Maria Vermazes (12:07)

Compliance regulations, third party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear, there is a better way. Vanta's trust management platform takes the headache out of governance, risk and compliance. It automates the essentials from internal and third party risk to consumer trust, making your security posture stronger. Yes, even helping to drive revenue. And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta GRC how much easier trust can be? Get started@vanta.com Cyber.

John Miller (13:27)

John Miller is CEO and co founder of Halcyon. I recently caught up with him at the RSAC conference for this sponsored conversation about bring your own vulnerable driver attacks.

Interviewer (13:40)

We are continuing our conversations here at RSAC 2025. And joining me here is John Miller. He is the CEO and founder of Halcyon. John, welcome.

Dave Bittner (13:53)

Thank you. Thanks for having me.

Interviewer (13:54)

So before we dig into our topics here, for folks who may not be familiar with the company, give us the brief description of what Halcyon does.

Dave Bittner (14:03)

So Halcyon is the first focused anti ransomware company. So I came up with the idea that even though we're in the most sophisticated state of cybersecurity ever, the ransomware groups keep getting more ground, right?

John Miller (14:20)

Yeah.

Dave Bittner (14:20)

And so my theory was it's because everyone's too generalized, right? If you look at an endpoint, if you look at a network technology, they have to stop everything, everything in a mitre, ATT and CK framework. And my thought process was if we focused on ransomware, took apart what they were doing and tailor built an obstacle for them, their techniques, their tools, we could be more effective.

Co-Host (14:46)

Right.

Dave Bittner (14:47)

So essentially, take a look at the edges of the security landscape where there are cracks that the attackers are exploiting. And instead of trying to build something that's parity that already exists, just focus on those cracks.

Co-Host (15:02)

Right.

Dave Bittner (15:02)

Coming in with another layer, make sure the data doesn't get exfiltrated, make sure that they can't lateralize through an environment, and make sure that if they can affect availability of data, we can always recover it at a speed that's so quick, it's not a big deal anymore.

Co-Host (15:21)

Right.

Dave Bittner (15:22)

I like to tell customers that if a ransomware attack's successful and it just affects a single host and the data doesn't leave that host, and the data that gets encrypted on that host is back in like an hour, is it a big deal? And the answer is always, no, it's not. We can deal with one computer being down, it's all of them being down that turns into a big problem. So we tried to focus on that value prop, not necessarily protecting everything, but being resilient against an attack where if they're successful, you can evict them out and make sure that they never get enough leverage to make somebody pay them.

Interviewer (16:06)

Well, I mean, help me understand your approach to that problem. How much of it is looking at the individual ransomware groups and the tactics, techniques, and procedures that they use, versus looking at the menu of potential weaknesses that the users have.

Dave Bittner (16:26)

It's all ransomware groups. Okay, Right. So that's where we've really differentiated it. I like to call it attacker led growth. Right there, you know, 300, 350 different ransomware groups. And when you look at their tools and tactics and, you know, procedures, they're more much similar than they are dissimilar.

Co-Host (16:46)

Right.

Dave Bittner (16:47)

So the whole thought was it's not like defending against an apt where they have a goal and they will do whatever it takes to get that goal. Ransomware is a business. They're all about roi. So if you watch what they're doing and build the biggest obstacle for that, you break them. They get to a point where they're expending so much effort, they. They're not gaining ground. They literally just pack up and leave. Right. And that's what it's all about. Exploiting the weaknesses of the fact that ransomware is a business. And because of that, you can come at them with business obstacles and break it.

Interviewer (17:26)

As you look at the, the trending lines of ransomware, you know, the evolution of it, I, in My mind, you know, we're seeing less and less encryption and more double extortion. Is that an accurate perception?

Dave Bittner (17:42)

So I wouldn't say less and less.

Interviewer (17:44)

Okay, Right.

Dave Bittner (17:46)

What we found over the last couple years are people are more reserved in paying them. Everybody understands if you pay these guys, it keeps them going.

John Miller (17:54)

Right.

Dave Bittner (17:55)

So everyone you know is trying to get backups, do their own recovery. And what they found is, yeah, that double extortion piece of exfoliant, those files and threatening to leak them gets people to pay. They're definitely groups now where that's all they do. They don't do the lockup at all, but the lockups are still happening. And then what we're starting to see, and you're going to love this, so you add the encryption, the single extortion, then you add the data. Double extortion. Triple extortion comes next, right? Which is. So think about this.

Interviewer (18:30)

Go on.

Dave Bittner (18:32)

And what's left?

Interviewer (18:34)

What's left to extort the actual information.

Co-Host (18:38)

Right.

