief briefing@thecyberwire.com a quick programming note we will be observing Washington's birthday in the US this coming Monday. Have no fear, we will have some great content on your Cyberwire Daily feed. While we're out on our publishing break, be sure to check out Research Saturday and my conversation with Nati Tal, head of Guardiolabs. We're discussing their work, deception ads, fake captcha driving, infosteeler infections, and a glimpse to the dark side side of Internet advertising. That's Research Saturday. Do check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our Executive Producer is Jennifer Ivan. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.

Troy Hunt (29:30)

Hey everyone, grab your favorite mug and put the kettle back on the stove. Because afternoon cyber tea is coming back this season, I am joined by an all star team of thought leaders and industry experts to dive into the critical trends that are shaping the future of cybersecurity. We will explore how these technologies are revolutionizing the way we work, the way we live, and the way we interact with the world around us. And as always, we will be bringing you thought provoking discussions and fresh perspectives on what is driving the future of cybersecurity and what leaders can do now to protect their teams. Tomorrow, new episodes will be coming to you in February every other Tuesday, so Subscribe now, wherever you get your favorite podcasts.