A
You're listening to the Cyberwire network, powered by N2K. We have an obligation to continue training those that are coming up behind us, but then we have to maintain that chain. And that chain of expertise is really only needed when somebody fires that starter's pistol and there's an event, there's a crisis, there's some exigency that requires. It's what you do for a L. Whenever there's some massive breach and they're calling somebody, who are they calling? They're calling you. And they're not calling you because you're a nice guy. They're calling you because you've got the reputation, the experience, and the connections. If you can't solve it, to the people who can.
B
Welcome to Threat Vector, the Palo Alto Networks podcast, where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. This episode's a little different. I'm Michael Sikorsky, the CTO of Unit 42 at Palo Alto Networks, and I'm stepping in as guest host today. If you know me, you know I'm obsessed with reverse engineering malware and staying five to 10 steps ahead of attackers. I've also had the good fortune to work alongside and learn from today's guest, someone who's not only shaped national cybersecurity policy, but is now building technologies that change how we fight cyber threats in the real world. I'm joined by my friend Tom Bossert, president at Trinity Cyber, distinguished fellow at the Atlantic Council, and former US Homeland Security Advisor. Tom's been a policy powerhouse and now leads one of the most innovative cybersecurity companies out there, focusing on proactive threat interference. Think of it like messing with the attackers mid-operation in a way that changes the game entirely. Full transparency: I've been on the advisory board of Trinity for four and a half years now, which is crazy. It's been that long.
A
Thank you.
B
And one thing that excited me about the company from the start was just this concept of messing with attackers. I've worked in incident response for, like, going on 20 years now, and it's the idea of, like, messing with them as they're trying to attack us is just such a pleasant thing, because it seems like when you come and do incident response, it's like it's already too late, right? They've already got in, they've already found their way in and hacked in, and then that's it. They're gone with the goods and you're negotiating a ransomware.
A
I mean, it's more fun than anyone should be allowed to have.
B
What makes it fun for you.
A
Well, the idea of messing with the adversary. You go through all the gut-wrenching ups and downs of a startup and then figuring out how to get yourself into this complicated, complex, noisy market. And at the end of the day, when you're really feeling like maybe I'm losing hope or faith, what are we doing? What's the focus? You go back and you mess with the bad guy. You talk to the tech team, you get into what they do every day, and they're having more fun than they should be allowed to have in any other place. You'd have to be in the government to do something that's directly intended to interfere with the adversary's operational outcome. But we found a way to do it in a commercial way that's legal, effective. It's just fun.
B
There's been a lot of talk lately about the concepts of more offensive security, more interference, more technologies that are kind of getting back at the attacker. I mean, you've heard a lot of rhetoric like that in the last few months even.
A
Yep.
B
Do you have any sort of, you know, where do you think that's going and what is going to be the impact of that? Do you think they're, you know, for the next four years longer? Like, do you think there's going to be a lasting effect to that kind of talk? Is there going to be more action taken in the private space with that kind of thing?
A
Yeah, you know, I think you have a really like technical listening base here to this podcast and so we'll just kind of jump into it. But one of my biggest fears is the massive disconnect between those policymakers that say that and what you know to be the case and how the tech works and what it really means. So what does offensive mean? What does defensive mean? You get into these debates, but yeah, listen, at this level, it's easy to say. At one high level, people can't see me. I'm saying at the 30,000 foot level, I'm all for not just cyber induced, but any kind of policy lever inducing a change in the incentive structure. So listen, there are bad actors out there. Do things to them to punish them, to impose consequences, all for it. You don't have to limit yourself to just offensive cyber. I think one of the things that troubles the United States and Western countries on the offensive debate is we say, I'm mad, I want to get back at these guys for taking advantage of us. Check, check. Me too. And then so let's start hacking them. Well, what do you mean? Well, what do you want to hack? You want to just hack in general? If you want to shut down, you.
B
Kind of have to define what that is.
A
Right. Once you get into that debate. This is what I used to do for you. Once you get into the debate of figuring out what's the target, how much is it going to cost, what effect are you going to achieve? Are you actually going to change the behavior of that country by hacking into more of its private businesses? Do they care about their private businesses? Is there a fundamental misunderstanding about how we can.
B
It's harder to be tit for tat. Right. Because China's hacking every single business that we have. Everything we're doing. Would they even care if we did the same?
