[00:00:00] Dmitry: They always follow the money and to get rid of it, that is almost impossible. You need to block oxygen for them and the oxygen for them is money laundering. Because at the end of the day, even if the attack was successful, they need to do this money laundering first and then get their money back.
[00:00:18] KB: From KBI Media, I’m Karissa Breen and this is KBKast.
My guest today is Dmitry Volkov, CEO of Group-IB and a 20 year cybercrime investigator who worked alongside Interpol, Europol and Afripol. We talk about why reactive cybersecurity is already obsolete, why blocking the money matters more than chasing the attackers, and whether collective defence is actually possible when banks legally can’t share what they know.
If you find these conversations useful, hit follow. It’s the single best way to make sure the next one lands right into your feed and it helps other execs find the show.
Now here’s Dmitry.
Okay, so Dmitry, I really want to start with your view on predictive cyber intelligence, which is effectively stopping attacks before they happen. So tell me what’s going on in your mind?
[00:01:17] Dmitry: Well, look at the history of cybersecurity, because I’ve been doing this for the last 20 years and it’s pretty much the same thing. It’s always been reactive. That means that you as a company need to wait until a threat actor makes a first move, and then you have to detect it as fast as possible and respond as fast as possible. And what does it mean for everyone?
You see that the number of attacks keeps growing, and complexity and damage keep growing year over year.
And threat actors have now started to actively search for and use artificial intelligence tools for different purposes. But what it means is that the speed and scale of attacks are going to grow even more, and that means that the situation will get worse. So that’s why, to change this dynamic, we need to move from a reactive to a predictive approach.
And what does it mean? I’m not talking about long term prediction, but a short term one, when I can say that you, your organization, will be attacked by a threat actor. He’s going to use this malware. This is how exactly he’s going to execute. And this is a list of actions that you need to actually take automatically. In an ideal case scenario, to stop this actor before he actually launched the attack. This is how Group-IB approaches predictive cybersecurity, not intelligence only, because we can apply this approach both to the cybersecurity and the anti-fraud space, and with both.
[00:02:47] KB: Okay, I want to get into this a little bit more. So like, I don’t know, maybe almost eight years, 10 years ago, I came from more of an analytics background and like an analyst background in cyber. And I remember like everyone was talking about like predictive analytics, like we need to predict certain things, and then that sort of just fell off the bandwagon. So like now obviously there’s a bit more of a resurgence in the predictive part. But I mean there was like chatter in the market of people like being skeptical of it. Would you say? Where do you think that’s at? And I know now the capability’s better, there’s tooling and AI and stuff like that. So maybe walk me through that.
[00:03:20] Dmitry: Okay, probably I will give you a few examples and hope it will make it more clear.
So let’s take fraud as an example. We already built this, let’s say, predictive engine in the fraud space that allows us to tell you that your device, your account, will be used in fraud activity even before the transaction is done.
How we understand it: based on behavior and some signals that we can get as technical telemetry from underground markets and of course from the original banking application. Again, you just launched the application, you probably didn’t even log in. But we already know that it will be used by fraudsters in a fraudulent activity. And we know how, based on signals that we detect. Just to give you a little bit more context, let’s imagine it’s a mobile banking app and your mobile phone. We understand how you use it, how you hold your device, how big is your palm, how you swipe, what’s your keystroke cadence and so on. And if somebody takes your device, we will see that there is a big deviation from the normal behavior. If we see that he managed to install something else on the mobile device, based on that additional piece of information or piece of intelligence, we can make a conclusion. But he will use a remote access tool, as one example, to get access to your banking account when it is unlocked by your biometrics, when he will remotely do these actions, and again when he is doing this the behavior will be different. And you can say that just in two minutes there will be fraudulent activity. In our use case, we detect with our external threat intelligence data about different compromised accounts, in different social, different underground forums and so on.
And we can share it automatically with anti-fraud solutions. And based on that we can understand who is already compromised, how it worked, how they were compromised, what devices were used. And you probably use the same device shared, I don’t know, with your family members.
