Transcript
Narrator:
Welcome to Cyber 909, your source for wit and wisdom and cybersecurity and beyond. On this podcast, your host, veteran chief security officer and cyber aficionado, Den Jones taps his vast network to bring you guests, stories, opinions, predictions and analysis you won't get anywhere else. Join us for Cyber 909, episode 25 with Scott Hellman.
Den:
Hey folks, welcome to another episode of Cyber 909, your podcast for random cyber leadership, wellness, whatever we could. That list could go on forever, but the good thing is every episode we bring in some exciting guests and friends of mine from our network, and I'm blessed to have now this guy, friend, mentor, agent extraordinaire. I don't know, Scott, can I give you any other accolades, but let me introduce Scott Hellman, special agent with the FBI. Scott, why don't you introduce yourself better than I did?
Scott:
Obviously you've gone overboard yet again. I've been an agent with the FBI for almost 17 years, all 17 of those years working or managing various different types of cyber investigations from anything from criminal style like ransomware, business, email compromise or data breaches to various different nation state threats. I've spent my entire career working them, managing them, being interested in them, and just very obsessed to the point where I certainly still enjoy talking about them on a regular basis daily.
Den:
Yeah. So you were recently wrapping up a keynote for Cybersecurity Summit, the conference in Santa Clara. I mean, you guys do a lot of these kind of events and stuff. You're out there trying to raise awareness. Can you share with us what were a couple of the themes that you were sharing with the audience that day?
Scott:
Well, I think you bring about awareness and yes, I'm going to talk about themes. I think the awareness piece is so important, especially from our perspective because we get well over a million reports a year of different types of cyber crime. There's no possible way that we could investigate each and every one. There's just no way. And so a huge piece of what we try and do is bring awareness to the various different threats that are out there because I mean, frankly, it's like a crowdsourcing effort where you've got to have people that are aware so that they can be taking their own measures to prevent these things from happening to them. In terms of the things we're seeing, I think about it from two perspectives. One, what are the most common things we're seeing, and then also what are we starting to see a little bit more of?
The common things we're seeing are things that we've seen for many, many, many years. Tremendous amount of phishing attacks, hundreds of thousands a year, and that hasn't really changed. We saw a slight dip in our dataset this year, whereas last year we got about 300,000 reports, and this year it was about 200,000 reports. So I guess a third is more than a slight dip. I don't really have a good answer for why that is, but depending upon who you talk to, the reality is phishing is still a primary vector for many attacks, so that hasn't really subjectively changed. We see, if I'm looking broadly at cyber attacks like technical intrusions along with different types of internet fraud, of the maybe 22 billion in financial damages that we saw in 2024, somewhere in that range, a good chunk of them come with some human-based elements, some fear-based attack against people.
So for example, if you look at the standard tech support fraud, it is, you get a popup, it says your computer's been infected with some sort of malware, click here or call this number and you call the number and you are tricked into providing sensitive information, banking records or transferring money, things like that. And it's that very common fear-based attack that we see involved in a wide range of different types of attacks. I mean, tech support fraud alone, that was a billion and a half dollars in 2020. So I mean, yes, we still see lots of ransomware, but when I say lots, let's put it in perspective, the simple types of attacks, phishing hundreds of thousands because it's cheap, and if you don't win, as in nobody clicks on it. No one's coming after you as a criminal. There's just too many of those for us to, we can't arrest every single person who's doing a phishing attack on the far right, which is okay, there's been a phishing attack or some sort of breach, and then there's pivoting and there is exfiltration and encryption, all the things that go to a ransomware attack.
There's a lot more steps there. You need a lot more infrastructure, and you've actually won at that point. If you're the criminal, right, you've succeeded. And so we see, let's say 3000 plus of those types of attacks get reported. The impact is dramatic, of course, if you're a victim. But when you look at those two numbers, 200,000 phishing attacks versus 3000 or 5,000 ransomware attacks initially, it seems like, well, there's not that many, but of course if you have 3000 companies that just had their infrastructure completely debilitated or substantially debilitated, the impact is huge and the financial repercussions are huge.
