
A
Hey, everyone, I'm James Wilson from Risky Business and welcome to this sponsored interview with Push Security's Chief Research Officer, Jacques Lowe. Push makes a browser extension that combines telemetry, real-time control, autonomous agents, and because it's a browser extension, it's got like the perfect vantage point for stopping things like click fix and install fix attacks that we talk about in this episode, as well as securing your use of AI and SaaS services, hardening your identities against phishing, and generally preventing data loss. Push operates a huge threat hunting machine that they use to spot new attack types in campaigns. But as you'll hear from Jacques in this interview, they were increasingly realizing that having this all be human driven is creating a pretty huge bottleneck in the form of that human in the loop. And then when a customer came to them and asked them to have a deeper look at a particular malvertising campaign, they decided to do this with a more agentic AI approach to harnessing and running their threat hunting machine. So I'll drop you in here where Jacques talks about how when they started to take that more agentic approach to operating the threat hunting machine, it led straight away to them finding their very first live example of an install fix malvertising campaign and a whole lot more. Enjoy.
B
Yeah, we've also noticed a lot of people getting their Google Ads accounts targeted. You'll find a whole blog post about that campaign. Like, why are people targeting Google Ads accounts? Like, yeah, obviously because they want to do malvertising, they don't want to make some ads.
A
Yeah.
B
So what are people doing with these accounts then? Yeah, I mean, you see the classic sort of stuff where it's just like malicious file downloads and you know, just weak stuff that doesn't work. But then the question is like, can we find new things that are being delivered through malvertising? What could that be like? If you want to go hunting, you have to have a theory. Theory has to be like broad enough that you're going to catch new, but not so broad that you're going to catch every legit ad click in the world.
A
Right, Right.
B
So yeah, I mean, this is like really one of the first cases where we're using heavily agentic flow to like support this. So everything we've written, everyone else has written about these things, pummel it in along have in our browser telemetry. What can you hunt for? What have we hunted for in the past successfully? All of that goes together and some of the cool ideas that came out was like combining two stages, two main events. So start with something where someone has clicked on an ad in a Google browser and then the next thing is come up with a breakdown of next events that have to happen at some point. So one of those things, for this to be an attack, something has to happen after you click the link. You have to have to be shown a password field or you have to enter a password. You have to. Something needs to end up in your clipboard, a file needs to get downloaded, you have to go into an OAuth flow. Something has to happen, otherwise there's no chance of an attack. So just like really broad strokes, like when is this happening? How is this happening? One of the things that popped up immediately was this exact campaign which just caught our eye immediately. AI flagged this immediately. It's like this thing is saying it is, you know, a NotebookLM installer, but NotebookLM does not have an installer. This is all wrong, all wrong here. Yeah, so that's essentially what triggered the whole thing. And then we started looking for more and more of the same and we found the whole Claude Code, you know, fake installer campaign. I think that's the one we actually blogged about. But this NotebookLM was actually the first detection.
A
Oh, interesting. And those things that you mentioned there, the couple of like, I guess, buckets of attack class, you know, it's got to have an OAuth login or there must be a file download or something ends up on the clipboard, are those things that you've encoded into the system, into this agent and sort of what, what mechanism are you using to actually give it that knowledge, give it that head start?
B
You know, I'd love to say yes, it's all relying on our knowledge, but you know, the fact is like these models are so smart and if they're specialists at anything, they're specialists at coding. And if there's any coding they really know well, it's web coding. So they do have just a ton of what looks reasonable and normal and what doesn't. In these cases, we want them to use the right wording and the right narrative. So especially when we go after these hunts, we give them some kind of prompt. We're looking for this class of thing. So malvertising what kind of things have happened in the past. So that does form part of the context. It's like hard to tease out exactly what came from our threat research database, what came from public sources. But ultimately, yeah, I think it really is less about specific workflows and instructions and a lot more about just like the right data, the right context, the right information. When you see the entire browsing flow, any human looking at that thing goes like, whoa, this looks all wrong. Something's off here. And these agents are just like... modern models are just like easily able to do the same thing.
A
It feels like we've moved into a mode where initially it was all about the prompt and then it was all about the tools that you could put alongside the prompt. And now I think we've entered this age of understanding. It's a balance of the tools, the data available. The model itself is not actually the most important thing, but it's still important. But you also just. It's amazing how not so much little context, but the thing that kicks off the model to go and do this search tends to be like a relatively simple prompt. Is that what you found as well? When you're sort of starting these things off?
B
Often the prompt can be something as simple as see if there's an attack in this path. And that kind of works. You can obviously improve a lot about that and you need to give it a little bit of information about how to use the tools you provide. And a rough scaffolding for workflow does definitely increase false positive rates. But like you say, man, yeah, we can swap out a Claude model for a Gemini model. The performance basically doesn't change. So I think the critical thing, I think there's one thing that's just come along for the ride because it was already there, which is just the right browser context having the right events available. If you don't have that, then the model has to try fill in gaps. When it has to start guessing, it starts hallucinating.
A
Right.
B
That's the problem you have to have. Then you have the alternative problem, which is now the model has all the information, it has so much data. And basically then I think the engineering effort over the last quarter has been dealing with context rot.
A
Yes.
B
You have this problem where it's not that you're hitting the model limits, it's just that you're filling up that context window so long it's hard for the model to pick out the signal from the noise. And so that sort of context engineering has been. That's been the huge engineering effort. That structure is a thing. So at any one point in time, our hunting agent might be overseeing a threat hunt. It understands the query, it knows what it's looking for. It's calling other agents to pick up every single result. So there's an army of analysis agents that's picking up every single result. Each one of those is now dealing with 1000, 2000, 3000 events within that result trace. Way too much for one model to contextualize. So even at that level, that agent is breaking it up into, like, sub blocks. Each of those sub blocks get analyzed and summarized, and something looks for the connections between those blocks. So you have to build hierarchy into this thing so that each agent has like, a manageable piece of this puzzle and it can summarize and pull out the interesting signal. What looks interesting, what looks strange, what's important out of this thing. Bubble up, bubble up, bubble up, bubble up. And then at the end, you have something that's workable. So, yeah, I think I, we can swap out almost everything else, but that hierarchy is the thing that makes it ultimately function.
A
You mentioned there's sort of one side of the scale challenge, which is the amount of data that is generated out of having full visibility into the browser is too much for one model and one context session to deal with. You're breaking it down into lots of different chunks. There's all these agents talking to each other. But I would imagine, you tell me if I'm wrong, that the other side of the scaling aspect of this is that surely this is finding a whole lot of new signals. Surely it's finding a whole lot of new threats and potential campaigns and things that are happening. How do you scale that up? Maybe the first question is, what is the actual step function change that you're seeing in terms of the amount of detections, the amount of signals that you're having to deal with? And then how are you dealing with that scaling up?
B
Yeah, I mean, I think we came into this year ago with something with X number of sort of blocking detections that we've built, like, over the entire history of the company. And just in this first quarter alone, we've tripled that number. So, like, it's creating a lot more detections. We have to, like, for each one of these detections, like, we need to make sure that we're tracking false positive rates for these things, for all the kits that they're detecting, for all the techniques they're detecting when a new version of the same thing gets detected. Because every single time we see it, it changes subtly. Code is changing constantly, constantly, constantly. So we need to make sure, like, okay, six detections used to fire for this kit. Now we've got four. What's changed? Something needs to go pick up that thing and pick up the. And, yeah, I mean, like, predictably, the answer here is just automate the entire pipeline, right. For everything that comes into this pipeline, there's a data collection stage, there's a manual analysis stage, there is a comparison stage, there is a check it and compare it against what's happened in the past stage. And like this is all just. We used to just ask Claude Code this, now we're just putting it in a pipeline and it's automated, it's just looking at web code, web requests, DOMs. Yeah, this is pretty normal stuff for these models. So yeah, I won't say easy, but it's been relatively straightforward given just where these models are today.
A
Something you mentioned in there made me think that surely there's still gotta be some tricky problems that you've had to maybe think about pivoting to different methodologies or adding new methodology into this pipeline. And the thing that triggered that was you said you had a huge list of block lists. That block list has now tripled block lists though. Like scaling those and managing those, that becomes a very difficult task. Has that become a problem? And sort of, what have you done to sort of move beyond just I guess that, that ever growing pile of block lists to try to keep up with the sheer number of new detections and signals that are, that are coming out of this.
B
What we're doing is trying to curate and make that list smaller, not larger. So when I say we have detections and we're updating the stuff, we're talking about like hundreds, not billions. If you were blocking this using traditional TI feeds, using. How many AV signatures does AV company X have? I don't know, but it must number billions, if not trillions. How many domains does any network vendor have in their domain block list? I mean you're talking about the same order of magnitude. So I think when we're talking about like hundreds for some of the more specific things, maybe a bit more. But like ultimately the product doesn't have the concept of a bad domain name anywhere in it. There is no list of bad domains anywhere in the product. It's a crutch, we don't want to use it. It's a cheat code, stops you from doing the detection on the way that actually is resilient, because you know the next time you see it, it will be on a different domain. It will never be on the same domain twice. So why even bother looking? Yeah, I mean it's definitely not a solved problem. That's the hard part. That's the bit where we still keep pushing, pushing, pushing, but ultimately, yeah, like fewer, smaller number of detections and more higher fidelity behavioral detections is what we're working towards.
A
One aspect we haven't covered is what are customers seeing out of this? You know, we've talked about the pipeline and how you're automating everything and the techniques that have gone into that and why it's become so important. But you know, all of that kind of doesn't matter or can also actually hinder customers if it's not surfaced to them in a way that is manageable, understandable. So take me through the thought process of all this amazing work. How do you surface it for the customer in a way that is valuable?
B
Oh man. Okay, I'll tell you through like a really hard decision process. We went through the product here because here's the one pressure, right? We have this giant threat hunting, you know, platform, but we're using this thing and I'm going like, if we onboard a new researcher even working in our team full time doing nothing but this, working with the people that built the system, it takes them months to learn how to use this thing properly. Like, it is complicated, man. There's a, this is not like everything is different. There is no like, it's not execution processes, it's not endpoint malware where we've had 10 years to figure out like what the important bits are. We understand the concepts, the languages is sensible. Right. So what you need to do to basically, yeah, so then you need to like recognize that if you expose this to customers, it's going to be very exciting for about two days and then they're going to go, cool, we bought this thing, but now how do we actually use it? And then it goes into the same bin of powerful tools that do nothing that everyone has. And like, so then you make the tough choice and you say like, actually it's not ready. And for me, this feature is going to be ready to expose directly to customers when they can drop a URL to a blog post and say, is this happening on my estate? That's release ready for us.
A
That is going to be super, super cool. Well, Jacques, why don't we wrap it up there? This has been really interesting to explore. The research that you've been doing, the things you've been finding and also just to get a bit of a glimpse into the, the challenges that you're finding as you think about productizing this. I look forward to seeing how this comes to market.
B
Sure. Yeah, it's fun actually talking about this. Appreciate the chat, man.
Host: James Wilson (Risky Business Media)
Guest: Jacques Lowe (Chief Research Officer, Push Security)
Date: May 17, 2026
In this sponsored episode, James Wilson interviews Jacques Lowe of Push Security about how the company is bringing AI-powered "agentic" threat hunting to browser telemetry. The conversation dives into Push's transition from human-driven to AI-driven detection workflows, exploring the detection of sophisticated malvertising campaigns, the engineering challenges of scaling insights, and how these innovations translate to real customer value.
Push Security’s browser extension offers deep visibility into attack flows, targeting threats like credential phishing, data loss, and misuse of AI/SaaS tools.
The manual, analyst-driven threat hunting process was becoming a bottleneck. Push decided to use AI agents to automate complex detection and hunting tasks ([00:04]).
This agentic approach immediately surfaced novel threats, such as a live install-fix malvertising campaign ([01:24]).
"When we started to take that more agentic approach...it led straight away to [finding] our very first live example of an install fix malvertising campaign..."
— James Wilson, Host ([00:04])
Adversaries increasingly target Google Ads accounts, not to run ads but for malvertising—using legitimate ad infrastructure to deliver attacks ([01:24]).
The AI hunts by modeling post-click behaviors that indicate attacks: OAuth flows, password fields, clipboard manipulation, or downloads ([02:07]).
The first detection: an “installer” for Google NotebookLM flagged by AI, though NotebookLM has no installer, signaling a sophisticated fraud ([02:07]).
"AI flagged this immediately. It's like, this thing is saying it is a NotebookLM installer, but NotebookLM does not have an installer. This is all wrong..."
— Jacques Lowe ([02:18])
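The two-stage hunt summarized above (an ad click, then a password field, clipboard write, download or OAuth flow) can be sketched as follows. This is an added example, not Push Security's code: the event field names, the type labels, the `tab_opened`/`opener` convention and the 300-second window are all assumptions, and the sample telemetry is constructed.

```python
from dataclasses import dataclass

# Second-stage event types named in the interview; the string labels are assumed.
FOLLOW_ON = {"password_field_shown", "password_entered", "clipboard_write",
             "file_download", "oauth_flow"}
WINDOW_S = 300  # assumed cut-off between the ad click and a follow-on event

@dataclass
class Hit:
    user: str
    ad_url: str
    follow_on: list  # (type, url) pairs observed after the ad click

def hunt(events, window_s=WINDOW_S):
    """Return one Hit per ad click that is followed by a follow-on event.

    An ad click opens a chain on its tab; a tab opened from a tab in the
    chain joins it, so a landing page that pops a new tab is still tied
    to the original click. Ad clicks with no follow-on are not reported.
    """
    hits, chains = [], {}  # chains: (user, tab) -> state of the open ad click
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["tab"])
        if ev["type"] == "ad_click":
            chains[key] = {"ts": ev["ts"], "hit": Hit(ev["user"], ev["url"], [])}
        elif ev["type"] == "tab_opened":
            parent = chains.get((ev["user"], ev["opener"]))
            if parent:
                chains[key] = parent  # child tab shares the parent's chain
        elif ev["type"] in FOLLOW_ON and key in chains:
            chain = chains[key]
            if ev["ts"] - chain["ts"] <= window_s:
                if not chain["hit"].follow_on:
                    hits.append(chain["hit"])  # first follow-on promotes the click
                chain["hit"].follow_on.append((ev["type"], ev["url"]))
    return hits

SAMPLE = [  # constructed telemetry, not real data
    {"ts": 0, "user": "alice", "tab": 1, "type": "ad_click", "url": "https://ads.example/a"},
    {"ts": 4, "user": "alice", "tab": 1, "type": "page_load", "url": "https://landing.example/install"},
    {"ts": 9, "user": "alice", "tab": 1, "type": "clipboard_write", "url": "https://landing.example/install"},
    {"ts": 2, "user": "bob", "tab": 7, "type": "ad_click", "url": "https://ads.example/b"},
    # bob logs in 15 minutes later: outside the window, so not a hit
    {"ts": 900, "user": "bob", "tab": 7, "type": "password_entered", "url": "https://shop.example/login"},
    {"ts": 10, "user": "carol", "tab": 3, "type": "ad_click", "url": "https://ads.example/c"},
    {"ts": 12, "user": "carol", "tab": 4, "type": "tab_opened", "opener": 3, "url": "https://dl.example/"},
    {"ts": 15, "user": "carol", "tab": 4, "type": "file_download", "url": "https://dl.example/setup.pkg"},
    # dave downloads a file with no preceding ad click: never considered
    {"ts": 20, "user": "dave", "tab": 2, "type": "file_download", "url": "https://intranet.example/r.pdf"},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE):
        print(h.user, h.ad_url, h.follow_on)
```

A query like this only narrows the candidate set; in the workflow described in the interview, each resulting trace is then handed to analysis agents that judge whether the flow is actually malicious.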
While Push seeds models with context and threat intelligence, much comes from the AI’s own specialized understanding of web code and flows ([04:01]).
"These models are so smart...if they're specialists at anything, they're specialists at coding... In these cases, we want them to use the right wording and the right narrative..."
— Jacques Lowe ([04:01])
Prompt design is now less about complex instructions, more about providing the right context and tools—the AI is resilient to model swaps (Claude, Gemini) if browser telemetry is sound ([05:06]).
Full browser telemetry generates too much data for a single AI session. Push splits the stream into hierarchical, context-managed blocks analyzed by a fleet of agents ([06:22]).
Summaries are bubbled up for actionable insights. The true innovation is this layered, hierarchical analysis—not the specific underlying model ([07:52]).
"...the engineering effort over the last quarter has been dealing with context rot...you have to build hierarchy into this thing so that each agent has a manageable piece of this puzzle..."
— Jacques Lowe ([06:37])
Rather than endlessly growing blocklists (as in traditional threat intel), Push focuses on curating high-fidelity, behavioral detections (~hundreds, not billions). Bad domain lists are avoided ([10:34]).
"The product doesn't have the concept of a bad domain name anywhere in it...it's a crutch, we don't want to use it..."
— Jacques Lowe ([10:34])
Push’s backend is powerful but complex—even internal researchers struggle to master it quickly; the challenge is to make results actionable for customers ([12:13]).
Raw threat hunting details risk overwhelming users. The goal: provide simple interfaces, e.g., “drop a URL to a blog post and say, is this happening on my estate?” ([13:28]).
"...if you expose this to customers, it's going to be very exciting for about two days and then they're going to go, cool, we bought this thing, but now how do we actually use it?..."
— Jacques Lowe ([12:13])
On agentic AI breakthroughs:
"This is like really one of the first cases where we're using heavily agentic flow to...support this...AI flagged this immediately..." (Jacques Lowe, [02:07])
On context and engineering scale:
"You have this problem where it's not that you're hitting the model limits, it's just that...it's hard for the model to pick out the signal from the noise."
(Jacques Lowe, [06:37])
On detection growth:
"...just in this first quarter alone, we've tripled that number."
(Jacques Lowe, [08:36])
On moving away from blocklists:
"...the product doesn't have the concept of a bad domain name anywhere in it. There is no list of bad domains anywhere in the product."
(Jacques Lowe, [10:34])
On customer experience and usability:
"...for me, this feature is going to be ready to expose directly to customers when they can drop a URL to a blog post and say, is this happening on my estate? That's release ready for us."
(Jacques Lowe, [13:28])
Push Security is revolutionizing browser-based cybersecurity by using AI agents to conduct large-scale, nuanced threat hunting operations—far beyond what human analysts alone can achieve. Their agentic approach has unearthed novel attacks, scaled up detections, and transformed how they process massive streams of browser telemetry. Rather than relying on legacy blocklists, Push pursues high-fidelity behavioral detection, with the ambition to eventually provide users with intuitive, actionable insights. The episode offers a candid look at the technological leaps, persistent challenges, and forthcoming usability breakthroughs in defensive cybersecurity.