Risky Business #779 -- DOGE staffer linked to The Com - Risky Business

Summary7 min read

Summary of Risky Business #779 – DOGE Staffer Linked to The Comm

Risky Business Episode #779, released on February 12, 2025, is hosted by Patrick Gray alongside Adam Boileau. The episode delves into the latest happenings in the information security landscape, providing insightful analyses of recent news, discussions on advanced threat reports, and an engaging interview with Edward Wu from DropZone AI. Below is a detailed summary capturing all key points, discussions, insights, and conclusions from the episode.

1. Corrections and Clarifications

Timestamp: 00:00 – 02:34

Patrick Gray begins the episode by addressing corrections from the previous week. He clarifies a misconception about malware performing Optical Character Recognition (OCR) on photo reels to extract Bitcoin seed phrases. Initially, he believed the process was highly complex, but feedback revealed that the limited dictionary used for these phrases makes the attack notably easier.

Patrick Gray: "So my bad on that."

He also touches on a discussion with an Australian journalist regarding the sanctions imposed on Terragram, expressing skepticism about the true motives behind these actions.

2. Doge News: Linking a Staffer to The Comm

Timestamp: 02:34 – 05:21

The hosts dive into the central topic: Brian Krebs' detailed report linking a Doge staffer to The Comm. Adam Boileau emphasizes the severity of the situation, highlighting how individuals from The Comm, including those from NeuroLink (Musk’s AI startup), are infiltrating US government roles.

Adam Boileau: "It's just bad all around... it's just a mess." ([03:00])

Patrick Gray adds to the concern by noting the presence of extremist content tied to these individuals, specifically Nazi affiliations, which tarnishes Elon Musk's reputation despite his non-involvement with such ideologies.

Patrick Gray: "He's just misunderstood." ([03:47])

They debate whether the sanctions against Terragram are genuine security measures or political maneuvers by the government, leaving the true intent unclear.

3. Malware Exploit in Trimble City Works Software

Timestamp: 07:04 – 08:08

Patrick Gray and Adam discuss a recent cybersecurity issue reported by John Greig over at The Record. A bug in Trimble City Works, software used by municipalities to manage critical infrastructure, is being exploited by attackers.

Patrick Gray: "They are exploiting this bug and that's not good." ([07:04])

Adam speculates the vulnerability might be a .NET deserialization bug, allowing remote code execution (RCE), potentially granting attackers significant control over affected systems.

4. DeepSEQ App Security Concerns

Timestamp: 08:00 – 11:24

The conversation shifts to a report from Dan Gooden at Ars about DeepSEQ, an iOS app sending unencrypted data to ByteDance-controlled servers. Patrick Gray criticizes the focus on transit security rather than the more significant issue of data destination security.

Patrick Gray: "People are kind of losing the forest for the trees..." ([08:46])

Adam Boileau concurs, highlighting that the real threat lies in using Chinese AI applications where data could be misused at the destination regardless of encryption during transit.

Adam Boileau: "You can't use a Chinese AI app if you don't trust China." ([09:34])

They conclude that the concern extends beyond technical vulnerabilities to broader geopolitical implications.

5. Paragon Spyware and Italy’s Scandal

Timestamp: 11:24 – 16:11

The hosts examine the misuse of Paragon spyware in Italy, leading to the country being blacklisted by the company for violating its terms of service. This action likely stems from Paragon's acquisition by a US private equity firm and increased scrutiny following actions against NSO Group.

Patrick Gray: "It's turning into a bit of a political scandal in Italy as well..." ([14:33])

Adam Boileau discusses the ethical dilemmas spyware companies face when selling to governments, especially when misuse leads to human rights abuses.

6. Apple’s Security Patch and iOS Exploits

Timestamp: 16:11 – 17:56

Patrick Gray and Adam address Apple's recent security patch that fixed a sophisticated flaw allowing attackers to bypass USB authentication on iOS devices. This vulnerability posed significant risks, akin to the exploits used by companies like Cellebrite.

Adam Boileau: "Companies like Cellebrite won’t have coverage for modern iOS for a period of time at least." ([17:46])

They note the increasing difficulty for exploit developers to keep up with Apple's stringent security measures, leading to potential delays in exploit availability.

7. US Sanctions on Russian Hosting and Thailand’s Crackdown on Scam Hubs

Timestamp: 17:56 – 22:00

The discussion moves to US sanctions targeting a Russian-based bulletproof hosting company, emphasizing the positive impact of such actions on cybersecurity. They then highlight Thailand's aggressive measures to dismantle scam hubs by cutting power, fuel, and internet access to these operations.

Patrick Gray: "It looks like that's what's happening now." ([18:53])

Adam Boileau appreciates Thailand's decisive actions but raises concerns about potential collateral damage affecting nearby communities.

8. Tigran Gambaran’s Detention in Nigeria

Timestamp: 22:00 – 26:21

A compelling story is shared about Tigran Gambaran, a former Binance employee detained in Nigeria. Accused of mismanaging the economy, Gambaran faced a potential 20-year sentence. The hosts explore the broader implications for cybersecurity professionals caught in geopolitical conflicts.

Adam Boileau: "How badly it can go." ([25:26])

They underscore the risks associated with operating in volatile regions and the importance of understanding local legal landscapes.

9. Cyber CX's DFIR Threat Report Analysis

Timestamp: 26:21 – 43:25

A significant portion of the episode is dedicated to analyzing the latest DFIR (Digital Forensics and Incident Response) report from Cyber CX, a leading Australian cybersecurity consultancy. Key findings and discussions include:

a. MFA Effectiveness

Key Finding: Non-phishing resistant MFA offers minimal protection against business email compromise.
- Patrick Gray: "If you're not using some sort of WebAuthn... it's rubbish." ([28:01])

b. Conditional Access Policies

Key Finding: Attackers can bypass geo-restrictions using VPNs, rendering such policies ineffective.
- Patrick Gray: "Because those kinds of controls are not effective against an attacker that's motivated..." ([28:26])

c. Dwell Time in Espionage Incidents

Key Finding: Espionage-related breaches remain undetected for an average of 400 days.
- Adam Boileau: "In some cases, three years of dwell time." ([29:28])

d. EDR Misconfigurations

Key Finding: Despite increased EDR (Endpoint Detection and Response) adoption, misconfigurations often hinder their effectiveness.
- Patrick Gray: "Without the monitoring piece and good monitoring, it doesn't really get you as far as people realize." ([30:42])

The hosts emphasize the importance of proper EDR configuration and continuous monitoring to enhance security postures.

10. Sponsorship and Interview with Edward Wu from DropZone AI

Timestamp: 43:25 – 58:01

The episode features a sponsorship segment highlighting DropZone AI, an innovative tool designed to automate Tier One SOC (Security Operations Center) analyst tasks using AI. Patrick Gray interviews Edward Wu, one of the co-founders, discussing the concept of "model coachability."

a. Model Coachability

Edward explains how DropZone AI allows users to influence the AI's behavior to align with organizational policies and practices.

Edward Wu: "We added capabilities that allows the users of our AI SOC analyst to influence the activity, the technique and the behavior of our AI system." ([46:00])

Patrick shares his experience setting up security tools for a new team member, highlighting practical applications of DropZone AI in enhancing security operations without increasing budgets or headcounts.

