Why Haven't We Fixed the Phishing Problem?

Kassouf Podcast Network Presents: Cyber Matters

Episode 9 | August 15, 2023 | 00:28:23

Hosted By

Russ Dorsey

Show Notes

In part 2 of our conversation with Joshua Crumbaugh, CEO of PhishFirewall, we ask the "billion dollar question" - Why haven't we fixed the phishing problem?

Joshua explains how attackers are using "big data" tactics, driven by rapidly evolving AI, to create sophisticated, highly adaptive phishing campaigns that easily get past spam filters, leaving users as the last, best line of defense. He goes on to explain how we perpetuate the problem by spending resources in the hope that better technology will prevent attacks, at the expense of better end-user training that would likely prevent more attacks.

We talk about how criminals are exploiting ChatGPT and other cloud services and technologies to launch their attacks at scale.

Watch us on Youtube.

To learn more about building an effective cyber awareness program, or to suggest a topic or guests, please contact Russ Dorsey, [email protected].

https://www.linkedin.com/in/joshuacrumbaugh/ 

https://www.phishfirewall.com/ 


Episode Transcript

Speaker 1 00:00:04 Well, uh, hello and welcome back to Cyber Matters with your host, Russ Dorsey. Um, I'm a principal and CIO of Kassouf and Company and Cyber Matters is part of the Kassouf Podcast Network. Uh, this is what we're trying to talk about, the, the cyber that matters both to, uh, us and our clients and our clients' businesses and their families. Finding those things about technology that, that impact us personally, um, but also to, to enrich our businesses, but mainly to stay safe. Um, so I have back with me, Joshua Crumbaugh, uh, CEO of PhishFirewall, uh, Huntsville-based company. Um, and, uh, you know, full disclosure, I said in the last segment, uh, they are a product that we use and that we recommend to our clients. Um, but we were talking about businesses. I invite you to go back to that episode and what businesses do to implement, hopefully a successful phishing program to make your employees, uh, cyber smart and safe against, uh, uh, phishing attacks.

Speaker 1 00:00:57 But with Joshua's background, uh, as a, uh, an ethical hacker, uh, having worked with, uh, with, with FINRA and the US SEC, uh, United States, uh, Securities Exchange. Um, he's been doing this a lot of years, um, and understanding what I do about this is that it doesn't, I mean, the, the, the threats are continuing. So I wanted to talk specifically about the threat landscape. I, I'm bringing you on camera now. Uh, I wanna talk specifically about the threat landscape and, and what we're seeing, uh, you know, as far as the evolution of, um, uh, the, of phishing, because you think it's one of those problems that we'd, we'd solve, but the bad guys are, are, are too good at it. They've got too much technology. And the other thing I think that's, uh, working against us is, uh, in my mind, we've reached this plateau.

Speaker 1 00:01:50 Everything makes news and it hits the news cycle and then reaches what Gartner calls the plateau of permanent annoyance. It's just one of those things. But the problem is, any one of these phishes, not phishes, one of these phishing attempts could lead to a ransomware attack, could take your business down, could lead to, uh, uh, business email compromise, and cost you a hundred thousand dollars. I mean, we, we're talking about a, a, a single mistake somebody can make. So the risk hasn't, hasn't gone away. We haven't seen the numbers drop. Um, but, but why, in your mind, what is going on in this industry that, that, that is continuing to make phishing such a, a prevalent threat, an evolving threat?

Speaker 2 00:02:32 I mean, it, nothing's really changed a whole lot. It's always been that the attackers are gonna go after the low hanging fruit. Now, there have been other lower hanging fruits in the past, but, uh, but as we get more and more secure, uh, from a malware perspective and from a technical exploitation or technical hacking perspective, um, that leaves one last low hanging fruit. Now, it's not that anyone ever stopped, uh, attacking humans because they've always attacked humans, because that's been the weakest link, the easiest, most guaranteed way to get in. Uh, partially because I only need one person to click. And if I send a hundred emails to your organization, I'm guaranteed to get at least one person to click and do what I want them to do. And so, uh, that, that's the reason phishing started out as a, uh, as a major attack vector.