Dave Bittner (18:39)

So in double extortion, they have the information. They say, if you don't give me money, I'm going to leak it. Right. Triple extortion is. I'm going to read the data and make money off of that.

Co-Host (18:50)

Right.

Dave Bittner (18:50)

So imagine they compromise a giant corporation.

John Miller (18:54)

Yeah.

Dave Bittner (18:54)

And this is. Everyone loves talking about AI at rsa. What happens when you can take an entire company's email school and have an LLM read every email and then answer your questions?

Co-Host (19:06)

Right.

Dave Bittner (19:07)

All the chat logs. We're now at a point now where there was so much data that they couldn't really make use of it.

Co-Host (19:13)

Right.

Dave Bittner (19:14)

You're looking for a needle in a haystack, but with AI, it's like go through every piece of. Of hay and separate out all the needles. So I think you're going to see more and more of, you know, more attackers, more aggressive attacks, and then them trying to figure out what they can do to essentially increase the pain.

Co-Host (19:34)

Right.

Dave Bittner (19:34)

How do I get more leverage if you're not paying now? How can I make it more painful to make sure that you pay?

Interviewer (19:41)

There's a term that you shared with me that I want to be sure we touch on.

John Miller (19:45)

And.

Interviewer (19:46)

And it's bring your own vulnerable driver. By O V. D. Explain that for us.

John Miller (19:53)

Unpack that.

Dave Bittner (19:53)

All right, so before I unpack that, I. I saw a LinkedIn post this morning.

John Miller (19:57)

Yeah.

Dave Bittner (19:58)

And somebody's been going around RSA graffiti tagging, right. And it was funny because 10 years ago there was this whole, like, AB is dead. Right. Do you remember that? Yeah, I think it was one of the semantic attacks came out. He was like, av is dead. And then everyone jumped on it. What they're tagging is EDR is easily bypassable and bring your own vulnerable driver attacks are the easiest, most common way for EDR to be bypassed in a ransomware attack today, as well as APT attacks. And so what bring your own vulnerable driver is is the attackers are figured out. Instead of going out and finding a zero day and writing an exploit, I can take an old Windows driver that's still signed and valid. And in the Windows catalog, where someone's already found a vulnerability, they've already published PoC code. The manufacturer responded, they came out with a new version. But the problem is you can still load that old version.

Co-Host (21:01)

Right.

Dave Bittner (21:01)

They don't block it because if they block. Blocked it, people that hadn't upgraded yet and kill them. So what they do is when an attacker gets in, they'll actually bring a vulnerable driver with them. If. If there's one not present, they'll then load that up into the system, exploit it to get kernel privileges, and then disable the edr.

Co-Host (21:24)

Right.

Dave Bittner (21:25)

And it's something that the EDR can't really protect against. It's a problem with Windows that architecturally can't really be solved because nobody updates everything in real time.

John Miller (21:34)

Right. Right.

Dave Bittner (21:35)

And so we were the first company to come out with. How do we. What are the best ways to protect the EDR?

Co-Host (21:41)

Right.

Dave Bittner (21:42)

CrowdStrike's amazing product. It's very expensive.

John Miller (21:45)

Yeah.

Dave Bittner (21:46)

How do you make sure that it's on delivering that protection in an attack when you actually need it? And so we rolled out what we called sidekick protections, like Batman and Robin. George Kurtz is Batman. I'm Robin.

John Miller (21:59)

Young Ward.

Dave Bittner (22:00)

Yeah, I'm this Young Ward. And it's not just CrowdStrike, it's Defender. It's Palo Alto at Sentinel One.

John Miller (22:06)

Right.

Dave Bittner (22:07)

But actually watching for the signals of these attackers coming in and attacking the ER to convict them and shut them down, or if they get all of the way to actually terminating the process, be the one that's sitting there watching it being like, CrowdStrike just got disabled. Something bad's going on.

Co-Host (22:26)

Right.

Dave Bittner (22:26)

Where that level of signal hasn't existed yet.

Co-Host (22:30)

Right.

Dave Bittner (22:31)

It's very much following what the attackers are doing and trying to figure out the best way and very focused features to really defeat kind of that 80%. I always joke with my team that we have like 10 different layers of protection and we shot for 80%. And I'm like, 10 layers, 80%, that's 800% efficacy. I can live with that.

Co-Host (22:54)

Right.

Dave Bittner (22:54)

But it, it very much. I was at a talk last night and George Kurtz was talking about the, the crash, the unpleasantness.

Co-Host (23:05)

Right.

