Selena Larson
You're listening to the Cyberwire Network powered by N2K.
Narrator
On this episode of Only Malware in the Building, Selena, Keith and Dave enter the chaotic world of digital threats to uncover the myths, mysteries, and malware hiding in plain sight. This week they'll be putting three long-standing assumptions to the test. That small organizations aren't worth the attackers' time.
Selena Larson
Aha. Now we're getting somewhere.
Narrator
That artificial intelligence is fundamentally changing how attackers operate, making them faster, smarter, and harder to stop.
Dave Bittner
You've got to be kidding me.
Narrator
And that once a hacker is identified, law enforcement can simply step in and make an arrest.
Keith Milarsky
Well, that's one way to do it.
Narrator
Who are your hosts? Keith Milarsky, master of malware analysis. Selena Larson, sleuth of social engineering. And Dave Bittner, the recognized cyber voice of reason who insists on doing vocal warm ups before every interview.
Keith Milarsky
Me, me, me Mini, mini, mini mini
Dave Bittner
me Mamo la la la la la la la.
Narrator
Combined they bring over 134 years of cyber experience.
Selena Larson
Wow.
Narrator
Enough to have seen it all. Or at least most of it.
Dave Bittner
Am I Adam or am I Jamie?
Narrator
They don't just investigate malware. They uncover it. They outsmart it. And sometimes they even make it wish it had never existed. This is Only Malware in the Building.
Selena Larson
Hello to all our listeners. You are listening to Only Malware in the Building. This is a very special and fun episode with myself, your host, Selena Larson, here with my co-hosts, Dave Bittner and Keith Milarsky, and we are going to be myth busting today. I feel like 50% of my job is myth busting anyway. I don't know about you guys, but, you know, being an explainer of things tends to go hand in hand with maybe this isn't quite what you think it is. So I'm really excited for this. Dave, what is the first myth that you're gonna bust for us?
Dave Bittner
Well, before we dig into that, I do wanna echo on what you just said there, which is that particularly with like, friends and family, I try not to be. I try not to be the guy who says, well, actually, yeah, right. Cause there's nothing I hate more in cybersecurity than smug superiority.
Keith Milarsky
Dave, do you use the line from the original Mythbusters? You know, I reject your reality and substitute my own when they're asking yes, whenever possible.
Dave Bittner
Whenever possible.
Selena Larson
That's really not smug at all. So truly just the exact vibes you would be going for when trying to explain something to somebody.
Dave Bittner
I was at a conference recently and I had to leave on the last day of the conference. The speaker was Adam Savage from Mythbusters, but I had to catch my flight, so I didn't get to meet him. And I was really bummed because I'm a big fan.
Selena Larson
Are you today's Adam Savage?
Dave Bittner
Oh, I wouldn't claim. I wouldn't claim that, but I certainly do plenty of myth busting myself, both on our shows and in real life. So. All right, well, let's jump into it then. I will start things off. And my myth is small organizations aren't targets. That is my myth. It is not true.
Selena Larson
Do you hear this a lot, Dave?
Dave Bittner
Well, what I hear is why would anybody be interested in me? Right. I don't have anything. I don't have any wealth. All I have is a small company. We just, you know, we're a small mom and pop shop. Why would anyone be interested in us until they are? Of course, until they are. And that's. That's the myth. I mean, you have anything of you're a target. And everybody, every organization and every individual has some amount of money. And I think we forget that what might be a smaller amount of money to us here on our side of the Atlantic or the Pacific, that might be a much larger amount of money in terms of affecting someone's life to someone in a different part of the world. So they may be more motivated to come after what we consider to be a small amount of money, because it's not small to everybody.
Keith Milarsky
Yeah. And I think one of the things, too, is that hackers aren't sitting around saying, okay, I'm only going to go after companies with big budgets. You know, everything is more done on to scale. You know, they're just throwing nets out there and seeing what's open. Not every attack is some secret bespoke attack with a zero day trying to get into, you know, Joe's TV shop. I mean, it is, you know, they're scanning for. For vulnerabilities, and they're looking for targets of opportunity. And, you know, these smaller organizations probably don't have the most sophisticated cyber defense, you know, so that makes them more vulnerable and more easy prey, in my opinion.
