Episode 366 Deep Dive: Davyn Baumann | A New Surge – Threat Intelligence
First Aired: May 06, 2026

Davyn Baumann has been in the threat intelligence industry for over 10 years, and in that time has helped uplift cyber awareness by providing comprehensive strategic level intelligence for Australian government and critical industry organisations. Davyn currently is a member of the Custom Intelligence Team at Mandiant, part of Google Cloud.


Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

[00:00:00] Davyn: The path of entry is a lot easier now than it used to be. Artificial intelligence, yes, is playing a part in this, but there’s also such a breadth of knowledge out there now. And as we spoke about this cybercrime ecosystem, only a few years later, we see this massive explosion in ransomware groups and ransomware activity. So I think that’s another challenge we face. Not just artificial intelligence, but the breadth of knowledge is so large that the gateway to start doing cyber criminal activity in particular is quite low.

[INTRO]

Joining now is Davyn Baumann, senior analyst at Mandiant, part of Google Cloud Security. And today we’re discussing hackers don’t break in anymore, they simply log in. So, Davyn, thanks for joining and welcome.

[00:00:51] Davyn: Thanks very much, Karissa. It’s really great to be here talking about what is an interesting part of the threat landscape that we see unfolding over the last couple of years.

[00:01:01] Karissa: Okay, so let’s sort of start there. So we’ve moved from espionage to profit driven attacks, right. So does that fundamentally change whether you should be worried, or how worried should people sort of be at the moment? And it’s interesting because every time, every interview I’m doing on this show each week, it’s like everyone’s got a little corner of the market that we should all be worried about. So I’m keen to sort of understand what really worries you and talk me through a little bit more about what comes up in your mind when I ask you that question.

[00:01:29] Davyn: Yeah, that is, it’s a really great question. And I think it is something as you touched on that a lot of the industry more broadly is sort of figuring out. And then of course, a lot of organizations themselves are really dealing with the challenge we’re forwarding of really what they need to look at in terms of where they sit in the threat landscape. And I think that’s something that’s very sort of endearing across cyber at the moment and probably the last few years is organizations that may not necessarily be aware of the type of threats they should be concerned about. So when you take espionage, it’s often really highly targeted and often quite meticulous in execution. And it does traditionally really focus on those high value organizations. So you think governments, telecommunications and defense industries. So a lot of organizations kind of do pay off the espionage threat and say, well, you know, I’m not that sort of big type of organization. There’s not really that concern for me when it comes to espionage. But then on the flip side, what we see, you know, from our last years of reporting is that, you know, espionage has increased 16% of the activity we tracked over 500,000 hours of IR activity was based around espionage activity. So they are still prevalent in the landscape. They are very active. And the other thing you see with espionage, which is really interesting, is the length of time they’re spending in networks, and they’re spending 390 days on average. So they spend a lot of time with these networks, and they’re very focused on making sure they get the information they’re after. As I said, very meticulous, very targeted activity. They do have a smaller target set compared to cybercrime. And when it comes to cybercrime, it’s really interesting because it’s really sort of a scattershot, you know, an opportunistic activity that can target anyone in the threat landscape. 
I think that’s something that might be a little bit underappreciated sometimes, is just how prolific cybercrime activity is and how hungry cyber criminal actors are to target anyone and everyone in the landscape. It’s a really interesting aspect. And if you look at, if you look at ransomware as a good example, it still remains the most damaging cyber crime attack type that we see, and that’s persisted for the last few years. And you take Australia, for example. You know, really interesting aspect here is you look at data leak site postings over the last few years. If we go back to, you know, April or March of 2024, Australia had 247 victims posted to leak sites. And then you look at the top three industries. The top three industries were legal and professional services, healthcare and manufacturing. That really sort of plays in this idea that, you know, these aren’t necessarily your traditional espionage type of organizations that espionage actors will target.

Instead, these are often smaller organizations that are very likely more susceptible to cyber activity because they might have smaller cybersecurity teams, if they have a cyber security team at all. So I find that really interesting when it comes to the landscape. And just on that and you know, to sort of highlight this again, yeah, 38% of those victims, Australian victims had less than 20 employees.

26% of those victims had less than 200 employees. So overall for Australia, the last two years, 60% of all Australian victims posted to the leak sites had less than 200 employees. So a lot of organizations might sit back and go, we’re not really a target in the landscape because, you know, we may not work for the defense industry, we may not, you know, be a high profile bank that has a lot of money, but what we’re seeing on the flip side is that cybercrime activity and ransomware activity is really targeting these smaller organizations. And you go back to the companies and organizations I mentioned, legal and professional services and healthcare have some of the richest data that you can get in the threat landscape. You know, these cybercriminals really go after this stuff because it is highly valuable, personally identifiable information. And so you’ve got this kind of perfect storm happening. Where to the question, everyone should be quite worried about how the landscape is now and how it will be probably moving forward.