So that means that not only you, but your, I don’t know, your kids, your mom, somebody else is also infected and also compromised, because the malware is on the same device.
So sharing these types of signals, they can increase the scope of affected users. And again, if we know and we have signals that you were compromised, you were part of the victim fraud, it gives us a certain degree of confidence that another account will be also in the same fraudulent scheme. That’s another example. And with cybersecurity, it’s pretty much the same thing: if you have external, strong external threat intelligence and you can combine it with knowledge about your internal infrastructure, specific signals that we already see as early warning signals, and combine these two pieces of data from outside of your organization and inside of your organization. This is the moment when we can make a very tailored and specific prediction. But again, what is important here, this predictive analytics is a quite useless thing if it’s not combined with, again, actions, because otherwise it just creates noise. Actions should be executed automatically. Actions should be then validated, that a potential threat actor or fraudster made an attempt to attack you. And only then you can confirm if your prediction was correct. Then, only then, you can make a better detection engine, a better prediction engine.
[00:06:48] KB: Okay, so I want to get into this a bit more because this is interesting. So agreed. I mean look, now there’s looking at even like an analyst, SOC analyst, like even what they have to deal with, like so many more alerts. And then there was a whole alert fatigue. Now we’re leveraging AI to calm down the noise, for example. But what do you think? Like, do you think people are overseeing a lot of this because they’re letting the machines do it? But it’s like, oh, actually, I mean, I come from a banking background myself in cyber, so it’s like I know exactly what you’re talking about. So it’s like, do you think that people are just leaving it to the machines? And then it’s like, I’m just gonna kick back, put my feet up. I think that’s an Australian term. And then I’ve perhaps overlooked something that was important because there is so much noise going on. And yes, we can say we’ve got tooling and AI and all this stuff, but talk me through that because I’m just trying to paint a picture of where it started to be. Like we have to ingest all of the feeds into our SIEM and monitor it all. Oh, but now there’s too much and then there’s noise and then we’re over, we’re fatigued. And now we’re trying to sort of come back again and find that equilibrium. I’m just trying to make sense of it and yeah, paint that picture.
[00:07:56] Dmitry: First of all, too much data is also a bad situation. And you gave a perfect example. We’ve seen that it didn’t work in the past, it will not work in the future. It’s perfect for log collection, but definitely not for different purposes. But what makes it really different?
First you don’t need to build a central collection of everything.
Then you need to build a detection engine on top of that and an action engine on top of that. You need to be and act as fast as possible. So that means that everything should be as close to the original point of the signal as possible. What I mean: you have multiple layers, you have endpoint, you have network, you have email, you have other sandbox, whatever, maybe even the browser. Because in the era of AI, the browser becomes a very important point.
So the closer you are to this endpoint that originates signals, the better conditions you have, because you can detect faster at that specific sensor, you can detect and respond faster and then basically take proactive actions where we need signals. And again, what kind of signals? It’s not about all possible information that you may have in telemetry. No, you don’t need that because, again, it’s just noise. But you need to understand what will provide you valuable intelligence to make a conclusion, to make a prediction. Probably to be a little bit more specific how I see that: first of all, when we talk about alert fatigue, we should stop looking at these alerts because the current state of cybersecurity allows you to automate that. But you need to focus on something, what’s really important, and what will be the next level of what is important.
Because, I don’t know, 10 years ago it was logs, raw signals, then it was just alerts. Then we said let’s do another abstraction in terms of alerts that will combine it, and SIEM, XDR, XCM and so on, to something more complicated, but will give you a complex vision. The next thing will be a prediction, because all raw alerts and actions with these alerts should be automated. And again, artificial intelligence and this agentic approach really allow you to automate a lot of routine tasks. But we cannot give 100% control to AI agents. It’s just impossible. Especially in big enterprises with complicated infrastructure where you have to make many different decisions all the time. You will automate.
Can we automate it? And you will focus on the thin layer. But the thin layer should be not reactive. Thin layer shouldn’t be predictive.