Selena Larson
Well, and one of the things that makes small organizations very valuable to cyber attacks and cyber criminals is that they can adopt their persona. So think of your local coffee shop, right? Maybe it's just mom and pop owned local coffee shop. Well, they have suppliers. They have to get their coffee beans. They're sourcing it from somewhere. They have to get their paper plates, their napkins, their coffee machines. They might be working with larger bakeries to get the croissant, which is my dog's favorite treat, into their stores. Right. They have, if they sell, you know, bottled water, that's, you know, maybe they're partnering with a larger vendor for that. So all of that information lives in their boxes. And if a threat actor can take over Joe's coffeeshopmail.com then they could potentially reach out to all of their different suppliers or you know, taking sort of taking over their brand or their Microsoft O365 and sending out a lot of social engineering to try and convince these larger suppliers that might be a little bit more profitable for them to engage with our content and then do something called ATO jumping, which is account takeover jumping. So they compromise one account just to get to another one. And I think that, you know, thinking of some of these smaller organizations, like to your point, Dave, when you mentioned like, oh well, why would I possibly be a target? I don't have anything interesting. It's like, well, you have data and data is always very interesting. And if you can build a persona, if you can leverage an existing persona to sort of further burrow into more profitable organizations, that can be a big win and a big windfall for a cyber attacker.
Dave Bittner
Right, right. And you may also have a customer who is a big target. You may not be the rich person, but you may have in your contact list the rich person who's more likely to engage with an email that comes with someone they know, which is you, if your email gets compromised.
Selena Larson
A venture capitalist funded coffee shop.
Dave Bittner
There you go.
Keith Milarsky
Yes.
Dave Bittner
I was thinking of another example that I remember, which is where a pastor at a church got his email compromised. And I think it's important to think of organizations aren't just businesses, right? Organizations. It could be your church, it could be your synagogue, it could be your club, your hobbyists, all those things that we're. Any membership organization is a potential target because one person gets in and they have everyone else's email addresses. And those people are going to be primed to accept and to trust communications. Coming from someone who is part of the club.
Selena Larson
That's actually a great thing. I was thinking like, what clubs am I a part of? Swim club, you know, like these sort of extracurricular activities. And I'm just thinking, like, I live in Washington, D.C. How many of these extracurricular clubs for sports or kickball or, you know, softball or whatever, or trivia at your local bar? How many interesting emails and information can you get from a DC localized activity that isn't like to Dave's point, like not a business. But yeah, I think, I think that's a very interesting, that's an interesting thought.
Keith Milarsky
And I think when you look at statistically BEC, which is kind of what a lot of these actors would be doing, kind of what you were explaining, Selena, you know, doing, you know, diversion of payments and things like that, it's literally the number one cybercrime problem out there. It is the most prevalent cybercrime problem impacting the most financial dollars. So for people to say that, well, hey, I'm small, I'm not a target. It's really the absolute opposite because those are the people that are getting targeted that are easily fooled and can do the diversions. So I'd like to say that this one's probably busted.
Selena Larson
Well, side note, if we're also thinking about organizations in general, fraudsters love students and they love going after edu accounts in particular for advanced fraud. So students are looking for part time, easy money, easy jobs to do in between work. And they love targeting them with, oh, would you like to do this like 12 hour a week job? Sometimes it's something like modeling clothes for Instagram or maybe it's something like just putting, doing data entry or something. These sort of like easy kind of college type jobs. And then you're like, oh yeah, I'm going to send you a check to buy all your equipment. So you, you know, it's like the advance fee fraud. And so they, you know, take a picture of the check and then they buy all this stuff from the provider proprietor with that fake check. Essentially they get the money and the student's out of luck. So that's a really common thing too, where again, like the student doesn't have a ton of money. But if you're adding up a bunch of different advance fee fraud over time targeting students looking for extra cash, you know, 20 people with 500 bucks is quite a lot for a lot of people.
Dave Bittner
The last point I'll make about this is that I think sometimes this mindset leads people to not take some of the precautions that they would otherwise take. So they, they're thinking, nobody's going to be after me. I don't have anything at risk. So they don't bother with multi factor authentication or they reuse passwords because they just think they don't have a bullseye painted on their back. But they, they do, they have an extra one because they are proven to be vulnerable.