Den:
Sometimes we're talking about schools and hospitals, there's no amount of insurance really can cover the impact of some of these events because sometimes it's like it could be loss of life or it could be delayed care. I mean, there are some really nasty, nasty outcomes now in the background, certainly in the phishing, I mean, there's whole business ecosystems built up around this, right? Phishing as a service. So it is crazy to think that these criminals actually have backend support services that help them. I mean, what do you guys see there?
Scott:
Any other business that is trying to grow there is the potential for outsourcing various different services. So whether it's ransomware or data breaches or business email compromise, they all have been heavily relying on cybercrime as a service this industry for the last many years
Den:
Because
Scott:
It props up the whole industry. You're talking of course, malware as a service, malware developers, access brokers, we see as a big one, I'm a criminal and I'm interested in gaining access to network, whatever. I don't have to do my own recon and resourcing. I can go and pay someone for credentials. I can pay someone for known vulnerability, things like that.
If I am a ransomware actor and I get paid my two and three quarter million dollars ransom payment, I've got to launder that money in some way. So maybe I'll go to a money mulling as a service where you've got tens of thousands of people around the world who are either witting or unwittingly participating in money laundering by essentially many of them are victims themselves and not realizing that they're helping to funnel money through their legitimate bank accounts. Phishing as a service, crypto mixing, you name it. I mean, all of the services are out there for people to use for sure.
Den:
Yeah, and the funny, so I heard this that a couple of years ago, I don't know if it's still true, but if in a phishing attack they send a million emails out because they get emails off the dark web automated service, they send a million emails out, and I think the return rate of people clicking those links was about 5%. I don't know if that number's true, but you guys have any stats on the number of people that click based on what gets sent out?
Scott:
That's a great question, and I think the number will have to change depending upon the situation, right? There's so many variables. If you think about any companies that you've worked for have the phishing practice for the internal employees for phishing awareness and cybercrime awareness, those numbers change depending upon, I mean, there's too many variables I think to really map it's going to be time of day, the specific person, what was going on in that individual person's life that might be distracting them? How convincing was that particular email? How much fear did it stoke in 'em? And the reality is, of course, you only need a very small percentage potentially to be successful. And again, as I mentioned before, if you're not successful, it didn't cost you very much. You're talking hundreds of dollars for some phishing campaign, and if you didn't win that time, you're going to just keep trying again because it is a very overall represents a vector for almost a third of the attacks that we see.
Den:
Yeah, so I was just thinking, a couple of things came into my head actually. One was, oh, my marketing campaigns can't be too bad because our open rate of a marketing email is about 20%. That's not bad. And I know that with the advent of AI, there's going to be more personalization, the grammar's going to be better, the ability to scrape information off the web that links you and me together and says, Hey, so I think the future, it's going to be crazy. That success rate is going to be way higher for the bad actors, which means the defenders are going to also have to think of leveraging AI and as part of their defense strategy, we'd be remiss, I guess, if we didn't talk a little bit about AI. So what are you guys seeing from an AI perspective that either concerns you or excites you?
Scott:
Great question. We'll talk about both. I totally agree with you; I'm absolutely confident AI is being used to enhance phishing and social engineering attacks. It's really challenging though, to identify number one, AI doesn't always, some AI enhanced attack doesn't always come with some obvious flag that says this phishing email was created with this LLM, right? Those things, it requires a lot of digging, and even when you're digging, you may not, excuse me, be able to identify whether or not AI was used. We can make some assumptions, but like you said, also AI tools, defense tools are also being used to prevent against those types of phishing attacks. Let's talk about first, here's an example of something I've seen recently and then we'll talk about something that excites me and something that makes me scared. Something I saw recently. So we can talk about, it's likely that attackers are using AI.
Here's a place where we know they were. We have an attacker identifies a company that has a browser plugin, and this happened to multiple companies by the way. They identify that there's a browser plugin that's of interest that they essentially want to compromise. And so they craft this phishing email that essentially says, Hey, we're writing from whatever place where this browser plugin is hosted, various different online stores we're writing from the online store where your browser plugin is hosted and you are in violation of our policy. And the policy was relatively benign. It was like your written description of the browser plugin was too long, and so you've got to reduce it down to X number of characters, and if you don't, your browser plugin is going to be pulled off of the store. So this goes with phishing email. There's so many elements of this I think are interesting.
