Risky Business - Risky Business #711 -- Albanian authorities raid MEK camp over Iran hacks
Episode Date: June 20, 2023

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover:

- Albanian authorities raid MEK over Iran hacks
- Microsoft admits ... "Anonymous Sudan" took down its services
- US Government puts $10m bounty on CL0P
- A deeper look at the Barracuda hack campaign
- Much, much more

This week's show is brought to you by Material Security. We'll be hearing from one of Material's friends, Courtney Healey, senior manager of insider threat at Coinbase, in this week's sponsor interview.

Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Show notes

- Police raid Iranian opposition camp in Albania, seize computers | AP News
- Risky Biz News: Microsoft embarrassingly admits it got DDoSed into the ground by Anonymous Sudan
- Anonymous Sudan and Killnet strike again, target EIB
- Pro-Russian hackers remain active amid Ukraine counteroffensive | CyberScoop
- Hackers infect Russian-speaking gamers with fake WannaCry ransomware
- US puts $10M bounty on Clop as federal agencies confirm data compromises | Cybersecurity Dive
- Catherine Herridge on Twitter: "Tonight, sources tell @cbsnews senior government officials are racing to limit impact - of what one cyber expert calls - potentially the largest theft + extortion event in recent history. USG official says no evidence to date US MIL or INTEL compromised. https://t.co/R4f6naFqFx"
- U.S. government says several agencies hacked as part of broader cyberattack
- Clop names a dozen MOVEit victims, but holds back details | Cybersecurity Dive
- Another MOVEit vulnerability found, as state and federal agencies reveal breaches | Cybersecurity Dive
- Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China | Mandiant
- New DOJ unit will focus on prosecuting nation-state cybercrime
- EU states told to restrict Huawei and ZTE from 5G networks 'without delay'
- The US Navy, NATO, and NASA Are Using a Shady Chinese Company's Encryption Chips | WIRED
- Widow of slain Saudi journalist Jamal Khashoggi files suit against Pegasus spyware maker
- Jamal Khashoggi's wife to sue NSO Group over Pegasus spyware | Jamal Khashoggi | The Guardian
- Bipartisan bill would protect Americans' data from export abroad
- District of Nebraska | Massachusetts Man Sentenced for Computer Intrusion | United States Department of Justice
- I Was Sentenced to 18 Months in Prison for Hacking Back - My Story | HackerNoon
- CID-FLYER-TEMPLATE
- New FCC privacy task force takes aim at data breaches, SIM-swaps | CyberScoop
- Bloodied Macbooks and Stacks of Cash: Inside the Increasingly Violent Discord Servers Where Kids Flaunt Their Crimes
- Russian National Arrested and Charged with Conspiring to Commit LockBit Ransomware Attacks Against U.S. and Foreign Businesses | OPA | Department of Justice
- BrianKrebs: "Haha love it when a data ranso…" - Infosec Exchange
Transcript
Hi everyone and welcome to Risky Business. My name's Patrick Gray. This week's show is
brought to you by Material Security and a little bit later on we'll be hearing from
one of Material's friends, Courtney Healey, who is the Senior Manager of Insider Threat
at Coinbase. And she's joining us in her personal capacity to talk about why addressing the insider
threat takes more than just rolling out a DLP program. So do stick around for that one. But
first up, of course, it is time for a check of the week's security news with Adam Boileau. And Adam,
over the last couple of months, we've been following these, you know, huge intrusions
into Iranian targets like hack and leak operations targeting the Iranian
president's office and whatnot. And, you know, we've sort of thought that this was the opposition
political party MEK, which these days is based largely in Albania. The Albanian police have just
raided the MEK compound in Albania. A bunch of people have been injured. It looks like one person may have died during this
raid. And the purpose of the raid was to seize evidence of these cyber incidents that have been
targeting the Iranian government. Yeah, the MEK is accused of running a, quote, like hacker center
based in one of these camps, which was supposedly carrying out these operations
inside Iran, which, you know, certainly sounds believable. And now we've seen, you know, the
Albanian police seize a bunch of computers and systems from this hacker center, and, you know,
perhaps more information will come out from that. You know, we've talked a bit about how successful
some of these campaigns against Iranian institutions have been.
So it's not surprising that the Albanians are feeling some of the pressure
from allegedly hosting the place where this activity comes from.
Yeah.
I mean, you can understand why the MEK is doing what it's doing,
but expecting the Albanians not to push back on it,
given that the MEK exists in Albania kind of at the discretion of the Albanian government, right?
And one of the conditions of them being there
is that they don't do stuff like this.
Yeah, it certainly does seem at odds with the description of the camps
as for humanitarian purposes, like a place for them to have some refuge,
but then attacking onwards into another country.
And especially when we've seen retaliatory attacks
against Albanian institutions,
presumably as a result of some of this activity.
You can see why it has become a bit contentious for them.
Yeah, so what's really weird is we've got this cyber conflict
playing out between an opposition party in exile based in Albania
and Iran, and Iran then attacking the Albanian government.
I mean, it sounds pretty amazing when you just say it out loud, right? Like, what a world
we've arrived at where that's going on. But, yeah, you can absolutely see why the Albanian, you know,
authorities are interested in cracking down on this and trying to restore some order to, you know,
their circumstances and relationship with Iran. It's just been really obvious that these intrusions were being done by the MEK
because the first time you would hear anything about them would be on the MEK's website.
Yeah, I think they had like a telegram channel that's been announcing a bunch of these attacks
and, you know, some coordination and so on and so forth.
So yeah, a little bit on the nose, I think, for the Albanians.
Yeah, I mean, it's going to be interesting to see
how they handle this legally, right?
Because they're obviously not going to extradite them to Iran,
but are they going to charge them with computer crimes,
targeting Iran, that the victim isn't even in Albania?
It's just such a weird situation.
Yeah, and it may just be a case of go shake them down,
make sure everyone understands where their place is,
and then it all gets kind of like quietly dealt with without it being turned into...
Well, the MEK don't strike me as the type of people who would respond to a stern talking to.
You know, like they're not fluffy bunnies based on doing a little bit of reading about the background.
I don't know all that much about them, but I think it's fair to say that they're not a bunch of fluffy bunnies
who you can just say, hey, stop that, and they will.
Yes, and I think that, you know, Albania also,
like, there's just so much relationship
between all of the parties involved that, yeah,
it's just a thorny, thorny mess.
