The Voice of Cyber®

KBKAST
From Atmos SPHERE 2026 – KB On The Go | Everyone’s Business: Cyber Resilience from Government to Ground Level
First Aired: June 26, 2026

KB grabs the mic backstage at SPHERE 2026 by Atmos for two conversations that couldn’t look more different on the surface, but end up pointing at the same thing: where cyber threats really come from, and who’s pushing back.

First up, KB sits down with Lieutenant General Michelle McGuinness, Australia’s National Cybersecurity Coordinator, and Steph Way, Director of the National Office of Cybersecurity. They get into what those 60 actions under Horizon 1 actually delivered, how limited use legislation is changing the way businesses talk to government after an incident, and why cyber resilience can’t just sit with the technical few — it has to be something every Australian feels some ownership of.

Then James Taliento, CEO of AFTRDRK, and Jeremy Kirk, Director of Intelligence at Okta, bring it down to ground level. Cybercrime-as-a-service has made it possible for almost anyone with an internet connection to get in the game, and the latest wave of threat actors isn’t in it for ideology or even the money. It’s the thrill, the bragging rights, and a kind of rockstar lifestyle that’s being actively sold to a younger generation. It’s a candid, practical chat about what all of that means for defenders today.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

KB [00:00:10]:
I recently attended SPHERE by Atmos to sit down with some of the presenters on the day for one on one interviews and to meet with people attending to find out what brought them there and what they learned from the day. Over the next few weeks, we’ll be releasing these conversations to the public, providing rare insights into the state of cyber security and risk for Australia, New Zealand and on a more global scale. We’ll find out exactly what moving beyond just a responsive moment of crisis actually looks like. Stay tuned. So today I’m joined by Lieutenant General Michelle McGuinness, CSC, appointed as Australia’s National Cybersecurity Coordinator and Steph Way, Director, National Office of Cybersecurity. And today we’re discussing the interrelationship between the public and private sector and collective national security. Thank you both for joining.

LTGEN Michelle McGuinness [00:01:03]:
Great to be here.

Stephanie Way [00:01:04]:
KB, thanks for having us.

KB [00:01:06]:
Okay, so I really want to start and maybe Michelle, you can go first. What do you see as the biggest strides we’ve taken in cyber over recent years?

LTGEN Michelle McGuinness [00:01:15]:
Oh, look, that’s really hard to define. I spoke earlier about a highlights reel, but we have really in Horizon 1 focused on the foundations. We’re focused on making this a whole of nation endeavour and empowering every citizen and through them, businesses so that we can be clear on our role in our own cybersecurity and not be intimidated by it. We have every reason and every right to thrive in the digital ecosystem and the technology that we have available. But there are things that every one of us can do, I think beyond that cultural uplift that we’re driving. I’m incredibly proud of the trusting public private partnerships we’ve set up where we actually work across industries. We work with leaders across our economy to ensure that they are partnering with us and they have taken that obligation incredibly seriously. You know, our ability to reach every Australian relies on us going through every sector, whether it be critical infrastructure sectors and supporting them in their risk management and driving uplift and ensuring they understand the risks and the threats through to our business leaders who are helping with their supply chains, their customers and their employers.

LTGEN Michelle McGuinness [00:02:24]:
We passed legislation. In all we’ve done 60 actions under Horizon 1. That was a massive undertaking and it was something that I know that as a department and as a government, we’re incredibly proud of achieving it around the end of November, early December last year. So Steph?

Stephanie Way [00:02:44]:
Yeah, I think additional to that, the Act Now Stay Secure campaign that hopefully people have seen on their Netflix and on their Instagram has really helped bring cybersecurity into everybody’s lives. And like Michelle said, that’s really starting to embed it as a cultural norm so that people aren’t, you know, cyber isn’t just the responsibility of technical people or people with technical capabilities anymore. We’ve seen scams and advancing technology is just getting so much cleverer that we really need to ensure that Australians are smart enough and sensible enough to mitigate those threats and to keep themselves safe. And then I guess complementary to that is the responsibilities government feels to ensure that we’re doing everything we can to uphold the standards of technology companies, of organisations that provide our most critical infrastructure and make sure that they’re doing everything they can to keep Australians safe and keep those critical services operating.