A
If we did the same to them? And the late Ash Carter said, soaked in gasoline, and you want to get me into a match-throwing contest. And I thought, that's pretty good. Right? So there's a lot of parallels to the tariff debate that we're having right now. But yeah, listen, in a targeted, useful way, I don't shy away from offensive cyber operations if they have a meaning and a purpose. But you know, for me, tell me how to frame it better. But what I just described about what Trinity's doing is. It's here. I'll direct this to the current president. It's reciprocal. Okay, it's reciprocal. The idea here is that we're not going to do anything to impose any consequence on you unless you first start it. And for us, we're only interfering with that which. It's like judo, where you take the energy of the attacker back on himself. To me, we have to get better at doing that. That's a starting point. Because offensive operations take a long time. They are executed in a different place with singular authorities, and often it would be much easier and more effective to use a different lever or a different type of national power to change the calculus of the adversary. You want to hack all the Chinese businesses to get China to behave differently? I don't know. I don't think that's the best way. It's a way, but it's got to be in a mix of all the other ways that you've got going for you. And the US has a lot of power. We don't have to sit around and just hack people back. At some point, we reserve the right to use bigger force.
B
Yeah, that's interesting. I'm wondering, like, where, you know, if things could get more privatized. Right. I mean, a lot of. At least I think of it as like you got to go work for an agency or something like that to really do the offensive stuff. And that's what people have always talked about. I wonder if this would like open the door for that not to be the case longer term. Well, you know, and then, and then where do you, where do you draw the line? Who's, who's watching the companies? Who would be doing that?
A
Right. There's a thousand answers to that, but one of the simplest ones is honestly, it's like the rule of artillery in the military. You know what you're allowed to do if somebody starts shooting at you? Shoot back. You don't shoot first, but you shoot back. And there's, there's a misnomer in the cyber world that shoot back is kind of a, is kind of a pause thing where you, you get hacked and then you get together and you call a bunch of experts and you say, okay, now we're going to hack back to like kind of a pain type of application. We're going to apply pain to them for doing that. Like it's a spite thing. But that's not what I'm suggesting. What we're trying to do here is to create friction. The kind of pain like I described earlier, that throws off their operations, that stops them from so unimpededly imposing costs on us. It's not about getting into a fight where I'm mad and I want to have my emotion vindicated. It's about trying to achieve a better operational outcome.
B
Yeah, that's cool. So obviously we've now talked about the policy side. Now you're in this fast moving startup in the cyber world. Can you tell me about that transition? What made you go from the guy in the White House advising the President on what to do to now, fast forward years later, helping to run this startup.
A
It's a theme, it's stopping the bad guy. It really is. And the thing about policy and strategy world is this is just my mentality. But if you don't eventually get tired of that and long deep back into some operational role where you can make a difference, well, you're not part of the solution. And in fact, if you really become comfortable in that world, you're probably, probably going to become part of the problem. If all you do is spend your entire life making policy and strategy and don't have an appreciation, experiential appreciation for the operators and their problems, you're probably making bad policy. So yeah, I couldn't, I don't want to say couldn't wait. It was an honor to have every position I've had in government service, but I've always liked the operational ones. And when I got the call that the team at Trinity had cracked the technological nut that they were seeking to crack, and the implications of it are really profound. We'll go into it in a little bit, but this is sort of like.
B
Manipulating traffic at line speed.
A
Yeah.
B
Listen, to keep it short. Right?
A
Yeah. Right. Yeah. It's like you have to use terrible metaphors in our field at all times. Right. So a little bit of what I talk about now is like, it's an electric fence. You know, there's a consequence to touching it, and it changes the behavior of the people that consider touching it. So it's beyond just effective in its primary purpose, boundary defense. It has a kind of hard-to-explain legacy. Right. That sting that continues to last after you've touched the fence. But there's something, I think, a little bit more to it than that. But for me, the spark was I've got to get back into stopping the bad guy. And my own 2 cents: the trend's going in the wrong way. And this is not a knock at any individual contributor in our field. But you really have to be blind if you're not looking at the data and developing some concern about our future. Right. Everything's going into a worse direction in terms of outcomes. And yet we continue to, generally speaking, apply the same solutions. And we'll talk about that a little bit more.
B
And I think that's just about, like, the cybersecurity industry as a whole. I think we've done a pretty decent job of detecting attacks. Like, there's a lot of products, a lot of technologies that can detect attacks. The problem that we ended up creating was all of these alerts. Right. That like, everything is going off, some products better than others at sending out the alerts. But then you have all of these alerts, now what do you do? Now you've got to take care of that. And that's why technology starts to pop up to try and solve that problem. Right. And we, as a cyber industry, have created technology to try and make sense of that efficiently. Some of it is correlation, using AI, stuff like that. And then I think others are things like what you're building as well.