Yeah, yeah, I think that is the way,
that is the word that comes to mind,
is the whole thing's a big mess.
Speaking of big messes,
Microsoft has finally admitted
that it was DDoSed successfully
by the group calling itself Anonymous Sudan, which is, as we all know, a front for pro-Russian activities.
Catalin Cimpanu, who works with us, did a pretty fierce write-up on this, actually, where he gave Microsoft and Russia both barrels.
But Katalin's main point in his write-up
is that you shouldn't be able to take down
like Azure services this way.
And I think it's a well-made point.
It absolutely is.
Like, I mean, some of the techniques they are using
are not traditional volumetric DDoS,
but they are techniques that have been around
for a long time.
Like, for example, the Slowloris attack,
where you, like, request a resource and then
don't acknowledge the reply, thus holding the connection open. Like, that's a technique that's
been used for a long time, and that Azure is vulnerable to that type of attack does seem a
little strange. Well, and hitting them with, like, incomplete HTTPS handshakes as well. Like, you
would think Microsoft should be able to mitigate this. I mean, well, I mean,
clearly they have gone back and added some mitigations for it. And, you know, I suppose I
have some sympathy for how fast and loose cloud operators have to move to kind of keep up with
the pace of everything, because, like, you know, it's hard as an end user keeping up with the pace of
development in cloud environments, let alone building them. So I have a little bit of sympathy,
but this is Azure we're talking about.
It's not like this is some third-tier rubbish cloud service provider.
This is where half the Western world hosts its stuff.
It needs to be able to survive someone not using their cache servers
or whatever else.
Yeah, yeah, yeah.
I mean, the good side, I guess, is that it was quickly mitigated, right?
Yes.
But it is embarrassing that they needed to roll out mitigations
to defeat these attacks.
But I just, look, I just think Catalin's done a terrific job
with his write-up.
I mean, he basically calls Microsoft a bunch of idiots.
He calls Russians a bunch of neo-fascist genocidal maniacs
and says that he needs to eat his words from his June 7 edition, when he
thought there was no way some media-whoring hacktivist posers would be able to down official
Microsoft services because they could barely keep the websites of a Nordic airline down for more
than 10 minutes. Savage. Oh dear, yes, some word eating required there, Catalin. But, well,
you know, he's right, which is, like, how
would you think that the same people who couldn't keep a Nordic airline down for 10 minutes were the
ones behind a DDoS against Microsoft, right? Like, you know, I don't blame you for making that mistake,
buddy, is what I'm saying. Yes, yeah, exactly. And, you know, on the other hand, like, I also feel like
for Anonymous Sudan, going and picking a fight with Microsoft, like, probably
also not the world's best move. You know, you can, you can denial of service a bunch of stuff, and
they have, but going after Microsoft does seem to be asking for trouble. Well, how? I don't get that.
You said that to me before we got recording, but I don't see how it's really going to cause them
much drama, considering they're just going to keep DDoSing people. They're based in Russia.
it's not like they're going to get arrested, you know.
So why is this a bad thing?
Like, I don't understand how this could be.
You know, I would understand that if they went off and started dropping wipers on US
critical infrastructure, that it could be a bad move for them.
But, you know, DDoSing Azure, I don't know.
No, I mean, just Azure is very important to a lot of things.
Yeah, but you're blaming them
for this instead of Microsoft.
This was Microsoft's incompetence
that let this happen.
My instinct would be if I were a hacker
crew, then I would attempt to
keep a slightly lower profile
but once again, they are
just a Russian front. They can do what they please.
And their whole job is to have profile, right?
Like the whole point of them doing what they do is to do this.
And you know what's crazy is like Microsoft put out its admission
on like a Friday afternoon on this.
It's so – like everything about this is so Microsoft,
which is no, no, nothing like that happened.
And then, oh, maybe it happened a little bit and then it's like,
yeah, it happened.
It's like, you know, we saw similar things
when they had source code pinched by Lapsus.
And then, you know, they got owned in the SolarWinds stuff.
And first they were like, oh, you know, we got a tiny bit owned.
But no, I think they actually got quite a lot owned.
Just very, I don't know, man.
It's so funny.
Like Microsoft is better.
Even now is better than it was, you know, 20 years ago.
But like some of these old habits just obviously die hard, right?
Yeah, maybe those of us with, you know,
who've been doing this for a long time and have the long memory
are still comparing to, you know, the Microsoft,
the borders ActiveX and IE6
and all of the other terrible things that happened 20 years ago.
But, yeah, the world has definitely changed
and they need to do better than this.
Yeah, they do.
Now, look, you know, speaking of the Russia-Ukraine
hacktivist cyber war, it's just depressingly petty.
You know, like one interesting one,
you and I spoke about it last week,
was when some Ukrainians wiped routers, right,
at a Russian telco that provides services
to like the Russian central bank, right?
And this caused some major drama.
In response, like Anonymous Sudan and Killnet working together,
wink, wink, managed to like DDoS the website of the European Investment Bank.
Yeah, you showed them, mate.
You showed them, buddy.
Slow clap for Anonymous Sudan and Killnet.
And, you know, we got another story here about, like, Russian-speaking gamers
being directed to fake gaming websites
to have, like, what is it, like, wipers and stuff
dropped on them?
Like, fake WannaCry.
Like, ransomware that claims to be WannaCry 3
but is not.
It's just some open-source ransomware
that's been rebranded.
This is not the cyber war we were promised.
No, exactly. We were promised
kinetic effects and power stations
going boom and melting down
steel plants. We were promised
Reaper drones going
rogue, you know?
This is what Hollywood promised us
and instead we get
fake WannaCry 3
attacks on Russian-speaking gamers.
It is a little underwhelming, isn't it, when you put it like that?
Yeah.
It is.
It is.
Now, look, let's move on, obviously, to the two big stories of the week.
And I guess they're the two big stories of the month, though.
The Clop stuff, right?
So there's the MOVEit stuff, and that's just continuing.
Like, now that we're in the harvest season, as we spoke about last week, it is harvest season.
But it's just turned into this absolutely huge big deal.
And there's also some interesting stuff to talk about on the Barracuda campaign, right?
But first up, let's talk about the MOVEit stuff.
The US government has put a $10 million bounty on CLOP.