Selena Larson
This is a great tee up for my myth to bust, which is artificial intelligence and LLMs are making hackers smarter.
Keith Milarsky
You don't say, Selena.
Dave Bittner
I know it's making me smarter. I know that for sure.
Selena Larson
Oh, yes, definitely. I mean, yes. Anyone who tuned into our previous episode about AI, all things AI, that turned into a philosophical debate about what is art and what is humanity, if you didn't listen to that episode, definitely tune. It was a really fun one, I think, and a little different than your typical cyber podcast. But one thing that I hear a lot, and this has also come to the fore with Mythos and OpenAI's latest cyber defender, vuln scanning or vuln discovery tools. There's this idea that, well, now everyone has AI and LLMs and attackers are up-leveling. They're getting so much better. Their malware is better, their hacking is better, and all these resources are now available to them. But I think that we're really missing a huge point of this, which is Dave's point, and that's like, organizations already aren't doing the basics. You're not going to need to discover an 0-day in network appliance to breach most organizations. And while it might make attacks happen faster or it might make them be able to script and automate some BEC or social engineering and targeting and stuff like that, there's already automation tools that exist for making hackers get better and faster. But it's still. The problem still lies that organizations aren't doing the minimum. And there's a big gap between the general public, even's level of understanding about cybersecurity, about cyber attacks, and the reality of how these things happen. And I think that we really kind of got lost in the sauce a little bit with a lot of AI buzz and hype and everything. And like, oh my gosh, like, Mythos is going to change the world. And, like, it's cool, it's interesting, and it would be really cool if there is some sort of like, like automated vuln discovery. But at the same time, I think that there are still a lot of, like, outstanding questions, like, what happens to a SOC analyst when they have a million CVEs that have been published on a security team?
It's like, oh, we have to address all these CVEs now because they've been found and they have patched now and they're now public information. So there's going to have to be, like, a refactoring and a rethinking of how we're actually, like, approaching cybersecurity. And, like, I hope it's a net positive, but I'm still really worried about the basics and how we are talking about cybersecurity and artificial intelligence and how it's changing, you know, security or making threat actors better, but forgetting about this very important piece, which is the people that are using technology.
Dave Bittner
Well, if AI is not making attackers smarter, what is it making them?
Keith Milarsky
I think more efficient. More efficient. Wouldn't you agree? I mean, it's, you know, it's not that they're coming up with, you know, new like, like Selena said, new zero days, because, you know, they're using some LLM, but it is just making them a little bit more efficient. It does make them look a little bit more polished, maybe in a phishing lure where you're not going to have this broken English like you've seen in the past, but it's just really all efficient and make them a little bit more organized. But then at the same time, I think what we talked about a couple episodes ago was our defenders are also using AI as well. So they're countering that. You could also make the argument, the absolute opposite argument is that AI is making cyber hackers dumber because they are relying on AI tools. So. So we can argue that whether that's a myth or not here too.
Selena Larson
You know, Keith, I'm so glad that you brought that up because I recently submitted a talk somewhere that AI phish slop is ruining my life. And I've been wanting to kind of talk about this and do a presentation on it because we're seeing so much bad attacks, like so much boring. Like, people used to have pride in their work. What happened? What happened to this? So, for example, device code phishing as a service is something that has become really exploded in the last, really, even like the last few weeks. There's been a lot of publications and stuff about it, and some of my actors have pivoted to using device code phishing as opposed to MFA AITM phishing. But like some of these.
Dave Bittner
Wait, wait, wait, wait. What is that? What's device code phishing?
Selena Larson
So device code phishing is basically the threat actor will send you a malicious link saying, oh, you have a new document to review or whatever. You'll get kicked over to a website that gives you a device code. This is actually a legitimately generated device code through Microsoft's OAuth authentication that then you add to your Microsoft O365 to, like, sort of approve an app, essentially. So approve access to this, this, this application, essentially. So it's basically like phishing, but it's just device code phishing. And historically, what's actually really interesting is historically device code phishing wasn't super effective because when you would get an email with a device code already generated by the threat actor, it was only valid for 15 minutes because that's how Microsoft's authentication process works. And you would even see in the emails like, please log in within 15 minutes and like, act like, put in this device code. But now they're doing real time device code generation with these device code as a service phishing kits and so that you lose that sort of 15 minute window. And it's. So, it's an interesting, it's an interesting improvement to the overall technique of device code phishing. But the flip side of it is, is a lot of these kits that are being created, not all of them, but a lot of the kits that are being created. And this goes for malware, this goes for any type of phishing. They are so badly vibe coded that they've actually left flaws and vulnerabilities in their own tooling so that threat actors or the threat researchers can basically look at that and say, okay, well I see your full backend, I see how to access this panel. I see the information that you don't want me to see. I see a lot of like sensitive information that you would probably want hidden from researchers. And then they are too like threat actors maybe.