LTGEN Michelle McGuinness [00:03:35]:
Can I add, I think also removing the shame around victims who are targeted by cybersecurity. I know a couple of years ago these were things that we hid or we felt super embarrassed by. This is something that we need to tell these stories. You know, it can’t be unimaginable anymore that we might be targeted. You know, Australians two years ago, really, our research demonstrated that they either felt it wouldn’t happen to them or there’s nothing they could do about it. We’re bringing them into the centre so that they understand the incredibly dynamic and outrageous threat environment that is out there targeting us every day. You know, the number of attacks, the number of attempts, the number of side of threat criminals that are targeting Australians, everyday Australians. You know, we need to make sure that it’s clear that you don’t need to be ashamed or embarrassed.

LTGEN Michelle McGuinness [00:04:25]:
You should reach out for help, you should reach out early. And we particularly want to partner with businesses so that we can minimise the harm and build that resilience to bounce back.

KB [00:04:34]:
And Michelle, just on that point, do you think as well that historically, as you mentioned, that it’s going to get to a point where people are. That feeling will dissipate that, oh, I’m not ashamed, I’m not embarrassed. Because it is that more awareness. Even when I started on the practical side as a practitioner, there wasn’t that much. The awareness, yes. But also just understanding more about it because like in movies and that people like look at the guy with the hoodie and they don’t necessarily think it could happen to me. Do you think over time it’ll get to a point where it’s kind of like the sun safety, like no hat, no play. I think here in Australia.

KB [00:05:07]:
Will it get to that point, would you say?

LTGEN Michelle McGuinness [00:05:08]:
Yeah, that’s what we’re driving. You know, we have great. We have great safety culture in the physical world. We know how to keep our kids safe. We know to look left and right when we cross the road. We know siplock’s that we’re big on call safety. Swim between the flags. Put your seatbelt on.

LTGEN Michelle McGuinness [00:05:23]:
Yeah, but we need to. We live in a platform centric society. We are benefiting across so many areas in this digital world that we need to bring that physical security culture into the cyber realm. You know, I’ve heard some incredibly brave people come forward and share their stories and that is super important so that people don’t know that they’re alone. There are so many people who don’t who think they’re alone and are embarrassed, whether it be a romance scam or a finance scam or just a vulnerability that they shouldn’t have clicked that link. I actually had a gut instinct I shouldn’t have clicked it. We don’t want people to be ashamed and embarrassed. We want them to reach out for help.

LTGEN Michelle McGuinness [00:05:59]:
We want them to actually tell their story and we’ve got real tools to help them help themselves. Steph mentioned the Act Now Stay Secure campaign. actnowstaysecure.gov.au, it has really great tutorials on the actions that people should take. So it tells us one of the important things to do. I’d love everyone to go there. It’s in 33 different languages and as I said, it doesn’t just tell you what to do, it tells you how to do it. So the top three items there is multi factor authentication. Always apply it have unique and complex passphrases of 15 characters or more on each of your accounts and update your software.

LTGEN Michelle McGuinness [00:06:39]:
These sound really basic and quite often I go and speak to really technical forums and I feel kind of naive and slightly embarrassed to raise it. But I tell you, this still accounts for the majority of incidents across our ecosystem, whether it be businesses or individuals. Those principles stand. So that site gives really great practical tips on how to do it.

KB [00:07:00]:
And then before we move on, what about industry? So I’m in media and then a breach happens and then people don’t want to talk to me, they don’t want to share. Maybe it’s because they’re not allowed to. They feel embarrassed. They feel like, well, what about my next role opportunity? How can we get to a point where it’s okay to share? Because by sharing we get to learn other things and potentially avoid those pitfalls. It’s just something I’m starting to see it come through, but at the same time I’ve had to go through so many general counsels and lawyers and legal and corporate affairs, will we get to that point, even on the industry side post breach, that it will be okay to share?

LTGEN Michelle McGuinness [00:07:33]:
Look, and Steph is on the front line of this, but we are seeing great developments due to our legislation that was passed, the Cyber Security Act in November 2024 that brought in a limited use obligation. What that means is that Steph and I and our team, we can have discussions with leaders, businesses, industry, who’ve had an incident and the information they share with us is limited use. We can only use that information to help them mitigate the circumstances and minimise the harm that has opened up that trusted early engagement. You know, there’s good reason not to talk about it. And KB, I’m sorry, with all due respect for the media, sometimes there’s a real operational imperative and I think we underestimate the tenacity and the agility of threat actors. And so quite often these businesses are dealing with a live threat actor who’s looking for their response. So when we see, when they see it in the media, you know, I’m, I’m not surprised by the agility and the, as I said, the tenacity of these criminals. So there are good reasons not to share details publicly, but we’re seeing a great development in sharing privately.

LTGEN Michelle McGuinness [00:08:41]:
And Steph, maybe you can talk a bit about your engagement with industry.