Patrick Gray: "It's shifting that whole protection left, right, which is you can't even execute it. You're not relying on a tool to detect something after it's gone. You know, you're stopping it from happening in the first place." ([31:59])

Edward further elaborates on how DropZone AI integrates with existing SIEM systems to autonomously handle alert investigations, allowing human analysts to focus on higher-value tasks.

11. Conclusion

Timestamp: 58:01 – End

Patrick Gray wraps up the episode by summarizing the key insights from the Cyber CX report and reiterating the importance of advanced tools like DropZone AI in modern cybersecurity operations. He thanks Adam Boileau and Edward Wu for their contributions and encourages listeners to stay tuned for future episodes.

Patrick Gray: "That was Adam Boileau... Congratulations to Cyber CX on their comprehensive threat report." ([43:25])

Notable Quotes

Adam Boileau: "It's just a mess." ([03:00])
Patrick Gray: "He's just misunderstood." ([03:47])
Patrick Gray: "If you're not using some sort of WebAuthn... it's rubbish." ([28:01])
Adam Boileau: "It's getting harder now." ([17:46])
Edward Wu: "We transform an AI agent from somebody who is very kind of smart but quite stubborn to somebody who is smart but can actually listen to additional instructions." ([46:00])

Key Takeaways

Security Practices: Emphasizes the critical need for phishing-resistant MFA and proper EDR configurations to mitigate advanced threats.
Geopolitical Impacts: Highlights how international sanctions and governmental actions significantly influence cybersecurity landscapes.
AI in Security: Showcases the rising importance of AI-driven tools like DropZone AI in automating routine security tasks, allowing professionals to focus on more strategic initiatives.
Threat Persistence: Underlines the alarming dwell times in espionage-related incidents, signaling the need for enhanced detection and response mechanisms.

Final Thoughts

Episode #779 of Risky Business offers a comprehensive overview of current cybersecurity challenges and advancements. From dissecting intricate threat reports to exploring the integration of AI in security operations, Patrick Gray and Adam Boileau provide valuable insights for information security professionals. The episode underscores the evolving nature of cyber threats and the essential role of innovative solutions in combating them.

Listen to the full episode here.