A
Yeah. So the incident response ecosystem is out of control, and the numbers just don't make sense. We'll talk about policy here, we'll talk about different ways this manifests, but people want to apply compliance standards. Well, there's not enough compliance personnel in the world. There's more poems than there are hours left in their work week. Right. You know, you understand what I'm saying? But there's a lot of well-intended concepts that aren't actually producing a change in either adversary behavior or in their success rate. And so we have to change it around. It's not so much that we've created an active thing, that's fine. And we have. It's that we've turned the problem upside down. So what you just described is the result of not only detection, but detection on the target side of the equation. How many endpoints are there? Millions. Billions. Hundreds of millions. It's staggering. And the alerts that we're producing are coming from every enterprise target, every endpoint target, everything that the adversaries are attempting to breach. There are not that many adversaries on the other end of this equation. Maybe we can debate this, maybe 4,000 hackers in the world that have the skill set necessary to develop the tradecraft, many more that then use their payloads, script kiddies and like, like the actual.
B
Ones who find the zero days and pull off the really elaborate supply chain, like attacks and stuff like that. It's a small number.
A
I'll call them the, like, bad guy version of you, right? How many sophisticated.
B
Well, there's a lot more good guys than there are bad guys, right?
A
And so if, if those bad guys.
B
But also this level of sophistication you need is just, it's a small pool, really quick.
A
It is. So there's, well, there's a number of things here, but if you just talked about it from a market, commercial, technical perspective, what I think is so genius about the creative team at Trinity, these guys say, what if we turn the problem upside down? How often does that small universe of bad guys change their tactics and techniques? They might change the payload a hundred times, but how often? Of course they change their URLs and their documents are re-saved and hashes and all that. But those IOCs are easy. How often do they actually change the fundamentals of what they are and who they are? And I think, you know, the answer to that is way less often. The scale of the problem becomes manageable when you do that. So if you can open up the network traffic and inspect it to a level of depth and content where you were confidently finding them, their techniques, not their indicators of compromise, but the actual presence of their technique, which is what we do, you can start to make a more manageable outcome. That's what I mean by more fun.
B
I used to draw this graph when I would teach about malware and creating signatures for it. And the idea of, well, if you just change one byte, you've changed the hash. If you just change one string, then that's like. And you change the file name, right? And that's a different. The file name doesn't last very long if you just very simply change the file name. But as you move along this graph that I would draw, you'd move over towards like you're getting closer to the human on the other end. And the more you get closer to that human on the other end, then it's harder for them to change who they are, how they operate, how they get in and what they do. The IOCs that are simple to change with a flip of a bit, that's not what you want to go after. You want to move as far to the developer as you can think of. It's like how they install, what are they doing, how are they delivering their exploits, all of that kind of stuff. And if you get to that far side on the right, or you can't see the right, but the right side of my hand, that means you're closer to the developer. And those technologies that are operating closer to the attacker are going to perform better than the ones that are further away.
A
If you start on your left hand there, right, think of the more ephemeral things that they change all the time and you going after them all the time. And that game of whack-a-mole that we play, it's a self-fulfilling prophecy. We've ended up encouraging them to create more ephemeral IOCs because we're going after those IOCs. And so it becomes not only not effective, but it becomes a cost center for all of us. So those alerts are going up, the same costs are going up, all that stuff. So yeah, on the other side of it, there's a guy called David Bianco, you probably know him, he came up with a way of describing a pyramid of pain. The Pyramid of Pain. So what you have to do is go after their techniques. And if you can do that, you can have an effect. And for what it's worth, bad guys have budgets too. And if you start to cause them significant legal. I'm not talking about getting into offensive cyber, we can talk about policy here, but you start to cause them a disruption that makes them change fundamentally who they are, they run out of time. Operational window, budget, objectives change, politics, calculus changes. And that is friction. That's where we have to go.
B
And I think one place you go, you brought up hacking back, deception, manipulation. I think anytime you're, like, manipulating people's traffic. I guess that's one line of questioning. I want to ask you about your technology. I think we covered pretty well what it does, but maybe if you quickly talk about what it does as part of this answer, it'll help us get to the other question I have, which is like, we have trouble getting our customers. Palo Alto Networks. Biggest firewall company in the world, right?
A
Yeah, that's shabby.