[00:05:13] Karissa: So I want to get back to the 390 days. So from memory. I worked in the industry for a bit and now I’m doing this sort of work, media work, interviewing people like yourself. So that’s 390 days, like from memory. It used to be like, I don’t know, like 170 days, like sitting on your network. And now that seems like almost double. I mean I can’t remember the number, but it was definitely substantially lower than 390 days because that’s then more than a year. I think it was like maybe a couple of months back in the day. So obviously that’s a longer period of time.

So what are your sort of thoughts then on that? Because do you think that that’s more applicable to like big banks and friends? Because it’s like, well, there’s more to potentially gain. But then to your point, I was, what I was thinking about is yeah, like legal, healthcare, manufacturing, sure, less people but they’re an easier target. So maybe would you say that their plan is to try to do both, like we can get some easy wins with these smaller players, but then we’ll try to do you know, advanced persistent threats for like 390 days then and let’s try to get something more. So do you think they’re hedging their bets or they’re, they’re spreading out their prey, so to speak.

[00:06:15] Davyn: I think it kind of comes back to the targeting. So the dwell time is really based around those espionage actors. And as we’ve seen over the last year or probably two years, we’ve, you know, a lot of reporting that’s now been coming out, particularly from the United States. You know, we’ve got highly sophisticated China connected actors who have been reportedly in telecommunications networks for months to years biding their time and you know, just moving within the network. And then we see other facets of the espionage landscape that you know might be skewing this statistic a little bit with things like the IT workers from North Korea whose inherent goal is to be on networks as long as possible because that’s how they finance themselves and finance the regime. So that might be a little bit of a factor when it comes to the extended dwell time with cyber espionage actors. And then on the flip side, what we see with cyber criminal actors is we see them remaining in networks a little bit longer, but it’s a lot shorter. It’s down to days instead of sort of that year sort of length. So you see this sort of contrasting activity where you’ve got cyber espionage actors who will remain in networks for as long as possible, living off the land techniques, moving meticulously through a network to get the goals they’re after. So that might be to maintain persistence in a network or it might be to source certain parts of the data. And then on the flip side, you’ve got cyber criminal actors like ransomware groups and extortion actors who are going in, moving quite quickly through a network, finding what they’re after and then moving on. So it’s kind of this sort of this double sided coin as, as you would say in terms of the threat landscape at the moment.

[00:07:47] Karissa: Yeah, that’s interesting. So do you think as well like and like back in the day, like, do you remember when they’d send out like looking at cyber criminals, they’d send out like just thousands of like dodgy emails and people would fall for it like so now just going back to shorter time sitting on a network because it’s like, well we can get in, get out really quickly, get what you need and then we’re done rather than like, oh, let’s hang around for more than a year because that’s a longer term play and obviously that’s for other reasons like the espionage side of things. But do you think that that window of time is going to keep getting shorter considering everything that’s going on at the moment as well as like AI that you know, from an attack point of view, yes, we have AI to defend it. But do you envision, given your role in the space, that’s going to get even shorter time frames?

[00:08:34] Davyn: I think so. And I think as you sort of touched on there, you know, artificial intelligence will play into that as well because they’re going to get, they’re going to get faster. But you know, artificial intelligence is going to support them similar to how it supports us, better productivity and you know, quicker ways to do workflows. You know, we’ve already got well established, again, if you go back to ransomware, there are already pretty well established workflows when it comes to how they’re conducting these activities, you know, in terms of a broad ecosystem. So you can expect that they, you know, similar to us, will be looking at ways to plug in things like artificial intelligence to speed up that process. Because, you know, end of the day their goal is to make as much money as possible.

Especially, you know, when you look at the. There’s no, I don’t think there’s really any statistics about this, but if you look at sort of the life span of a ransomware group, it’s really not that long. You know, Lockbit was a really high profile actor. Eventually, you know, it got taken down by multiple law enforcement activity and, you know, has kind of fizzled out now. So they don’t really have a long shelf life, I guess, you know, ransomware groups, the individual operators may, they can pivot to different groups. But as a broad sort of construct, as you know, we are ransomware as a service group, they don’t have a long lifespan. So it’s really about how much can we grab from our victims as quickly as possible.