Loading summary

Transcript102 lines

[00:00]
Adam Boileau
Foreign.
[00:04]
Patrick Gray
And welcome to another episode of Risky Business. My name's Patrick Gray. On this week's show, Adam Boileau and I are going to talk about the week's news and then we're going to take a bit of a deep dive into the latest DFIR report from Cyber cx, which is Adam's former employer. They've just dropped an absolute banger of a report which is full of really interesting information trends on TTPs, what attackers are doing, how they're winning. So we'll be talking through that. And of course, this week's sponsor is Drop Zone AI, and they make a really interesting tool that you plug into your SOC and it does all of your Tier one triage automagically with AI, and it is less insane than it sounds. And in this week's sponsor interview, we're chatting with one of the founders of Dropzone, which is Edward Wu, and he'll be talking to us about model Coachability, because as it turns out, when you tell an LLM, hey, stop doing this thing, most of the time, it just won't listen to you. Right, so they've had to put in some work at making these models coachable, which in the context of SOC operations is very, very important. But, Adam, just before we get into the news, I just want to do, you know, corrections and clarifications from last week. Someone pointed out to me that I was talking about how amazing it was that that malware that did OCR on people's photo rules, photo reels, looking for seed phrases for Bitcoin. I'm like, wow. Secrets, discovery and whatever. Turns out like those wallet recovery phrases are from a pretty limited dictionary and doing that is actually not too hard. So my bad on that. And I also had an interesting conversation with an Australian journalist about the Terragram thing. Of course, last week we talked about the sanctions being imposed on Terragram and how that might be linked to a spate of sort of vandalism and, you know, torched cars and whatnot happening in Australia. This journalist, he's a bit sceptical that it's actually Terragram behind that stuff. He pointed to a similar campaign in Sweden, which was actually traced back to Iran, but there was more of a sort of organised crime nexus there. I don't know. But anyway, the point is he's sceptical. He thinks the sanctions against Terragram could just be the government doing something to be seen to be doing something. Who knows? In time we will find out. But look, again, we're going to start with Doge News, unfortunately. And again, we're not going to get bogged down into it. Brian Krebs has dropped an absolutely terrific write up here which has linked one of these kids that Musk has sent into various bits of the US government to the comm, which is probably not what you want.
[02:35]
Adam Boileau
Yeah, that is really not a great, it's not a great thing. And Brian's write up is as usual, detailed and pulls lots of threads. But know we've seen some reporting about like kind of how these kids that are working for Doge end up in these roles. And this particular kid had come up through NeuroLink, Musk's like AI startup thingy. But yeah, had been hanging out in the comm. Yeah, they're really having that crowd rolling around inside the US government and you kind of get the vibes that they are just going to throw a whole bunch of stuff into an LLM and just kind of see what falls out and call that work. Because yeah, it's, I don't know, the whole thing is just, just seems a little bit nuts. But yes, having people from the comm, and especially given the like the history that the comm has of attacking its own members. I mean we've got Brian Krebs has got some screenshots and grabs and stuff of people talking about this kid and you know, the extent to which he can code and so on and so forth. You know, like it's just bad all around. Like you've got leverage against these people. You've got, you know, them not being necessarily very good at what they do. You've got all these connections into violence and crime and so on. It's just such a mess.
[03:47]
Patrick Gray
Well, a lot of them appear to have like pretty Nazi stuff tied to their social media accounts. Right. And it's just amazing how unlucky Elon Musk is. People keep saying, you know, questioning whether or not he did a Nazi salute. And you know, that's really unlucky when you're just trying to say my heart comes out to you as is retweeting Nazi accounts, platforming Nazis. You know, all of the, all of the Nazi stuff that seems to happen around Elon Musk, he's just misunderstood.
[04:13]
Adam Boileau
Just some like Nazi bogon flux that just happens to flow around and for some reason, I don't know why.
[04:20]
Patrick Gray
Unbelievable stuff. And of course, you know, all of this has triggered a deluge of lawsuits from various unions, the ACLU students. Like what? There's just a million lawsuits here. It looks like one of these, like a federal judge has ordered a stop to some of this stuff. And I think the Trump camp is just saying, yeah, whatever, and they're kind of ignoring it. You get the sense that this is heading to some sort of constitutional crisis and it's all traced to IT systems at this. At this point. And, you know, one thing that occurs to me is that sending a bunch of, like, Nazi 4chan kids into the most sensitive government systems in the United States and getting them to just randomly flick switches and turn things on and off, like, I think eventually people are going to understand that that's a pretty bad idea. You know, last week we spoke about how it might be great to have some bright young things going in there, figuring out, like, drawing insights from government data and whatnot. You know, I don't think that's what's happening here. I think this is headed for something bad. Yeah, I think this is heading for something bad. I mean, there's a couple of.
[05:21]
Adam Boileau
That way.
[05:22]
Patrick Gray
Yeah, there's a couple of ways to learn that this is a bad idea. Like maybe, you know, paying attention in civics and taking some time to understand how government works and why it does what it does and, you know, about how inefficiencies are sort of inherent at scale and that's in the private sector as well as the public sector. Or you can do this. You can just keep getting people to flip switches until something big breaks. And. Yeah. So look, again, we're not going to get bogged down in this, but, you know, we spoke about it last week as a data governance issue. It looks like that's the basis of a lot of these lawsuits, that some of this activity might violate various laws and regulations and it's all going to the courts and we'll just see where it goes. But yeah, links to the comm. Extremely not great, given where these kids are going, you know, and what they're doing. Now, we're going to turn to a look, let's get into some actual, you know, proper cybersecurity news now, not get bogged down in this. And, you know, something is interesting, too, is with this current administration in the United States, they just generate so much, you know, so many things to talk about, and the media is running after every little thing like a golden retriever. And, you know, let's not do that. Let's just cover it very simply and then move on to some more bread and butter stuff. We've got a great report here from John Greig over at the Record talking about a bug in this software called Trimble City Works, which is used by municipalities to like, manage assets and critical infrastructure and whatnot, or public infrastructure. And people are exploiting this bug and, you know, that's not good. But this ties back to the discussion we had, you know, a couple weeks ago about niche SaaS being the next tire fire for, you know, 2025.
[07:05]
Adam Boileau
Yeah. This particular set of software obviously manages important stuff. And actually I went and tried to have a rumor to try and find the exploit because there's very little detail about the bugs itself. It's on the cisakev list because it's being used in the wild, but I didn't find an exploit. I did find some details about the software and it feels like a. Net deserialization bug. And usually with these types of software, it's because there's some kind of like, secret key that's shared by the vendor across multiple installations. And if you find it one place, then you can use. Net deserialization to go almost to codexec, kind of by design, because these keys are meant to be unique. That's usually what this is. But we don't know for sure. But either way, getting people shelled.
[07:45]
Patrick Gray
Yeah. I mean, I should clarify too, that this isn't actually SaaS, but it is niche software. Right. Because it refers to how you can get RCE on a customer's Microsoft Internet Information Services web server. So you're thinking some sort of. Yeah, some sort of deserialization is what would kind of makes sense here, right?
[08:00]
Adam Boileau
Yes. Yeah. I think they've sentenced deserialization, but we don't know whether it's the usual. Net thing, which is, you know, using a hard coded key. Womp. Womp.
[08:08]
Patrick Gray
Yeah, yeah. All right, moving on. And we've talked about Deep SEQ a little bit over the last couple of weeks. We've got a report here from Dan Gooden over at Ars. You and I are both like, pretty lukewarm on this report because the headline is deep seq iOS app sends data unencrypted to ByteDance controlled servers. I mean, are we really worried about the transit security of this information? Like, I don't think that's the problem. The problem is where it's winding up, not how it's getting there. Right. So I think, you know, people are kind of losing the forest for the trees a little bit when they're looking at the risks involved in using Deep seq.
[08:46]
Adam Boileau
Yeah, yeah, exactly. And I thought, you know, this piece focuses on, as you said, the transport encryption. There's some stuff that's in the clear. There's some stuff that's going to byte dance rather than deep seek itself presumably because of hosting or whatever else. And then also the use of I think what like triple DES for crypto which, you know, all of these things point at not particularly mature security practices in an app that's gone viral and gotten big very quickly but really doesn't, you know, deal with the big picture, which is you can't use a Chinese AI app if you don't trust China, it doesn't really matter how you transport that data to China. You know, that's the bigger picture problem. So yeah, I think it is a case of getting lost in, you know, in the weeds when really this is a big picture, you know, geopolitical issue, not a technical. You didn't crypto there or stuff on the wire issue.