B
Biggest cybersecurity company in the world. But one thing we have a big issue with still to this day is doing break and inspect of encrypted traffic. It's like, yeah, plenty of customers do that, but a lot don't. And just recently, basically all their customers that are doing that, they had an additional way I could look at the traffic and see what happened. And I was able to reach out to the victims who were hit by the attack that was happening. Yeah, but because they had that turned on. But so many still don't. So I guess my question to you is, like, if we're having trouble, you know, turning on SSL decrypt, how does that impact a technology like yours? And then just maybe, maybe give a quick overview of how it works at a little bit one level deeper than.
A
What we've said so far. That's a fantastic question. Right? And there's a couple of different answers to it. Depends on the perspective of the listener. But first off, break and inspect, depending on who's listening to this, sounds terrifying, right?
B
To people, right?
A
You and I know what it means, but what we're talking about is terminating encrypted traffic. Right? And it's central to a full application of what we do. And so one of the things that we've discovered is that there are two different kinds of buyers. And I know you've seen this too. For the most part, I have not encountered yet a security buyer in an organization, large or small, that doesn't love what we're offering. And probably you feel the same way. But then they often say, now you're talking about something that involves another guy in our organization. I want to call in my network engineer, call in the IT director, and that guy says, listen, my job is availability and reliability. And anything that makes the Internet less reliable, less available, or slower, or even makes me do any work outside of what I already do, is unnecessary to my outcomes. My job here is simple. And you security guys, you go do your job. That's an artificiality that I think every CEO listening to this podcast, and if they're not, we'll send it to them, we'll find a way to promote it. But they really need to understand that it is incumbent on them to reach down and to play referee in that debate. You know, I was looking at all the, you know, I read all these things. I'm sure you do too. And a shout-out to CAMS, the Cybersecurity at MIT Sloan team. I don't know if you follow any of those. They came out with a report recently and they're saying all the great numbers, right? They're saying the trend is going the wrong way. What we're currently doing is not working. I think they call it. I don't know if they call it failing or just not working. And I'm sitting there thinking these are useful statistics. And then their recommendation is a whole lot of, I'm sure, good advice. But costly, time-consuming, complex work that enterprises are reading these papers and then engaging in.
If they really understood, relatively speaking, how much easier it would be to handle B and I and to push the certificates to the machines in their network and to handle occasional whitelisting, blacklisting, kind of the workaday kind of management of that, if they really understood how much time they're spending on doing something that doesn't have a direct consequence on the threat that they face. It's not directly stopping the bad guy. And how much they're avoiding something that's relatively easy and it would have direct impact on their security posture. They would change their thinking. And we talk about it with little things.
B
Yeah, I think. And then sort of pivoting to the, you know, what everybody's talking about, AI, right on every billboard you see out there at RSA today.
A
How many zero trusts can we fit into AI?
B
Zero trust. But it is, it is important. And where it's. And where things are going a lot. I mean, when we talk about AI and what we're using it for, both attack and defense, we actually have a demo that we built in Unit 42 showing how agentic AI could be used instead of a red team. So to take each step of the red team is now you give it a problem, it's out solving, it's scanning, it's poking holes, it's grabbing payloads and embedding in malware and shipping off all on its own.
A
I love when words like agentic move from the tech space into the marketing world. You see it all. No, listen, it's.
B
But like, where, where do you think? How does that impact the defense strategy of like Trinity? Or is it just a bigger. It's just faster, bigger scale and all that?
A
No, no, no. Actually, no. Just, just the opposite. I was about to twist that in another direction first. You're right, it's scary. The AI is being trained for the bad guy in a way that's faster than it's being used and trained for the defense of the good guy. It's a world that we've got to reconcile, you know, fast. For Trinity Cyber. We are, in my view, the only. That's a big word. We are a significant play in the future of identifying and thwarting AI-generated attacks. Because the thing that our current systems do poorly are the things that AI exploits really well. But AI, no matter how it's trained, no matter how fast it works, no matter how quickly those moles are AI-generated to pop up in a way that's meant to avoid the whack-a-mole system that we've created that you described earlier, we're going to find the presence of the exploit in the content. And so go ahead. You generate 7 million attempts to put some type of steganography into an image and then create 7 million images and send it through 7,000 different channels into your target. We're going to, among other things that we do, we're going to find that and remove that appended data from the traffic in flight so that what gets to the endpoint doesn't have the AI-generated payload in it.
B
I think we're both so passionate about stopping the attacker. It's like very obvious to me that that's what we got into this space for. It's like this. How do we, how do we stop the bad guys? Like, what we're all about. And that's like why I love the technology, but also why I love what I do. Right? So, like, because I don't think a lot of people working other jobs get to have that where they feel like, oh, they're also trying to stop this evil that's trying to get us out there. What do you think the most important thing a listener should take away from today's conversation?