[00:10:33] KB: A really rudimentary question. I mean, what you’re saying makes sense. So, like, why didn’t anyone do this earlier? Like, we’re spending so much time doing other things when it’s like, what was coming to my mind as you’re talking, Dmitry? It’s like, you know, when I’m driving, I live in the US now, people. A lot more intense driving here than in Australia.
And then if you think you’re going to change lane, the car sort of stops you because it predicts that there’s a car there, it can see it there, it sort of prevents you. There’s a couple of seconds that you get to, you know, not get into the lane. Right.
So why have we been so focused on like the reacting or now people are saying, oh, well, you know, you don’t expect to be breached, but you’re pretty much saying like, we’re not even going to get to that point if we predict potentially what’s coming down the pipeline. So I’m just curious to be like, well, why didn’t someone come up with this earlier?
[00:11:19] Dmitry: The answer is simple. It’s always evolution. You start with something small and then you evolve it step by step.
Same is here. If somebody would ask me if it’s possible to do this prediction technologies, I don’t know, three years ago, I would say no. But now, the level of automation, the significantly improved large language models and the quality of data that we have right now is much better. So that’s why now it’s realistic. It will take time, again, as with any new technology, to adopt it, but now it’s realistic.
[00:11:53] KB: Okay, so I want to talk about the quality of the data. I mean, that’s a good point. Haven’t we, like even in enterprise we’ve had these massive data lakes. We’ve had all this data and intelligence on people to sell you a bank loan and a car loan and a credit card times 10. So don’t you think we’ve already had a lot of this intel? Yes, from people. But then that also extends to even our systems that big enterprises use as well.
So would you say the data’s always been there, or do you think it’s now how people are operationalizing that data, would you say?
[00:12:21] Dmitry: I would say data was always there, but the way how you process this data was different. I will give you another example. So you said that you had a banking background.
So you will understand this: the majority of fraudulent activity that we see now is not just traditional fraud. It has cyber roots. It’s about malware, it’s about phishing, it’s about remote access to devices.
It starts from a cyber attack and then it becomes a real fraud.
But look at any normal bank, they usually have two separate teams, a cybersecurity team and an anti-fraud team.
In ideal use case, they should collaborate very actively because both of them try to reduce the level of fraud.
Also, it doesn’t matter if it’s cyber driven fraud or something else, we want to reduce this fraud. They have all data in place, they have all processes in place, but they cannot work all together.
They don’t have a common workflow, they don’t have a common pipeline, they don’t have access to each other’s data sets. So it’s always siloed teams, siloed infrastructure, siloed processes in one organization.
And it’s just one example. So that’s why, again, I’m a true believer that cyber fraud fusion is the next big thing for everyone, when we talk of course about the financial industry.
So answering your question, data was there, but the way how we work with this data, the way how we process it and build these common workflows, was not in place; this is what we can also change.
[00:14:08] KB: Okay, so then on that note, given historically speaking or even recently now, now we’re moving into a new sort of stage around the prediction. Do you think people just spend a lot of time now on responding, detecting all that sort of stuff? Do you think now based on what you’re saying here, Dmitry, that will change and people will go more on the predictive front? Or do you think people are still just going to be very busy and determined detecting and responding?
[00:14:35] Dmitry: Well, again, it always depends on the maturity level of a specific organization, because if you would like to switch to predictive technologies, you still have to keep data that has high quality, you need to have tools that collect this information or data and you have to keep a strong team in place. I don’t believe that AI will replace cybersecurity experts because the number of attacks, complexity, will continue to grow. But no, not everyone will be able to switch 100% to a predictive approach. It will always be a combination. I believe that adoption will take probably the next five years until we see that the majority of organizations will come to that state, but not faster.
[00:15:17] KB: Why do you think five years or so? And I know it’s hard to tell, it’s just more trying to get a gauge. Is it just people are still trying to wrap their head with just basic patching and now we’ve laid on like AI stuff etc and all this data and modernizing it so you can bring AI to your data and do all these things.
Why do you think there’s going to be a little. I mean that’s relatively slow in terms of like it time frames. So I’m just curious to hear your thoughts there.