Stephanie Way [00:08:44]:
Yeah, and Michelle always says we have the great privilege of being really victim focused. So when these businesses are hit by cybercrime and it’s a ransomware incident is the most horrendous and stressful time for them. I mean, not only are these criminals often deeply offensive and deeply targeting and personal in their approach to these business operators and owners, but you know, what they’ve done is extremely egregious. And we see this in businesses who, you know, it might be in the health sector where their primary focus is providing world leading treatment and medical health provisions to patients. So, you know, they might not have invested heavily in their cybersecurity because they would think, why would anybody come looking at my business and I’m just a small medical provider. Unfortunately, you know, we liken these criminals to people walking through car parks just pulling every handle and seeing which door opens. So they are deeply opportunistic and it’s not always very targeted. However, once they are in, then they really ransom and make these really harmful claims and statements and make this a really stressful time.

Stephanie Way [00:09:47]:
So we have the benefit and privilege of sort of holding the hands of those organizations. And the people, because these have such a deeply human impact, these incidents, they are so awful to go through. And so we want to really support businesses and industry going through those motions. And like you said, get to a point where you’re able to freely share about how that happened, how you responded, how maybe it could have been prevented so that others can learn from that without having to deal with the same experience.

Stephanie Way [00:10:16]:
And we are trying to reduce that shame and change the tone around. You know, these do happen frequently and to all sorts of companies. It is not always a failing. It can be, you know, through things like social engineering, which are nothing technical or particularly complex at all, other than a convincing person on the other end of a phone line. So it can really happen to anybody. And we’re really trying to change that tone and narrative around the shame that people experience and in the hope that there is that sharing. And like you said, the media does play a really big part in that. And communications should be sort of front and foremost for a lot of these incident responses.

Stephanie Way [00:10:54]:
Listed companies have to report really quickly to the market and their shareholders, and that’s really important. But by working with us in that, we can help align any kind of government communications with their comms. I think it’s a really strong message for companies when they do have to make those statements, that they can also say that they’re working with government authorities and. And that they’re doing everything they can to mitigate the harms of the impacts for their clients and customers. And so that’s a really good thing. And we’ve had great feedback from companies that have worked with us through that response, including through the communications approaches that we’ve been able to take with them. So we’re just hopeful that while we’re hopeful that incidents get less severe and less in scale, unfortunately, that is not what threat is telling us. So we’re just hopeful that we can continue to have this really collaborative public private approach that we have with so many industry partners.

KB [00:11:42]:
So I’d like to move on and talk about what, as a nation, can we do to prepare for the unthinkable catastrophic cyber incident impacting our critical infrastructure? And it’s really important because now I do live in the US, as I was saying to Michelle before we started our interview today, and that’s a big topic of conversation and just how quickly something doesn’t work, and it’s a domino effect, and then people start to really panic. And when you have panicked people, you have chaotic people then. So I’m really keen to understand Perhaps from both of you. What are the sentiments here?

LTGEN Michelle McGuinness [00:12:17]:
Yeah, look, that’s a really great question. I think even having this conversation is a big part of that journey. You know, that realization of the possible is super important. The rapid threat sharing so that we can communicate. And Steph talked about aligning our communications and using both our convening power and our voice as a government to ensure that we don’t cause panic, to ensure that we are prepared. I will say preparedness is the greatest cure. You know, this is so important. Our Act Now Stay Secure campaign looks to really uplift the entire nation.

LTGEN Michelle McGuinness [00:12:48]:
But we also need to have that resilience, knowing that we’re not going to stop every attack. There’s no way we’re going to. Okay, but understanding the context, being as prepared as we can, and then clear communications. You know, we haven’t seen a catastrophic test across Australia. And every day, but every day we are alert to that potential and building our resilience and sovereign capability. If I can just touch briefly on sovereign capability working across the economy, ensure that we have the right cyber security professionals. We think we’re around 30,000 short. We’re working with our vocational education trainers as well as our higher education and research sector to ensure that we have the right throughput, we have the right structures, we have the right pathways, that we have the right culture.

LTGEN Michelle McGuinness [00:13:31]:
You know, you mentioned earlier the hoodie and the glowing green light. That is not, you know, that’s the impression of cybersecurity. But I’m here to say that it actually requires strategic thinkers, it requires problem solvers, it requires innovators and collaborators and leaders and policy experts. So we really want to myth bust around the isolated cyber operator sitting behind that glowing screen. Because I do think it’s important that, that we expand our diversity and we take all critical thinkers into that and we have to make sure that any school leaver or career changer knows they are welcome. And then there is a huge field here. So we have that desire to build our sovereign cyber professional capability, but we also want to make all professionals in Australia cyber secure. Of course, to Steph’s point about the health innovator, the person out there, whether it be not for profit or doing incredible work to support our citizens, they need to be cyber secure because they will be targeted.