And then, you know, it’s almost like, it’s almost like an exit scam I think they call it, you know, where you grab as much as you can before you get found out. So sort of that process. So you could expect them to find ways to be quicker because the quicker they are, the more victims they can, you know, put forward and the more chances they have of getting payment.

[00:10:04] Karissa: That’s interesting. So, okay, there’s another stat here. So 55% of threat actors are financially motivated.

So then are we effectively in a permanent sort of cybercrime economy now? And that’s interesting because, I mean, for a while it was like people saying, oh, they’re not financially motivated. There was a period of time where that was sort of a thing in the industry, but now this obviously says otherwise again.

So talk me a little bit more about that.

[00:10:30] Davyn: Yeah, again, it’s really sort of interesting and it speaks to, I guess more broadly how quickly the landscape changes. As you said, you know, people years ago would say this wasn’t the case. But then you start to see the statistics and you start to see the evidence and you realize that, you know, we are really facing a robust and pretty well orchestrated cybercrime ecosystem. I would say, you know, there are multiple actors that can target one organization. If we just go with a little example, you know, of our legal and professional services group from before, they might get a, you know, an email that comes through and it says, hey, we’re the LockBit ransomware group. We’ve stolen all your data. You need to pay a certain amount of money. You know, classic sort of extortion scheme that we see operate now.

The reality behind that though, is that could have been three or four actors that have actually been involved in that process.

You know, for a quick example, that organization could have had credentials stolen from credential-stealing malware that gets put up for sale for, you know, 10 to $20 on a dark web marketplace. You could then have an access broker come along, an access broker grabs that data, they pay for that data set, they log into that organization with the credentials, they move around the network, they realize they can maintain that access, they chuck that up on another dark web forum, they sell that off to someone else, that next person. So we’re now about two people or two organizations into the ecosystem. They could then sell that on to an affiliate of a ransomware group. So the affiliates are essentially the contractors who go about their day, you know, using the access that they’ve paid for or they’ve gathered through, yeah, cyber means to then steal the data from these organizations. So, you know, the affiliate. So the third person in line for this process goes on, they go into the network, they steal the data, they then go to the ransomware group. So for this example, you know, they go to LockBit, they say, hello LockBit. We’ve got data from this organization. You know, let’s split the profits or let’s do, you know, whatever the split is, to both make some money. Can you use your infrastructure to contact them, to force them to make the payment, use your extortion site to post them as a victim, to pressure them again, and then essentially you handle the final phase of that process.

So just as you know, that’s a bit of a sort of a basic example that kind of shows you how the ecosystem can work and the fact that one organization can actually be impacted by four or five or more parts of the cybercrime ecosystem. So it’s not just one individual or one group really these days. They’re outsourcing. They’re like legitimate businesses in the real world where they see the value of outsourcing, getting someone else to do these processes to speed up, as I said, their effort at getting more money into the system. So, you know, if you take, again, ransomware is a really good example for a lot of these questions. You take ransomware. It does really show us that there is a robust ecosystem at play. And we see them. Not only that, we also see them evolving and changing. So, you know, if you and I were talking a couple of years ago, you’d be talking about, you know, ransomware that is bricking systems and locking up networks. You know, think of the Colonial Pipeline as a really good example of that. And that was only a few years ago.

Whereas now it’s really about that extortion activity. Instead of leaving traces on a network and using your ransomware payloads to block up networks, instead you’re just grabbing the data and sort of leaving and extorting the payment. And that’s really interesting. And then what we do see now evolving even further still is things like they’re going in and making sure that the backups that organizations have now can’t function. So they’re going and destroying the backups, because what they’ve seen is organizations are going, okay, you’re trying to extort us for payment. We’ve got backups. We’ll just reload from our backups and we’ll move on. So you sort of see this evolution. So, yeah, to your point, I think there definitely is a pretty good cybercrime ecosystem out there, and I think there are really established TTPs out there that they’re leveraging.

[00:14:11] Karissa: Okay, so one thing I want to talk to you a little bit more about, get your thoughts. So, because like you said, you can outsource stuff. Like, back in the day, you had to really know stuff inherently. And now if like, even, like, Claude code and all this stuff, like, you could literally just be anyone now and start to make these tools to get this outcome. So it’s like the bar for entry is substantially even lower than what it was.