[00:15:42] Dmitry: Look at the average adoption cycle, because I know 10 years ago, probably, there was a hype about machine learning. How fast was it adopted across organizations? Probably took about five years. Even with artificial intelligence it was booming.
But when this boom started, I would say 2022 was the moment that everyone heard about ChatGPT and so on, and it was like a huge spike of interest and belief that artificial intelligence may exist. But do we see a high adoption? I would say everyone will say yes, we use artificial intelligence. But do you really see end to end processes automated with artificial intelligence that raises efficiency, I don’t know, 10, 20 times? It’s a rare case. Adoption is a complicated thing, especially when you talk about big enterprises.
[00:16:31] KB: Okay, just staying down this talk track because I find this quite interesting with the predictive side of things. Can’t people say, yeah but Dmitry, but what about false positives? What if the tool doesn’t detect the thing and then I get breached? How do you handle that sort of conversation, or how are you sort of preventing it, or what are some of the rules or the process around this?
[00:16:49] Dmitry: And again I didn’t say that prediction will replace absolutely everything.
We still have to keep our existing approach, when we’ll be able to detect a threat that bypassed security controls that we missed as a prediction, if I didn’t manage to take proper preemptive actions to stop it in the early stages. So we still have to keep that layer that will be responsible for reactive detection and reactive response. What I’m talking about is that this layer should be almost 100% automated and you as an advanced expert should focus on what really matters. That will significantly reduce the chances of a threat actor to compromise your infrastructure.
[00:17:31] KB: The intent around the predictive capability, it’s more about reducing like the internal cyber analysts’ workload. Right. So hypothetically, if it’s like they’ve got a hundred tasks, alerts they gotta respond to a day, again made up numbers, perhaps the predictive component would be able to reduce those hundred tasks to like maybe it’s 70 tasks or 60 or whatever the number is, with the byproduct then of making their day to day easier. Not as fatigued, not as overworked, they can focus on doing more strategic things. Is that sort of then the intent behind it? Because I know that nothing out there in cyber is 100% foolproof. But it’s more so just reducing perhaps some of that workload for these people by leveraging some of the predictive stuff.
[00:18:18] Dmitry: Let me explain it from a different angle. Because it’s not about reducing the number of tasks that you are going to handle in the future. The number of tasks is going to increase significantly. The reason why, because again, all these last years we saw that the number of incidents can grow; with AI it will grow faster. Let’s say it’s an axiom that the number of attacks and the number of events and alerts, and whatever it is, they’re going to increase in your infrastructure. If it’s a big infrastructure, it will increase significantly. And prediction is not about reducing this level. This level should be processed by agents, with an agentic SOC, or something else. But it should be automated. But then when it is automated, what is the next thing you should do? What you need to think about. You need to think about how to prevent most of these events happening in my infrastructure. Not because I want to reduce them because it loads me and my team, because it’s not your concern anymore. It will be handled better by some robots, automated agents; you focus on how to reduce damage, because even if it’s not a significant incident, it creates a certain damage.
Small piece of personal information will leave your organization.
Some portions of reputation will be damaged, your partnerships will be damaged. Whatever it is, you want to prevent that. But how? You need to take some actions that will not allow threat actors to execute these attacks. How can you know what exactly to prioritize, what exactly to execute? Taking as an example the vulnerability management process. You do not update absolutely everything. You still keep a lot of software outdated because you cannot afford to update and patch everything.
Same is here. You need to decide, take a decision which things to take first, which things or actions to execute first. And that will be your decision. But this decision should be based on something. And this something is a prediction. What is prediction? Again, prediction is, let’s say, a combination of external threat intelligence and data that you have in your internal infrastructure. And only when you can relate it, you get it super tailored. Tailored not just to the organization, but tailored to your network infrastructure, your internal processes, your team, so that you can take these decisions. I hope that answered your question.
[00:20:49] KB: Yeah, exactly. I mean I was just using the numbers more for like just an example. But yeah, overall it’s trying to reduce that damage and the cleanup side of things then as well by taking care of this stuff. Whether it just happens in the background, that’s fine, because yeah, you’re right, there are going to be more of these things that are happening and we’re already seeing that in the space.