[09:35]
Patrick Gray
Well, and it's a business issue as well because I think, you know, the interesting thing for me about all of this is it looks like models might be going commodity which is going to be very awkward for Xai OpenAI, you know, all of these companies that have invested gajillions of dollars into models less meaningful for like Nvidia who are still going to just sell, you know, absolutely gargantuan amount of, of chips. But I think our colleague Tom Yoren and I've linked through to this in this week's show Notes Tom's newsletter. Last week he had a take on Deep Seq that I thought was very interesting which is currently, you know, Google will do a, you know, threat report or whatever on malicious use of say Gemini OpenAI will do the same thing now that there's an indigenous capability in China, you know, we're going to lose insight into how Chinese APT crews, for example, are using this technology in their operations. And I think that's a really, you know, interesting component to this. It was gonna, it was always gonna happen, you know, and I guess, you know, there are, you know, open source models they could have been using or whatever, but they still obviously found value in using some of the cloud based models to do various things. And we're just going to lose insight there.
[10:45]
Adam Boileau
Yeah, I think, yeah, absolutely. I mean the open source ones are useful and handy but like the thing that made Deep Seq really stand out is that it was producing stuff that was as good as, and in some cases better than the very, very expensive models, the commercial ones, the ones that took so much work to build for the various US firms and the fact that deepseek itself was open source. So you can, you know, many, many actors beyond Just China now have access to something that's as good as those. So this industry is so young and developing so quickly that, you know, keeping a lid on it was never going to be a good strategy for, for controlling it. But the visibility we did get from those reports, you know, was interesting.
[11:25]
Patrick Gray
Yeah. And that is gone.
[11:27]
Adam Boileau
Yes.
[11:28]
Patrick Gray
Now let's follow up on Paragon. You know, the news, I think. When was it? Last week, week before. We're talking about how the Paragon spyware was popping up on journalists phones and stuff. And this was really not great for them, having just agreed to be sold off to some, you know, American private equity firm. And as I said last week, I would expect that would be complicating their deal. You know, it's. They've now. Paragon itself has now like booted Italy as a customer for violating its terms of service, which say, you can't do this. This is interesting. And I feel like, I wonder if this would happen if all of the action hadn't have been taken against nso. I sort of feel like all of the stuff that was done to NSO for this sort of activity has resulted in this company now going, oh no, and booting Italy as a customer. I suspect that one thing that's different here though is NSO controlled the malware delivery. I don't think that's the case for Paragon. So they don't have quite the same level of insight into how their customers are deploying this software. But, you know, if it is the case that Italy was misusing this, I mean, I mean, what do you do if you're like one of these spyware companies? What you can't sell to Italy because you suspect they're going to do human rights abuses. I don't know. This is so complicated, all of this.
[12:48]
Adam Boileau
Yeah, it really is. And I think you are right that I think the action against NSO has probably brought this into a focus that it wouldn't have otherwise had like that. Plus them now being acquired by a US firm. And the US being such a big marketing Tom makes the point that all the different US agencies purchase these tools independently. It's not like you buy one license for the US government. And so the US is an extra big market for these companies because they can sell to so many places there, whereas presumably the Italians buy at once kind of thing. But yeah, it's, you know, is there a. You know, there's plenty of people who would argue that maybe there isn't an ethical way to sell spyware. Right. That, you know, you can sell it to your own government maybe, at best. But once you start, you know, dealing with others, then, yeah, you end up in positions like this because like Italy, member of the eu, surely they should be, you know, a reasonable customer. But, you know, between the stuff in Poland, the stuff in Italy, you know, stuff in Spain, maybe Europe, you know, isn't the safe customer if you're an Israeli firm, which, you know, funny world, right?
[13:54]
Patrick Gray
Yeah, it is. And you just sort of think, I mean, I touched on this last year through some of our discussions where just the existence of this stuff, I think for so many countries that couldn't develop it in house, so to speak, the temptation to misuse it is just so great. And we see it being misused in unexpected places. If anything, I'm sort of impressed that we haven't seen the stuff sold to five countries popping up where it shouldn't. Right. Because we have not seen that so far. But it does surprise me when you're seeing like, wow, Italy is popping shells on journalists phones. I mean, that's what the allegation is here. It's turning into a bit of a political scandal in Italy as well, not surprisingly.
[14:34]
Adam Boileau
Yeah, yeah, it is. And they haven't quite gone down the same route as, you know, Poland has gone because of the, you know, which government was in power, etc. Etc. But yeah, it's. The temptation, I guess, is irresistible. And you know, I. Part of me wonders because of the long history of electronic espionage in the five lines, like, do we have more mature approaches to governance and approaches to oversight and stuff? Because we've been doing it for a long time. But then again, spying is a very old profession. So yeah, I don't know, I don't know what it is with the Europeans. You would think they would be a little better behaved.
[15:10]
Patrick Gray
Get your act together, guys, come on. But I think you hit on it there, which is the oversight is right. And I think certain things that happened in the English speaking world, particularly in the United States, resulted in good oversight. And I'm thinking of things like, you know, Watergate, for example. As soon as politicians realized that intelligence agencies could threaten them, then it's like oversight, oversight, oversight. That's how it happens. So I think, you know, I do think some of this is just sort of historical and the oversight in, in the English speaking world is actually pretty good. And there's reasons for that. We've also got a report from Lorenzo over at TechCrunch, looking at the specifics of a couple of the people who were targeted and they're people who run refugee organizations and other people who run news websites that have been critical of the government and whatnot. So, yeah, definitely a bad look for Italy.
[16:09]
Adam Boileau
Yeah, absolutely. Not great.
[16:11]
Patrick Gray
Not great. Now, Apple has patched a security flaw that has made people very excited because they described in their sort of advisory or their patch announcement that it was being used. You know, it was extremely sophisticated and being used against very specific targets, like with physical access to the devices. Everyone was thinking James Bond. I'm kind of thinking probably cellbrite. Right. But they have patched a bug that allowed you to bypass like the, you know, the sort of, you know, how they disable the fun bits of the USB interface until you've authenticated to a computer. This bug would allow you to essentially present yourself to an iOS device as a trusted device.
[16:51]
Adam Boileau
Yeah, yeah. And anything that weakens those controls, I guess, is of concern. But also, you know, it wasn't that long ago that we didn't have those controls, you know, so it kind of shows that they have been pretty effective. The things that Apple have added to, you know, lock the device down when it hasn't been used in a while or unlocked in a while. So, you know, kind of a win in a way.
[17:10]
Patrick Gray
Yeah. And you'd imagine, like, if you're a company like Cellbrite, you would have another one of these. Like the plan would be to have another one of these ready to go when the one that you're relying on is inevitably patched. You know, I think the people I know who work in exploit dev, the stuff they worry about are the big changes to iOS, like various mitigations that squash whole classes of bugs and whatever. So you would think they'll have another one ready to go, but it is getting harder now. So, you know, we might be heading to a situation where, you know, companies like Cellbrite won't have coverage for modern iOS, for example, for a period of time at least.
[17:46]
Adam Boileau
Yeah, you certainly talk to people who work in that game when they say their jobs are getting harder. Right. I mean, it's no easy days in the iOS exploit dev business.
[17:57]
Patrick Gray
That's right. It's not exactly a low stress occupation these days. What do we got? We got some US sanctions hitting a Russian based bulletproof hosting company. I mean, this is good. Right. Like, I wonder what sort of effect this is going to have now that, you know, Russia is almost running like this parallel decoupled economy these days. But, you know, broadly speaking, I think these sort of actions are pretty good. And that dovetails nicely with another item that we're speaking about this week, James Redick has the report for the record, which is Thailand has cut power, fuel and Internet access to scam hubs in parts of Thailand. I mean, this is something that I advocated for. I think it was last year where I'm like, why don't we just cut connectivity to these compounds? If you're going to concentrate huge amounts of activity in a physical location, surely you can make life tough for those compounds. It looks like that's what's happening now.