LTGEN Michelle McGuinness [00:14:24]:
So we need every professional to understand their vulnerability if they’re working, which I’d argue today everyone is online. So that’s super important as well. Steph?

Stephanie Way [00:14:35]:
Yeah, I think that it’s interesting, like you say as well, when the comms piece. I think we’ve got a responsibility as a nation that if and when those incidents do happen, that we’ve got this great Australian culture of kind of mucking in and all supporting and having the right attitude about getting through the crisis, whatever the crisis is. So we see that bushfires and, you know, you know, we work really closely in the National Office of Cyber Security with others across government, including the National Emergency Management Agency and of course the Australian Cyber Security Centre. And so it’s this really collaborative approach across government when these things happen, including with jurisdictional governments, of course, which have a huge leading role when there is a crisis. And so it’s about leveraging the lessons we’ve learnt through Covid, through bushfires, through all of these other national crises to make sure that we have that same approach. It’s not about pointing fingers and blame and how this started or where it came from. It’s about how do we get through this? It’s about that public messaging piece which is so important. Right.

Stephanie Way [00:15:26]:
If we’ve got critical outages impacting things like major transport or even airports, how are we managing that? How are we communicating to citizens and providing that message of calm and ensuring that there is that assurance that government is working together, industry is working together, we’re all working to resolve the issue as quickly as possible. But then, like Michelle said with that resilience piece, it’s really about asking those critical infrastructure organisations that is done through our colleagues that are in Home Affairs, the regulator for critical infrastructure. So there’s a really collaborative approach with all of those sectors to bolster their resilience and prepare them as much as possible for the inevitable.

LTGEN Michelle McGuinness [00:16:06]:
Yeah, I think we come together very well and we saw it during CrowdStrike, but at the heart of that is that partnership that we have between governments and industry and citizens, because we can rapidly come together. And, you know, Steph spends every day we heard same looking at consequences and how we minimise them and understanding that impact. And as she said, working closely with the National Emergency Management Agency, we pull all arms of government together. So we have practiced this. I don’t think we’ll ever be fully ready, but we are prepared and we continue to work and exercise and test and really test our processes and test our collaboration so that we can rapidly respond.

KB [00:16:47]:
So I think the big question that a lot of people have at the moment is geopolitical tensions, given the current climate. So I’m curious to understand from both of you, are global conflicts worsening then, and how can Australian businesses respond to that threat? Because I’m hearing it a lot in conversations that I’m having. Not an easy answer, but you’re the best people to ask.

LTGEN Michelle McGuinness [00:17:14]:
You know, for sure, geopolitical tensions reduces our warning time. You know, when things become heightened, that warning time and those signals might get confused and mixed. But I have to say our preparedness is really threat agnostic. It’s really about being prepared for any circumstance. And those risk management plans that Steph has spoken about across our businesses, those exercises, they prepare us our engagement with citizens, they prepare us for all scenarios and that’s really important. I think it just becomes even more important to keep the communication lines open, to have genuine partnerships, real, you know, sharing, rapid sharing of what we’re seeing. And we have a number of forums across the economy that really get after that rapid sharing. So that if someone’s seeing something, we get it into our technical experts, we get it into our intelligence organisations, we can assess, assess the landscape and they can share in a de identified way, you know, what we’re seeing and what everyone should do about it.

LTGEN Michelle McGuinness [00:18:16]:
You know, we’re constantly. Our colleagues over at the Australian Cyber Security Centre within the Australian Signals Directorate have a great resource, cyber.gov.au, they’re constantly pushing out fact sheets, updates, vulnerabilities for businesses in particular. That is a really, really important resource to get after. So. So again, I think what we’re doing is strengthening us for any scenario.

Stephanie Way [00:18:43]:
Yeah, I think that sovereign resilience piece, we know there are huge supply chain critical points where, you know, we are vulnerable and there are those vulnerabilities. So encouraging industry to really have a look at those and interrogate what they can do, what the workarounds are, what their operating model would look like without any elements that they are dependent on and what they can do to mitigate any impacts to a particular system or a particular supplier, for example, that can really help build that resilience. And, you know, I think it’s partly about empowering culture within industry and within government too. You know, every organisation about empowering people to come up with solutions. Because there’s some really creative ideas that come out of a lot of the exercises that we run and sometimes it’s just about brainstorming that and letting people come up with some solutions.