Speaker 2 00:03:34 And that's the reason it continues to be. Um, and so it, it's, it's our, our users are not as, as prepared as they probably should be. And I, I really do blame it on that pervasive attitude in the industry that, you know, you can't patch stupid. And so often, not, not as much as maybe could be done is, uh, is being done to secure our human element. And, uh, and so what do we do instead? Well, we, we put in an endpoint detection and response tool that is designed to block the malware. Once somebody does click, we, we put in a firewall. Um, and all of these things are really good, must-have tools. Um, but at, at the end of the day, it's far better to prevent that from ever happening than to block it at the endpoint. Um, we want our, our reactive tools to our, you know, I guess our last lines of defense to almost never be used, um, not to become almost the frontline of defense, if that makes sense.

Speaker 2 00:04:40 So, um, that's why it's, it's a major attack. Why it's getting worse is technology has, has really, really changed the, the playing field. Six months ago when we started 2023, generative AI was good enough to write a paper for me or write an article for me that was okay, but it, it seemed like, you know, someone in high school wrote it for me. Um, it wasn't brilliant. It wasn't great. And then enter 2023. And it very, very quickly changes. And these models start getting a lot larger and a lot smarter. And, uh, and now current, I, an attacker can use an AI to not just develop a very compelling and convincing spear phishing email that's targeted, uh, toward you, but they can do it at scale, customizing spear phishing emails targeted down to the individual level. Um, and they can do it millions of times over. And that's where it gets scary, because a, it's more difficult to detect those because the traditional very technical forms of I, uh, of catching and spotting these malicious emails are not gonna trigger on those. Um, and so that's, that's why it's getting worse, you know, as somebody from overseas that barely understands English can craft an email that is incredibly well written and highly convincing.

Speaker 1 00:06:22 Yeah, I, I, I think that's a, a, a, a good, a good point there. We've always said, um, that English and especially, uh, Southern English, uh, gave us a little bit of an edge when we're reading email. That has always been part of my training. Uh, you know, if, if you're expecting an email from somebody that says they're down here in this region, you expect certain things to be said and not said in the email. Um, it's just, it's just the vernacular. It's just the, the, the dialect, um, that goes away now, because if I'm, you're right, if I'm sitting overseas now, I can say, I'd like to write this email, uh, as if I live in Alabama. And, and the AI, mm-hmm. <affirmative>, the AI can do that for you now. Uh, heck, it could probably write it in the voice of, uh, Nick Saban if we needed it to.

Speaker 1 00:07:05 And, uh, you know, and, and, and have it come from that, um, which would, which brings up the other, you know, the, the other side of that, which is that the, the way that they can fake and do things 'cause they're sampling all this data that they're, they're pulling outta breaches. We've seen emails come back to us that, um, by the time we did the investigation on 'em, they appear to be years old, some of them, but apparently parts of other mailboxes that got breached at whatever point, and they're just sitting out there in the ether. So every once in a while we'll see a wave of emails and it's, it's clustered around some things, you know, some, some, uh, you know, issues here that we know went on in, in the area, and this is with other organizations. Um, but here comes the same set of emails from, from 2010, 2011, but they've got, uh, you know, segments of our staffs, our people's that's got not on the signature lines, but paragraphs they've written.

Speaker 1 00:07:55 So those kinds of things the AI can look at now, right? And say, give me a sample. I can write you an email like your, your, your director. Um, so the more data we're putting out there, the worse we're making it for ourselves. And yes. And the ability for this generative AI. But I mean, I can't, I mean, uh, I, when, when you're talking about like ChatGPT, which seems to be, you know, the, the, what everybody talks about, it's not the only ada, uh, adaptive AI engine or, uh, and out there, um, but are they downloading these themselves? 'cause the thing about ChatGPT, I thought there were governors on it. I thought there was something, in fact, the other day I went and asked it to do something and they said, I can't do that for you. Um, but are they downloading these models themselves and running on their own servers? Or are, how are they getting around some of that that,

Speaker 2 00:08:42 Well, number one is, is most of the governors, uh, if you will, are put on the open web portal version of ChatGPT. The hackers aren't using that version of it. It, they are using the open API, uh, or the OpenAI, um, API key. Uh, and so with the API access that, a lot of those restrictions have been cut down. Hmm. Um, like we were able to easily use it to create phishing simulations for our platform without it asking us any questions. So I, I truly do question how many of those governors actually exist in, uh, in that corporate version of the product. And, uh, and, and why would it, it's, you know, it's a corporate version of the product of however, un, unfortunately, too often our, our enterprise or corporate or even small business tools are, are falling into the hands of the criminals. Yeah.