Dave Bittner (23:06)

And he was like, it was a Swiss cheese problem where there are always holes. And he was like, there was the one time where all the, all the layers went together. You could see all the way through. Right, right. So it's. How do you come in with those multiple layers where even if somebody's going to get through, you know, on the other side there's a layer. On the other side there's a layer, so on and so on. It's all about defense and depth.

Interviewer (23:28)

Well, so help me understand, you know, as a comparatively non technical person, how does it work? Are you looking at behavioral things? Are you, how do you make sure all of it?

John Miller (23:40)

Yeah.

Dave Bittner (23:40)

So the best way to think about us is we fill this spot between where an EDR ends and you have to go to backups, to recovery.

Co-Host (23:49)

Right.

Interviewer (23:50)

Okay.

Dave Bittner (23:51)

So after an antivirus, or edr, whatever, takes a look at something and says, this is good, let it run. We come in behind them and we take a second look. So we have a pre execution engine that, this is going to sound crazy, runs on machine learning models. They're just trained on ransomware. Nobody else has done that for some reason. So it goes to run, we take a look at it and say, do we think this is ransomware? If we think it's ransomware, we kill it.

Co-Host (24:16)

Right.

Dave Bittner (24:17)

If we're not sure, we'll let it run. And then we have a behavioral engine. And what we do behaviorally is we look for data exfiltration and stop it. We look for him attacking the edr, we look for him tampering with backups. And then we look for the actual ransomware encryption behavior. They start encrypting files and deleting stuff. And so if it gets that far, we'll actually stop the encryption. What really makes us unique is when that encryption starts to run, we capture and copy the keys, we tokenize them and we cache them. We don't know if they're good or bad yet, but we know they could be. So let's hold onto it for a little bit. And if it's ransomware, we'll stop it. There's a stage that comes in where there's an attacker on your network on that host with admin credentials. So we come in, we have a team called Rise. It's a 24 by 7 SoC, and in real time, right within 60 seconds, they'll start evicting that attacker. They'll start looking at what account is it using, how did it get there, Push them out, and then at the same time recover that endpoint. So we always say within minutes of getting the attacker out of the network, everything's restored. If something was encrypted, it's decrypted. It makes networks the most theoretically resilient we can come up with to a ransomware attack.

Interviewer (25:40)

Where do you suppose we're headed with ransomware? Like, what's, what's next?

Dave Bittner (25:45)

Not to a good location, I'll tell you that. The barrier to entry to ransomware is really low.

Co-Host (25:52)

Right, right.

Dave Bittner (25:53)

You said that you're not a technical guy. I could teach you how to be a ransomware guy in two hours.

Interviewer (25:58)

My retirement plan, John.

Dave Bittner (26:01)

So I, I don't know if this is a good thing to say. Belize has no computer crimes laws.

Co-Host (26:08)

Right.

Dave Bittner (26:09)

So if you want to retire down to Belize, they speak English there, run a ransomware empire, just focus on hacking Russian companies, and I think everyone will be okay with it.

Interviewer (26:17)

Yeah, I mean, I, I mean, I'm being flippant about it, but I think that's a really important point, is, is that the barrier to entry is practically zero.

Dave Bittner (26:26)

And it keeps getting easier and easier and easier.

John Miller (26:29)

Yeah.

Dave Bittner (26:29)

And so what we're seeing is the actual attackers are growing. We're getting more people that are willing to do this because, well, you're not. You might not be willing to be a hacker to go hack someone for a thousand bucks for $20 million.

Co-Host (26:43)

Right.

Dave Bittner (26:43)

Like, and if your sophistication is admin level, you can crush it. And there's no real. I mean, the FBI is doing a great job, but the problem is the majority of these people are in Russia and there's very little they can do there.

John Miller (27:01)

Right.

Dave Bittner (27:03)

So you've got all of these threat actors coming online and countries where they normally didn't have offensive cyber stuff going on before, and then on top of it. I hate to say it, but critical infrastructure, the Colonial Pipeline attack proved that you can attack American critical infrastructure. You can get paid for it, and you can get away with it.

Co-Host (27:27)

Right?

Dave Bittner (27:28)

So now we have, like, you can do whatever you want. Everyone that wants to do it can do it. It's super easy. You're going to get money and nobody's going to try to arrest you. It's full on a recipe for disaster.

Co-Host (27:40)

Right.

Dave Bittner (27:42)

I, I always used to say that security is only limited by the amount of people that have the skill and the motivation to do it right. Like a great example was when Heartbleed came out years and years ago. It wasn't like the Internet broke. And I'm like, it's, it's not, not that a thousand new attackers came online that day to exploit that vulnerability. And what we're seeing now is just a I above linear rise and the actual people that are willing to do this and have the capabilities to. And then on top of it, the sophistication of these attacks is going over kind of nation state levels now where nation states have rules, there are things they're allowed to do, there are things that they aren't allowed to do. Criminals have no rules. Right. They get to do whatever works best. And yeah, I think the next five to 10 years are going to be not great.