LTGEN Michelle McGuinness [00:19:34]:
Yes, I was going to say, I think when I speak with boards, we talk about know your data. Okay. Know your systems, know your networks, know your customers and really understand that helps you understand that risk, that exposure and that risk picture and what they might need to stretch and how rapidly they need to respond.

KB [00:19:55]:
And then sort of lastly to bring this interview together. And I know we sort of touched on it before with the bushfires and other incidents, not necessarily decibel or tech focused that we can learn from. Is there any other learnings that we can all learn from other incidents that you can share with us today?

Stephanie Way [00:20:12]:
Yeah, I think we always say never underestimate the interest in your incident to businesses. So that media piece will come fast and quickly and it is really important to ensure that your teams are supported, that you get a lot of people into that crisis team and that they all understand their role and contribution. And you’ve got neat hand off points and that’s where practising that can really support in a very effective response if it does occur. And so that comms piece comes really quickly. Engaging with us early on can really dramatically change things. When we have, and like Michelle said, under limited use, we’ve got this trusted arrangement for sharing information in response to a cyber incident. The information is protected from both the NOCs and through the Australian Cyber Security Centre. And so they can share information even if they’re not sure about it.

Stephanie Way [00:21:05]:
It’s not being shared with regulators for enforcement purposes. It’s just about trying to work through that response together. And when you harness the power of many, it can be a lot smoother.

LTGEN Michelle McGuinness [00:21:15]:
So, you know, limited use gives an entity the ability to think out loud and bounce ideas off without, you know, without fear of making a mistake. That you spoke about as, even as a journalist, you’re speaking to lawyers and you’re speaking to, you know, we want to speak to the operators and we want to hear what they’re saying. You talked about learning, you know, I think we shouldn’t underestimate the very long tail of consequences. And we’ve seen that from our largest incidents, you know, going back three, four years now, we’ve learned a great deal. The other thing is that we are learning from all hazards, all incidents, all the time. And our partnership with the National Emergency Management Agency allows us to partner with them and use the National Coordination Mechanism to actually bring together all stakeholders who might have a role in mitigating or minimising the harm or managing those consequences. So for what it’s worth, if it’s reassuring, and I hope that it is, we are practising those things and learning from all crises management.

KB [00:22:12]:
And I think one of the insights would be just listening to both of you over the last 20 minutes would be breaking down those barriers for industry to feel comfortable going to government because

Stephanie Way [00:22:20]:
it kind of feels like, oh, like it’s mum and dad.

KB [00:22:23]:
So it’s about removing those barriers, and that’s really what I’m hearing here today. So, Michelle, Steph, thank you so much for your time. Really appreciate it.

LTGEN Michelle McGuinness [00:22:30]:
Pleasure. Thanks for having us.

Stephanie Way [00:22:31]:
Thank you.

KB [00:22:36]:
Joining me now in person is James Taliento, CEO at AFTRDRK, and Jeremy Kirk, Director of Intelligence with Okta. And today we’re discussing the modern adversary, including psychology, patterns and what’s next. So, gentlemen, thanks for joining me and welcome.

James Taliento [00:22:50]:
Thank you.

Jeremy Kirk [00:22:50]:
Thanks for having us.

KB [00:22:52]:
Okay, so I want to start right there. So perhaps, Jeremy, let’s get your view on painting a picture of what’s going on out there. Give us an update on moving beyond stereotypes. Bit of a lay of the land.

James Taliento [00:23:05]:
Yeah.

Jeremy Kirk [00:23:05]:
I mean, if you kind of look at the cybercrime landscape right now, it’s probably easier than ever to become a cybercriminal because of cybercrime as a service. So between underground forums and Telegram, if you want to have bulletproof hosting, you can buy that. If you want to get infostealer malware, you can rent that from another threat actor in their infrastructure. If you want to deploy an infostealer against a group of targets, you can buy a distribution service that will distribute the malware. So really, it’s allowing lesser skilled threat actors into the system. And I think that’s part of the reason why we’re seeing such an increase in scale of cybercrime too. I don’t know what James. I don’t know what James.

James Taliento [00:23:55]:
I agree. I think all of that is right. I think the other thing that kind of draws my attention is that cybercrime is sexy. Right. Being an outlaw has always been kind of like a cool thing, like a dark art. And you’ve got these young people that can do it without carrying a gun. They can go and deploy some malware, they can go do some crazy stuff, they can be impactful and get a little bit of fame, and that goes a long way in the environment that they’re operating within.