So then on that, I want to sort of switch gears slightly and talk about you. Your company works closely with Interpol, Europol and Afripol. So perhaps like, what do they see about global cybercrime that the private sector is still missing?
Perhaps keen to get some insights here.
[00:21:28] Dmitry: Well, here it is quite simple. Everyone understands that collaboration between the private and public sector should be more effective. But there is no real motivation for the private sector to help the public sector to stop threat actors.
And there is a certain limitation why people don’t do that. It’s not just about local regulation. It’s not just because they have their own business to do. But in some cases they cannot do that effectively. Because when we talk about modern cybercrime, in many cases, let’s say threat intelligence should be shared in real time. Again, just because of high speed of attacks. If you want to be effective, you need to share in real time. On the other hand side, you cannot share absolutely everything because it’s quite sensitive information.
So that means that the way you share must be a privacy preserving approach. Then you guarantee that private data, sensitive data, whatever it is, will never leave your organization. But if you exclude it completely, that means that you don’t share anything valuable. Even if we talk about local regulators.
And this approach will work only when there is a network, a network of, I don’t know, telcos, local regulators, law enforcement agencies, the finance sector, private cybersecurity companies like us.
But only when we have this collective approach, collective defense, that may work: sharing signals in a way that, again, doesn’t disclose any sensitive data, and the technology is in place.
And this is what, I would say, many circles are now missing, whether it’s a financial circle or a law enforcement circle. At the moment we still rely on passive data collection.
Sharing reports with a delay of a few months, then taking reactive actions. Of course it’s valuable because it helps to identify threat actors and, at the end of the day, arrest them. And this is what really prevents thousands of incidents in the future. This is what I’ve been observing for so many years already. You stop one threat actor. That means that you saved, I don’t know, thousands of businesses, thousands of private lives.
Because these guys, they are not Robin Hoods. They cause real damage, economic damage and real life damage for individuals.
So that’s why what they are missing is not this particular type of attacks or incidents. They’re missing intelligence in real time.
[00:24:09] KB: Okay, so you said before, Dmitry, there’s not really motivation perhaps for like the private sector to like collaborate with like the public sector.
[00:24:09] KB: Okay, so you said before Dimitri, there’s not really motivation perhaps to like private sector, to like collaborate with like public sector.
I mean, I’ve got some ideas, but I’m keen to hear maybe more about that because it’s sort of going to feed into my next question.
[00:24:29] Dmitry: So what kind of ideas do you get?
[00:24:31] KB: Well, it’s kind of like they’re running a private business, right? Like private businesses are there to make money for their shareholders and do the thing right.
Public sector is more, well, supposedly more about people and helping society and countries and governments, et cetera. So I think that if the private sector spends more time focusing on the general, like so. And there are some companies that do that. I’m not saying this, I’m just saying that, just giving a general consensus of private and public, they might think it does a disservice to them if they’re focusing like generally on the cyber security posture in the market. Does that align with what you’re thinking?
[00:25:10] Dmitry: Yeah. Yes. And again, it’s always easier to explain with real life examples. If we talk about a mid size organization, we don’t care about cybercrime, we don’t even understand what it is in reality. You probably heard about that from many different sources, but we don’t understand that. So that’s why we cannot even contribute to investigations. But we don’t talk about big enterprises.
They have very mature cybersecurity and anti-fraud teams that track threat actors. They have this information and they would, in some cases, like to share it, but we don’t have a legal framework, for example, for how they can share it with Interpol. To share with Interpol you have to be a gateway partner. You have to have a special agreement that you usually don’t have. It’s not your business. You can actually share it with the local police force. But usually the local police force is extremely busy. We don’t know how to handle so many incidents at the same time. Just to give you an example, in Australia, according to statistics, probably it was about 90,000 incidents per year. Basically almost every six minutes there is an incident officially reported. Try to handle this volume. So that’s why people are just overloaded. But what we see, and it’s a positive sign, for example, with our solutions, when we develop something, we have this investigative DNA. So that’s why it allows us to track threat actors in real time. Of course our clients see that and they start to see threat actors’ movement, the infrastructure behind them and so on, using the additional data sets that they have in their organization. Maybe even identify threat actors, especially in the finance sector, talking about fraudsters. So that’s why banks have a lot of information about people, especially about fraudsters. So tracking threat actors and finding profiles and finding real analysis and finding real location, they now can share with the local police force. When they start to do it on a regular basis, there is a special, I would say, there is a relationship, because people trust people. That means that when you come to the police force next time they’ll prioritize your case, because they understand that it’s a really early case, that they still need to validate, to reconfirm according to all local practices.