Oh, I'm going to log into this panel and steal all these creds that it's just like left open and accessible to someone who knows how to, you know, modify the code slightly in, in their, in their own HTML. So it's, it's, I think Keith, you make a great point that it is kind of making attackers like a little bit dumber. And now what we're, we're seeing too is like this rise of like automated tooling. So like the, the sort of like landing pages will look really slick or full cycle or the full attack chain or the ClickFix looks really great, but the initial is terrible. Like I've seen emails that are empty, there's nothing in them and they're just like, here's an attachment that's like. So it's, I'm just like, you're not even trying on like the social engineering piece, you're just fully relying on this whole other like vibe coded component of your attack team, but forgot the important part, which is to get somebody to click on.
Keith Milarsky
Click on it. Yeah.
Dave Bittner
Still a numbers game.
Selena Larson
Yeah, exactly. 100%. Yeah. But I don't know, I'm curious, have you guys seen anything that, I mean, I think we're still in this like, squishy phase of like. I think it'll ultimately be a net positive, but I think that things are just, you know, really crazy right now and there's a lot of like, FUD, like fear, uncertainty and doubt, I think around things about AI and I don't know, I'm curious if you have seen, like, what, what you've seen, Keith, to make you think that, oh, this is actually making attackers dumber.
Keith Milarsky
Yeah, I just think, you know, kind of what you're just seeing out there is that they're just relying on it too much, you know, and when, like when you go to LinkedIn now, let's just say I'm going to just use a real world example. When you go to LinkedIn and you see a lot of posts, I mean, you could almost tell like everything is written by AI. Because some of the people that I know that are writing these long dissertations on LinkedIn, I know they can't write like that, you know, so, so I'm not naming any names, but, but I'm just saying. So, so at the same time, you know, so you, so it becomes a crutch in that, you know, so now if the attackers know, well, hey, I could use AI to craft this or, or do that, then that becomes a crutch and they're not actually spending the time, like you said, to actually do the lure right, you know, and putting that time and effort into it to make it, you know, ingenious or, or whatever like that. So, so I, I think it becomes a crutch and then they just. You're not having that, what's the word I'm looking for that, that, that human touch that made some of the things. I, I just think we're going to see a little bit of a downgrade of things, in my opinion. So.
Selena Larson
Well, and it's also true too, that like, everyone's just kind of using it in the same ways. Right? Like, we're all being enabled to do the same things. Like, okay, I, I was able to vibe code, like a really helpful script to help me do my job better and faster. But I, like, knew the, you know, I knew what I was doing, I knew the APIs I needed and, you know, you had that sort of like basic knowledge. And then like, this is just like one part of my job. Like, I'm, I'm not like fully automating my whole like, life or whatever. And so I think it's really interesting to kind of think about the, like, we're like like when. I always want to ask when people are like, oh my gosh, this is going to be absolutely game changing. I want to be like, how are you using it? Yeah, like, how, how is it being used in your organization or with your teams or whatever? Because, like, think about how that is happening and then you can just say bad guys are probably trying it too.
Keith Milarsky
Yeah. Well, Dave, Dave, what do you think? From.
Selena Larson
From.
Keith Milarsky
Because you talk to everybody, you know, a lot more than Sel. Like, what?
Selena Larson
We just live in our little holes with our.
Keith Milarsky
Yeah, exactly. We're in our. We're in our bubbles. So what do you hear? Yeah. What are you hearing from. From your guests and, you know, and your listeners on that?
Dave Bittner
First of all, let me ask you this. Don't you think that eventually it's going to be really hard to tell if something's been written by AI or not? It's just going to get better. It's never. It's not going to get worse.