So it's a relatively benign ask, but also creating this sense of fear that your product is no longer going to be accessible by your customers, so creating some risk. And so the phishing email gets sent to a relatively generic support email at the particular victim company. So the support person receives this and it's not something that they would typically deal with and they don't really know what to do with it, but there's no action for them to take in this email other than I've got to find who the right person is to send this to. So they send it to someone else. And think about as soon as you receive now what looks to be an internal email because support person is forwarding to someone else, the someone else who receives it stops thinking of themselves as the gatekeeper for spam and phishing because now they're receiving something internal.
It gets forwarded X number of times. I don't know exactly how many, but it ends up in the hands of some executive to say, Hey, there's a problem. The browser plugin's going to get pulled. Go find the person whose job it is to deal with. This executive sends it to an engineer, engineer sees and is like, oh my gosh, I'm being tasked with this very short timeline turnaround task. I've got to do this because my boss is telling me to do it again, not seeing themselves as the initial gatekeeper of email coming into their system. They click on the link, essentially, they think they're providing this shortened description, but what they're actually doing is providing access to the online store to the attacker. So the attacker goes in, pulls out the legitimate browser plugin, puts in one that is malware laced, and now all of the customers that would automatically download that updated browser plugin get infected.
And so what does the infected computer do? An interesting question, I think in this particular situation, the infected computers would look for various different types of secrets on the infected computer tokens, usernames, passwords, hashes, things like that, scrape them all and pump them out to a command and control server. But also what's happening on the backend is a list of all the things that were stolen is sent out to another, to an LLM to summarize the take, to summarize what was stolen and send that also to the attacker. So here you have a phishing campaign, which leads to a supply chain attack, which then uses AI to augment the attack and make it simpler for the attackers to understand what they stole. So that's not something we see every day, but that's here, that's what we're seeing, and I think we're going to see more and more and more AI touch attacks in various different ways, whether it's developing malware or whether it's just an enhancement tool we all use for our day-to-day operations.
Den:
Yeah, and do you know what's interesting? Because the signs of a scam is evident at the very beginning and all the way through the chain, there's a sense of urgency and there's a sense of urgency. It was unexpected, and there's a click a link. Those three things, when they come together, generally speaking, you're like, wait a minute, let's pause. And then the advice we always give people is don't click the link, go to the official website of the place and then log in officially and see if there's any notifications there or contact their support directly via the official site. But the CEO or some exec shooting that email down only heightens the sense of urgency and the level of stress.
Scott:
That's right. Well, and then there's two things that come on the back of that, which is with a sense of urgency and stress, your brain stops thinking nearly as logically. It's a call to action now, a call to action right now, it's not call to action. Think it through, come up with a game plan. Oftentimes it's being told to do this, your brain is put under stress and then stops thinking very logically and goes straight to action. I'm going to quickly backtrack on something I mentioned. I said that AI tools are often used for just normal productivity, and I said we all use in our day-to-day operations. Just a quick caveat, the FBI is obviously looking into a wide range of different AI tools for various different use cases, but we are doing it with a tremendous amount of caution. I just wanted to make sure I caveat that, that it's not just like
Den:
Legal disclaimer, FBI aren't using ChatGPT in order to blah, blah, blah, insert some shit
Scott:
Here. We are taking things very slow and methodical and at the same time, I meant broadly, we as a country, a community, a world are globally using it for a variety of,
Den:
Yeah, that is a good call out, Scott, just to avoid any legal action, I guess, or any grumpy people. Any misunderstanding, any misunderstanding. Now the one thing I think of AI, and keep me honest here, I think of AI not necessarily changing the attacks, but I think of it speeding them up, enhancing them, making them more effective. So the normal defense mechanisms that we've been talking about before, I think they still apply. Absolutely. I think in order for us to keep up, we're going to want to leverage AI in our technologies in order to speed up and trying to, because it's a cat and mouse game really, right? I mean, am I reading that right?
Scott:
You absolutely are. We're talking about scale and speed and automation are really a lot of the things that AI brings to the table currently on the phishing and social engineering side, the only real new things are deepfakes, right? I mean anybody, if you took your time or found someone to correct your grammar in emails, you could have done that prior. Now it's just way easier and faster. And I agree with you that thinking about what AI tools are out there to help combat fundamentally what you're talking about, just look at phishing. You said all of a sudden now we don't have the bad spelling and grammar. Those are things that sort of pull your brain out of, to take a theater term, it's like breaking the fourth wall. You're sitting there reading an email and you get sucked into it and believe it's reality, right?