But it will be definitely something outstanding from what we see usually as complaints or incident reports from all other parties. And what we see now is that big organizations realize that there is big value from this activity and they now dedicate specific teams to focus on these internal investigations and sharing with police forces in the country. But when it’s about international syndicates, you need to have this global cooperation. That means that you need to work with Interpol, Europol and other organizations across the globe to make sure that you stop them. And usually we see global syndicates, but if it’s just a local group, it can be handled absolutely by local police forces.
[00:28:13] KB: And then there’s like organizations like FS-ISAC for like the banking and finance industry.
But then what I’ve heard, I mean I live in the US now, but what I’ve heard, being an Australian and living in Australia, historically it was like there was pushback. There was like, oh well, we’re trying to do this thing for the greater good of everyone, but some people are just not on board with it. Do you think that given what you’re saying, do you think that over time there will be more collaboration, either whether it’s private enterprise to private enterprise or private to public sector, then working more closely, or what do you think?
[00:28:46] Dmitry: I’m very sure that there’ll be much more collaboration between all these parties, because without that it’s just impossible to stop cybercriminals. We can continue to close holes, investing in different security controls and so on, but cybercriminals are always ahead of the cyber defense. They always find a way how to earn money. They will always adapt.
That’s why the only way to reduce on a large scale the level of cybercrime, the level of fraud, at least in a particular country: we need to identify who are these people who are doing this, because if you don’t stop them at the early stage, what is going to happen? They will become more mature, with more resources, with a wider network, with more capabilities. And it means that your problem will become even bigger.
[00:29:34] KB: We’ll come back to that after a quick word from our sponsor. I’m known for being direct, so let’s be honest: nobody gets into technology leadership for the compliance paperwork headache. But if you’re building or scaling a tech company, security frameworks like ISO 27001, SOC 2, Essential 8, CPS 234 or GDPR aren’t just tick box exercises, they are business critical.
That’s where Vanta comes in. Vanta automates up to 90% of the work for security and compliance, helping you get audit ready in weeks, not months. It integrates seamlessly with your tech stack so you can spend less time chasing documentation and more time leading innovation. If you’re a CTO, CISO or head of security, it’s worth taking a closer look. Visit vanta.com KBKast, v a n t a.com KBKast, to learn more.
So I want to zoom out now and talk to you about how cyber is now deeply tied to like geopolitics, AI. We’re seeing it, we’re hearing about it. I’m interviewing people about this all the time, so maybe Dmitry, talk me through.
How is the threat landscape moving differently across regions? And like, what are you sort of seeing? Where are companies more exposed now given the geopolitical climate at the minute?
[00:31:01] Dmitry: Let’s split it in three buckets.
First, it is about financial cybercriminals.
Second is politically motivated cybercriminals, whom we consider hacktivists, and nation state actors.
The last two categories usually focus on regions where there is a potential conflict, like it was in the Middle East recently, in Europe, between the UK and Russia. And everywhere there is a hard situation, you see a lot of activity from nation state actors and hacktivist groups. With cybercriminals the situation is different: cybercriminals always follow money. Where it is easier to earn money, where it’s easier to do money laundering, that will always be a priority for them. Schemes will be different, tools will be different, scripts they use will be different. Everything can be different, but they still will focus on money. For example, we see that there are specific, let’s say, bubbles in Latin America. It’s very different from the rest of the world. There are local groups that are targeting only local companies, because they have a very good understanding of how this local financial ecosystem works. They understand how to do money laundering, they understand the psychological aspects of victims and how to trick them in the right way. That’s why the infrastructure is also in the region. The malware developers are in the region and everything is tailored to the region. In Asia it’s very different.