KB [00:24:26]:
Do you also think now as well, people’s version of a certain cyber criminal, it’s changed. And also, like you said, like, you can be in literally middle of anywhere and start like hacking a bank, siphoning money out and then moving on. And if there’s no treaty in place with that particular country, it’s really hard then to extradite that person and then prosecute them. So it’s becoming even easier now for people in terms of there’s not a lot of ramifications. So we’re seeing more of an increase. And now with AI and certain tools that you can buy throughout the process, you could be really anyone starting to do this as a, as somewhat of a career.

Jeremy Kirk [00:24:59]:
Yeah. To your point about threat actors, especially in the ransomware game, threat actors operate out of Russia. Russia doesn’t extradite its own citizens. So unless those threat actors decide to travel to another jurisdiction that would agree to extradite, they could remain kind of out there. And that’s, you know, I know James, you do a lot of attribution work as well. Like a lot of these characters are still out there and they’ve been at it for years. And if they don’t travel, there’s probably not much chance that the Russian government, for example, is going to do anything about it.

KB [00:25:34]:
Sure.

James Taliento [00:25:35]:
Yeah. Oh, every, every nation state has its own secret sauce. Like the United States intelligence community is very surreptitious. Right. We’ve got China, which is, I mean they’re, their motivation is primarily to compete on the world stage. Right. And be an economical superpower. They’re more engaged in like industrial espionage and they have military units and work with private companies in order to do that.

James Taliento [00:26:03]:
Russia on the other hand, is very different in the way they go about it. And I think it’s actually quite masterful is that they commission their criminal citizens to go and do their dirty work. Why? There’s always some state sponsored nexus somewhere and any Russian based cybercrime. And I find that to be very interesting because like as Jeremy said, they are not prosecuting their own citizens as long as they don’t break the golden rule, which is you don’t hack within the Commonwealth of Independent States. That’s kind of changed a little bit over the last year, year and a half where they don’t want, or I should say they’ve kind of geofenced off BRICS members. So it’s not just post Soviet countries, it’s expanded quite a bit. And these youngsters idolize that like who doesn’t want to be rich and live the rock star lifestyle, who doesn’t want to fly around in a private jet, drive a Ferrari? And that’s what these ransomware groups are doing. They’re out there telling, telling people like, yeah, you want to be rich and famous, you want to become a millionaire, do ransom.

KB [00:27:00]:
So is it kind of like when we saw the big surge in these influencers saying hey, you can buy my course to then tell people how to get rich? Is that sort of what’s happening in that respect?

James Taliento [00:27:12]:
I would say kind of. Right. Like so information is very accessible. AI’s made things very accessible. These communities are very robust and they share a lot of information. So it’s easy to kind of follow what the next guy’s doing. And then as you were saying, like the availability of these resources, all of these tools, you don’t even need to be sophisticated. You could just be like, hey, I want to use that, I want to use that.

James Taliento [00:27:34]:
I’m going to work with this guy. It’s just, it’s crazy.

KB [00:27:40]:
So Jeremy, I’m going to go back to you. You’ve spoken about online communities and tutorials lowering the barrier to entry, as we just discussed. So how are these communities shaping the psychology of new entrants into like cybercrime? And you know, as I said, it’s making it a lot easier. So what are we going to start to see moving forward now? I know you’re doing a lot of work then in this.

Jeremy Kirk [00:28:03]:
Yeah, I mean there’s lots of tutorials on how to do cybercrime online. And so that’s kind of part of the guide, I think. You know, we’ve been talking about sort of Eastern European, Russian ransomware actors and there’s also a group of, you know, English speaking threat actors that also specialize in data extortion. And you know, again to James’s point, you don’t have to be super technical to just buy stolen credentials. Like there’s markets where, where you can buy credentials and you can try those credentials, you can buy session cookies and basically be able to conduct identity attacks that way. So it’s in phishing, of course, phishing as a service. Kits, like you don’t have to build the phishing pages, you don’t have to build the infrastructure. You can rent the kit, get a list of targets that you want to try to get the credentials from.

Jeremy Kirk [00:28:56]:
Bypassing MFA is pretty easy these days. Like a one time password or a push notification. It’s easy to trick victims into giving up the token or pushing on the push notification and before you know it, they’re inside your systems then with access of all the privileges of that particular user too. And you know, we’ve seen groups basically specialize in getting into CRM systems, into payroll systems, extracting that data and then holding the people to ransomware or the organization’s ransom.

KB [00:29:26]:
And it’s more convenient like what you’re saying than like the old fashioned way of like robbing a bank. Right. Are we going to start to see way more of this now? Because depending on who I’m interviewing some people say yes, no, maybe so. But then what are your thoughts on that, James?