And so one of the things that I’ve been seeing a little bit across my interviews and articles would be people are saying, like, hey, it’s really hard to even just get, like, general workers. Everyone wants to be some TikToker, YouTuber or cyber criminal, because, hey, why would I spend all this money going to university colleges when it’s like, oh, I can just get some tools on the Internet, potentially outsource the areas I don’t know, get someone else to do it, get some money, live in some random country that there’s no treaty with the country they’re extorting. And there I go about my day. So I’m seeing that from a behavioral point of view of people see it as easy wins. I don’t have to do these other things. I’m lazy. I can hide behind a computer. You know, it might be a little bit different if you’re physically going out there and having to like bail up some poor old lady in the street and take her purse and run with it. Whereas now it’s like, well, I can sit here. People don’t actually know who I am because I’m anonymous. So do you think from a behavioral point of view as well, Davyn, that that’s something that we’re starting to see more of?

[00:15:30] Davyn: Yeah, I think so. I think you’re right there. You know, we, if we use the Com example or you know, which we sort of transformed a bit into Scattered Spider and you know, ShinyHunters and these groups, you know, we do see, especially with the police arrests and things, these are a large cluster of, you know, 17, 18 year old kids and they’re sometimes from western countries as well as sort of Eastern Europe who are almost playing a game. It’s almost like a game to them to go in and to, you know, see how good they are at getting into these networks and you know, sort of exploiting these victims. And you know, when you read through the Telegram channels and you look at the way these groups engage, it does have the sense that they’re almost a bit more chaotic in the actions they take and not as professional, you know, you look at some of the classical, I guess we can call them classical ransomware groups, they had a lot more of a professional structure and you know, they were really focused on one goal which was to make money. Whereas now, as you sort of said, you’ve got that maybe even that sort of TikTok culture where you know, there’s that blending of we’re doing like quite serious cybercrime activity. You know, we’ve been able to expose and get into some really high profile organizations. But we’re going to joke about it on Twitter, we’re going to joke about it on Telegram and it’s going to be this really funny thing. And it’s kind of like this, the barrier between sort of, you know, they’re a little bit delusional in the way they act I think is really sort of what’s interesting. So I think to your point, maybe that’s the next evolution of cyber crime actors is these individuals who are also looking for notoriety as much as they are, you know, financial profit.

And it almost, it almost sort of flirts with that concept of, you know, the hacktivism groups who, you know, are very outspoken and very overt in the way they operate and they conduct activity with the sole purpose of advertising it. So there might be a little bit of that sort of emerging now as well, which is interesting. And it will probably be more interesting if they can continue to back it up with, you know, the impact they have on networks.

[00:17:28] Karissa: If you’re working in AI, machine learning or data science, you’re likely already handling sensitive information, proving your security and compliance posture. That’s where Vanta comes in. Vanta helps AI driven teams fast track compliance, think SOC 2, ISO 27001, GDPR, with minimal disruption to development. Visit vanta.com/kbcast, that’s v-a-n-t-a dot com slash kbcast, to learn more.

Yeah, it’s just an observation because I was interviewing the former deputy director of the NSA and he was saying like, it’s really hard to get people in government roles because they pay substantially less. Like, yeah, you can go work in a flashy vendor and get paid lots of money. So it’s like, okay, even those people are sometimes hard to get. Then it’s like, well, some work in government’s probably getting half of that pay or a third of that pay. So it’s like if things are so driven financially, well, what’s going to happen? It’s like we might have more people on the side that are like, well, I would rather just do this as a cyber criminal because it’s, it’s easy money for me and I don’t have to leave my house and I don’t have to report to someone and do all the hoo ha and the HR and all the stuff. So I don’t know, it’s just more like I just sort of, I don’t know, maybe it does trend that way. I mean, who knows? But I just thought that number based on everything I’ve seen over the last like 12 years in the space, it’s like, it’s yes, financially motivated was one of them, but now this looks a lot higher than before.

[00:18:56] Davyn: I think you’re spot on there. Like it’s trending up and to the point, sort of touching on, you know, it’s hard to find people to, to get into the industry.

Not so much talking about them maybe pivoting into cybercrime activity. But it definitely does seem like a challenge. You know, I think there was a report out a year or two ago from the Australian government saying yeah, they were looking at 180,000 I think was the rough figure was 180,000 people short to cover the cyber skills gap out to 2030. And there’s, and you know, there’s genuine challenges on how and how you fill that gap. And you know, I think there’s, there’s maybe a little bit of an appetite that artificial intelligence can support filling that gap at the moment. But in, in terms of, you know, sort of how much coverage that can give, it’s really sort of an unknown at the moment. So that is going to be sort of from a cyber defense standpoint and someone who works in this industry that is going to be a really big challenge because you kind of got to find a way to get people in and as you said, maybe, maybe don’t make as much money and maybe have, you know, more strict processes around how they operate compared to, you know, the free races. And I guess that probably speaks more broadly to how we have to sort of look at the landscape is, you know, we’re always going to be on the defensive side. We’re always going to be a bit hamstrung in the fact that we have processes, we have regulations and laws we have to abide to. Whereas you know, our adversaries, they really have an open plate on things that they can do and it does make it difficult sometimes on how we manage that.