Until you see some weird spelling and you're like, that's not something a professional company would do. And it sort of breaks that fog, but without those additional cues, it becomes harder and harder and harder to pull your brain away from believing that it's reality. And so there are a handful of tools out there that I think are really interesting. So for example, there are many email tools out there to help with the goal of reducing the number of phishing or malicious emails that end up in front of customer eyes or people eyes, and some of them are designed to do essentially, I think what's called sentiment analysis is review the content of the text and say, Hey, by the way, there are a lot of words in here that are designed to elicit fear or urgency, and I think that's a really fascinating, just those types of tools I think are particularly interesting.
Den:
Yeah, I'm taking a couple of notes here. I look at this. Okay, so if a lot of the attacks are just the same, they're just enhanced the defense techniques. So you and I, we talk about things like zero trust. I mean, I got involved in Adobe 2017 on our first zero trust initiative. So there's things like that I think that really help. I mean, what's the best advice you give to companies to thwart the attacks on how to defend themselves? Let me hear the top three.
Scott:
Top three. Well, certainly of course, I can't recommend any one particular product, and I'm not even in that game to say, Hey, I've tested these empirically.
I think ultimately what I'm looking at if I am a protector is what am I really protecting against? If we're talking about prevention, it's prevention. Let's say for phishing, the first thing I want to prevent is the email from even coming in the door. And if I fail at that, I want to prevent somebody from clicking on something or responding. So you're talking about an initial filter and then something that flags for my reader, but let's say they click okay, the attacker's goal is to escalate privileges, pivot around the network and ultimately take something of value and then maybe deprive access to it. And so it's all to me, you want to look at things that fundamentally prevent each of those various steps, prevent the email from coming in, but then let's say we fail all the way through and the information goes out the door. That data is valuable to me as the victim typically, because it's all about the main CIA security tenets.
Den:
It's
Scott:
Going to be confidentiality and integrity and availability. So I have to plan for my data went out the door, I still need to make sure it's available to me. My data went out the door. I still need to make sure that it's confidential to me, and how can I think about that point? It's not just about remediation and rebuilding a network. Did I have effective backups and therefore, even though my data went out the door effective, I know is a broad term, did I have effective enough backups that I don't feel beholden to have to pay a ransom because I still have data availability intact? I think there's really interesting technology out there that's looking at data level encryption, so that information goes out the door, but there's still key information inside documents or what have you that is protected. So it's about prevention at every level of an attack, and I think that there's no one right way to do it. The problem
Den:
Is
Scott:
If there was, we wouldn't have RSA,
Den:
We
Scott:
Would just have one company that provided a tool and we'd all use it, and there would be no cyber crime, but that doesn't exist.
Den:
I was going to say, when I think of RSA, I think of the meat market, which is the conference with about, I don't know, a billion vendors. I mean, I'm obviously exaggerating the number, but you could walk around that vendor hall for four days and you can't talk to all the vendors in time and nor would you want to actually. So one thing that we mentioned earlier, and you and I love this topic of emotional wellness and how do you, oh, now also in our offline conversations and the FBI in your roles, so you were a hostage negotiator at some point. Did I
Scott:
Get that right? I was on the hostage, the crisis negotiation team. Yes.
Den:
Right.
Scott:
Yes.
Den:
So that's a very emotionally charged situation generally, I would think. Sure. When we think of cyber crime and cyber protection and incident responders and people that have to deal with child porn and just all the nasty shit that's out there from an emotional wellness perspective, how do you think people survive and thrive and don't burn out on this? I mean, what's your take there?
Scott:
Are you talking about people working in a SOC? What
Den:
Role? Yeah. Well, it's funny because I mean, there's such a broad range of roles. So you're under pressure as the CSO, and if your company's under attack, and I've been involved in those and I've known a lot of those people, then you're under an immense amount of pressure if you're working the SOC every day and you're dealing with daily attacks. So I think I'm generalizing it right now. I mean, I'd love to have you back on the show and we just talk about wellness and the emotional side of this, but generally speaking, I mean, how do you think people survive it? What mindset or what tools would you recommend or consider?