James Taliento [00:29:40]:
Absolutely. You’re going to see more and more and more of it. It used to just be very isolated regionally, right? Like where there’s the stereotype that, hey, all ransomware comes out of Russia in particular, but digital extortion on a whole, which is not just ransomware, it’s data theft, it is espionage and there’s so many different players and it’s kind of hard to figure out like who’s who in the zoo. It is expanding because there are no borders. There is an even playing ground that we’re all on called the Internet. And as long as you have an Internet connection and a PC, you’re good to go. So yeah, I think it’s, it’s again, it’s glamorous, it’s attractive. There’s money to be made.

James Taliento [00:30:18]:
Even if you have to do 10, 10 really, really bad things, somebody’s going to pay you, you’re going to make a lot of money. At the end of the day, if whether or not you know how to use that money is a different story because some of them can’t even launder it. But yeah, I don’t think it’s slowing down anytime soon.

KB [00:30:33]:
So recently I interviewed the former NSA Deputy director George Barnes, and he was just saying it’s even hard to get people to go and work like in government because now if you take out that the role of like how glamorous is to be a cyber criminal, it’s like TikTokers, YouTubers, it’s like people don’t really want to go and like necessarily work for government stuff then anymore. So they’re even finding that is an issue. And then equally like, people just knock on like universities or colleges. It takes too long. So it’s like to your point, it’s more glamorous potentially to go and like do a bunch of stuff then, oh, I’m going to do six years at college and then potentially get a job. So now I think that people are, I don’t know if they’re getting lazier, but I just think that there’s an easier option. People seem to be doing it.

Jeremy Kirk [00:31:16]:
I mean, yeah, the English speaking group of threat actors, I mean mostly people ignored them because for many years they were just stealing crypto from one another or targeting people on crypto platforms. What changed was that they started to attack enterprises and businesses, right? And suddenly there was this realization of like, oh wait, these aren’t just people, like in their own sort of sphere anymore. They’ve expanded and they’re now posing a threat to large organizations with big security budgets. And often they’re just running phishing campaigns and are able to bypass MFA. Some of them, you know, do use vulnerabilities, exploitation sometimes. But a lot of it is phishing based and you know, a lot of it is actually preventable too.

KB [00:32:01]:
And then the other thing I’ve been hearing as well is that some people didn’t know that they were doing it, then they fell into it, but then they can’t stop doing it because like it’s just too easy now. What are your thoughts on that?

James Taliento [00:32:12]:
Yeah, I think, you know, on theme everything is very accessible. I think economically things have changed over the last several years where there’s more people kind of swaying away from going to school because it’s so expensive and time consuming. Job market might be looking bleak and people don’t want to work for the government. So it’s really, it’s interesting to just kind of take a hobby like let’s say Internet addiction and expand on what you already know and start using it for evil. And there’s money to be made doing it, so they go ahead and do it.

KB [00:32:44]:
So what do you think the industry is doing to sort of try to right the wrong? And I know that’s not an easy question to answer because things are popping up all the time, but is there any sort of insight that you both have to share on how we’re going to try to defeat this?

Jeremy Kirk [00:33:01]:
I mean if I was a CISO I would kind of do three things. One thing is like lock down your identity and access management systems. Use phishing resistant passwordless authentication. So when you are logging into systems using biometrics and using passkeys like that’s you can’t phish that. There’s no secrets to be shared. Probably the second thing I would do is there’s just lots and lots of organizations are deploying agentic AI systems. So that is exposing a whole new attack surface to organizations. So if you, you know, the problems are going to be like you have an agent that’s over provisioned, right, that can access, you know, say Workday and can access Salesforce.

Jeremy Kirk [00:33:45]:
It can access other sensitive SaaS systems attackers are going to be looking for. They’re going to be using those tools in a way that benefits them as well. And all the advantages of LLMs of being able to collate lots of information, they’ll be querying those. So unless there are proper access controls around those agents and unless administrators know about those agents, even if they exist, there’s the whole kind of like shadow agent IT, shadow IT problem with agentic AI. So I think that organizations in the rush to push AI and to see the benefits, it’s also just going to open a huge vector for risk.

James Taliento [00:34:27]:
I think security needs to be made real. A lot of people are of the mindset, let’s gamify it and let’s just kind of go through these rudimentary standards and just do the old school traditional way of approaching security and it’s not working. All of these big companies have significant investments in security and they’re still getting hacked. So I think they need to drive a lot of their decision making with intelligence. They need to be informed about the things that they’re doing so that they’re not going to get everything, but they’re going to be able to prioritize the things that truly matter and that are going to be the most impactful. And then next to that, I think as a vendor based industry, I think we need to do a better job of conveying truth to customers. Right. One of the challenges I find within this industry is that people don’t really hear the ugly from the perspective of somebody who’s experienced the ugly.