A
Self-help. There is absolutely nothing that's going to change this current trend that we're on, other than the CISOs who are responsible for defending their networks taking the right action, seeking the right funding, applying the right sets of tools and innovative solutions like the one we're offering and others. There is nothing that's going to change the place of the CISO in the world outside of their own good judgment, common sense and their own action-oriented behavior. It's true. Our vendors have to step up, our corporations have to step up. There is a big role for government in this whole thing. But the real, I think probably best and fastest thing to say is the government's not great at doing a lot of things. The government can start to impose costs on foreign governments, they can start to do things that help us. They can empower the market, they can provide more perfect information that can help us, sharing data, they can provide even some intelligence. Right. That would help you and I do our jobs. But the government's really got to stay in the world of doing what they are good at. And I'm not sure if I can offer a prediction, but I think what we're going to see here is another big round of political debate over cybersecurity because it's now a question of regulation and people have different relationships with centralized authority. They have different opinions. Right. Of regulation, sure. Well, I mean I still, I always.
B
Felt like I obviously don't have the political background of you, but you were the first person I called when I was going to testify before Congress.
A
You did a wonderful job.
B
And I was like, I gotta talk to Tom. He's got to tell me everything I need to do. And you definitely were a huge help to me with that. But it's like, to me, I just feel like it should be a bipartisan issue. It should not matter. It'd be, in my brain, compared to so many other things that are out there. But I think that it's still, it goes back to what you're saying of it ties into everything else. And that's why bipartisan is not my speed.
A
Honest to God. I used to. It's nonpartisan. Right. So I think what you and I are saying is that it should not be partisan or bipartisan. There should be some kind of nonpartisan consensus on how to best defend the.
B
Country and the businesses.
A
Sometimes it has to be said.
B
Right?
A
We have a system where we believe in the virtue of private property and we believe in the virtue of free market trade. And it's not right for you to walk into my house and do anything with, use, convert, possess my property. That's just not how it works in our system and our culture. Not every culture works that way. And so it's infuriating to us if others take unauthorized access to our network and our data. And if that's our kind of fundamental principle as a country, then we should be, in a nonpartisan way, trying to prevent that. Stopping the bad guy is defining the bad guy, and the bad guys are doing exactly what I just said. They're hacking us. We distract ourselves with all the other things that we talk about. At the end of the day, there's a keyboard operator, right. And that person has intent, they have tactics, they have an objective, and they have an incentive structure, and we can mess with that. I don't think we're going to avoid political debate on whether we should or should not regulate. Right. Whether the market imposes proper incentives or doesn't. That's an age-old kind of conversation. And the cyber world and your listeners are going to have to realize that that's where we are. It stinks. None of us have had to face that before. We've all just been best friends for 20 years. That chain of expertise that I talked about, people that work in both administrations, both political parties, we don't even think about it. We call operators, we're texting people and saying, are you seeing what I'm seeing? There's kind of this sub-community that was just righteous. Well, that's over. I mean, that still exists, but there's gonna be a partisan debate and there's gonna be a political debate on top of this. And for me, I prefer debate without the partisan rancor and all that. So the most disappointing thing for me is to see that this partisanship that's so ugly right now has now started to hit our community. And, man, that's.
B
I wanted to stay away. I was like, I thought we were immune. I was hoping for that to stay.
A
It's really weird. Me too. But, yeah, but listen, you know, people shouldn't be afraid to have an opinion.
B
All right, well, Tom, it's been an awesome conversation. Yeah, I mean, just the diversity between policy and tech. I mean, this is a world I don't think I ever thought I would get into. At least not when I was doing ones and zeros at the NSA with Steve back in the day. But, you know, now I found myself getting into your world a little bit. Now you're obviously full force in my world, which is really cool to kind of see both sides of the coin there.
A
Yes. And man, the student becomes the master. All sorts of praise and thanks to you, you're killing it every day. Unit 42 deserves a huge shout-out and I'm just thrilled and honored to be on this podcast. Anytime you need it, I'd be honored to come.
B
If you like what you heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Your reviews and feedback really do help us understand what you want to hear about. If you want to reach out to me directly about the show, email me at threatvector@paloaltonetworks.com. I want to thank our executive producer, Mike Heller, our content and production teams, which include Kenny Miller, Joe Bettencourt, and Virginia Tran. Elliot Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure, stay vigilant, happy reversing. Goodbye for.