Don't know how much that's going to help when they're pretty obviously based in
Russia. I mean, who knows? Maybe there's a couple of members or contractors or affiliates, or I
don't even know how they structure their operations. I mean, maybe they're going to see something out
of this. But what's interesting to me about this $10 million is it's a recognition that a group of
criminals just targeting vulnerabilities in file transfer applications is worthy of a $10 million government bounty.
It's just, you know, it's depressing
that you need to put a reward out
for people doing something so dumb.
Yeah, yeah, it certainly is.
And, you know, the CLOP's path through this process
has just been kind of pretty well worn
over the last few years.
And there is a recognition that their approach
has worked pretty well for them,
that they're now staring down the barrel of a bounty like that, of being, you know, most wanted,
etc. But, yeah, they've been very effective, and, you know, I don't got to hand it to
them, but kind of do got to hand it to them a little bit. But, you know, they are doing what
they have chosen to do very well. Yeah, and it's blown up in the mainstream media in the United
States. Like, there's clips, I'll link through to one from CBS in this week's show notes.
If people want to go have a look,
but it's like,
Oh my God,
you know,
the biggest,
the biggest breach in recent history.
I love,
I love that caveat there.
Cause they make it sound like it's historic,
but say in recent history,
but you know,
they're pointing out that last month.
Yeah.
But I mean,
you know,
marquee names are getting taken down with this.
Like a lot of U.S. government.
I think PwC is caught up in this and, you know, just a bunch, a bunch of orgs, like, which I guess isn't surprising
to us but certainly is surprising to the average person. Yeah, and especially when
it's your Department of Agriculture, Department of Energy, the Office of Personnel Management. Like,
these are names that, you know, in the U.S. are big deals, so you can kind of see why it is getting a
bit of hype. But, you know, it is also funny seeing it, you know, reported like that on a major,
you know, major TV news. Yeah, yeah. And, meanwhile, there's another bug in MOVEit, like a third.
Is this one being, this one's been found by, like, someone with good intentions, though? I, yeah, I think
someone has been reviewing the code and has found another. But it does not bode well for the quality of that piece of software, and, you know, if there's three remote
code execs in it, what's the chances that there's four, five and six? You know, pretty reasonable. So,
yeah, if you're one of the unfortunate people who are running it, then, you know, it's probably going
to be quite a long year. Now, look, I mentioned earlier that the, you know, the Barracuda
campaign. That's so good. Well, this, this is the thing, right?
So we spoke about it last week.
I can't remember if it had been attributed to China already.
I think it had.
I think it was pretty clear that it looked nation-statey
and obviously the China tie-up, I think, was looking strong,
but it certainly firmed up this week.
Yeah, well, I mean, have a look.
We'll link through to it,
but there's a great write-up from Mandiant.
Yeah.
And it's amazing what happened here, right?
Because it's, yeah, it's definitely a Chinese,
like they've assessed with high confidence
that it's a Chinese government espionage operation.
They call it UNC4841.
That's how they've attributed this thing.
And what's incredible here is that when Barracuda became aware
of this happening on May 19,
they started pushing out patches on May 21,
and in response to that,
the threat actor accelerated its activities, right?
So it dropped different malware, started evading the patches,
and then just massively accelerated its targeting,
and it looks like they just went absolutely feral with this thing,
hitting targets in something like 16 countries.
A third of the successful compromises here were government.
And they were using compromised Barracuda appliances
to hit other Barracuda appliances.
And they kind of went huge.
And it reminds me a little bit of the exchange operation
in that they just have gone
absolutely big and broad with this.
But wow, you know, like as we were joking about,
like you don't got to hand it to them.
I mean, anyway, it just looks like it's a threat actor
who really knows what they're doing and doesn't really care
about getting caught, identified, whatever.
They just want to get as
many shells on as many boxes as possible. They even did lateral movement into a small number
of these networks, but mostly what they were doing is they were just, like, exfilling mail and whatever.
Yeah, I think when we saw Barracuda come out with that advice saying, okay, now everyone needs to just,
like, brick the appliances and get a fresh one, you know, that certainly felt like either they had found
through their investigation, you know, another level of backdooring, but reading the story it feels like
that was a response to Barracuda starting to react. And Barracuda retained Mandiant directly,
by the look of it, and they started investigating these things globally. Mandiant says in their write-up
that they were receiving, you know, telemetry from Barracuda's systems overall, you know, globally,
to be able to try and identify what was going on.
And so that movement to then go backdoor up into the BIOS
or the hardware may have come as part of that kind of ongoing skirmish.
And that certainly speaks to an actor that is not afraid
and not afraid to do whatever it needs to do to get on with its job,
but also just doesn't care about the response process
and the feedback and the discussions in public and so on.
So, yeah, I mean, it's a pretty serious biz operation
and Mandiant breaks down a bunch of interesting details
and gubbins of how that actually works inside the appliances
and they write up for anyone who's interested.
Yeah, I mean, it's real like,
it's proper Hollywood plot hacking, this one.
Cat and mouse.
Yes.
But I will say that I've heard through a source that this is actually a big deal
as far as governments, the affected governments are concerned.
Like this is actually being brought to the attention of serious people
and there's probably going to be some – you would think there's going to be some sort of response here,
but, you know, my colleague, our colleague, Tom Uren,
is working on analysing this
for this week's Seriously Risky Business newsletter
because, you know, you can sanction and indict these threat actors,
but it doesn't seem to disincentivise them, right?
So what is the correct response?
Yeah, well, and we've certainly seen some of these issues, you know, when there's been intrusion into
government systems. I'm reminded of the OPM hack a few years back. You know, it does spiral up into
being a thing that ends up being talked about between the governments and, you know...
Yeah, but in the case of OPM, that was valid targeting and it was a single organisation.
When you look at these exchange hacks and this Barracuda thing, they're hitting hundreds,
thousands of gateways, right?
Like that's, it's a different thing.
Yeah, but I guess like, you know,
in terms of the response options available,
you know, when you've got, you know,
potentially a proportional hack like OPM,
you know, then we've had some degree
of diplomatic kind of conversations about,
oh yeah, what do you do when it's this broad
and, you know,
in this case, this effective?
Yeah, I don't know what conversation would look like.
No, but this might tie in nicely with the next story
we're going to look at.
And Martin Matishak has written this one up for The Record.
The Department of Justice in the United States
is spinning up a new section of its National Security Division,
which is going to focus on prosecuting malicious foreign cyber activity
and also disrupting it.
Now, this I find very, very interesting, right?