[18:53]
Adam Boileau
Yeah, when you've got compounds that are serving what, 100,000 scammers, like, that's got to make a pretty big dent in terms of power utilization. You know, all the, all the aircon and all of the computers and so on, plus the comms. So. Yeah. The interior Minister of Thailand posed for a photo op at the, you know, like control center for the local power company.
[19:14]
Patrick Gray
And I gotta say I'm very disappointed that the photo shows him holding a mouse where he's about to click the, you know, power off button. I would hope they would mock up, you know, a Hillary Clinton reset style button that he could smash for the cameras. But no click.
[19:29]
Adam Boileau
Yeah, boring. Anyway, an ax through a spare, you know, big, nice thick power cable with some sparks flying off, you know, that would be a good photo op. But no, I was looking for some details about how they, like, how granular are the power cuts was the question I had.
[19:44]
Patrick Gray
Like, are they cutting off as well? Like, are they cutting off nearby homes? Yes. Right.
[19:48]
Adam Boileau
Like is the collateral damage? Or like are they targeting individual, like power subscribers based on their usage? Like, I wanted to see a few details and I did click around a bunch of the reporting and no one seemed to have answered that kind of question because, you know, it would be sad if there were, you know, if there was collateral damage to other people that just happened to live in the, you know, in the neighborhood or nearby or whatever else. But you know, on the other hand, I guess they said what to the Thai economy, it's costing them what, $2 million a day in scamming?
[20:18]
Patrick Gray
Yeah, the whole thing's really nuts. And Thailand and China are actually setting up a coordination center in Bangkok to try to tackle this because a lot of Chinese citizens are being sort of stolen, kidnapped and forced to work in these, in these compounds. So, you know, China's involved in cracking down on this. I think the Russians are getting involved as well, and the Americans. Like, I feel like finally we're seeing some movement here. There's a great piece From CNN about a Chinese actor who turned up for like a casting call or whatever in like somewhere in Southeast Asia and wound up being sort of vanned and taken to one of these compounds. And they got him back after a few days. But this turned into a really big sort of issue in China. And you know, given the number of their citizens that are being sort of stolen, you know, it's something I mentioned before. I know someone who works at like a jobs listing website and they had this issue years ago where I think it was in the Philippines. Cause they operate in the Philippines as well where people were turning up for job interviews and then just disappearing and they did not know why. So, you know, it turned out this is where they were, where they were going. But obviously what do you do? You work in the sort of anti fraud and sort of user safety department of a job listing websites and then your, you know, job candidates start going missing. Like what do you even do?
[21:37]
Adam Boileau
Like that is a mess. Yes. Actually I also clicked through to the link about that Chinese actor guy because that seemed to have caused the Chinese to, you know, do some things. I think also there is some like government visit from someone in Thailand to China as well. So I think that probably has applied a bit of pressure to them, you know, go shake some hands and show some progress, et cetera. So, you know, whatever gets the job done in the end, a lot of.
[22:01]
Patrick Gray
It'S going to be coordination and resources and whatever. And I think every. My point is everybody's on the same page. It's got bad enough that everybody's like, okay, we've got to do something about this. You know, again, it's going to be like ransomware, right? Where you know, release the hounds was never about, you know, going, going after ransomware actors, was never about ransomware elimination. It's about suppression. It's about at least making it somewhat difficult. You know, Tom's writing up, he's doing a write up for this week's newsletter. We just spoke to him this morning. And there is progress there. Like the amount, the total profits, the total revenue going to ransomware crews is down. There's less big game stuff, more targeting SMEs. Like the economy is sort of, the ransomware economy is contracting. I mean, I hear through sources that some of these offensive operations against ransomware crews are actually having an effect. Like they are, they're ongoing, like governments aren't talking about them, but they are doing that. The hounds are out there, man, and they're, they're causing a ruckus, right? For ransomware operators. So that's.
[22:59]
Adam Boileau
Good job, hounds. Good job, Good job, hounds.
[23:01]
Patrick Gray
I know we've got a lot of hounds listening to this, so, you know, happy hunting. Oh, so let's stay with Southeast Asia. Now. We've seen a bunch of arrests by Thai police of ransomware actors. And then we saw like DOJ indictment land that might be connected to that, but we're not entirely sure. Walk us through this.
[23:21]
Adam Boileau
Yeah, so the 8base ransomware crew got a bunch of their infrastructure taken down with a coordinated law enforcement operation in Europe and the uk. FBI, usual, usual kind of people. They arrested four people in Thailand. And then, yes, simultaneously we saw a DOJ release saying that they had charged a couple of Russian men for their role in the Phobos ransomware infrastructure. Ransomware gang and a base and Phobos are pretty well tied together. Like they share a lot of plumbing and things. So I think those are the same people. No one has specifically said that. The DOJ says they're in custody and the Thai police arrested two men and two women. So I think it probably lines up. But you know, that crew goes back quite a long way through other ransomware groups. So, yeah, these are experienced people. So, yeah, good work, good work.
[24:15]
Patrick Gray
Sucks to be you guys. Now, look, there's. We've seen a whole round of coverage about this guy, Tigran Gambaran. Gambarian. I don't know, I always, I always fail pronouncing his name. He was the guy who worked for, what was it? Binance.
[24:32]
Adam Boileau
Binance, yeah.
[24:33]
Patrick Gray
Binance, yeah. So he was a guy who worked for Binance who got detained in Nigeria because the government held him like personally responsible for the currency. They're tanking because really the government had mismanaged the economy and a lot of people were starting to use stablecoins through platforms like Binance, which, you know, can't blame them for voting with their feet and, you know, going to a stable form of currency. But yeah, government didn't like it. They put him in prison. He was going to be there 20 years. Eventually he got out. I mean, this is a story. It's been going on for quite a while. We've talked a lot about it. The record, Dina Temple Rastin and Sean Powers have a write up here and indeed he appeared on their podcast. We've also got a write up from Andy Greenberg who was apparently in touch with this guy while he was imprisoned. And yeah, just a fascinating story and I guess this would be our reading list item for this week.
[25:27]
Adam Boileau
Yeah, there's a Lot of interesting details about kind of the process and how it kind of went down. Like if you're trying to imagine what it's like, you know, being arrested as part of essentially, you know, sort of almost like a blackmail operation, you know, and where international, you know, the Nigerian government in this case, you know, just kind of wanted to hold someone responsible. Sure they were doing something. And seeing the inside of that process I think is insightful especially for those of our listeners that work in, you know, in cryptocurrency and in areas of cybercrime where you kind of get messed up in this stuff like to see how badly it can go. So yeah, definitely worth, worth a read just, you know, for those little details like how do you buy a cell phone in a prison in Nigeria when they think you're a billionaire cryptocurrency mogul as opposed to, you know. Well, he was used to work at the irs so I guess he had, you know, some federal government, you know, kind of salary, but wasn't really a rich man. You know, just lots of interesting details. Go have a read.
[26:22]
Patrick Gray
Yeah, yeah, indeed. Now we're going to talk about this threat report from Cyber cx. Cyber CX of course is the sort of large Australian security consultancy which bough the business where you worked. You were kind of a co founder at Insomnia Security which was acquired by Cyber cx. They bought for people outside of Australia they might not know. They went around and they just bought up a bunch of consultancies. It was like a private equity roll up. And you know, as a result they are the big player in Australian cybersecurity services these days. We don't have a business relationship with them. You know, you did work there for years after the acquisition, but you are no longer there. You are full time. Risky, bizarre. But they've dropped an absolute banger of a DFIR report. Unfortunately it is like regrow walled so you have to cough up your email address to get a copy of it. But it's probably worth it, right, because as far as these sort of reports go, this is a good one.
[27:13]
Adam Boileau
Yeah, I mean the incident response team over at Cyber CX are absolutely the best in the region. Like they are very good at what they do and they get some really interesting places. So yeah, I think it's worth a read even if you do have to fill in a form.
[27:25]
Patrick Gray
Now there's some really interesting key findings here. Where's that? Page five. Right. So the key findings just on their own are very interesting. One is that mfa if you're not using phishing resistant mfa. You're not doing really anything to slow down business email compromise. Because phish kits these days grab session tokens, not credentials. And I think this is something that's not perhaps well understood enough these days. If you're not using some sort of WebAuthn or U2F or Yubikey or some sort of phishing resistant, you know, MFA technology, it's rubbish. Like you know, you're basically not using anything at all.