[00:20:22] Karissa: So, okay, I want to talk to you now about stolen credentials. So now again, top of the entry points. So I want to talk about this because I’ve been seeing a lot of people and they always say like the problem, it starts with identity. KB, it starts with identity. So do you think we’ve sort of officially spiralled out of control like with identity? Because look, I know there’s like the zero trust and this and we’re doing that and you know, there’s all these other things and I know people have tried to solve a gap but like this still feels very rudimentary. And now we’re revisiting this again.

[00:20:52] Davyn: Identity is a super hard one because it comes back to that, that idea of, you know, the human element of a network which always seems to be a little bit of a, I guess a low hanging fruit when people want to sort of look at ways to sort of nitpick, I guess, at sort of cyber defense activity. We always sort of like to talk about the human element, which is a challenge. But what we actually see evolving now is it’s not just the human aspect of a network that is about identity, it’s also those non human identities that we see in landscapes. So you know, talking about authentication keys and API, you know, APIs and those type of things now are also a consideration when it comes to identity.

And I think that sort of speaks to the challenges we have with sort of mass integration of SaaS platforms and cloud integration. And then if we sort of look at the identity challenge now and I wouldn’t say we’ve really lost control of identity, but I think it is a sort of a challenge that I guess no one’s sort of got the definitive answer for. Everyone sort of seems to have concepts and as you said, zero trust is one of those. But it seems like a difficult challenge and it may be something that continues to be a challenge when you think about the integration of the next evolution of technology, which is going to be artificial intelligence. And we already see a lot of talk about integrating AI agents into networks. So you then maybe you’re going to implement another non human identity, which might again have these same inherent challenges that we see with APIs and with authentication tokens, where these systems have often have really high privileges and they’re often not really sort of integrated well enough that they have security. And I guess the challenge with identity is it sort of talks back to that concept and you know, it’s kind of that cliche now that, you know, a lot of organizations like to potentially, you know, set and forget their detection systems and sort of, you know, sit behind the castle wall, which I think was sort of the classic explainer a few years ago.

Whereas identity kind of smashes that anchor a little bit and says, well, yeah, you can’t sit behind these static defenses and hope that your detections pick up on stuff. Because threat actors are leveraging not only stolen credentials we mentioned before, but they’re leveraging identity. They’re targeting the human element of a network, they’re also targeting non human entities and they’re essentially getting into your network that way, which really makes it hard to sort of put up your perimeter fence and, you know, hope for the best, so to speak. So I think, you know, stolen credentials and identity sort of discussion really needs to be sort of based around this idea of static versus dynamic defense postures.

And I think sort of, you know, as we sort of look at it more broadly, it actually sort of speaks to, I guess another sort of misunderstanding in the, in the industry and in the landscape, which is organizations may not inherently understand what their network is in regards to how threat actors see it. So the organizations will go, my network is my IPs, it’s my routers, it’s my switches, it’s my computers. But that might be, as far as they look at it, cyber defense teams, that might be all they look at in terms of what they need to defend. The reality is now is that this is really, it’s a lot broader than that. You can look at a network, particularly in terms of how a threat actor sees it. The threat actor sees your supply chain, your third parties, they see a geographical location. They see, you know, if it’s an espionage group, your geopolitical standpoint of the countries you might operate in. They see the human element of your network. And that’s, you know, not, that’s not just your staff, that’s also your contractors and whatever country they might operate in and also customers as well. So there’s this and then you know, as I said before, is that non human identities as well. So things like APIs. So there’s this huge sort of digital footprint and this real exposure that organizations have that I don’t think they appreciate so much is what is sort of available to threat actors to target. So I think when we talk about identity, I think it’s sort of more that looking at that broader view of how organizations sort of posture themselves and also how they see themselves in the threat landscape, that becomes a sort of a greater challenge.

[00:24:42] Karissa: Okay, so talk to me a little bit more about static versus dynamic, like how does that work?