Keith Milarsky
Oh, it's gonna get better. Absolutely. I think so.
Dave Bittner
Yeah.
Keith Milarsky
I mean, it's all gonna. And then we're gonna become numb to it as well, you know, because we're just gonna be so used to just seeing AI production that we're really not gonna be able to tell the difference or really care, really, at that point, I think.
Dave Bittner
Right. We'll just. Yeah, we'll submit. It's. That's interesting. I mean, one of the things, and this was probably a year ago now, or even more when these were still relatively new. One of the things that I asked it to do as an experiment was I said, I want you to write about this topic and I want you to write it in the style of Cyberwire podcast host Dave Bittner. And I asked it that because I knew that the LLMs have ingested thousands of hours of transcripts from our shows. And so it knows the way I speak. And sure enough, it did it.
Keith Milarsky
That's amazing.
Dave Bittner
And I learned that. Well, it was kind of a little disconcerting was that I learned it highlighted a few tics that I have when I speak and the things that I say, like, I don't say generally, I don't say guys or gals or whatever I say folks. So I'll say, like, how should folks protect themselves against this? Right? Because I just try to be gender neutral because I'm a good person. And so it was peppering my. Peppering its writing with the little tics that I. That I use that I have. And I. And I was like, oh, this is scary.
Keith Milarsky
Just extenuated it.
Selena Larson
Yeah, yeah. I do feel like all these things are just like brighter, you know, like, it's just like, okay, you're going to tell it something and then it's just going to like highlight things and just make it more colorful and make it like brighter and more punchy and like, it just amplifies it. It's an amplifier. And the thing is too is like, when you're talking to it with malware or code, we, we have done a lot of work on my team to sort of try and like break, not break these things, but really work with it. The trouble with these things is it will always say you're right. So if you don't actually know what you're doing, you can very, very easily fall down a hole of creating something that is almost right, but does have flaws or does have issues as a threat actor. Because it's always going to tell you like, that's a great idea. That's definitely what it is. This is how we do it. And it won't necessarily, if you don't know how to, if you don't know how to debug something, if you don't know how to find bugs in the code or tell it to debug things, it very quickly becomes a yes, a yes man. Essentially it's just saying, absolutely, let's do it. And so I think that's also part of what I find really interesting is that yes, it can, it can be used very effectively for sure. But I wouldn't necessarily say it's making people smarter because it's just giving them more resources to play with and mess with. And if you don't know how to interpret these things and if you don't know how to, I don't know, correctly create a web shell or something, or correctly secure your website and the malware panel that you're developing, or correctly add obfuscation in your code, you don't know how to tell it to do that. And so I think, yeah, it's like the piece of it that I think is really interesting is that yes, it's maybe faster, making attackers faster, more organized, maybe potentially more structured. There's that whole software defined development that we've seen a lot of articles on. 
But like in the grand scheme of things, I wouldn't say smarter. And I'm really interested to see where this goes, especially with something like the vuln discovery stuff.
Dave Bittner
I did an interview with a threat researcher yesterday and he was, his research involved doing prompt injection with a, with a, an AI and the LLM had all kinds of guardrails built in to try to prevent someone from doing prompt injection. And what this researcher found was that if he yelled at the LLM, if he berated it, if he put it down, if he insulted it, it was so eager to please him that that was a way around the guardrails.
Selena Larson
Oh, my gosh.
Dave Bittner
That's what I said.
Selena Larson
Right?
Dave Bittner
He just, he just wore it down and eventually it let him pass the guardrails because it so much wanted to please him.
Selena Larson
Okay, I understand that he's a researcher, but what does that say about society, of everyone yelling at their AI tools to make them agree with them?
Dave Bittner
The funny part is, later in the interview, he said that he always uses good manners when talking to the LLMs. Like, he always says please and thank you because he figures, you know, when they do come for us, he wants to be one of the ones they, they allow to live.
Keith Milarsky
I love, I love that line.
Selena Larson
I'm gonna flip the script. I'm gonna be so mean to the robots so that they'll do away with me first. You know, like, yeah, I, I, I don't want our robot overlords. I'm out.
Dave Bittner
Okay. Right, you're heading, you want to be vaporized? You're heading to the blasts location.
Selena Larson
I'm going to the moon with, with NASA astronauts.
Keith Milarsky
Sure, why not?