[28:02]
Adam Boileau
Yeah, yeah. Then I think they specifically talk about a case they had where someone got compromised and they had conditional access policies restricting logins to only come from Australia and the actor just went, eh, no problem, we'll come from a, you know, NORDVPN or whatever out of Queensland, you know, job done, move on. Because those kinds of controls are not effective against an attacker that's motivated and you know, that's get the job done whatever way works.
[28:26]
Patrick Gray
Now some other key findings here that are less interesting to talk about. Like the healthcare industry was the most represented sector. Some stolen data is never advertised on the dark web, it just gets stolen. But a couple of interesting bits here. Espionage aligned incidents like the dwell time is insane.
[28:43]
Adam Boileau
Right.
[28:44]
Patrick Gray
So you've got the financially motivated actors who do smash and grab and then when you look at the espionage stuff like the, the time to detect was 400 days. And this represents espionage related incidents. I mean it's 5% of their caseload. So it's a non trivial amount of incidents.
[28:59]
Adam Boileau
Yeah, no, they definitely do a lot of work in that kind of area. And the contrast of dwell time, I mean the average is kind of skewed around by some of the big numbers. But I mean we're talking three years in some cases of dwell time in organization before the actor gets snapped. And I think even then some of those are because they also get ransomware or also get other actors in there and then that you start investigating and once you roll IR you find, you know, all of the, you know, Chinese or whoever are up in the exchange service dealing with.
[29:28]
Patrick Gray
Well we saw a story this week about some company in the United States that makes label makers or whatever, they got ransomware and then they did DFIR and they turned out like they'd, they'd been mage carted for like you know, eight months before that or something.
[29:40]
Adam Boileau
Yeah.
[29:40]
Patrick Gray
So this is, this is a thing that happens. But then there's the other interesting findings here which is there's a downward Trend of like C2 framework usage because of EDR. Right. So you can't just cobalt strike your way around to glory anymore, but that is sort of counterbalanced by finding that EDR is just too often misconfigured or not appropriately monitored and is not doing what it should be doing.
[30:12]
Adam Boileau
Yeah, I think that that was one of the takeaways here is that EDR is definitely causing problems for attackers because there's a couple of areas where they are changing their behavior. So for example, the increased use of DLL side loading to circumvent EDR detections. But that yes, EDR still has to be monitored and configured correctly to be effective. And clearly, you know, although it's being deployed more, it's still not, you know, not doing everything that people expect of it just because, you know, hey, this is fiddly and complicated and you do need to monitor it and tune it and so on.
[30:42]
Patrick Gray
Yeah, I mean, DLL side loading, right. I think it's important that people understand that EDI will flag it. It's going to pop an alert. Like when something shady happens as a result of a DLL being side loaded, it's going to generate alerts. But they're only useful if someone is actually watching the alerts. And I think that's what people don't necessarily realize about EDR is without the monitoring piece and good monitoring it doesn't really get you as far as people realize. Like the endpoint protection side of it is not incredible.
[31:12]
Adam Boileau
Yeah, they talk a bit in this report about attackers using web shells for, you know, backdoor for long term access to long term persist. And those of course don't trigger EDR until you use them. So you can go sprinkle them around the web servers and then you know, sure you're going to get snapped when you spawn a CMD with them, but until then you still gotta weigh in and then, you know, you've just gotta outrun the people looking at the logs and the response and so on. So it gives you an opportunity to have another swing in it even if you get evicted next time.
[31:45]
Patrick Gray
Yeah, it's funny actually. One of the recommendations in the report is that people consider using Airlock Digital, which as everyone knows I'm a huge fan of, but also CCX are actually a shareholder in Airlock, so I think that's actually a bit cheeky. But look, I mean, also the right.
[31:59]
Adam Boileau
Solution to the problem.
[32:00]
Patrick Gray
That's the thing. It is also the right solution to the problem, right, which is they specifically solve these sorts of issues. Right. Like you might have a couple of exceptions or whatever. Like yeah, you're going to have a few exceptions and maybe an attacker gets lucky, but still it's going to slow them down and whatever. And like it is shifting that whole protection left, right, which is you can't even execute it. You're not relying on a tool to detect something after it's gone. You know, you're stopping it from happening in the first place. But, you know, all in all, an interesting report and something that was interesting. So. So we've got someone starting on Monday, basically like a trial run to see if she likes working with us and if we like working with her for this editing job, right, Doing production and you know, editing text, video, audio, all sorts of stuff. Because it's, we're at the scale now where we, where we need that. It's cool actually, because it's actually Amberly Jack, who's the sister of the late Barnaby Jack. And when I first met Barnaby, like the first thing he ever said to me is like, my sister's a journalist. And so it feels very cool that she's, she's going to come and, you know, see how she likes working with us. But I had to, it meant that I had to go through the process, the mental exercise of thinking, well, we're going to need to provision her with some sort of managed device, right? And what sort of protections are we going to need to put on that device? And there were three. And it almost surprised me where I landed up, where I landed, excuse me, because the three things that I decided we would need to provision to our one remote user who really needs this stuff because she's going to have access to a lot of social media, our cms, et cetera, et cetera. I thought, okay, Airlock Digital for the anti malware side and to restrict browser extensions because they do that now as well. We've got knock knock to restrict access to our content management system. So that ties that to her, you know, Google Workspace SSO status can use Google Workspace to limit OAuth grants. We're going to have to set that up and that's going to be a nightmare in terms of like navigating the Google Workspace admin interface to actually make that happen.
[34:03]
Adam Boileau
So much white space and yet still so difficult to use. What are you doing? Google?
[34:07]
Patrick Gray
Yeah. And then the final piece, right, and this is the one that I thought was surprising is like because I always, you know, I kind of thought they were nice to have and I've realized they're more of a must have now and you know, full disclaimer I am an advisor to the company, but push security because they make a browser plugin which is going to detect these phish kits that are outlined in this report. Right. And stop. They've got password protection features as well where you can't actually reuse passwords in, you know, on different sites and whatnot. It just won't let you paste them in. And it also does, you know, phish kit detection to detect the major phish kits that do this token theft stuff. So I thought that was just a really interesting thought exercise where, you know, I didn't land on CrowdStrike and an MDM solution. You know, I landed on some stuff that is, I guess, kind of esoteric but is actually going to solve the problem.
[34:54]
Adam Boileau
Yeah, yeah, I mean, I thought, you know, we've talked about this a bunch about, you know, what we're going to do and how we're going to do it and so on. And yeah, it's been interesting to walk through this exercise of like, what does a 2025 ad new setup for this look like? Like, what do we need? How are we going to make it work? And yeah, like, it is a different list than, you know, perhaps at first blush you would have thought of. So, yeah, yeah, I guess we'll talk to our listeners later on once we've, you know, had some experience with it and see, you know, see how it works for us.
[35:28]
Patrick Gray
And we're not posing this as a challenge, by the way, to anyone who would like to bypass these controls. We're doing the best we can. But I don't know, you're the ciso, right? So.
[35:38]
Adam Boileau
Gee, thanks, buddy.
[35:39]
C
Yes.
[35:39]
Adam Boileau
Well, I guess if someone wants to, to face our stuff then, you know, post on our LinkedIn then. Hey, Yai yai. Well, best of luck to you.
[35:49]
Patrick Gray
Yeah. Now look, just, just going back to that report for a moment. Another thing that it's highlighted and this is something that I'm hearing across the board from everyone I talk to who's, you know, adjacent to incidents, which is living off the land is, you know, that used to be kind of niche and now it is just standard workflow. Right. And just more and more people are just using whatever baked in tools they can. Whatever. Yeah, whatever existing code there's there that you can misuse. That's how people are doing it. And we'll talk about the lull bins. But also this report looks at how an attacker was actually using Microsoft's E Discovery tools to do xfil, which is just like, I mean it makes Total sense. But it's also like a little bit, you rub your temples a bit thinking about that. But yeah, I mean, I can't say I'm terribly surprised that people are moving more towards LOL bins.
[36:41]
Adam Boileau