[00:24:47] Davyn: So sort of static defense is that traditional concept I think, you know, and as I said, you know, you’ve got that, that cliche that I think we all got taught a few years ago of, you know, we need to put up the, yeah, put up the walls and we need the moat around the castle and that’s really what we need. You know, and you still do need really strong detection capability. You know, the technical aspect of this stuff isn’t going to go away, of course, but I think that’s really sort of that traditional static defense where if we set the right, if we set the right systems up, we can kind of, you know, that’ll kind of do, we’ll be okay for now. And then we can, you know, we can monitor that, we can look for sort of indicators through that and that’ll kind of be how we operate. But what we’ve kind of seen over the last year in particular is that kind of isn’t going to fly currently, particularly with organizations getting into networks, threat actors getting into networks, because we see them, you know, using things like vishing, voice phishing, now where they’re just calling up and asking for access and they’re getting it. So it’s going to be really hard to, you know, maintain the static defensive wall when organizations are just, you know, getting exposed because someone’s ringing up their help desk and getting direct access. So as I said, it’s about looking at that dynamic process, like how can we get more dynamic in our defensive posture? And you can talk, you know, you could use a whole multitude of different terms like defense in depth or forward-leaning defense. These kind of ideas where, you know, you can be prepared for all the multitudes of threats. And I guess for me as a threat intelligence analyst, I think this is really where it’s really important for organizations to look at the threat landscape from an intelligence led posture.

If you have an intelligence led posture, you can be far more dynamic in your defensive posture because you understand the landscape. You know, you can have an organization that, that might be trying to defend against everything and you know, intelligence led defense could say, well actually you may not have to worry so much about that type of threat, but maybe you should worry about this type of threat. So if we go back to our legal services group from the discussion earlier, you know, intelligence led analysis that can give them dynamic defense can say, well, you may not have to worry so much about espionage, but you should be worried about cybercrime. And these are the specific aspects of cybercrime that you should be worried about. So kind of it gives them a better opportunity to harness their resources. Because at the end of the day, organizations are often very likely just putting in these sort of static defenses, you know, focused around EDRs and SIEMs and things like that. Because yeah, everyone has a really tough time maintaining a strong defensive budget and also resources. As you touched on before, yeah, it’s very hard to get people into this industry.

So you know, static defense. So putting in those sort of classical frameworks might be all a lot of organizations can do. So you know, leading it with intelligence-led processes can really actually enhance their opportunity to spread their resources the best way they can.

[00:27:35] Karissa: Okay, I want to zoom out now for a moment and understand where the CISOs’ sort of heads are at now. And again, it depends who you ask, who I’m talking to, etc. But do you think, Davyn, in your experience that CISOs are over investing in detection or sort of under investing in identity? Because like, I hear that a lot now, like, oh, they’re so investing in detection too much, et cetera. So I mean, where’s your head at with that question?

[00:28:00] Davyn: This is a really interesting one. And as you said, you know, there’s going to be a multitude of debates around this. You know, I’m in no means a CISO myself, so you know, it’s sort of difficult for me to look in that perspective. But what I have seen working with Australian organizations, Asia Pacific organizations, and even globally is that decision makers, even at your cyber, you know, cyber manager level. And those type of organizations, as I sort of touched on, are really struggling with security budgets and resourcing. You know, they really don’t have, I think, the luxury of being able to implement everything they want to do.

So I think it often comes down to what can we just get in place that will keep the system running? I think, is that kind of, you know, that classic availability versus security aspect. And I think another thing that’s a challenge, particularly for CISOs, is, you know, CISOs wear a lot of risk in an organization.

So often it comes down to what legal requirements within that country that they have to meet, that they have to have a SIEM in place. Do they have to ingest all the IOCs that are pushed to them from a government body sort of thing? And that can take up a lot of their time sort of off the bat. So when we sort of talk about detection versus identity, I think it’s really just a case of resourcing. Do they have the resources to actually do much outside of actually just getting the detection programs working?

And again, is there an opportunity now in the future to leverage things like artificial intelligence and these type of processes to speed this up? Potentially. But I think it really comes down to. And again, this is what I see from my perspective is this really big challenge of they have to, on one hand, manage the risk aspect. They have to manage what the company wants, but then they also have to manage what they can put in place. And it does leave some organizations exposed if they do really go heavy into detection and maybe don’t look enough at identity. And again, they sort of look at that static defense instead of dynamic because it can leave them exposed. As we spoke about living off the land techniques, these espionage actors in particular, who, you know, instead of using bulky malware that can be detected quite quickly with, you know, really good and advanced SIEMs and things, instead, you know, they just getting. And they’re living off whatever’s on the network. So it does make it difficult. But I think it really comes back to a battle of resources versus, you know, risk reward. I think.