A different type of malware, usually backed by Chinese speaking threat actors. They may be based in other countries where they speak the Chinese language. They are the most active, most advanced, using really, let’s say, cool tools. That is interesting to research, because it gives you a lot of knowledge of how threat actors operate and what we are going to see next in other regions. But they are quite advanced. And now we see that all these scam call centers that operate now in Latin America, in Europe, in the Middle East, everything comes as a technology, as an approach, as a common practice from Asia, from what we saw there. So that’s why criminals are very different.
Basically there is regional uniqueness everywhere. But they always follow the money and to get rid of it, that is almost impossible. You need to block oxygen for them. And oxygen for them is money laundering. Because at the end of the day, even if the attack was successful, they need to do this money laundering first and then get their money back. So that’s why if it’s possible to block the money flow, the level of cyber attacks, scam calls and everything we see right now will reduce significantly. And again, that cyber fraud fusion approach and the example that I gave you when we were talking about banking, because of that.
[00:33:51] KB: Yeah. And I interviewed one of the threat intel analysts at Mandiant recently, and even some of the stats there showed a huge surge, cyber criminals just going up, because it was all about the money, and then it wasn't about the money, it was just a fact of doing cybercrime. Now it's all about the money again. Do you think as well, because now with lots of things going on in the world, we're going to see another massive spike in cybercriminals? It's easy to get into, because back in the day you had to be somewhat smart to be a cybercriminal. Now the barrier is super low. You can outsource it to certain criminal groups to do certain things, et cetera. If there's no treaty with the country, you can be living in Timbuktu and no one ever finds you. And if they do find you, you can't be extradited back to get prosecuted, et cetera. That's just what's happening. So do you think that now, given everything you've just spoken about as well, we are going to see many more criminals doing this sort of stuff? Because it's easier now than it was before; compared to back in the day it's definitely easier.
[00:34:54] Dmitry: There is definitely a big surge in activity. And again, unfortunately I have to say that it's mainly because of artificial intelligence and how easy it is to use.
And when we talk about fraud, it's mainly driven by deepfake voice, video, all of that. It really works brilliantly in favor of fraudsters.
But what I cannot agree with 100% is that it's hard to identify and hard to at least arrest these people, even where they believe there is a safe haven for them. That's not true. It's always possible to stop these actors, even if they are in so-called secure locations. We've seen it many times. Even in Cambodia people were arrested. It depends on the will of specific nation leaders. If you really want to enforce it, it will be enforced. If you really want to come and take over these threat actors, it will happen. It just depends on the scale of the problem. But even if it's not possible to do it quickly, we don't want to wait, for example, the next five years until the problem becomes extremely big and then somebody takes an ultimate decision to solve it in a very rude way. Again, close the oxygen flow, close the money flow, and it will solve the problem. I'm not saying that's easy, but probably we just need to focus our attention on what exactly we want to do. Do we want to investigate? Do we want to focus on IRs? Do we want to focus on doing incident response, collecting technical intelligence and so on? Yes, we need to do that. But probably the attention should be switched to something else. And something else is basically this collective defense. Identify how money flows in the country, across the region, to stop that and block cybercriminals.
[00:36:41] KB: Okay, so just to clarify, you're saying that if companies, governments, whatever want to go after someone, they can; there are ways of doing it. That's interesting, because I've spoken to so many people over the years and it's super hard to find these people, number one. Number two, it's hard to prosecute them, because we've got to get all the evidence. And, you know, maybe they've done a good job at covering their tracks. But then there was maybe one part of it they did, and that's the part we have to prosecute them on. But then do you think as well that, I mean, look at a bank, right? Just say, and I've seen this happen.
Someone siphons, you know, cyber espionage, siphons out a bunch of money from the bank or someone's account; they can just replenish it. But then is it worth their time to be like, oh well, you know, Dmitry had 100 cases done out of his account. Is it worth the time to do that? Because for some of these companies, they just rip that money in the back of their Maserati and they just keep going. So is it worth it? Or, to your point, is it worth doing the other things, with the intent that going after these people will be reduced as a result of doing the other stuff? Does that make sense?