So I can understand the FBI doing disruption to ransomware crews
and whatever because, you know, you can sort of squint and say,
well, yeah, that's a law enforcement activity
and doing disruption when you can't get the arrests.
Yeah, fair enough.
But then they went and did the big disruption against the Snake malware, which was FSB malware that wasn't even
really deployed all that much in the United States, right? And of course the FBI, you know, sits under
the DOJ, so we got this situation where DOJ is now taking on a bunch of the responsibility for disrupting, like, foreign APTs,
which I did not see coming.
I mean, I would have thought that would be more in, you know,
Cyber Command or NSA's wheelhouse.
But, hey, I'll take it.
It's fine, right?
Like, more hounds being released, it's good news.
Yeah, exactly.
Whose hounds they are perhaps less important
than the fact that they are hounds nevertheless.
It seems like part of the conversation seems to be about having the prosecutorial kind of support as well from inside DOJ to match the level of seriousness of the amount of work they have to do.
That part I get, right?
So to put together the indictments, right, to target foreign APT operators. The part that I was surprised by is they're talking about doing disruption as well. Yeah, so I'm, like, I guess I'm not 100% clear where the
delineations of responsibility are, but I don't think they are either, right? But, I mean, more of
it, clearly useful. And, you know, the amount of work they must get from the FBI to support the various
ongoing prosecutions and investigations, you know, clearly they needed some more resource. But, yeah,
exactly whose bailiwick is what, I am still unclear about. As, you know, perhaps they are too, I don't
know. Yeah, well, I mean, FBI seems to have been doing a pretty bang-up job lately. I mean, obviously there
would be wins coming out of Cyber Command and NSA that just no one knows about, but when you look at
the stuff that the FBI has publicly done, I mean, you look at the Hive ransomware takedown,
that was pretty spectacular.
You look at the snake malware stuff, also pretty spectacular.
So, you know, I don't know, maybe this is just about applying,
you know, adding some executives
where the FBI has demonstrated a capability.
Yeah, I mean, in the end,
however the US government decides to slice up the responsibility,
you know, it's still got a lot of work to do
and is getting a lot of work done.
So good for them.
Now, the EU has said that Huawei and ZTE are on the nose, Adam.
So it took them a while, but they're finally there.
It took them quite a while, but apparently they're quite there.
So the European Commission is going to ban the use of Huawei stuff
from its own internal networks.
But it's also urging member states to not use it.
Yeah, we've seen them specifically targeting the mobile equipment,
5G mobile networks.
So the sort of conversations that we were having in the US
and in the UK and Australia and New Zealand
a couple of years back now, maybe?
Well, more than a couple of years, man.
It's been going on a while, yes.
So the European Union does sometimes move a little slowly,
but they've got there in the end.
And I think understanding for them what it means
to have your communications infrastructure operated by a third party.
I was really pleased to see part of the conversation was,
like, it's not that there's backdoors,
it's that it's controlled by someone else that we don't trust
and they can make it do whatever they want.
And that was always one of my bugbears with this conversation earlier
was the framing of backdoors like it was separate
from the ownership of Huawei, when, in fact,
like it doesn't matter if it's backdoors or not,
when they can update it remotely by virtue of their support arrangements.
I mean, I think the concern here, just based on conversations
I've had with various people close to the Australian government
and whatnot, the concern here was really just that less that they were
going to pop shell and more that they could just turn it off.
Yes.
And when you look at the way China's been behaving, particularly since
Xi has come to power, you know, it seems like quite a reasonable concern, you know. And
these changes they've made to their espionage laws domestically, which basically make market
research espionage. I don't think China realizes the degree to which it just keeps shooting itself
in its foot. Like, it could have the global market for this stuff. It could be a world leader in 5G stuff, but, you know,
just no. Yeah, I mean, they absolutely, they could control the world in a different way
than this, and they seem to have missed that at some point, whether that's ideological,
whether that's something else. But, you know, I think history is going to look back at how China behaved
here and probably judge them pretty harshly. And look, staying on the topic of, like, China risks,
we got a great piece here from Andy Greenberg in WIRED, which looks at, look, I'll read you the
headline. It's how a shady Chinese firm's encryption chips got inside the U.S. Navy, NATO and NASA. And
i actually really liked this story
because it makes the point that,
okay, these chips could be compromised.
I mean, it's my feeling that they're most likely
not compromised or backdoored in any way,
but it's not really the point.
The point is that there's just so much stuff
washing around in our supply chains of,
keeping track of the origins is hard.
And the way this happened in this case
is the company was Taiwanese,
but has since been acquired by a mainland Chinese company
that's on the entities list, right?
So now we've got this weird situation
where there are chips supplied by a company
on the US entities list actually in equipment
used in sensitive places in the US government, right?
Yeah.
So the company in question is called Initio, and they make chips for doing encryption,
which end up inside hard drives that have built-in encryption modules and that kind of thing.
And the fact that they've been acquired by a Chinese vendor, it's so very normal for
this industry.
Understanding the relationship between the suppliers of all the various components and all your equipment is super complicated,
and then even, you know, if we're dealing with, like, the reality of a threat to, you know, encrypted
hard drives in this case, you know, understanding how the key management works, what does the
encryption, how it works, like, all the flows, is quite difficult. And Andy talks to a UK vendor
that uses this equipment but says
the way that they do the key management and the drives means that they don't trust that component.
So that's kind of, like, understanding how your hardware works, especially when it's not documented,
it's difficult enough. Understanding the business relationships between the companies involved
is also hard. And then even the entity list that we're talking about itself, like, that's a list that
is meant to stop US companies exporting, you know, equipment that is potentially sensitive
to Chinese organizations, and it's not really meant for use the other way around, even though that is
what is meant by it. So, like, the whole framework is also confusing. So, combined together, it does make you understand how you end up with,
you know, US entities not even sure if a subsidiary, like, the parent company of a subsidiary
being on the list means that they're in scope for it. Like, it's all a bit of a mess. It is a bit of a
mess, but I think it's, I find all of this very interesting because I don't think people quite realise the extent to which the entire global economy relies on supply chains that run into China.
Yes.
So one of the things that really screwed up the auto industry were the lockdowns in China, the COVID lockdowns in China.
After the rest of the world had opened up, China was still having these pretty aggressive lockdowns.
And the global auto industry couldn't get part supply from China. And, you know, it doesn't even need to be the sophisticated parts.