Speaker 1 00:09:43 And, you know, the is do we really even have is, is there even legal recourse for, uh, any organization to go after a ChatGPT or any of these platforms because they're not policing themselves better, or, or, that's probably a ways waste. 'cause apparently right now, there's no legislation that makes sense right now in AI anyway. It, it's happened so fast, nobody's prepared to, to deal with these unintended consequences. Right. So, um, I, I'd heard, yeah,

Speaker 2 00:10:13 I'm not convinced we have anyone in, uh, you know, in, in DC that, that truly understands the complexities of this, uh, of this issue and this problem. Um, so I, you know, I, I know there's gonna be a lot of expert testimony in the coming years about, about it, but, uh, like, I don't know the, the, just the thought of, uh, of, of, you know, trying to have a, you know, trying to get to the bottom of this and, and just figure out how we want to legislate it. And, uh, and coming to a consensus on it just seems like a massively daunting task. Um, I do, I do think that it needs to happen because while there's no threat now, um, you know, look at where we were six months ago. Look at where we are now and, and just how much more intelligent computers have gotten. I mean, six months ago, I, I, you know, computers could help me, but I was still the brains behind it. Now that computer can be my $300 an hour consultant and do a great job at it all day long. Yeah.

Speaker 1 00:11:18 And, and getting back to the platforms, you know, that this idea that, uh, you know, the, the, the e, even some of the longer standing platforms, when you're talking about Dropbox, I saw, um, there, there, there've been attacks using the file sharing in Canva. Um, but like SendGrid, which I just shudder, in fact, I just block everything from Shin, uh, SendGrid in our filter. And then we look at it and there's some legitimate companies that use SendGrid, but apparently SendGrid has no motivation to keep the bad guys from using them as well. 'cause there's a lot of junk comes through there. Um, so I, I, I, I think, think you're right if you know the more legitimate quote unquote, but it amazes me how many, uh, G, Gmail accounts still get stood up by bots. You know, you think, you think Google would be on top of that by now, but I know that most of these that we see are, you know, are not hacked mailboxes. It's just, again, they're still able to go after these systems, which should be pretty well controlled, and they're still able to stand up thousands of Gmail accounts, I guess, use 'em for a few minutes until Gmail. Finally. I mean, what, what goes on there? I guess Gmail cleans this stuff up as quick as they can, but they're just overwhelming these platforms with volume, right?

Speaker 2 00:12:27 Uh, they are, I mean, these bot accounts can do a lot of things. Anything from command and control to data exfiltration to just, you know, being used to, uh, go, uh, follow people or send email or, uh, whatever task they can possibly imagine. Um, so yeah, I mean, they're, they're definitely trying to shut them down, but it's, it's, it's not as easy as it sounds. You'd think that every bot would have a similar signature, but the bad guys are, are creating legitimate traffic looking at it and emulating that when creating these things. And then they can do it at scale from a different IP address every single time. And, uh, and, and it, it makes it very difficult to, uh, to shut it down. Um, I actually think this is one of those areas that, uh, that these large language models might be able to assist and, uh, and, you know, performing, uh, well, a identifying, uh, correlations between accounts that a human eye might not catch, um, and other things like that. But also, uh, just to very, you know, to provide that quick analysis of all the data. Well, which ones should we red flag that need a human analysis? So, um, I think sometimes the, the problem itself, uh, resolves the problem, or can be the solution to the problem.

Speaker 1 00:13:52 Yeah.

Speaker 2 00:13:52 Yeah. It creates a lot of problems, but it's gonna create a lot of solutions too.