James Taliento [00:35:23]:
They just go and they invest in a lot of product and there’s really no rhyme or reason to it. It’s not appropriately strategized and they’re not really forecasting the threats that they’re going to encounter. And once that does become real, and it’s usually when they’re calling the people at this event, right? Because there’s an incident and they need help, they don’t want to talk to us, but they have to now. That’s when things start to really illuminate for them. And I think they need to take more of those scenarios into perspective when they’re making big decisions for their business. So I think it’s a change. Ultimately my theme here is change the way you look at security overall.

KB [00:35:58]:
And they made a point about making it more real. And I think that even perhaps some of the scenarios, like it’s like, wow, we’ve sort of heard that for 20 years. Or even when I was working internally, like some of the, to put it more rudimentary, like awareness training was just really basic or a bit awkward. Are we moving away from that now? Because like I’m seeing some of it starting to come through, but there’s still obvious, there’s obviously a lot of work to be done. But to your point, are we going to get to the point this year or next where it does become more real.

James Taliento [00:36:29]:
It’ll become real when you’re calling the people here. Unfortunately.

Jeremy Kirk [00:36:35]:
Yeah, I mean I think like, you know, looking at your external attack surface, like looking at how attackers are exploiting systems, right. CISA publishes the top 10 list of vulnerabilities exploited. Right. So if you have like edge facing appliances, SSL VPN, those have always been gone after by the ransomware gangs, open RDP ports. Honestly a lot of it has not really changed in several years. So if you know what you’re exposing, how you can shut it down, move off old enterprise platforms that have bugs. I mean, you know, there’s one specific group called CLOP that goes after managed file transfer systems.

Jeremy Kirk [00:37:14]:
And it’s just kind of sequentially over the last few years attacked these different platforms, you know, funded their own vulnerability research, found a vulnerability and then gone sequentially through to those Internet exposed systems. So you know, it’s just kind of like looking at that and going, does that, does that management interface really need to be exposed? Because somebody else can find out that it’s there. So you know, the best guidance is out there. I mean, right. I think it’s hard. I sympathize with organizations that, where, especially organizations where IT security is just a small slice of maybe general IT admin too. It all depends on the maturity of the organizations. You know, you have banks and investment companies that of course are going to be able to, you know, buy the best in class, you know, things and hire the best people.

Jeremy Kirk [00:37:59]:
But most organizations aren’t like that. So it really comes down to figuring out, well, what, what can we do? Look at the threats, as James says, look at the threat intelligence, who is most likely to attack us. What are the common attack vectors and try to secure those.

KB [00:38:15]:
And then maybe my last question for both of you would be if cybercrime moves beyond financial leverage to reputational, psychological and operational leverage, how does that really start to change the defensive mindset?

James Taliento [00:38:29]:
So it absolutely is moving in that direction right now. We’re seeing more instances where it’s not truly financially motivated again. And it’s that environment, the Com, Scattered Spider, this younger generation of more Western English speaking threat actors. It’s, it’s about the thrill. It’s thrill. Like that’s a motive we’ve never really talked about in this industry over the years. We talk about espionage, we talk about sabotage, we talk about being financially motivated, ideologically motivated, you know, hacktivism, but that’s not what we’re dealing with today. And that’s why it’s so new and it’s so frustrating is that it’s thrill seeking and how do you compete with that? And to Jeremy’s point before, like they are exploiting things like jurisdiction, they’re exploiting things like health care issues. Right.

James Taliento [00:39:17]:
Like mental illness and whatnot to avoid prosecution and extradition. So there are a lot of tools and resources. Just like hacking an organization or a network, you’re hacking the system and it’s proven to be quite effective.

KB [00:39:30]:
Yeah.

Jeremy Kirk [00:39:31]:
It’s not only the financial payout, it’s the lure of peer adulation. Right. Because they’re operating in groups, especially the English speaking road hackers operating groups on Telegram and Discord working together to do extortion and then just being delighted with it all too. Right. Because if you look at these chats that they have, it’s really peer recognition, how much money they’ve made and it kind of poses a challenge for deterrence, I think.

KB [00:40:00]:
Well, Jeremy, James, thank you so much.

James Taliento [00:40:02]:
Thank you.

KB [00:40:07]:
And there you have it. This is KB on The Go. Stay tuned for more.
