A
Hello, everyone, this is Tom Uren. I'm here with another Risky Business News sponsor interview. I have with me today Damien Luke of Nebulock. Damien is the founder and CEO. G'day, Damien. How are you?
B
G'day, Tom. I am well. How are you?
A
I'm very well. Nebulock makes AI agents that do security work. Is that a fair one-phrase description?
B
Yeah, I'd say AI agents that automate threat hunting and detection engineering, but it all is security work at the end of the day.
A
Okay, great. So one of the things that I found very interesting a couple of months ago was the OpenAI, and, well, in this case, Anthropic, threat report. Both companies have produced threat reports where they've talked about what threat actors are doing on their platforms, how they're using AI and what they're doing. And it's quite interesting. I think Anthropic's was the most recent that I've seen, at least, and the evolution is quite rapid. I'm wondering, from the perspective of someone who's trying to use AI from a security point of view, you must have read that report. What did you think? What did you take out of it? And I guess later on we'll get into what you do about that.
B
Yeah. It is an unsurprising but shocking realization to understand not just how fast bad guys have figured out how to use AI, but truly the breadth of capabilities. Right. Anthropic did a great job, and I think this is a great piece of technical writing, because these are a bunch of different threat actors and threat groups, one of which they actually classify themselves, the cyber extortion cybercriminal gang GTG-2002, along with Chinese nation state and North Korean remote work fraudsters. Just the speed and scale. So what I really took out was, you know, it's not just that people are using AI to automate the entire kill chain, right, to accelerate the velocity and veracity of tailored access operations, but that everybody's doing it and they're doing it really, really fast. One thing that I really took out was not just that people who knew how to use AI used it, but they actually called out one particular North Korean threat group that relied on AI to carry out their entire operations.
A
Yeah, yeah, you remind me that in the report, it had a part where it said that basically these North Koreans were so technically inept that they were, like, asking it how to use Outlook.
B
Yep.
A
But that spoke to me about opening the aperture of threat actors, opening the number of threat actors who could potentially do something damaging. So one of the things you mentioned is that threat actors are very quickly incorporating AI into their attacks. I guess you would have the security perspective. How quickly do you think defenders are picking up AI? I mean, I guess you've started an entire company to do it, but yeah.
B
I would say it's an ongoing process. Right. I feel that there are very tech-forward-leaning organizations, but based on what I've seen in the market, and also just general privacy regulations and tech adoption, particularly at large enterprises that buy in three-to-five-year cycles, we're still at the very, very beginning in terms of widespread AI adoption. And I think, quite frankly, a lot of it is that a lot of people like to talk about using AI. When it comes to implementing it, that's a much scarier prospect when you give a system that you don't truly understand access to everything. I think people are much more reticent about that.
A
Yeah, I guess the privacy thing is an interesting one, in that there's a lot of, I guess, very reasonable and understandable concerns that you have to address. But that just means it takes time. Whereas for a threat actor it's, I don't care about privacy. Yeah, I don't have any red tape to try and figure out. And I guess also from a threat actor's perspective, it's like they can see the pot of gold at the end of a rainbow, and the rainbow's not even that far away. Whereas from a defender's perspective it's that, well, you know, if I employ AI, there was that survey where, you know, most projects fail. And so I guess you must be trying to counter those kinds of understandable but annoying impediments all the time.
B
Yeah, 100%. And I think a big part of it is all around enablement. And when you deal with a large non-deterministic system, the best thing to do is not do everything all at once, but focus on specific use cases. And to your point, you're right, threat actors don't have GRC that they need to get approval from before they push the next threat vector. They can just kind of see what works and go from there.
A
And so going back to that report, there was a whole lot of detail about what threat actors were doing. From a security point of view, how do you get your magic AIs? Like, what do you do with that information to make your product better? Or is it just, I need to get better? Or are there specific things that you take away that you can do with that?
B
Yeah. I think something that we tend to skip when it comes to implementing AI is still recognizing the value of the human, right, and our ability to reason. So back to first principles. If I have an attacker that can automate sophisticated attack kill chains at speed, what's the thing that changes? It's probably similar to most of our email inboxes now that people have AI-automated outreach: our inboxes are going to get a lot fuller. But there are telltale signs, in terms of em dashes in the copy that you get, that let you know that maybe a human hasn't written that. So when we think about threat actor kill chains, there are a few great examples of things to look for. Right. One is in terms of downloads, like high-entropy file downloads. So just speed, in terms of, you know, if several files are being downloaded microseconds apart, that's not a human doing that.
A
Right.
B
If scripts are being run there is a question around, is it an automation script or is it AI-based? But if you see someone logging into 10 or 20 different machines within seconds of one another, that's a very great indication that something is automated, versus the system administrator who's trying to do administration at 2 o'clock in the morning and is doing that system by system by system. So the first dimension to consider is time. Right. And we should think about the fact that attacks are going to happen much faster than they ever have before.
A
Right, right. So is that, if you've got a legitimate system administrator, they're probably not automating a whole lot of weird things to do it really quickly, unless they've done it like that forever?
B
Correct. And I think back to how you would view a system administrator's activity. The other key piece in terms of preparing defenses is to go back to the source of truth. So one thing that was very clear in Anthropic's write-up is everyone was writing attacks to bypass your detection systems. So if I can't detect it, I have to be able to see it. Well, thankfully we do all of this logging and log storage. So that's really the pot of gold that everybody's had this whole time. We just have become so reliant on our detection systems that we haven't thought to look at the actual data. So when I think of what's changed, or what we can do, the next thing is, okay, compress timelines, but look at the logs, because the data is there.
A
Right, right. So it's really pointing out to you that you've got a source of data that will tell you what's happening. And I guess traditionally logs have been used after the fact, after an incident's gone down. And so this is much more trying to use logs, I don't know, proactively, I guess.
B
Yeah. And maybe prioritizing the right logs to look at. I think again, back to logging, I don't know about you, Tom, but when I think about logs, I just think of a massive data lake where everything gets dumped without any thought, rhyme or reason. Perhaps this encourages us to think more proactively about, okay, if I know what an attacker is going to go for, like a domain controller, maybe I want faster, better-indexed access to my domain controller logs. Maybe I want to have some sort of early detection or heuristics in place just to tip me off when something is going a bit differently than what I'm expecting. So if I catch that system administrator doing something that's automated, great, it's proof that my heuristics worked. But in the off chance that Damien the sysadmin's account's been compromised and he's doing something he shouldn't at 2am, well then I catch Damien, or Damien the threat actor, you know, red-handed.
A
So forgive my ignorance, but isn't that something that a SIEM could or should do?
B
No, it's a good question. I think it's certainly what a SIEM can do if managed right. I think the challenge is, because there's so much data within a SIEM, and SIEMs tend to be, to your point, a bit of an afterthought for most organizations, it's just a place to dump my logs. But all of my enforcement I'm going to do in the tool itself, like my EDR. We don't really do it. So you can. And I think the real focus, at least what we've done here at Nebulock, is using the data that you've collected, be it in a SIEM or an EDR or wherever your logs go, and helping streamline and automate and ultimately create better, faster detections using the data that you already have. Because you're totally right, people do have that tool, they just don't necessarily use it the way that they might want to or should now.
A
Right, right. So what I'm thinking is that maybe the top 1% of organizations have their SIEM set up in a really good way. And for the rest of organizations it's, we'll query our SIEM once we've been popped. I guess what Nebulock is trying to do is bridge that gap and say, well, let's have something like a human do those queries faster, more regularly, and try and pick up things in a more real-time fashion.
B
Yeah. In fact, that's exactly what we're doing: leaning forward and having it be continuous. The way that we do it is a continuous hunting process. So every single hunt is event-driven. Every single action that we take is something that allows people to know in real time exactly what's happening. Because, back to the top 1%, maybe I do run detections as code that I've written, and they have business context and we're business-aware. But even then those detections are only as good as when you wrote them, and your environment may change over time. And then for the other 99% it's a different story entirely.
A
Yeah, yeah, I guess I'm coming from the perspective of trying to understand what AI is really doing. And in that example it's making it a lot easier for people who either don't have the resources or don't have quite those top skills to do the same thing that the best of the breed is doing, I suppose. Which is, is it a democratization? I guess.
B
Yeah. Or a nefarious democratization in the threat actor version. But yeah, exactly. And I think, just like how if I can automate elements of the kill chain, I can also automate elements of my defense. Right. AI is great at some things and not great at other things. It's still not great at math, but it is really good at orchestrating workflows and taking feedback that you give it. So reinforcement learning, human feedback, fine-tuning, and then using that to accelerate workflows.
A
Yeah. I'm wondering, from an attacker's perspective, one of the dynamics is that it's pretty easy to know if you're right or wrong, because either you've got somewhere or not. But from a threat hunter's perspective, it's a lot more, maybe this is a threat or maybe it's not. And so are those the sorts of challenges that you're having to deal with?
B
Yeah, and in fact that's something that we've been really deliberate about in the year-plus that we've been building, which is understanding how well an agent can work in one shot, and also providing feedback and shepherding it as it goes through that next step. Because it's really easy, I think, in any threat hunting or data analysis perspective, to get to something that's interesting. But then, what is interesting? Bad interesting or good interesting? You know, so that's been something that we've really worked through. Right. Why we have threat hunters in our engineering team and why we have threat hunters building agents is because really what we found is you have to kind of coach it through, and then have it get to a certain point, try again, get to a certain point, try again. But just like how threat actors can quickly iterate on the kill chain side, we can quickly iterate on the hunting side to improve the agent's flow over time.
A
Right. When you're describing that, I've heard AI described as like a million interns, and that description sounded exactly like that: you do this step and think about it, is that right or wrong? And it's just like an intern who never learns. So you're always having to ask it the same questions. But I suppose because it's a computer, you can automate the asking of the questions, and happy times, I suppose.
B
Yeah. Or I mean it's also like a very self-effacing, pragmatic intern. Right. So it'll also look at what it's done, evaluate itself, or you can evaluate it, and try and find ways to improve. Again, it's not a perfect system, which is why it's good to see where it goes and where it went right and where it went wrong. Because that allows you in turn to refine how you're building it, or how you orchestrate the next step. Or maybe you don't need one agent but two agents for different workflows, because you found something that's too complex for the AI right now to do all in the context of one agent. Yeah.
A
Damien Luke, CEO and founder of Nebulock. Thanks very much for an interesting conversation that makes me worry about the future of work.
B
Thank you, Tom. The pleasure is mine. The future is bright, just different.
A
Thanks, Damien.
Episode: Sponsored: Fighting fire with fire
Date: October 12, 2025
Host: Tom Uren (Risky Business)
Guest: Damien Luke (Founder & CEO, Nebulock)
This episode dives into the evolving landscape of cybersecurity in the age of AI. Tom Uren and Damien Luke discuss how threat actors are rapidly incorporating artificial intelligence into their attacks, closing the technology gap for both sophisticated and less experienced adversaries. Luke offers perspectives on how defensive AI can level the playing field through automation, efficient use of data, and proactive threat hunting—while emphasizing the critical role of human expertise alongside machine learning.
This episode offers an incisive look into how both attackers and defenders are leveraging (or failing to leverage) AI in cybersecurity. Damien Luke drives home the urgent need for defenders to close the technology gap—not by replacing people but by building AI systems guided by human expertise. The takeaway: in a world where attackers automate and scale rapidly, security teams must do the same, with trustworthy, well-orchestrated AI agents that make real-time defense achievable—even for teams without elite resources.
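The speed heuristics Luke describes in the interview (one account logging into 10 or 20 machines within seconds, several files pulled microseconds apart, versus the admin who works system by system at 2am), written out as detection logic over sample log lines. This is an added example and is not part of the interview or Nebulock's product. It is Python with a constructed one-line-per-event log format, made-up account and host names, and thresholds (10 distinct hosts in 10 seconds, 5 distinct files in 1 second) chosen for illustration; the `known_automation` allowlist stands in for the admin or orchestrator that "has done it like that forever".

```python
"""Speed as a hunting dimension: a human admin touches machines one at a time,
while automation (a script, an agent, or a tool-driven intruder) fans out across
many hosts, or pulls many files, within seconds.

Added example, not Nebulock's code. The log format, account names, hosts and
thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed event format: "<iso-timestamp> <logon|download> user=<u> target=<t>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<kind>logon|download)\s+user=(?P<user>\S+)\s+target=(?P<target>\S+)$"
)


def parse_line(line):
    """Parse one event line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "kind": m["kind"],
        "user": m["user"],
        "target": m["target"],
    }


def fan_out_bursts(events, kind, window, min_distinct, known_automation=frozenset()):
    """Sliding-window fan-out check.

    For each account, walk its events of `kind` in time order, keeping a window
    no wider than `window`, and report the first window in which the account
    reached `min_distinct` distinct targets (hosts for logons, files for downloads).
    Accounts in `known_automation` (the admin who has always scripted it, patch
    orchestrators) are skipped so the expected baseline does not page anyone.
    Returns {user: (window_start, sorted_targets)}.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == kind and e["user"] not in known_automation:
            by_user[e["user"]].append(e)

    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        left = 0
        for right in range(len(evs)):
            # Drop events that fell out of the window ending at evs[right].
            while evs[right]["ts"] - evs[left]["ts"] > window:
                left += 1
            targets = {e["target"] for e in evs[left:right + 1]}
            if len(targets) >= min_distinct:
                hits[user] = (evs[left]["ts"], sorted(targets))
                break
    return hits


def build_sample_log():
    """Constructed telemetry (not real): two humans, one burst per kind, one known orchestrator."""
    base = datetime(2025, 10, 12, 2, 0, tzinfo=timezone.utc)
    lines = []
    # Human admin at 2am: one host every seven minutes.
    for i, host in enumerate(["dc-01", "file-02", "web-07", "db-03"]):
        lines.append(f"{(base + timedelta(minutes=7 * i)).isoformat()} logon user=damien target={host}")
    # Same account half an hour later: twelve hosts in under five seconds.
    for i in range(12):
        t = base + timedelta(minutes=30, milliseconds=400 * i)
        lines.append(f"{t.isoformat()} logon user=damien target=srv-{i:02d}")
    # Patch orchestrator doing the same fan-out, but expected and allowlisted.
    for i in range(12):
        t = base + timedelta(minutes=45, milliseconds=250 * i)
        lines.append(f"{t.isoformat()} logon user=svc-patch target=srv-{i:02d}")
    # Bulk pull: eight files a few milliseconds apart.
    for i in range(8):
        t = base + timedelta(hours=1, milliseconds=6 * i)
        lines.append(f"{t.isoformat()} download user=alice target=share/finance/q3-{i}.xlsx")
    # Ordinary user: three files over ten minutes.
    for i in range(3):
        t = base + timedelta(hours=2, minutes=4 * i)
        lines.append(f"{t.isoformat()} download user=bob target=share/hr/policy-{i}.pdf")
    lines.append("this line is not telemetry and is skipped by the parser")
    return "\n".join(lines)


def hunt(log_text, known_automation=frozenset({"svc-patch"})):
    """Run both heuristics over raw log text and return the hits per event kind."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        # 10+ distinct hosts from one account inside ten seconds.
        "logon": fan_out_bursts(events, "logon", timedelta(seconds=10), 10, known_automation),
        # 5+ distinct files from one account inside one second.
        "download": fan_out_bursts(events, "download", timedelta(seconds=1), 5),
    }


if __name__ == "__main__":
    for kind, hits in hunt(build_sample_log()).items():
        for user, (start, targets) in hits.items():
            print(f"{kind}: {user} reached {len(targets)} targets starting {start.isoformat()}")
```

On the constructed log this flags `damien` for the 02:30 logon burst but not for the four slow 2am logons, flags `alice` for the bulk pull but not `bob`, and stays quiet on `svc-patch` only because it is allowlisted; dropping the allowlist makes the orchestrator trip the same rule, which is the point of keeping the baseline explicit rather than hidden in the threshold.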