[00:30:19] Karissa: Yeah, this is interesting. And so then just one more question on that. What do you think? And I know you said you’re not a CISO, I don’t expect you to be, but just given what you’re doing day to day and what you’re seeing, what do you think really at the end of the day, the CISO seems to be worried about, because I feel as if they get pulled from pillar to post is vendors, people, podcasts like this going in their ears like it seems to. It’s very overwhelming and I don’t envy their position at all. So it’s just more what are you seeing perhaps with some of your customers or people that you’re sort of speaking to?

[00:30:51] Davyn: I think often CISOs and you made the good point. Yeah, they’re dragged all over the place. And they’re accountable. They’re accountable all the way up and all the way down. You know, they’re sort of, they’ve got to deal with, you know, the challenges that their frontline team deals with. They’re both going to deal with the challenges of, you know, the CEOs and the board. So they really are in a tough position. And I think from what I’ve seen from my perspective is they’re really worried about at the end of the day their network operating. So business continuity is really the main focus because at the end of the day, if the network isn’t running, they’re not doing their job. And then I think secondary to that is often data. But I think if you had to ask, you know, if you got 10 CISOs in a room, probably nine of them are going to say it’s about the network running. And yet that’s their challenge. But again, I’ll bring it back to sort of what I know, which is intelligence-led defensive postures, and CISOs are another one. They often get a lot of information pushed to them, but it’s very difficult sometimes to cut through the noise and just know what they should and shouldn’t worry about.

For example, if you’ve got an organization that is critical. So if you think about manufacturing or a resources organization that may not hold a lot of data, you know, if their system goes down, you’re talking about downtime of in the millions of dollars of losses for the business, then you know, they should be looking more at those sort of those threats that are looking for disruption. So OT-focused hacktivist groups, you know, there’s ransomware groups that are still leveraging, you know, ransomware that will disrupt the system instead of maybe other groups like your sort of Scattered Spider or your ShinyHunters who are far more focused on getting in and stealing data. So it’s kind of CISOs need to sort of appreciate where they should focus their resources and their needs. And I think it’s about for them, from my perspective, it’s about cutting through the noise and understanding the best place to put their resources.

[00:32:41] Karissa: Okay, so now I’ll talk about cloud adoption. Just super quickly. Now the part I think that gets me is like this was meant to improve security, but then it just feels like there’s so many misconfigurations. It’s still like such a major entry point. And I know it’s like certain companies do security of the cloud and then within the cloud is what the customer should do, et cetera. And I get that. But I think the part is we leverage this technology to make our lives easier. And then from what I’ve been hearing from yourself and that it just things, it does appear right now with my finger in the wind, that things are progressively getting worse. Like I’m hearing more breaches than ever, more, this, more, more attacks happening, etc. Like I just feel like we haven’t really improved. Like generally speaking, I know it’s hard and there’s the AI and all this other stuff that’s come out, which has of course attributed to the numbers, etc. But help me make, make sense of this then.

[00:33:34] Davyn: In my mind, cloud’s another really interesting one. It’s kind of like that extension, you know, of the SaaS systems that we have. And, and what, you know, I have seen from some organizations is that it kind of is that again it’s that concept of sort of set and forget.

So you know, we chuck in the cloud system or we chuck in the SaaS system and yeah, we kind of are good to go. And I think often there’s this misplaced idea of where the risk sits. So the organizations go, well no, no, we’ve got the cloud system, we’ve got the SaaS system, the risk sits with them. They have to make sure that their part of the network is covered. But what you actually see is that there’s this sort of middle ground where you’ve got the organization that might be putting in sort of processes to sort of protect themselves and you’ve got the cloud organizations and the SaaS providers who often have far more robust sort of security postures. But then you’ve got this middle space where they often they’re connecting, so where the two systems are connecting or where they talk to each other. And as I mentioned before, this idea of, you know, the non-human identities, so APIs and, you know, authentication keys and this type of thing, they’re often this sort of vehicle for threat actors to move around these places. So I think cloud has huge upside and I think it will be really beneficial. I think it’s just about organizations figuring out, you know, that it’s not just a set and forget process. It’s about, you know, making sure that on their end they’ve got everything in place and then asking the question of the cloud provider or the SaaS provider, you know, are you, do you have the appropriate controls in place and then making sure that those flow states between the two are quite well structured and organized. You know, there aren’t, you know, God-level, you know, privileges given to these APIs and those type of things. Instead they’ve got those checks and balances in place. So I think cloud and SaaS are really going to be important as we move forward because organizations don’t have the capacity on their own.
You know, we’re talking about, you know, organizations that have under 200 employees are really going to have to look to continue to leverage outsourcing some of their security posture. I think it’s just going to be about maybe education and how they can put those mitigations in place to manage things like the threats to cloud. And just this one last thing on that, what you do see is this classic sort of concept where, yeah, if you move all your data to the cloud, the threat actors are going to move with that because espionage actors and cyber criminal actors, if they’re looking for your data, they’re going to go to where your data is. So they’re going to move to the cloud as well. And that’s what I see, I think, continuing to evolve. You know, we move everything to cloud systems, threat actors are going to move to cloud systems. So we move everything back to on-prem. They’re going to move back to on-prem. They’re going to continually sort of seek out the data in particular, which is that pervasive challenge we’ve spoken about where the threat landscape is dynamic and constantly changing. We need to sort of, you know, be aware of that as well.