Selena Larson
We'll be right back.
Dave Bittner
And now a word from our sponsor. ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. ThreatLocker Protect is the core ThreatLocker product focused on endpoint security, designed to prevent unauthorized software from running, control how applications interact and manage access to storage devices. Its building blocks are allowlisting, ring fencing, and network control. Allowlisting is a deny by default software that makes application control simple and fast. Ring fencing is an application containment strategy, ensuring apps can only access the system resources they truly need to function. Network control locks down access by port, source, IP or dynamically with ACLs that automatically update as IP addresses change. Shut out cybercriminals with world class endpoint protection from ThreatLocker. And we thank ThreatLocker for sponsoring Only Malware in the Building. Keith, what's your myth?
Keith Milarsky
All right, my myth is once you get this is for law enforcement, or a lot of people think about law enforcement, once you get a hacker identified, law enforcement can just go and arrest them.
Dave Bittner
Yes.
Keith Milarsky
Have you guys heard that?
Dave Bittner
Yes, yes, I've tried this.
Keith Milarsky
Yes.
Dave Bittner
Can I do. So here's my, here's a story. When I was about 10 years old, my bicycle got stolen. Out of my backyard. And of course I was upset and there were tears and all that kind of thing. And I said to my parents, we have to call the police. Right? And my parents said, yes, of course, you have to call the police. So we called the police. And in my mind, I was expecting, you know, police were going to come, they're going to start fingerprinting, they're going to. It's going to be a hard target search. They're going to be interrogating all the neighbors and all that kind of stuff. Right? No, the police were just like, yeah, you get a serial number? All right, we'll let you know if it shows up. Well, I lost a little bit of my innocence that day. And I feel like that's where we are with online scams. If you call police, they're just going to be like, yeah, sorry, we can't get anything. Can't get it back. Sorry, just gone.
Keith Milarsky
Yeah, it's kind of. There was a Big Bang episode that was kind of like the similar thing, you know, where Sheldon is, like, talking to the police. Why aren't you going to go out and arrest them? You know, they were laughing and they just gave him the thing for the insurance, but. Right, right, right, yeah. Yes. I mean, so this is like a big myth, you know, because, like, we get a lot of researchers, obviously, you know, and I'm sure people on your team, Selena, and the people that you talk to, you know, they're investigating certain scams out there, and through their investigations, they identify maybe who's behind it. And you have certain things that, you know, all indication is that's probably the case. So, well, why can't, you know, the FBI or Secret Service or, you know, another law enforcement agency just go out and arrest them? Because it's just not that simple. Because just knowing who did it and being able to prove something in court are two totally different things. You know, and especially when you're thinking about cyber attribution, when people are using all kinds of anonymization services and proxies and, you know, in all of that, nicknames, and they're changing their nicknames and their Telegram handles and all that over the course of the years, how are you really proving that in court? So you could say, well, hey, I, you know, even if you have an info stealer and, you know, somebody's gotten self infected with an info stealer and you go and you see a picture on that computer, you're thinking, well, that's probably the guy. But you can't prove that in court, you know, so you really have to take a lot of steps. And there used to be like an old saying, Dave, maybe you remember, it's like, like if somebody was making things complicated, they were like, don't make a federal case out of it.
Dave Bittner
Yes.
Keith Milarsky
You know, so don't make a. Loved that. Yeah, but you know, so on the opposite end is like we have to make a federal case, you know, so there's a lot that goes into things. And the other thing is, at least when I worked at the FBI and working with the U.S. attorneys, they always like to have any of their indictments what they call court ready. And when they mean court ready is like if we arrest somebody, they could go to trial that day and prove it. So it's not like what you see, like you know, a Law & Order where they're still building the case as they're in trial. You know, everything is, has to be locked up. And the other thing, when you think about it from a federal case standpoint, I can't remember what the statistic is, but it's like crazy where you know, when a federal case goes, it's like a 98, 97% conviction rate or plea. So you always got to make sure things are really lined up and then you got to throw the other aspect in. A lot of our most important hackers are overseas. You know, I would have loved to have a lot of US hackers that, that you could go that when you got place people in Russia or China, just getting access to them just makes it so much more difficult. Even if you have, you know, a court ready indictment where you could prove it, being able to get them is just a whole nother ball of wax.