C
Threat Vector listeners, this is David Moulton, your usual host, and I wanted to share an extra bonus clip here. It's a moment from behind the scenes as we were recording this episode that was just too hilarious not to include.
A
Hey, Mike, you know I changed all my passwords to Kenny. Now I have all Kenny logins.
B
Just Danger Zone. What Danger Zone?
A
Do you hear it? Kenny Loggins.
C
He's in the Danger Zone.
B
Not following it up. I'm not Loggins as an artist.
A
Oh, this is even better. You don't know. Kenny Loggins is.
B
I don't know.
A
It's fantastic. It's Kenny Loggins.
B
Fantastic.
A
God, I hope this is all giving. I want all of this in the podcast.
B
Anybody listening?
A
Kenny Loggins is a fantastic punchline. And Mike, just right over his head.
B
Right over his head.
A
That's just fantastic. Oh, man.
C
A big thanks to Tom for being such an awesome guest and to Sicko for being such a good sport about this silly joke at the end of our podcast. We'll see you next week.
Podcast: Threat Vector by Palo Alto Networks
Episode Date: August 28, 2025
Guest Host: Michael Sikorsky (CTO, Unit 42, Palo Alto Networks)
Guest: Tom Bossert (President, Trinity Cyber; former US Homeland Security Advisor; Distinguished Fellow, Atlantic Council)

This episode of Threat Vector dives into the evolving intersection of national cybersecurity policy and real-world threat interference. Michael Sikorsky, stepping in as guest host, welcomes Tom Bossert to explore how proactive, mid-operation interference with cyber attackers is transforming both the private sector's approach to defense and the larger policy landscape. Together, they examine why the industry's current reactive strategies aren't enough, debate the privatization of offensive cyber operations, and discuss the technical underpinnings of manipulating network traffic as a next-gen defense strategy.

Key Topics:
- Defining 'Offensive' and 'Defensive' Operations
- Limits of 'Hack Back' and Policy Levers

Notable Quotes:

| Timestamp | Speaker | Quote |
|-----------|---------|-------|
| 02:13 | Sikorsky | "Messing with them as they're trying to attack us is just such a pleasant thing... when you do incident response, it's already too late." |
| 02:51 | Bossert | "You'd have to be in government to do something that's directly intended to interfere with the adversary's operational outcome. But we found a way... that's legal, effective. It's just fun." |
| 06:11 | Bossert | "It's reciprocal. The idea here is that we're not going to do anything to impose any consequence on you unless you first start it... It's like judo, where you take the energy of the attacker back on himself." |
| 08:47 | Bossert | "If you don't eventually get tired of that and long deep back into some operational role where you can make a difference, well, you're not part of the solution." |
| 13:20 | Bossert | "If you can open up the network traffic and inspect it to a level of depth... where you were confidently finding them, their techniques... you can start to make a more manageable outcome." |
| 15:29 | Bossert | "We've ended up encouraging them to create more ephemeral IOCs because we're going after those IOCs. And so it becomes not only not effective, but it becomes a cost center..." |
| 21:25 | Bossert | "We're going to find the presence of the exploit in the content... remove that appended data from the traffic in flight so that what gets to the endpoint doesn't have the AI generated payload in it." |
| 23:20 | Bossert | "There is absolutely nothing that's going to change this current trend that we're on, other than the CISOs... taking the right action, seeking the right funding, applying the right sets of tools..." |
| 25:31 | Bossert | "There should be some kind of nonpartisan consensus on how to best defend the country and the businesses." |
| 27:43 | Bossert | "The most disappointing thing for me is to see that this partisanship... has now started to hit our community." |

Bonus Clip:
[30:10] The hosts share a light-hearted Kenny Loggins-themed password joke that goes right over Sikorsky's head, much to Bossert's amusement.

Takeaways:
This conversation highlights the urgency of attacker-focused, operational defense and the necessity for CISOs and security leaders to break old paradigms. Technical innovation, especially in manipulating traffic in flight and identifying attacker techniques rather than ephemeral indicators, even as threats become increasingly AI-powered, is the new frontier. Policy must catch up, but in the meantime, self-help, collaboration, and a willingness to "mess with" attackers within ethical and legal bounds are critical.

Tone:
Candid, passionate, and direct, with plenty of technical depth and a clear operator's mindset. The episode balances policy nuance with no-nonsense operational advice, punctuated by moments of humor and personal camaraderie.