Speaker 1 00:13:56 Well, that's, that's, that's true. And I mean, and, and, uh, you know, I, we see, you know, I, I, I, I think G Suite and Google have had the better reputation for years as far as, uh, the controls. And I, I'm sure the volume of data, they're able to look at every few minutes they're able to see these, these attack patterns. But, uh, I've noticed Microsoft, uh, 365 gets smarter, uh, in its phish detect, you know, and is phish detecting. So if, you know, using either one of those platforms, you know, go in and make sure that you've turned on those things, uh, you know, those, those filters, e, either personal or for business. Um, but that gets us down to, again, the, you know, the spear phishing when you really do have, uh, you know, a lot of money on the line, and it's enough for the bad guys to slow down and focus on you specifically.

Speaker 1 00:14:41 'cause now they know they've, th, through, through a breach or somebody clicking on something, they, they've now injected themselves into a, a, you know, a thread for a nonprofit that's just doing grants. And there's a couple of, you know, half a million dollar grants at, at play. And so they're able to, to, to come in. That's where, again, those, uh, those conversations and them having that backend access to an AI is going to pose a new threat for us. 'cause now all of a sudden you've got something intelligent. You know, typically if we had a, a business email compromise, a CEO fraud here, where they're trying to do a wire transfer, some, something's wrong in the language, uh, you know, they, they, they might've gone and stripped out the phone numbers or done, you know, done those things. Uh, but when you reply back to 'em, the re, replies, you know, have never been very good. Um, but what if the AI's able to give you back a very, uh, context driven reply saying, oh yes. Oh, yeah, yeah. Right. So are, are, are we seeing that yet, or is that still a week away since everything's moving so fast, are we gonna see that next week or two weeks out? <laugh>?

Speaker 2 00:15:39 Uh, no. We're already seeing that, uh, intelligent replies, uh, almost instantaneous. Um, but just enough of a delay that it seems humanistic. Uh, so no, that, that's already happening. Uh, the, the rise of the machines, Skynet, uh, if you will, <laugh>, um, that the threat is real. And it's, it's happening right now, but it, it's not, you know, the, the Skynet version or whatever. It's, it's the bad guys weaponizing these technologies to hack us. And, uh, you know, earlier we were talking about the governors on these, you know, ChatGPT, uh, type programs. But the reality is, is I can build a completely unrestricted large language model and have it run on my laptop right here, um, that can do as good of a job as, uh, GPT-3.5, which is the, the free version of it. Um, and if I want some serious horsepower, I can get very close to what GPT-4 can do. And so, uh, you know, it, it's, uh, it, it, this doesn't have to be run from the cloud anymore. It's, uh, it's been modularized and, uh, and anyone can have a large language model running on their computer, doing their own bidding. Yeah.

Speaker 1 00:16:54 And, and, and so most of the time the, you know, the attacks that come through that we still see, um, are really just stealing more credentials. It's like they're just constantly harvesting to see what they can get into, spread more mischief, get into more mailboxes until they finally hit that, you know, that white elephant thereafter. Um, and then they can focus on that. So that's the tactics. So most of these, I mean, if you get a, Hey, your password's, uh, expired, you know, from Office 365, that phish, they're typically just getting back so they can get your Office 365 credentials. So certainly you do MFA, um, you do it smart, so you're, you're actually having to key something back from your phone and hopefully have some biometrics on your phone to get that, that fourth identifier there. Um, but if they're, again, really focused on an organization and, you know, don't have any success with that, I mean, what else are, are you seeing where they will come specifically after an individual, maybe they've got a little bit of information from on social media. I mean, this, this is the typical CEO fraud thing, but are, are they finding new ways to find Betty in accounting or do, do those kinds of things if they got more tools now to help them find their targets?

Speaker 2 00:18:08 I would say so. I mean, uh, typically within just a day or two of us hiring a new employee, uh, that employee will get a text message from a local number pretending to be me. Huh. Um, and, uh, and it's happening across almost every single new hire, which tells me that this is something that is, you know, fully autonomous as some sort of AI behind it. Um, so, uh, uh, they'll, they'll get very, very targeted now in, in terms of what I'm seeing them do. Um, the biggest thing that I've seen in the, the highly targeted, hey, we want you lately is, as opposed to trying to distill your credentials 'cause they have somebody's credentials, um, it's bypassing MFA, that's the hardest. And so what they're, what the spear phish has become now is convincing you to scan that barcode from within your, uh, your authenticator app.