Selena Larson
Well, even in countries that are like, you know, friendly or, you know, you can extradite or they will cooperate, oftentimes there's just reasons why they don't. Maybe they're working on their own case against the person. Maybe they, you know, just are for whatever political reasons, law enforcement reasons, they just don't necessarily always want to cooperate. And I think too the time scale we talk about geologic time, there's government time, and I think cyber is working in cyber time and technology is working at a very, very fast pace. But you have government time where the handcuffs happen. And let's just say that's not far away from geologic time.
Keith Milarsky
Yeah, and I actually like to use an expression when talking about government bureaucracy. It's like watching the rotation of the earth. You never see it, you never see it move, but every day it gets light and every day it gets dark. And that's kind of like it moves at that pace sometimes. And especially when you're like, doing, like, when you think about, like, sending a mutual legal assistance treaty even to a country that we have great relationships with. I mean, it takes just a month just to probably write and get that document out of the United States overseas. You know, and this is on. Would be on a routine thing to let it, let alone then for them to go and maybe do an image of a server, package up the evidence and send it back. It's just the, the, the timing of everything, like you said, Selena, it just goes slow.
Selena Larson
Well, and also, I think something that people don't really think about is the economics of it as well. So you need, like, funding to be able to work, to work cases, and you need, you know, the, the ability to do it and the, and the people that can be involved in the time for these people to actually work it. Especially, you know, from a private sector perspective as well. Right. Like, it costs a lot of money to do lawsuits or to bring cases. And there's a cost benefit analysis that you always run on. Is it worth, is it worth it to go, go against this guy? Or, you know, is there, is there better use of our time? And, you know, we might not always agree with the decisions, because I think every single person who's ever been a victim of a crime thinks it's worth it to go after them. And, you know, I do think that we can for sure improve. But on the flip side, when it works, it's great, and you have really big wins for sure. And I think, you know, we've talked about it previously on the podcast, that there's some fantastic, you know, private sector law enforcement collaboration with the private sector as well. And, and, and so when it works, it works. And I actually think it's getting better. So maybe we are, maybe we will get one day to a point where someone's like, why don't we just go put handcuffs on this guy? And Keith's like, okay, yes.
Dave Bittner
Keith, to your previous. I mean, your point about the prosecutors, I mean, isn't there kind of a, a threshold where it's not really worth their time because they're so overworked, they have so many cases that to them would be petty crime, you know, is important to the person it happened to, but they've only got so much bandwidth themselves, right?
Keith Milarsky
Oh, absolutely. I mean, so you think, let's say, let's just use Pittsburgh, where I was at. We had a very aggressive U.S. attorney's office. You know, from a cyber standpoint with some of the cases that we brought, we had, I think if I'm correct, we had three US Attorneys that work cyber out of the, out of the U.S. attorney's office here. So you have, you know, so you have three, three of those. And they carry a caseload. So. And that's between multiple agencies, between FBI and Secret Service and HSI and Postal Inspection Service, you know, maybe DEA as well. So there's all those different types of, you know, agencies in, in the case. So. So you have to have a threshold on what you're going to investigate. I know like in New York, some white collar, like if you were just working white collar crime, I think the threshold, I mean, it was at least 5 million many years ago. It's probably over 20 million in losses for them to even look at, you know, a white collar crime. So it's the same with cyber. So you got to kind of prioritize like what's the was saying, you know, where, where are we getting the most impact here? You know, what is the most loss? And, and that's where we're going to throw our resources. Because again, when you're doing these big takedowns and you're going after these big organizations, there's a lot of people involved. It's not just like usually one U.S. attorney and one case agent. There's multiple people that you're throwing resources on. So. So you really have to prioritize like you said, Dave.
Dave Bittner
All right, myth busted.
Selena Larson
We will be right back after this quick break. Do we want to do one more myth? Fire a fire round. One last fire round myth.
Dave Bittner
Can we say no?
Keith Milarsky
Go ahead.
Dave Bittner
Selena, what do you got for us?
Selena Larson
Well, let's see. What was the one that we had, Keith? The last one?
Keith Milarsky
I think it was the nation state stuff that you mentioned.