Like it doesn't need to be that, that we're talking about here. It can be stuff like plastic
moldings, headlight lenses, you know what I mean? The little, the little lens covers that cover the,
the indicators on the side of the car. You know, everyone loves to talk about decoupling,
right? Oh, we're going to decouple from China.
Good luck.
You know, I saw some really interesting comments
from some German auto executives at the time
when people were asking them, like,
how long would it take us to supply,
to like pivot away from, you know,
reliance at all on Chinese parts.
And they're like, well, it just can't be done.
But when it comes to stuff like this,
maybe they're the parts of the supply chain
we need to focus on.
Yeah, the bit sort of handling security-related,
security-critical properties, like in this case encryption chips.
You can imagine those being a focus.
But if you're willing to put backdoors in
or you're willing to modify or leverage the behavior of components of a system,
that's not always going to be clearly just security parts. Like, there's all
sorts of places where you're on the same bus or you're in the same device. And it also depends
on the effect you're trying to go for. If it's just to make a plane drop out of the sky,
right, you can apply effect in all sorts of different places inside the system, not just in
the obviously security-critical part. So it's a hell of a problem. Now, Adam, the widow of Jamal Khashoggi, the journalist who
was murdered by the Saudi Arabian government, she's filed suit against NSO Group. She
announced she was going to do this in September last year. We spoke about it at the time. She said
she was going to sue the governments of the UAE and Saudi Arabia and also NSO Group for
their roles in putting malware on her devices.
And yeah, she's pulled the trigger on that suit.
Yeah, I guess all of us who work in this industry
must imagine what it would be like,
finding out that your devices
had been compromised like that.
And especially in something as serious
as what happened to Jamal Khashoggi.
So at some point she was detained in the UAE. She was a flight attendant at the time. And her device... she was taken away for questioning, and her devices were infected at that point, according to the forensic records. So, like, she's making, you know, arguments about what that has done to her quality of life and how she feels about, you know, trusting the fabric of modern digital society. So, yeah, interested to follow this and see where it gets for NSO Group.
Now, I spoke about this last week
in Seriously Risky Business with Tom Uren,
which if you're not subscribed to,
that goes out through the Risky Business News RSS feed,
not this podcast feed.
But yeah, I spoke briefly about this with Tom last week,
but there's a new bill on the table in the United States
called the Protecting Americans Data from Foreign Surveillance Act
of 2023.
And the idea is it would outlaw the sale of personal data collected on Americans through
things like mobile app SDKs and whatever.
It would prohibit the sale of that information to entities based offshore.
I mean, cool, right?
But as Tom made the point, that's not... you know, it's not like the Chinese MSS turns up and says, "Hi, we're the Chinese MSS, can we please buy some data?" You know, they can do this stuff with front companies and whatever. And okay, you're making them break another law, that's great, but really the solution to this is going to be better general privacy regulations in the United States, and maybe outlawing the collection of some of this stuff. Like, just ban the collection of it.
Yeah, that was absolutely my feeling reading this.
Like, good start, good place to go.
You know, that's one easy way to sell it,
but comprehensive privacy legislation inside the US, full stop,
would prevent a bunch of this data existing in the first place,
and that's really the right approach,
even if this will, you know, be a good start, perhaps.
Now let's talk about, what's this guy's name?
Jonathan Manzi.
Oh, God.
31.
This is like some real galaxy brain stuff, I've got to say.
Wait, he's 31?
Yeah.
He writes like he's much younger than that.
He writes like he's 17.
I know, I know.
Yes.
I know.
This guy has been sentenced to prison for what he says is hacking back.
And in fact, he has written an entire blog post about his sentencing,
saying how unfair it is because he was hacking back,
and that's an entirely justifiable thing.
But, you know, them's the break, so he's off to prison.
Basically, what happened is an employee of his left to go work for a competitor. So he SIM-swapped the employee's phone, got into their Gmail, and then onwards, and wound up stealing a bunch of data from the competitor and, like, anonymously emailing it to that competitor's customers, like, "Did you know that they're doing XYZ?" And this is what he's saying was hacking back. I mean, look, at 18 months I reckon he got off light. What do you think?
There's certainly a degree of deterrence, that message that was meant to be sent here. But yeah, 18 months doesn't seem particularly much for what he was doing here. And, like, the guy's blog post is just a little bit unhinged, right? It kind of starts off as a "Well, I did this, and it was tit for tat, and, you know, they were asking for it," and then pivots into, like, a bunch of new age spirituality that he got after a spiritual event with a, like, homeless woman in San Francisco. Where he ends... he ends at the subhead on the last section is "Today I embrace the outcome of my actions with love."
I mean, like, if you were making a, you know, TV series or a movie about, you know, California tech startup culture, like, you'd be like, "Oh, that's just too on the nose, right, for the plot." I mean, he talks about the American dream and, like, it's just... yeah, it's weird. It's really weird. Like, the whole blog post is a fever dream, and I'd recommend people actually read it just because it's so weird.
It is so weird.
But, well, I guess, I don't know, he's going to spend some time in jail.
He can perhaps find the new spiritual outlet for his hacking.
You know, he's trying to talk about the Active Cyber Defense Certainty Act,
which was proposed to Congress.
I don't think it was ever actually passed.
But this would have been the hacking back, so-called hacking back legislation. He's like cyber stand your ground.
Yeah, cyber stand your ground. I love it. Oh no. But yeah, anyway, real nutty stuff. Go have a look at it.
We've got a real interesting one here that Catalin turned up, which is that a bunch of service members across the military have been receiving smartwatches in the mail that they didn't buy.
And when they've been turning these things on,
apparently they're pretty aggressively connecting
to all of the Wi-Fi around them.
And this alert from the Army Criminal Investigation Division
says that it's like trying to exfiltrate data
from mobile devices and stuff, which, I don't know, might be true. Feels a bit sus. What's interesting here is that they've said that what's likely happening here is people are doing false purchases, sending stuff to these service people so that they can leave, like, five-star reviews in their name. So it's probably not, like, an espionage thing. I mean, it could be, but just what a world.
Anyway, I've got a link through to the Army Criminal Investigation Division
notification on this.
It's a what in the world sort of thing.
They do say there's malware present which accesses both voice
and cameras on the devices, which sounds pretty –
that could go pretty badly wrong, but hopefully it's wrong. But it also sounds kind of made up.
But it also sounds a little wild, yeah, like a little bit cray.
So, yeah, I guess the moral of the story is if you are an Army service person
and you have received one of these watches,
I think everyone would be quite interested to have a look at it in some more detail.