John Miller (28:44)

That's John Miller, CEO and co founder of Halcyon. And finally, one of the challenges of having this particular job that this podcast host has is keeping track of all of the names of different threat actors. You got your Cozy Bears, you got your Volt Typhoons, you got your Salt Typhoons. Everybody has different names for things. Well, we've been seeing a lot of coverage of a collaboration between Microsoft, Crowdstrike, Google's Mandiant and Palo Alto Networks to join forces to try to clean up this messy, confusing world of hacker group names. Joining me here is Maria Vermazes from the T Minus Space Daily Podcast and also colleague here at N2K. Maria, welcome. Hi.

Guest (29:52)

Thanks, Dave.

John Miller (29:54)

So let's dig in here. When you saw this news come across, what was your initial thought here?

Guest (30:02)

Well, the very first thing, honestly, was the XKCD comic about there are 14 competing standards. And now everyone agrees that there needs to be a new standard that covers everyone's cases. And the update is now there are 15 competing standards. So I feel like I should just paste that comic on my wall because it applies so often. It feels like a good move. I mean, it's a noble thing that they're trying to achieve and certainly they're huge players in the space, so maybe everyone will follow their lead. I'm sure that's their hope. But I have some concerns about how this will actually work.

John Miller (30:40)

Well, there's been a little confusion. I've seen some reporting interpreting this that all these groups are going to adopt Microsoft's naming conventions and Microsoft uses different types of weather for different groups. But that doesn't seem to be the case. When you look at how CrowdStrike is describing this and some of the other folks, it seems as though this is just going to be a Rosetta Stone where everyone gets to keep their own names, but we have a handy spreadsheet to cross reference.

Guest (31:14)

And good luck, everybody. And good luck to whoever has to maintain that. That's gonna be such a nightmare going forward, let alone just at the starting point. So it's. Again, I just. I have so many questions about how this is gonna work.

John Miller (31:32)

Well, as our Cyberwire editor here pointed out, Tim Nodar said that Mitre has been doing this. There's an online source called Malpedia that.

Guest (31:42)

Does this, so why not use that? I don't understand. Why do we have to make a new competing standard? I don't get it.

John Miller (31:50)

Yeah, yeah. Again, I think coming from a position of good faith and trying to address something that everybody recognizes is a problem. But is this a step forward? I don't know.

Guest (32:06)

Time will tell, Dave. Time will tell.

John Miller (32:09)

I guess I'm stuck between wanting to be supportive of everyone's good faith efforts here, but left scratching my head as to how this is actually going to change anything and be particularly helpful.

Guest (32:25)

We'll see. I mean, I'm just. Yeah, I'm just feeling a bit of preemptive pity for the person who has to maintain this moving forward to keep track of all the different group names that everyone's gonna be using. Because if it's not, just they're not coming in and saying, this is the law, everybody. Because good luck with that. Honestly. Yeah, this is what we're calling it. Everybody else, shut up. No. You know that people are going to want to put their own stamp on things. Different groups are going to want to name things their way and. What a mess.

John Miller (32:56)

Well, let me just close out by saying and suggesting to all of these organizations who are going at this, if you really want to help, and this is a selfish request, include phonetic pronunciation guides for all of these. Yes, please. Because as the people who often have to decide how these things are pronounced, you know, is it Kakbot or is it Quackbot? I don't know.

Guest (33:21)

And you put a Q without a U. How are we supposed to figure this out?

John Miller (33:24)

Yeah, right, exactly. And all the lite speak stuff and all that kind of stuff. So if you want to add something to these that could be helpful to those of us who have the responsibility of actually saying these names out loud, include phonetic pronunciation guides. We will be forever grateful and we will forgive you for the redundancy that this new standard seems to be introducing to the ecosystem. All right, Maria, thank you so much for joining us. As they say, time will tell. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August this year. There's a link in the show Notes. Please do check it out. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Hey, everybody. Dave here. I've talked about Delete Me before and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. Deleteme keeps finding and removing my personal information from data broker sites. And they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved. Knowing my privacy isn't something I have to worry about every day. The Deleteme team handles everything. It's the set it and forget it peace of mind. And it's not just for individuals. Deleteme also offers solutions for businesses helping companies protect their employees personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal. 20% off your delete me plan. Just go to JoinDeleteMe.com N2K and use promo code N2K at checkout. That's JoinDeleteMe.com N2k code N2K.