Speaker 2 00:19:06 Hmm. Um, so that they can quite literally take over the, uh, the authentication and, uh, and have that MFA. Um, and so when, and that's, that's the biggest one that I'm seeing. And now they can use your credentials again and again and again. Um, but there's also some targeted ones where they will do a, uh, a relay attack. Um, it's, it's all the common stuff, uh, of sending you to a login page. What, what typically changes is they'll take some sort of very, uh, proprietary insight info that they've been able to get their hands on and use that to as their premise to get you to go there somewhere or do something, um, and, and often through compromised, uh, business accounts. So it's, it's not even, it doesn't look malicious. It's, you know, it's from your vendor that you work with, you know, on a regular basis.

Speaker 2 00:19:59 Um, but yeah, those are, are the, the attacks. And so it's really important to watch where you're at, uh, and where these emails are coming from, and don't just go scanning QR codes and on, on one side and on the other side, uh, make sure that you're actually at Microsoft before you start entering your multifactor, uh, or your one-time passcode, uh, or clicking, uh, uh, you know, accept on the login, because there are a lot of ways to bypass that multifactor. And just because you have it, it doesn't make you 100% safe. And it still comes back to knowing the threat and, uh, and being suspect.

Speaker 1 00:20:36 Yeah. I, I've, I've, I've questioned, uh, the, the QR codes myself and, and obviously they're very convenient. Uh, but it's one of those things people think they're minted someplace, so they must be legitimate, but you can go generate a QR code for anything. Um, I, I remember during the World Games, uh, they, they flew a QR code by with the drones, or it was, it might not have been at the World Games, but it was during that time period. And I was like, well, what did they just do to that stadium full of people with that little trick? Right? Yeah. You know, <laugh>, uh, so, uh, that's, that's, that's an interesting point. I didn't know they were doing that with the, with the codes of the MFA, that, that, that makes sense. Um, but again, it gets down to that trust factor. Why would you, I mean, it's, heck, we'll, we'll pick up anything, won't we? If, if somebody lays it in front of us, we'll pick it up and take a look at it. Right. That's just human nature. That's, that's just the curiosity of,

Speaker 2 00:21:26 It's not just that. I mean, there are these things called cognitive biases, uh, and there's, there's quite literally hundreds of them, but there's like 25 really common ones used in phishing attacks. And, uh, and, and each one of these cognitive biases, it's just a mental shortcut that people use every day to make decisions. They don't realize they do, but they do. Um, and so things like fear of missing out, uh, authority bias, things like that help, uh, help people make decisions. So if they think this email's coming from their boss, they're going to do whatever it says regardless of how stupid it sounds, um, because it's, you know, it's coming from their boss, and that's the authority bias. Uh, but there, there's so many others that, uh, that can be, you know, pre, preyed on. And, uh, and so it's, it's all a matter of finding out which one you are most susceptible to.

Speaker 2 00:22:19 Um, and we're all susceptible, even, even people like myself are, are potentially susceptible to phishing attacks. I mean, I like to think I'm one of the least susceptible people in the world, but I, I guarantee if you send me the right phish, you may be able to get me to, no matter how careful I am, no matter all of it. Um, and so, you know, part of this just becomes getting our, our people to, you know, at that very secure level, um, to where almost nothing gets through. And, and hopefully when somebody does accidentally fall for one, it's one of ours instead of the bad guys', and we caught the click instead of the bad guys. Yeah.

Speaker 1 00:22:55 Um, just, just, just, and encapsulate all that again, for, for, for those listening. I mean the, the, you know, the, the, the current threats, and I don't have a, a graph or anything to put up, but, um, credential stealing is probably the most prevalent because that's what they need is more credentials. More credentials. Um, you know, the, the, the crypto, you know, malware driven, click this link for something malicious. You know, those things, uh, you know, coming in as attachments, usually it's the PDFs with, uh, a passcode on 'em. I mean, those things are, are, are easier to spot. Uh, you know, the, the, the, the things they embed in, uh, odd attachments. So if you're not getting a, um, a, uh, uh, you know, a Word document or an Excel document, but, uh, I know there was a, um, a, uh, uh, an attack recently.