Oh, look at this.
I won a raffle and I've got a new Xiaomi phone.
This is so exciting. I'll just log into all of my accounts.
Now, the FCC in the United States is spinning up a task force taking aim at data breaches and SIM swaps. So this is a telco industry task force. Adam, take that, T-Mobile.
Like, what? Let me just check. What year is it? 2023. How long have we been SIM swapping for? A little bit slow there, FCC guys. But yeah, I guess some kind of regulatory action against the American mobile operators is well overdue, and something that can make SIM swapping less of a problem. And as you say, like, T-Mobile in particular has had a pretty rough few years with the high profile of SIM swapping crews and the other bad things, crypto thefts and swatting and whatever else. So time for some regulatory action, just a little bit late there.
Yeah, I think the idea here is that they're just going to be able to levy massive fines. And look, it's a blunt tool. I'm not getting too excited that they're going to solve, you know, all of the problems, but the idea that they can just come in and say, "You suck, here's a $200 million fine," I mean, that is an incentive to improve your practices, right?
One would certainly hope so. I mean, $200 million should buy you a little bit of security review, perhaps, but yeah, we just have to wait and see whether they actually use these, whether the task force does some things, whether they use these powers, and whether they use them in a way that makes telcos, which are historically glacial getting anything done, actually make some changes that are meaningful.
I would think that some changes to SIMs, like, that would make SIM swapping harder wouldn't be all that difficult. Like, if someone walks into a store and says, "I would like to... you know, I lost my phone," why don't you pick up the phone and ring the number and see if anyone picks up? You know, send them a message, put a 24-hour hold on it, send the phone a bunch of messages saying someone's trying to port your number, you know, and if there's a disagreement then we'll kick it up to a, you know, more advanced support team or something. I'm just saying there's stuff that can be done here.
Yeah, I mean, I will say that the telco ecosystem, you know, of third-party vendors and retailers and so on and so forth, like, it is really complicated, and, like, making changes to that is difficult. But as you said, like, there is... surely there are some simple things that would make this, you know, introduce some friction into this process.
Yeah.
I mean, the crime ecosystem that all of this is supporting, right, like crypto theft and, you know, just general underground crime ecosystem stuff. I think what's different to how it used to be back in the day is the real-world violence in this scene, right? And Joe Cox actually has a story up for Vice Motherboard this week that really looks at that angle of this new young, angry and violent cyber underground, Adam.
Yeah, like, he's got a write-up of a bunch of the sorts of thuggery, I guess, was the thing that came to mind for me, of young people who've got a relatively straightforward, non-technical, not very technical way to take over other people's phones and devices and onwards from there. And having that mixed in with crypto theft and money and drugs and, you know, other, you know, kind of underground stuff like that. Like, it's not, you know, it's not the traditional hacker scene of the 90s anymore. Like, this is, you know, just, you know, thuggery being facilitated by relatively straightforward ways to take over people's phones and devices, and all the downstream consequences of lots of money, lots of violence, you know, communities like Discord communities where you can solicit crimes and all those, and violence. Like, it's a very different world than those where I grew up back in, 20, 30 years ago.
Yeah, no, it is very different.
The violence nexus stuff is relatively new, you know.
I mean, you used to hear stuff like someone who was involved
in Russian cybercrime got whacked or someone got the crap
beaten out of them because they did something wrong,
stole some money from someone or whatever, right?
But it wasn't like this.
Like it wasn't the bulk of the culture.
Yeah, yeah. And Joe's write-up really is... it's pretty grim reading, to be honest, you know, when you see, and seeing the tie-ins between, you know, youth communities, you know, Minecraft players or Call of Duty players, and the easy on-ramp into doing this kind of crime from those communities. But then also, like, some of the off-ramps, right, where it doesn't take much friction to push, you know, a young person out of this environment back into a, you know, more productive path in life.
I think one thing, though, that's interesting here is that
SIM swapping is at the centre of a lot of this stuff, right?
So, you know, there's a case to be made that the telcos need
to tackle this, not just for the, you know,
not just for some idea about cybersecurity,
but because it's actually their insecurity, their crappy job here is resulting in real
world harms.
I remember the first time I heard about SIM swapping, the first case I could really think of, it was actually in South Africa, where someone did a SIM swap on a mobile so that they could do an SMS-based auth, and I think they ran away with, like, 60 grand. And, you know, I just even remember thinking then, okay, well, that's gonna happen more.
Yes, yeah, yeah.
Yeah, and that was quite a long time ago now, and it's just the lack of action in the United States is just, yeah, mind-boggling. You'd even think, like, you look at apps like WhatsApp and Signal, how you can set up PINs where if someone SIM swaps you, unless they have your PIN they can't activate your service. What's to stop telcos from doing something, you know, similar? And of course there's going to be people who forget their PIN, you know, of course there's going to be some friction for stuff. But I guess what I'm getting at is that SIM swapping isn't an insurmountable problem. They're just not trying.
Yeah, and I mean, SIM swapping is a thing that, you know, we could have done at any point in the mobile world's history since GSM, but it's only become relevant now, and what it means to society, you know, in a more broad sense, is not a thing that the telcos have kept up with. Like, their role as a key part of the security ecosystem in the overall, you know, kind of modern world is not a thing that telcos have ever really taken on board or spent appropriately.
Well, there was the line that I used to use 10 years ago, Adam, which is all you're doing is transferring the risk from your help desk onto your mobile, you know, your employees' mobile carrier's help desk, right? So you think you're improving things. Maybe not so much. And, you know, uptake on stuff like, look, passkeys is going to help you.
Absolutely. Passkeys will help.
I mean, yeah, but it just frustrates me because a lot more could be happening. And it's just not.
Yeah. I mean, anything that ends up being in the realm of the telco to solve, like, they're, you know, they are not organizations that love change and move nimbly. So let's hope the FCC task force is like Oprah, but giving away fines instead of cars.
Yes, exactly. You get a fine, and you get a fine, and everyone gets a fine. Let's hope that happens.
Now, look, staying with weird law enforcement news too, like, I should, I probably should have put this with the hack back guy.
But you know,
you will double take when you hear this: "Russian National Arrested and Charged with Conspiring to Commit LockBit Ransomware Attacks Against U.S. and Foreign Businesses."
That is the heading of the Department of Justice release.
He was arrested in the United States.
Yeah.
What are you doing, buddy?