Scott:
Well, actually, if it's okay, I kind of want to push further left because talking about within the confines of an incident or a breach, I'll address that since you asked the question. One of the things that's a very common role for us to play is a company gets breached and there's a massive ransomware attack and they call us. And the reality is that if we could just come in and provide all of the tools to fix the situation like a decryption key and what have you, then ransomware wouldn't be a thing. If it was that easy to defeat, it wouldn't be a business
Den:
Illegal,
Scott:
But it wouldn't be a business. And so a lot of what we are doing when we're interacting with a business with a victim, our primary role is to collect data to investigate. We want to collect IOCs. We want to find out who did it, what infrastructure they're using, where they're storing their money so that we can hold them accountable however possible, whether it's seizing infrastructure funds, actually seizing a person, if that's a possibility, if we can arrest someone. But while we're doing that, in order to get access to that data, we're just sitting and listening to the CISO. I mean, we're an ear because we understand they are in the middle of a hair on fire emergency, and it's really hard for them to have someone on the outside understand what they're going through. But we've seen it so many times, and so it's not necessarily, we're not providing a very functional logistical service there. But I remember listening to a speech given by a woman who was running the response at MGM when they got hit, and that's a big piece of what we offer is yes, we're investigating, but we also are an ear because we understand what's going on. I'm going to push further left
When we talk about where does emotional wellness come into play from at various levels of a cyber crime, and again, phishing attack or social engineering attack, one of my favorite stories to tell is a true story. Employee gets a phone call from someone purporting to be from HR, and it's like, Hey, Den, I'm calling from HR. And unfortunately somebody reported that you posted racist statements on an online forum, and you think about how that person was feeling and what they were thinking. And probably what's going on is they're going into a fight or flight state where they're very worried. Their brain stops thinking logically, it's dumping stress hormones throughout their body, and their body is saying, you need to get out of this situation. Now, call to action right now is what we talked about before. And I think the only way out of that situation, one way out of that situation, and you're talking about how do you navigate through or how do you survive, is talking about, we talked about sense of urgency.
How is that employee going to recognize that they're feeling a sense of urgency? Because primarily what they're focused on is, I'm going to get in trouble. I'm going to lose my job. I've got to deal with this situation, get out of it. But they're not necessarily thinking cognitively in a sense of presence. I am feeling anxious. There is a sense of urgency. They're just thinking about this crafted situation. And I think the only way that you would recognize that I got a phone call and now I'm feeling anxious, and that should be a red flag, is if you have some element of mindfulness in your daily life,
Narrator:
And
Scott:
That could be something that's talked about at work, and it's not simply just about cyber crime. It's encouraging people to take a beat and examine themselves at any given point in time. Am I racing through my work? We all do better when we take a little bit more time. We all usually can perform at a higher capacity or what have you. And just think about how that situation, I mean, she was on the phone with these people for five hours before she came out of this fear state, and by then it was 7 million pieces of PII out the door. But imagine how that story would've been different if that was something that was talked about regularly and how do you even know that you're feeling that sense of urgency is well, you've got to practice taking stock of what's going on internally, we're talking 50% of all the cyber crime we see has some fear-based element. This is not some crazy thought. It's how do you get people to pay attention to what's in front of them and what's inside them? Because that, to me, very clearly statistically plays a very large role in how many breaches occur throughout the year, whether at the corporate level or on the individual tech support scam
Den:
Or
Scott:
Investment scam level. I mean, you're talking billions and billions of dollars that comes out of these types of initial scams.
Den:
It is crazy. And I think, I mean, you hit the nail on the head on the whole emotional, the anxiety thing. So we wrote last year a small ebook on personal protection from cyber crime, and one of the sections is how to notice a scam. And I think the reality is people don't know when they're being scammed.
Scott:
That's exactly right.
Den:
They get this phone call out the blue, this text message, and it is funny because I remember years ago, even at my house, we got a phone call at the house back in the old days of phone in the house, house phone.