Yeah, I mean it makes sense that, you know, Lobins and also existing kind of remote management tools, either ones that exist in the like in Windows, but also ones that are in use in the environment or are generally widely available. They also call out the use of cloud for data exfil. So rather than having to, you know, raw up your files and send them out the old fashioned way where you might get spotted by DLP controls or whatever else, like using cloud based file storage, whatever that's already in use in the environment to exfil it, if your data is already up there in the cloud and they can get it out, then you're not sending it out of the network a second time. So that was interesting. I think one of the cases they worked the same one with the Ediscovery for stealing people's email. They were also adding, they added like extra credentials to the cloud accounts used by the, whatever mail filtering provider they were using. So just logged into the Azure portal and the Entra ID portal and then add extra accounts to that so that you can then use that to exfil the mail. So an increased agility in using those kind of cloud environments and using those tools against you, be it OAuth grants, be it setting up extra accounts with access. I think one of them, they set up Microsoft Graph API access so they could use that to query data out of the cloud remotely.
[38:03]
Patrick Gray
So well, and what's funny is how the new stuff echoes the old stuff because a lot of the time they're, you know, they're spinning up accounts that have MFA exceptions because they're essentially service accounts but cloud. Right. And it's like, oh my God, we're just, you know, we've made progress but in some ways we're kind of back where we started.
[38:20]
Adam Boileau
Yeah, I mean these are all the same flavors but you know, all the same things, but there's like a different flavor like this, the same pattern, but in the cloud versus on prem. And it does make you wonder like if you did the old classic Bret Moore, same bug, different app spreadsheet where you make a list of all the applications and all the bugs that you know about and then look at the gaps where those bugs don't exist in other products that you use, then you can, you know what bugs to go look for. There is a Lot of scope for exactly the same thing here with On Prem, AD and business, you know, business networks to Azure and Entra and all of the cloud stack. So lots to be found there, lots of fun to be had.
[38:58]
Patrick Gray
Yeah, I mean it's so funny that we've spent 20 years like throwing mud at AD and then you know, we kind of realize, well, okay, there's some serious foot guns in ad. But even when you take them away and you move to an all singing, all dancing cloud future, you know, identity abuse is just inherent to any directory. Yeah, right. It's an inherent problem. And the tooling on AD is okay now cloud tooling for this stuff. I mean now we're seeing a lot of investment activity in a lot of startups trying to address this problem, but they're not, they're not mature yet. Like it is, it is kind of insane where we are at the moment. You look at how people are running through, you know, organizations and you just think, well, we should have been better prepared for this and we're not.
[39:43]
Adam Boileau
Yeah, I mean, I think if, if anything, like whilst AD was a mess, it kind of moved more slowly than the cloud. Right. It took us a long time to go from NT3, 5 1, NT4, whatever it was that they introduced the kind of what became modern on premise active directory. It took us 10, 15 years to really get our heads around how to do that robustly. Whereas the cloud, it's just moved, especially Azure and Entra. Like it's moving so quickly that no one has time to figure out what's best practice or whatever else. And we're going to be finding new and exciting things in that setup for such a long time. And actually the other thing that while you were talking about AD that occurred to me was we can imagine like a parallel future where sun hadn't been ruined and Sun's LDAP and UNIX environment and network is the computer future had happened, we would have all these same problems except they'd be in Suns LDAP and you know, one directory or whatever it was called and it would totally be worse, you know, some RPC services getting, I mean I'd love it. But you know, the Windows future happened, but it would have, we would have been in this boat regardless of, you know, Microsoft or you know, sun or whoever else. You know.
[41:00]
Patrick Gray
Look, another thing that is interesting to me about all of this is just how much this reinforces the idea that the browser is the new operating system. Because that's where OAuth grants are made, for example. And OAuth grants are the new code execution and you know, authentication tokens are the new, you know, means of, you know, the new, the new tokens, you know, that you bear to prove an identity and that may lead to code execution and like it's just, it's just crazy how much of this is just about browsers, you know, granting authorizations and exchanging tokens and that can lead to a full compromise of cloud environments. And to make it worse, like external SaaS as well.
[41:40]
Adam Boileau
Yeah, I mean I think that's kind of where we ended up with Airlock for controlling the underlying os. So making that robust and push for making the actual real os, I. E. The browser do things that we kind of need to manage from the high level security properties that actually really matter. Whereas underlying file system permissions or whatever else underneath your browser really not that relevant anymore. And you know.
[42:07]
Patrick Gray
Yeah, I mean the missing bit there is the OAuth grants. Right. Which you kind of have to do, you know, in our case because we're a Google shop, we have to do that via Google. Can't really do that with push. They do some limited stuff there and you can actually use that tool to pull in like what's authorized and whatever, get a bit of a list. But in terms of controls and then, oh man, you know, I mean Airlock covering browser extensions is good because that's been a way malicious extensions that leads to token theft and whatever. But yeah, it's just all the action is identity and the way the browser interacts with the identity and stuff. I do feel like we've solved or at least we've got good tools for some of those old challenges. And what does this mean for ransomware? Right. When we look at all of this, what does this mean for ransomware? Are we going to see more attacks against cloud services? And I think we absolutely will, which is just great.
[42:56]
Adam Boileau
At some point the Internet will run out of vulnerable fortinets. Yes. And they'll have to come up with some new tricks.
[43:02]
Patrick Gray
I mean, I don't think that's going to happen very quickly. Crazy stuff. Anyway, that concludes our discussion about the Cyber CX threat report. We put a link into the landing page in this week's show notes. But congrats to all of the people who worked on that. It was very thought provoking, interesting stuff. And of course that concludes also our news segment this week. Adam Boileau, thank you so much for joining me. We'll do it all again next week.
[43:26]
Adam Boileau
Yeah, thanks Pat. We certainly will.
[43:34]
Patrick Gray
That was Adam Boileau there with a check of the week's news and also a discussion of the cyber CX30 threat. Threat threat report. Very interesting stuff. This week's show is brought to you by DropZone. DropZone makes a AI based tier 1 SoC analyst. Right. So it can do some of that drudgery that all of the SOC analysts have to do in terms of like looking at those first stage alerts, seeing if they're a false positive or worth investigating. It's very cool. I've been through it with Edward, who is our next guest, Edward Wu, who is one of the co founders of DropZone. And yeah, it's very interesting stuff. Now they have been around a little bit longer than some of the new entrants who are sort of flooding this space. Right. It's a really sensible application for AI, which is why there are so many companies now flooding the zone. And you know, because they've been around for a while, they've been able to bump into a lot of the corner cases that pop up when you're trying to use an LLM to automate this sort of low level decision making. And one of the issues they've come across is actually an interesting one, which is model coachability. AI models, as it turns out, they're not, they're really stubborn. Like you'll tell them stop doing that and they're like, yeah, whatever meat sack. You know, I'm a robot, I know better. Right. So they just keep doing the same old stuff. So this is something that Edward and his team have had to work at really quite hard. And here's Edward talking about all of that. Enjoy.
[45:00]
C
What we have found is, unfortunately, you know, most AI agents, when you first build them, they come across as somewhat smart but very stubborn because they don't take your input, they ignore specific organizational policies and practices you wanted to adopt. So what we have done is as we are building our product, we added a number of capabilities that allows the users of our AI SOC analyst to influence the activity, the technique and the behavior of our AI system. And by doing that, we transform an AI agent from somebody who is very kind of smart but quite stubborn to somebody who is smart but can actually listen to additional instructions and do things in a way that aligns with other members of the team.
[46:01]
Patrick Gray
Yeah, and I'd imagine too that this type of coachability to some degree like it's better than coaching a human because you only need to tell it once. You know, you're not going to have, you know, it's not going to leave, it's not going to resign and be replaced with someone else who hasn't had those instructions. So why don't you. First of all, let's talk about like what you can coach it to do and then we can talk about how you actually do it. So what sort of stuff? You know, we were talking earlier and it's sort of stuff like, you know, if you don't alert on this unless it happens over here, or maybe we want to know about this if it happens over there. It's that sort of stuff, isn't it? It's really the sort of instruct and training you would give to someone, a human in the soc.
[46:42]
C
Correct? Yeah. So there's a couple concrete examples. One very common example is hey, we are a cloud native AWS shop. We have 500 different AWS accounts. We frequently get publicly exposed S3 bucket alerts. It's a very common alert. But hey, for these 50 accounts, we actually don't care too much about this type of alerts in those accounts because those accounts were for our partners and we're just stuffed a bunch of fake data into it so people can play with it. So that's kind of one concrete example where something, it's something that you would have told a new hire joining the security team as well.