What are you doing?
That's just the wrong place to be a Russian cyber criminal.
If you want to be a Russian cyber criminal,
go to Russia where you're not going to get arrested.
I mean, this guy was actually living in the US.
I mean, what were you thinking?
He was thinking he had great OPSEC and he was wrong.
I think he's...
Right now, look, staying on that, and this is our last item for the week, I'm going to link through to this in this week's show notes. Brian Krebs has an absolutely terrific post up on Mastodon, and I'll read it to you. It says: "Haha, love it when a data ransom dump of a public utility extorted by Clop ends up providing a pivotal identifier for a top cybercriminal who just happened to live in the area served by the utility. Been stuck on this research forever until Clop posted a recent trove. Hashtag thanks Clop."
And that right there illustrates why OPSEC is so hard. Like, would you have had... at some point in the future, Russian cybercriminals will steal data and release it, dump it, and then that's the thing that ruins your OPSEC?
But what's crazy is, like, this is how a lot of the OSINT
on Russian cyber criminals works,
is because this sort of stuff has been stolen in Russia,
available in torrents and stuff,
and now we're getting the same stuff.
But, yeah, there is some pretty thick irony here
that Clop is now inadvertently doxing its mates.
It's certainly a wonderful time to be an open source
intel person or investigator or I imagine law enforcement
also enjoy this kind of thing very much
where they don't have to go through the process
of getting a warrant and raiding someone's data centre when it just shows up
in a torrent and you can help
yourself and onwards goes the
investigation.
Well, it looks like some cybercriminal is about to get their Brian Krebs dox wings. Every time Clop posts something like this, someone gets their dox wings, like a little angel, a little fairy.
Wonderful, wonderful work there, Brian.
Yeah, yeah, and very funny post.
All right, Adam, that is actually it for the week's news.
Thank you very much for joining me.
And, of course, we're not doing shows for the next couple of weeks.
We're kind of taking – you know, I always say I'm having time off,
in quote marks, because, of course, I'll still be editing our three times
a week news scripts and working with Tom on Seriously Risky Business.
But we're off air for a couple of weeks.
But yeah, we'll be back in three weeks.
Yeah, and I will talk to you then, Pat.
And I'm sure there's always going to be a million things
to talk about, but there's just an extra special chance
when you go on leave from the main show.
Cybergeddon is coming.
Cybergeddon.
So brace yourselves.
That was CyberCX's Adam Boileau with a chat about the week's security news.
And it's time for this week's sponsored interview now.
And yeah, this week's show is brought to you
by Material Security.
And they make a product that basically lets you vault all of your employees' email,
like their cloud email, O365 and Google Workspace and whatnot.
And if your employees want to go back and pull up an email from last year,
they might have to do something like go do a step-up authentication using MFA.
And this is a really handy thing if an attacker gets access to an employee mailbox somehow, right?
It's also useful in the case of insider threats.
And there's just a bunch of really interesting use cases that stem from having a vault containing all of your employees' cloud email.
So if that's something you want to know more about, head over to material.security and have a read.
But in this sponsored review, we're going to hear from Material Security's product manager, Matt Muller, and Coinbase's Courtney Healey. And we're all
talking about insider threats. So Courtney is here with a simple message, DLP doth not an insider
threat program make. And here she is to kick off the discussion. I would argue that there's been a
lot of insider threat programs that have become DLP programs, but these are fundamentally different. You're talking about data loss
prevention is stopping data from moving somewhere. And yes, that might be the goal of a lot of the
threat actors, but the threat actors and insider threat, depending on how you define that,
is very wide and they can materialize in very different ways. How a fraudster is going to approach stealing
information or monies, vice how somebody committing espionage, IT sabotage, these are
all very different. So this idea that you can have a tool only and consider it an insider
threat program, I would just say is in error. So I guess you're not saying DLP is useless,
just that it's not going to give you complete coverage against insider threat, which I think, you know, that's probably like, you know, a sensible thing to say, right?
Absolutely. It is a tool in the toolbox. However, it is not the only tool in the toolbox, and it certainly won't protect you if you think you're going to just implement any tool, turn it on and forget about it. That is certainly not going to protect you from a true malicious insider.
So how do you protect yourself from a true malicious insider?
Because, you know, it's one of the hardest problems, right?
Like it is one of those last remaining great, great challenges in InfoSec.
I mean, there are many difficult challenges in InfoSec, but these days they have solutions,
even if they're like often crazy expensive or really difficult to do, like there is at least a path towards getting there. But what's the solution here for insider threat?
Because there are some things that just make it inherently unsolvable, I guess.
So solvable is a different term. I wouldn't say you can always catch everything, of course,
but I honestly do think that this is a place for cross-functional information and for
building teams that have not just the technological experience, the ideas and the foundational
security apparatus and knowledge, but also need to have that background for culture, for HR,
interfacing with legal. I think it's actually a place where that multidisciplinary approach
is really what is needed because a lot
of your technical indicators are indicators, but the context isn't necessarily something you're
going to get from the tool in this case, like you would in other scenarios. You might get that
context from your HR partner, from the manager, from a legal scenario that you're looking at.
There's just a lot of various pieces that can come and enter play in this space. So it's
really an opportunity to cross-function. So you need like a Stasi-style insight into your
employees? Is this kind of what we're talking about? Like a role like the North Koreans?
I definitely would not make that comparison. But I would certainly say that the strongest
insider threat programs I've seen in the space are very multidisciplinary because they come from all kinds of backgrounds and different lines of thought.
You don't want just one type of security practitioner here.
You want people who come from all kinds of spaces, some that come from big corporate, some that might come from government, some that come from a mindset of let everything be free and open, and some that come from a zero
trust. Having those different perspectives all bouncing against each other is what actually
helps you find a true insider threat. So walk us through what that actually looks like, right?
Because it's great to say, hey, this needs to be a multidisciplinary thing, different people need
to be involved, but what are they doing and what are you hoping to catch with these people from many different
backgrounds?
Absolutely.
Well, first, we have to define what we're looking for.
And I think that's the biggest piece of this whole puzzle, right?
For insider threats, in my worldview, you're looking at everything from intellectual property
theft to financial crimes and fraud to espionage to IT sabotage.
OK, these are all very different disciplines.
So when you're building a team for this,
you want people who are coming
from those different disciplines.
So yeah, you want a fraud person
thinking about how a malicious insider
might do fraud stuff.