That's how long ago this shit was. But the phone call goes along the lines of it's Microsoft Tech Support, and we've determined that one of your computers in your house has a virus, and we want to help you fix that. That's right. And it was my partner at the time that took the call, not the most computer security savvy person, which is generally the case with a lot of these phone calls. And the only thing that she said was, well, maybe give me your number. I'll get my husband to call you back. And obviously I'm very excited by this because we didn't have a Windows computer in our house, so I figured being the cheeky little shit I was, I'll call them back. So I called them back. I figured, Hey, if they're on the phone to me, then they're not on the phone to some other poor victim. So let me, 20 minutes later I revealed, yeah, I just revealed 20 minutes later, I'm drinking a beer on the phone, just chatting away and what's the MAC address? And in the end, I revealed to them I didn't have a Windows computer. I was like, sorry, man, we're just messing with you. We're a Mac only shop here in this household. But I think that's the thing is these companies aren't calling, Google, Microsoft, Apple. They're not phoning your house and saying, Hey, we noticed you got something up.
Scott:
Right. Of
Den:
Course. They don't have time for that shit. So yeah. So couple of things. Now, you've mentioned this a few times. You guys go to companies, victim companies, and you give assistance, you help out. There's a bunch of free services and partners in the ecosystem, right? For sure. So do you want to share a little bit about how do people get in touch with the FBI or who are the partners? What's the best way to engage, and where do you find information that's free information that you guys provide? How do they get all that goodness?
Scott:
I mean, gosh, there's a litany of it, of course, online. So I'll give a shout out to a couple of partners. Number one is CISA, Infrastructure Security Agency. I mess up the acronym, but it's CISA, CISA.
Narrator:
And
Scott:
Fundamentally they're under Department of Homeland Security. And basically what they're doing is providing assistance in the form of they can provide TTXs, they can provide some mitigation services in the wake of a breach. They're not an investigative arm, but they're more awareness. They might do victim notifications, and we work hand in hand with them. Typically it would be some critical infrastructure type of event. A hospital gets hit or something like that, and they're there doing their thing and we're there doing our investigative piece. And we'll share data potentially after working with the victim. So that's one. And so that's super easy to find online. They've got a whole range of resources. IC3.gov is certainly FBI, Internet Computer Complaint, Crime Complaint Center. I messed that one up too. I'm not great with acronyms. Internet Crime Complaint Center has a host of different resources. It's also a place where we ask people to report different types of cyber crime.
We got 950,000 reports this past year. It's a really valuable resource for us for understanding trends, statistics, things like that. Secret Service we also work with, they have a cyber element as well that they tend to look at a lot of pig butchering scams, which I mean, just for reference, for anyone who's watching, it's a huge trend in the last maybe five years of essentially investment fraud. And someone described it to me, I think is a great term. They called it FOMO scams, fear of missing out. And it's, again, it's this sense of urgency. It's typically targeting older individuals that are retired who have some nest egg. And the criminal's goal is to convince this person, Hey, you missed out on crypto investment. I will help you reinvest your life savings into this crypto scheme. And ultimately, I mean, that's a six and a half billion dollar industry just in 2024.
So you're talking, that's a lot of money that people are losing to these types of scams. InfraGard is another entity that the bureau sponsors and puts out, it's basically just a public private partnership. There's lots of these things out there. The key to any of this is just start. If you don't have a point of contact with us or local law enforcement or Secret Service or CISA, just look us up. We're not hard to find. This is not some secret organization. We're local. You can call us up and just ask to speak with someone who works on a cyber squad in your local area, and we're happy to go and grab a coffee with you and just be a basic point of contact. And what's the next step from there? It's going to be the next time you all have a tabletop and you get to the point where you would consider calling law enforcement. You can have us be a part of that tabletop, or you could have CISA put on a tabletop for you, depending upon the type of company you are. That's where we bring a lot of value before, far to the left, is developing the relationship, understanding what we can do, what we can't do. And then when an incident does occur, you're not starting from scratch. You know who to call and you know what the steps will look like. And that's a huge advantage that you have going into an incident
Is having that relationship ahead of time.
Den:
I think obviously from my Adobe days and Cisco days, I've been involved with you guys since then. And for me, it's an invaluable resource to be able to even, we were doing insider threat work at Adobe, right? We're like, okay, let's look at insider threat as a vector for the business, a risk to the business. And I reached out to your team, to Elvis, and then he came in and we had a round table with the team and enterprise security, and basically he participated and he shared, "Hey, this is what we're seeing. This is what we know," heard the things that we were thinking of, gave us feedback, and we didn't pay for that. But the reality is it was invaluable to have someone in there who's seen a lot of companies fall foul to insider shit. And we're like, oh, this is brilliant. Because they gave us ideas and advice and they gave us great feedback. And for me, I always think it's better to establish these relationships before the incident than during the incident, because when your hair's on fire, right? A hundred percent.