[47:30]
Patrick Gray
But I can see exactly why you would have needed to do this. Right. Because initially it just would have been stubbornly alerting on something like that in a test environment. There was no real way to tell it not to. Right? Yeah. That's funny.
[47:44]
C
Yeah. So these kind of organization, it could be organizational policy preference or sometimes practices. Right. This team always does this. You should keep that in mind. As you are looking at security alerts, the director of IT has a script that he or she runs every now and then to reset people's MFAs for a variety of different reasons. And this behavior is actually expected. So these kind of organizational knowledge is one type of coaching that can be done. But another type of coaching is more about, hey, when you are looking at AWS alerts, I want you to look at this specific label that's associated with asset. Why? Because in our organization we use this label to determine if it's prod or dev.
[48:32]
Patrick Gray
Yeah.
[48:33]
C
So not some things that you should be doing everywhere. But in our environment we use this label. This label is like the ground truth of a lot of assets. And as an AI sock analyst, you should really look at this label and consider the value of that label as you are looking at security alerts. Because that's another example. It's less about the context. It's more about specific techniques that's unique to the environment.
[49:02]
Patrick Gray
So how do you actually achieve this? With a large language model, I'd imagine that say you want to get it to do a thing, you enter that somewhere into the drop zone interface and then in the background, what is it? Continuously reminding it. Hey, keep in mind when you process all queries that you need to do X, Y and Z. Is that kind? I mean that's just me, an idiot who doesn't really understand AI all that well. That's how I'd imagine it would work.
[49:27]
C
Yeah, one way you can think of it, it's kind of. I'm sure you have heard of systems like rag, right? So it's essentially a retrieval augmented system where very similar to how for example when we go through our day to day lives, when I walk out of the door subconsciously the activity of walking out of the door and closing the door creates this reminder. I should have probably locked the door as well as I exit my house. And I would say see coachability or subsystem actually works in a very similar way. You monitor what the agent is doing and when the agent is performing certain activities that correlates to certain configured, you can say tips or suggestions or devices that the human user has kind of wanted to remember, it will recall that advice and then which will help to remind the system, hey, as you are looking at AWS assets and you are trying to understand the context about an AWS asset, remember this user 2 weeks ago told you that you should look at this label. So it is kind of a retrieval augmented generation system where depending on the activity of the agent, the system is recalling certain advices and tips and using that to remind the agent, you know, here are some additional things you should be looking at.
[51:13]
Patrick Gray
It's still pretty mind bending all of this stuff. Now we should point out too that you know, your customers, their data isn't just going into consumer grade models. Like everybody kind of gets their own instance of these things. What's interesting is, you know, I work doing some advisory with you and I know early on like you would run into a bit of a barrier where people were a little bit nervous about like well is my log data going to start training like ChatGPT and then leak out through people's queries. And of course people are getting more comfortable with the idea of oh okay, now you can sort of license your own tenant and you know there's contracts which say they can't train based on your data and whatever and there's you know, A certain level of confidentiality that's, you know, similarly to when you buy, get an EC2 instance on, on Amazon, etc. And one thing that's changed recently, and I find this really interesting is where some of the business, you know what some of the business drivers are that are leading people to actually reach out to you at the moment. And it is boards having a meeting and saying we need to find ways to make our business more efficient by using AI. And they're sending that out to every single department, every single manager in their entire enterprise. And that's driving a lot of inbound for you. And I just, I think that's really fascinating that we're seeing this as a absolutely a top down thing from boards who are like we've got to find ways to paste AI into every corner of our business to extract that efficiency. I mean that's been. And that's been a recent change, hasn't it?
[52:43]
C
Yeah, yeah. We have noticed a huge uptick from organizations that, you know, as they wrap up 2024, they are looking at 2025. I think, you know, between the recent deep sea announcements to Nvidia stock crashing to the $500 billion of Stargate projects, you know, I think Gen AI is definitely on top of mind. Frankly at this point if you know, it feels a little bit difficult to even isolate yourself from some of those news.
[53:15]
Patrick Gray
Yes, I can imagine you go home at the end of the day, the last thing you want to think about is LLMs. You turn on the news and there it is. Right?
[53:23]
C
Yeah. And I get calls from my parents like, hey, when are you building a stock trading AI using large language models? It's all over the place. But yeah, I would say we have noticed definitely a tremendous uptick in the number of organizations where it's a board level mandate. We need to improve the efficiency in every single business function. And that obviously includes security teams. And surprisingly one of the most universal and glaringly obvious need for a security team is alert investigations. Detection response is a core component of most security teams. And as a result of that, yeah, we have definitely been getting tons of inbound interest in learning about how our technology can allow security teams to do a whole lot more than what they are currently doing, but without doubling the budget or doubling the headcount.
[54:22]
Patrick Gray
Yeah, yeah, it is. I feel like, yeah, 2025, there's going to be a lot of prime time, a lot of people using AI for real stuff. But I mean you built DropZone to do what it does for a reason because it is frankly the most obvious use case for large language models in security.
[54:39]
C
Yeah, yeah, it's definitely a very, and it's a very good use case as well. Because from our perspective, you know, our goal and when we are building drop zone, it's not to replace human engineers to human analysts. And human analysts, yes.
[54:53]
Patrick Gray
To take away the grindy, boring, crappy parts of their job basically.
[54:58]
C
Yeah, absolutely. And we have seen that not only in enterprise security teams, we have also seen that with some of our early adopters and customers. On the service discovery front, as you can imagine, most managed detection, response and managed security service providers have a lot of security analysts and frankly a lot of these security analysts are doing 24, 7 alert investigation not because they couldn't do something that's more interesting and higher value, it's because out of necessity. So one thing we have been helping in addition to enterprise with service providers on is allowing them to uplevel their team so they can allow the existing talent and engineers they have on their staff to offer and work on higher value projects, whether it's SIM configuration, visibility, fabric deployment, security architecturing, red teaming and pen testing instead of endlessly triaging things.
[56:00]
Patrick Gray
That probably aren't incidents. Yeah, no, exactly, I get what you're saying. It's funny though because one thing I know through discussions we've had is there's really two different types of MSSPs out there or MDRs. There's the ones who have like hacked up DIY horrible stuff where you're limited in what you can do there. But there are these new categories of MDR where they're using some of the more established off the shelf tools. They might have a multi tenant arrangement of some big existing commercial SIEM or whatever. And you're having a lot of success there.
[56:31]
C
Yeah, absolutely. What we have seen is a lot of these MDRs or MSSPs like you said, they will have a multi tenanted license of a large SIM and then because that's what allows them to achieve economic of scale and then in addition to that they will oftentimes build their own content packs on top of those sims. So they are not taking Splunk, Sumo Logic or Panther and just running it, but they are actually building additional detection content pack which to some extent is their unique value proposition. They have taken their expertise in security and built additional detection rules that's relevant to the segment of customers and organizations they service and with those organizations because they are using the same SIEM across different organizations and different clients that really allow us an automation product like us to plug into their ecosystem and helps them autonomously take alerts from this multi tenant siem, perform investigations by pivoting across different data sources and tables within the siem, and ultimately generate drafting investigation reports that the service providers can their human analysts can review and build. On top of.
[57:51]
Patrick Gray
We're out of time. Edward Wu, great to see you. Great to talk to you. Always a fascinating conversation and we'll chat again through the year.
[58:00]
C
Thank you.
[58:01]
Patrick Gray
That was Edward Wu from Dropzone there and you can find dropzoneropzone AI. And yeah, full disclosure, I am an advisor to that company. Yeah, I'm into it. Really cool stuff. And that actually wraps up this week's edition of Risky Business. I do hope you enjoyed it. We'll be back through this week with more Risky Business for you all and another weekly show next week. But until then, I've been Patrick Gray. Thanks for listening.