Speaker 1 00:23:41 This was not a phishing attack, but they, they, uh, Barracuda got into trouble last month, uh, with their appliances, and it was their email, uh, protection appliance, but the bad guys were sending, uh, TAR attachments, which is a, a Unix backup file back through the interface. Um, so as the system scanning the email through the, through, through the SMTP thread, which I didn't even think you'd attack SMTP, but there was a vulnerability there they'd found. Um, but you know, if I'm sitting there watching my inbox, it's the weird things that they're gonna send you. They're just unusual. I mean, it's the, you know, uh, odd file formats. Why am I getting a, um, an RTF file from this person, a rich text format file, and they usually send me a DOCX, right? Um, but those kinds of things that have malicious, uh, you know, content in them where then they, it is, like you said, then that has to fall back to the secondary, the, the malware protection, but the real losses are still coming through straight up, uh, you know, theft by deception. They, they're gonna hook you with that email. Uh, but, uh, you know, the, the business email compromise, uh, wire transfer fraud, uh, where they intercept the email outpaces, uh, ransomware by, I think, uh, I've heard 29 to one last year as far as loss. Oh,

Speaker 2 00:24:54 Absolutely. That's all. I mean, not all. I guess we saw a few ransomware attacks last year with our, uh, not with our clients, uh, our, our client, I guess, uh, the people that became our clients after they had some sort of issue. Um, but last year, the, the predominant thing, or, or force that, uh, that drove people to call us, uh, was exactly that the business email compromise attacks, um, that they're, you know, they'd rather get in the middle of a wire than, uh, than ransom and extort because it, it's getting far, far more difficult to pull off a successful ransom and extortion. Yeah.

Speaker 1 00:25:31 And, and, and the other I, I was informed, uh, last week was that the, uh, the, the investment scams have, have gone past, uh, even, uh, the wire fraud scams. Um, and so that, that, again, for, for anybody listening that's got, you know, money and savings, or you've got, uh, uh, you know, uh, parents or, or elderly, you know, aunts, uncles, that's where a lot of our nation's wealth is, is with people that are 50 years and older. They're at that point in life, and they're so susceptible to this. Um, and you're not even having to click on anything there to get engaged with the phish. You're just, you know, the, the phish, you know, the, the phish comes and it seems like a legitimate offer. Uh, and then the, and then the, the con game starts. And again, if it's either a person on the other side that's, that's earning your confidence or an AI on the other side, earning your confidence, um, then somebody winds up losing 200, $300,000, their life savings, through one of these longer, I, I think the term I heard was pig butchering, but it's basically any kind of investment scam.

Speaker 1 00:26:31 Well, you know, the, the crypto scams, the stuff that came through with c o D. So understanding the topicality of these things, um, even for us personally in and in our lives. Um, we've, we've, we've come up on an hour and I, I, I can't, uh, thank you enough for, for, for giving me time outta your busy schedule for this. Um, have you got any closing comments or anything as we, as, as we fade to black here? I mean,

Speaker 2 00:26:55 You know, just that, uh, email security, security awareness as, as a whole's so critically important, uh, within our organizations. Uh, but we do have to be careful how we deploy that, because when we create punitive environments, uh, it, it's, it's counterproductive and can actually make people more susceptible. And so, uh, it's important that we do something, but, uh, but it's important that we do it in a way that is friendly and nice and rewards our people instead of just punishing them. Yeah.

Speaker 1 00:27:26 Well said. All right. We'll, uh, we'll, we'll go ahead and, uh, and, and, and wrap here on part two. Um, I, I wanna thank everybody again for your time. Um, I, I love these, uh, second segments where we kind of can get deeper into things. Uh, so, and, uh, and, and, and try to keep this informative. Uh, but, but Joshua, thank you again for your time. Um, again, I encourage you to look, uh, at, at PhishFirewall, uh, or, you know, and, and the products you're using, take a deeper look into them as well. If you, if you picked up some good tips here, take a, you know, good look at the products you might be using. If it's on those default settings, you might go in and find there's some, some, some jewels there that you can, can turn on and implement to make that product work better for you. Um, but again, I'm Russ Dorsey, CIO of Kassouf, and I wanna thank you for joining, uh, and joining us for today's episode of Cyber Matters.