[00:36:17] Karissa: So today we’ve sort of covered a lot of terrain and understanding different perspectives, which I’ve really enjoyed. So I want to, I want to get your forward view then on the landscape moving forward because I mean like every day, like even from a media point of view, like every day there’s stuff in the US, in Australia, it’s very even hard for me who’s doing this each day to keep up. So I can only imagine when other people have got a day job to do, like operations wise, so things are just moving a lot faster than before.

And so now what you’ve discussed with me, is there anything you can share, sort of like moving forward, like where do you think we go from here as an industry or what do you sort of think about that?

[00:36:56] Davyn: Yeah, I mean, as you touched on, you know, just sort of spoken about, the threat landscape is really, it’s really sort of ramped up over the last couple of years. What we sort of see is attackers. They like the path of least resistance and they like to reduce their footprints on the landscape. So it’s. We’re seeing this shift where we’re seeing them using things like phishing attacks, using credentials that are already available, you know, to get onto these networks, then once they’re on the networks, trying to live off the land as much as possible to sort of mask their activity. And we’re seeing this at a scale we haven’t seen before. And one of the reasons is that the path of entry is a lot easier now than it used to be.

Artificial intelligence, yes, is playing a point on this, but there’s also such a breadth of knowledge out there now. And as we spoke about this cybercrime ecosystem, there’s well established TTPs and procedures that a lot of groups can follow. You know, there’s probably, you know, correlation is not always causation. But if you look back after a couple years, you know, there was the Conti source code leaks and the entire structure of Conti ransomware was leaked. LockBit had a similar issue, Babuk ransomware had a similar issue where all of their source code and all the processes and all the TTPs they leveraged were exposed. And then only a few years later, we see this massive explosion in ransomware groups and ransomware activity. So I think that’s another challenge we face. Not just artificial intelligence, but the breadth of knowledge is so large that the gateway to start doing cyber criminal activity in particular is quite low. So in terms of looking forward, I think we’re going to face continued challenges. We’re going to have faster actors who are now leveraging new technologies to quickly get on the systems. I think we’re going to have. We kind of touched on it. It’s kind of this sort of juxtaposition a little bit where you’ve got these sort of chaos type of actors with, you know, the rom com individuals, you know, ShinyHunters and Scattered Spider who are operating at a quite a high level, but also looking for that notoriety factor. But on the other hand, we’re still going to have that highly sophisticated aspect of the landscape where we have the ransomware actors, we have the espionage actors, and then you throw in these really novel concepts. We’re seeing like the IT workers of North Korea, which is a really fascinating aspect of the landscape where you’ve got state sponsored financial activity which becomes an insider threat exposing third parties in supply chains.
So I don’t need to be, I don’t need to be organizations that have to navigate this. But where I would say, and, you know, I feel like I’m just continually endorsing this, is that intelligence-led is really a process to go because, you know, the things that I see in the landscape that organizations have a ton of noise, it’s noisy and as you said, you know, you’re in the media space and you’re finding it overwhelming. But they do actually have a path that they can follow because there are a lot of processes and a lot of things they can put in place that do reduce their footprint and their threat landscape. So it’s not all doom and gloom for organizations out there. Yep, the threat landscape is getting faster, but I think also so is the defensive landscape as well. You’ve got organizations that are getting quicker in the way they’re operating, you know, and I think artificial intelligence, but even other techniques and tools that are being leveraged now will actually help the defensive side of the house maybe not keep lockstep with threats because they’re always going to be a little bit ahead, but we’re going to get a lot closer to challenge these groups. So I guess I’d say there’s a lot of challenges going forward, but there’s also a lot of hope I think as well that we can take the fight back to the threat actors.

[00:40:14] VO: This is KBKast, the voice of Cyber.

[00:40:18] Karissa: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today.

[00:40:26] VO: This episode is brought to you by MercSec, your smarter route to security talent. MercSec’s executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and mid sized businesses scale faster and more efficiently.

Find out [email protected] today.