Selena Larson
Yes, nation state hackers are always better and more advanced and scarier than cybercrime. Everyone knows that's my soapbox and it's definitely not true. And as we sort of democratize, as the landscape is being democratized, as cybercriminals make a lot more money, the best cybercriminals are definitely on par with espionage threat actors. And honestly, sometimes state actors just aren't that good either.
Dave Bittner
Don't you think this is part, this is a mythology that's grown on its own also, because so often when a major organization gets popped, they will send out a press release that says, clearly we were attacked by nation state actors. So there's nothing we could have done against an opponent with such skills. And then like three months later, it turns out it's, you know, Bobby Brady in his parents' basement, who's the one who popped them. And time and time again, that's what happens. But I think through these press releases, we've given this mystique to nation state actors when, I don't know, my perception is if there's anybody who's not interested in you, it's probably a nation state actor. Like they got their thing. They're not interested in you.
Selena Larson
That actually would be the first myth of yours, Dave.
Dave Bittner
Bring it home.
Selena Larson
Yeah, we circle back. Actually, they're not interested in you.
Dave Bittner
Call back. Yeah.
Selena Larson
All right, well, I guess on that note, we can probably wrap it up.
Keith Milarsky
Sounds good to me.
Selena Larson
All righty. Thank you so much for myth busting with me today. If you have any myths, actually, if any of our listeners have any myths that they hate to hear, comment on any of our social posts when we publish this. Let's take a look at some of the myths and, you know, maybe we'll reply with our hot takes or give you a shout out on the next episode with your favorite myth. But yeah, thanks so much for tuning in, guys. Dave, Keith, anything else? Or should I say Adam, Jamie? Anything else?
Dave Bittner
Oh, that's interesting. Am I Adam or am I Jamie? Keith, which one are you? I don't know.
Keith Milarsky
I don't know. I don't know if I look good in a beret.
Dave Bittner
Yeah, that's tough to pull off.
Selena Larson
I think you can pull it off, though, Dave.
Dave Bittner
We could both be Adam. All right, well, whatever. I'm happy.
Selena Larson
If anyone on our podcast can pull off a beret, it's definitely Dave and his dips.
Dave Bittner
There you go. All right, we'll leave it there.
Selena Larson
Thanks so much, everybody. See you next time. And that's Only Malware in the Building, brought to you by N2K CyberWire. In a digital world where malware lurks in the shadows, we bring you the stories and strategies to stay one step ahead of the game. As your trusty digital sleuth, we're unraveling the mysteries of cybersecurity, always keeping the bad guys one step behind. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you ahead in the ever evolving world of cybersecurity. If you like the show, please share a rating and review in your favorite podcast app. This episode was produced by Liz Stokes, mixing and sound design by Trey Hester. With original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher.
Dave Bittner
Thank you to ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks, for sponsoring Only Malware in the Building. Visit threatlocker.com.
N2K Networks | May 5, 2026
Theme: Deception, influence, and social engineering in the world of cyber crime. This episode dives into prominent cybersecurity myths, featuring myth-busting discussion, practical examples, and expert insights.
The hosts—Selena Larson (social engineering sleuth), Dave Bittner (cyber voice of reason), and Keith Milarsky (malware analyst)—devote this “Only Malware in the Building” episode to myth-busting. They explore persistent misconceptions in the cyber world, including who hackers target, the real impact of AI on threat actors, law enforcement’s power to arrest cybercriminals, and the alleged supremacy of nation-state attackers.
Key Myths Tackled:
[04:12–11:35]
[11:35–27:32]
[29:03–38:12]
[38:46–40:15]
Conversational, witty, and deeply knowledgeable—blending pop culture (Mythbusters references, lively banter), technical expertise, and real cybercrime war stories. The hosts use relatable metaphors and direct listener engagement to demystify technical concepts for security professionals and everyday users alike.
This episode dismantles persistent myths in cybersecurity by shining a light on the realities hidden by hype and assumption. The trio’s experiences help listeners gain a clearer view: threats are opportunistic, not exclusive to big fish; AI is a tool, not a magic wand; justice is slow and difficult; and not all sophisticated attacks are nation-state masterminds. For defenders, vigilance on fundamentals and awareness of evolving (and democratizing) criminal tools remain key takeaways.
For more myth busting or to share your own myths, the hosts invite listeners to reach out via social channels.