Scott:
If we're going to talk about insider threat for a second, I'll throw one thing out there that I think I have found when talking to private sector companies, I always see them write this one down. And so it tells me that that's not something they were already doing, which is we oftentimes see, when we say insider threat from a cyber perspective, oftentimes it's like the former insider that manages to make their way back into the network, so they get fired and somehow they're gaining access again. And the most common reason for that is one of two things, either one, well, it really comes down to, in the offboarding process, what sort of process do you have to remove accesses? And most companies will have some process where they coordinate with IT and okay, we're going to come up with a list of all of the accesses that this person had and remove them.
What oftentimes doesn't get caught is the accesses that are sort of off-the-books accesses that this person created, typically with good intention, they wanted to do their job, and so they create an extra admin account because it was easier for whatever reason. Or they had a backup of a database or what have you. Or there were shared keys, shared API keys, shared credentials. That was probably the biggest one. And so the person gets fired, they leave, and yet now they're disgruntled, they're upset. They still have access because of these shared credentials. And I think one of the easiest ways to figure that out would be not just doing an interview of the employee, but interviewing a small handful of the employee's colleagues to ask those questions. What other shared resources does everybody on the team use? Because you're not necessarily going to get that from the employee who's bitter and walking out the door.
Den:
Yeah. Yeah. I've been in the identity and access management game since the mid, early, mid nineties. I was an ex Novell admin, so Novell 3.11, that's how old this guy is. And it is one of the things that I pride my career on is identity and access management. It is a serious business, and it really is the business of how quickly do you get employees onboarded and be productive?
How quickly do you get them access to the stuff that they need to do their job? And then it's how quickly do you cut off that access to everything that they had when they walk out the door? And like you say, it's funny, the directory accounts like your ADs and your Oktas of the world. That's the easy shit. The hard shit is, oh, we've got a Salesforce local account. Backdoor account. We've got an Oracle database account. I've got this generic account I use to run these applications, like you say, shared keys, or I've got an account to the password manager, the password vault, shit like that the manager doesn't get to you anywhere. Yeah, the managers need to know this stuff. Now, for us, again, when we were doing our zero trust business, you can say, I've got the identity access management strategy and layered to the side of it, or on top of it, if you like, is that whole zero trust strategy. And for me, this is an end-to-end game that is a deal breaker because it has the ability, if you do it right, it has the ability to save your ass more than once. I mean, I've been involved with a couple of companies where, yeah, they've had exited employees they're struggling to deal with, do they still have access?
Just answer that question. That's it. Yeah. Scott, hey, it's been great having you on. I think, well, you and I spoke about this beforehand, but we're going to sync up on an emotional wellness session from that perspective. So I think getting our brains around that in the future would be cool you made.
Scott:
Absolutely. Because I definitely do believe it plays such an enormous role in cybercrime, for sure.
Den:
Yeah. Well, so I took the notes, emotional wellness during cyber crime, and then the other thing is you guys have access to a lot of data. You're a big fan of data. I remember you saying that to me. So maybe that'll be another thing in the future, but I'm huge on the emotional wellness stuff as you see. When I think of it, I think of all these different roles and functions in the security organization, and I believe they all have different levels of emotional impact in the roles, and different roles have different levels of impact. But then you mentioned about cybercrime as the recipient, then there's the whole emotional piece. So yeah, I'd love to, we can sync up offline and figure out how we structure an episode just on that one. So sir, really appreciate your service, what you guys are doing. I appreciate your time and coming on the show and sharing with everybody. Keep up the great work. Thank you very much. We'll have you back. This is always fun. Thank you everybody. Scott Hellman, super special agent. I mean, I can give you a promotion, right? Super special agent of the FBI. Thank you, man. Always a pleasure. Thanks, Den.
Scott:
Appreciate it.
Narrator:
Thanks for listening to Cyber 909. Subscribe wherever you get your podcasts, and don't miss an episode of your source for Wit and Wisdom in cybersecurity.