[00:37:43] Dmitry: Yes, absolutely. But again, we should not divide it into black and white. We should do both, because something will be more efficient in a particular situation.
In some cases, yes, it's worth it to identify these people and do these investigations. I don't say that's easy, but it's possible.
And it's definitely possible in many cases.
And why I'm saying we need to focus on that first is because it stops the root cause of the problem. It stops the people who do this.
And again, stop it once and you will prevent thousands of incidents in the future. Because we're talking about the digital space. The scale in digital is not the same as in the physical world. Again, stop it once and thousands of cases will be prevented.
We want to prevent bad things from happening.
When I talk about the second approach, about money laundering, it's not because we are going to stop them completely, but we will make it really hard to earn money on that.
Probably they will switch to something else. They will definitely switch to something else. They will never stop. They will switch to another country, they will switch to another industry. They will find another way to earn money.
Maybe they will even decide to open a legitimate business, who knows. But they will switch attention, because that will not allow them to earn at the same level of earnings as it was before. And it's not easy, but it's still possible.
The reason why it is not possible to block it right now is because fraudsters understand how the financial ecosystem works. They know how to stay under.
And one of the reasons why it's possible is because banks do not share information about fraudulent activity in the country.
Why can we not share that? Because, again, we live in the world of instant payments. That means that you need to share in real time, and again you are not allowed to share, because fraudsters, or suspected fraudsters, are personal information; it should stay in the bank. You are not allowed to share it with others, even if you want to, even if you have all the needed details; it's just not allowed. Or even if you share it, you cannot actually operationalize it in the right way, because you probably received information that you should not have received. That's a limitation.
[00:40:05] KB: So then just to confirm, are you saying as well, just say there was an incident, a cyber criminal got caught, it's in the media, all that. Do you think that will then deter other cyber criminals? To be like, oh well, that guy got caught for doing a massive crime or even a small crime. It will start to hopefully deter people from doing it, because they know that there is a possibility of being caught, whereas historically it was a lot harder.
[00:40:29] Dmitry: Well, that's another example. Again, the most active threat actors will be stopped just because they are arrested. So that means when you are in jail, it's hard to do any kind of activity. It's still possible, but it's significantly harder. Will it affect other criminals that are not arrested? Yes, because they look at the situation and they understand that it's not as secure as it was before. That's another approach. I really like what happens with some operations that are led by Europol and Afripol, and Interpol of course as well. When they do big operations, they understand what is the other part of the ecosystem. And even when they don't have enough evidence to confirm that they are criminals, they know that they are part of this criminal chain, but they don't have enough evidence. They can approach them saying, I know that you were involved and this is my early warning signal to you: stop now, because you are already on the record or you'll be arrested soon. And this is what really changes the minds of people, because they take it seriously. They know that now the police know about them, they know what they did. Even if it's hard to prove in court, they know, and it's a very powerful signal.
[00:41:38] KB: That’s interesting.
So Dmitry, just to sort of close out our interview, what do you think now, moving forward, for the industry? I know we've covered a lot of terrain here, but maybe just closing comments, final thoughts on how the industry can move from reactive to more predictive security.
What can you leave us with today?
[00:41:56] Dmitry: Switching from reactive to predictive is number one. Second, let's stop the money flow that feeds the criminal ecosystem. And to achieve it, it's all about collective defense and sharing signals across industries, including the financial industry. And let's help the public sector to identify threat actors and arrest them, because it really helps to prevent huge damage.
[00:42:20] KB: That was Dmitry Volkov. The thing that I’m going to be sitting with from that conversation is his argument that you can’t stop cybercrime by chasing attackers. You stop it by blocking the money laundering that feeds them. If you’re a board director listening to this, the question to ask your security leadership isn’t how fast you can detect a breach. It’s whether your cyber and fraud teams share data, and if not, why not?
I read every reply. If you got some thoughts on this one, send me a message on LinkedIn.
KBKast – Cyber for the C-suite.