You might want some ex-FBI person
thinking about the espionage stuff,
like that sort of thing.
Absolutely, having the skill sets
and the experiential
differences among a team, the diversity really plays out in a positive way here. You do not want
a bunch of like-minded people. In fact, if possible, you want people who are going to
argue against each other because insider threat is a very unclear space. And you're talking about
a gray area where somebody might interpret something somebody did as completely okay.
And another person might say, oh my gosh, this could be a huge threat. What do we not know that they're doing?
Yeah. So I guess what you're saying is these people can help to identify the risks in the
first place and then can interpret stuff as it happens and have a good instinct for whether
something is bad or not. Absolutely. And also, frankly, bring that human component to it. Again, as technologists, a lot of us default to wanting tools to tell us
all the pieces of the puzzle. An insider threat, that is simply just not something that is feasible.
You need to have that human context for what pressures are being exerted on this person,
what parameters are being set, what is the business asking them to do that they need to do quickly?
And how are they trying to solution it? Because 99% of the time, people are trying to do the
right thing. And you have to be able to contextualize that to find the 1% that is not.
Yeah, okay. So like, I guess you're alluding to sort of inadvertent insider threat, right? People
doing the wrong things by accident. You know, that is certainly not to be discounted. That's
a very large percentage of the real insider threat damages that companies experience on the
daily. But that being said, that's almost a different scenario entirely than the person who
is, for whatever reason, either came into the company with intent to harm or frankly, turned
out. And it feels like it's a problem that's more addressable these days, right? Because it really
was that sort of inadvertent loss.
There were two things.
There was the laptop left in the taxi, right?
That was a big one.
And, you know, full disk encryption has largely mitigated that because that's something that is easy to roll out through corporate policy and whatever.
And the other thing was like companies not giving their employees access to stuff like, you know, cloud-based storage so that they could take their work home.
So they were always using their personal Dropboxes and stuff and those accounts were getting owned and, you know,
that was turning into a bad time. So yeah, it certainly feels like it's easier now to help
employees to do the right thing. Easier, but also in some ways more difficult because we also have
employees who are incredibly savvy with new technologies all of the time and can very easily not be aware. And that's the key piece too. I
honestly feel like that's a piece that is often missing from the technologies when we implement
rules is explaining the why. Because if somebody is trying to do their job, they're just trying to
do their job. If they don't comprehend- Yeah. Telling them not to do something isn't enough,
right? You got to tell them why. It's not. Exactly. You have to explain the why because
they will be a force multiplier if they understand what you're trying to protect them from.
Now, okay. You've explained that a lot of this stuff is about having the right talent,
you know, and the right thinking. Can you think of any sort of, and you've said that DLP is not,
you know, God, what do we call it? The silver bullet. I hate the term, but you know,
fair enough, right? Not a silver bullet. But what are some basic technical
controls that people should be thinking of when they're first starting to think about addressing
the insider threat in earnest, right? So I'm guessing DLP is going to be one of them. What's
another one that's maybe less obvious? So honestly, the less obvious is actually
more obvious than you would expect. And it's what I like to explain to people as like the Maslow's hierarchy of needs for an insider threat program.
You put insider threat at the very top because what it needs is it needs all those logging solutions.
It needs all the access controls.
It needs all of these very basic things that everybody knows is needed.
But you can't actually have a functional insider threat program without all of those tools interoperating in a way that you have a clear visibility and a good picture and kind of single pane of glass perspective of
what's going on in your environment. And incidentally, you need to know what your entire
environment is, which sounds easy enough, but for a lot of spaces that grow rapidly,
that's a challenge unto itself. I mean, this is going back to the
prevention versus detection stuff too. Like, the prevention versus detection debate.
And I guess DLP is about preventing, you know, the most egregious stuff.
But yeah, you definitely want logging when people start doing suspicious things with
data that they actually have legitimate access to, right?
And I think, yeah, you're right.
Like it is blindingly obvious, but it's amazing how many people don't think to log that stuff.
Absolutely.
Or frankly, anomalous behavior.
Because, you know, for an insider threat, a lot of times people are, when they're looking
for threats, they're looking for something that is unusual.
Well, you can't do that with an insider threat.
Their inherent ability is the fact that what they're doing is part of their usual job.
It's something they inherently have access and opportunity to execute.
So if you're looking for something that isn't what
they normally do daily, well, you probably missed it if they were an insider. So you have to find
what's anomalous. You have to find what is out of character for this person. Now, of course,
you're doing this interview in a Material Security sponsor interview, right? So I'm guessing you're a
customer of theirs. I imagine that, well, you know, it's
blindingly obvious that this is a solution that would be useful in addressing certain aspects of
the insider threat, right? Because you're locking away your employees' inboxes and if they want to
go back and retrieve a year-old email or whatever, they have to do a step up auth. I'm guessing that
was part of the case for actually getting Material in the first place, right?
So Material certainly offers a lot of controls for insider threats.
As it does for non-insider threats, candidly.
A lot of the tools in the space that you're going to want can do a hat for anything from a critical incident response team scenario. Being able to search and find this information, being able to neutralize somebody's capabilities, being able to actually put more granularity on those controls is something that that tool certainly offers and is very helpful.
Now, Matt Muller is from Material Security, and he's been with us this whole time, sitting there waiting very, very patiently for me to ask him a question, actually. But Matt, I guess my question is, from a material security perspective,
is of your customers,
how much of a selling point is it
that this stuff, that your tech,
can be used to address insider threat?
Because I'd imagine it's probably just what Courtney said,
which is it's just generally
a sort of foundational InfoSec thing
that has applications to insider
threat and elsewhere. But I'm just wondering, you know, of the customers who buy it, how many of them sort of mentioned that that's, you know, a big part of its use case?
A fair number. And I think, you know, one of the things about, you know, Material's data protection product is that it makes access to information provable, right? Somebody
had to do a step up auth. And when you're thinking about the difference between an individual that,
you know, oh, may have made a mistake and accidentally shared something with a personal
Gmail account versus, you know, intentionally trying to do something, that is where you're
able to demonstrate intent a little bit more effectively, right? You had to
go through multiple steps and that helps build a case. It's not necessarily dispositive, but it's
certainly helpful for saying, here's a building block that demonstrates somebody maybe acting as
a malicious insider. Yeah. Yeah. That intent piece, what Matt is saying is absolutely true
with intent and being able to prove intent is a very important thing when it
comes to actually addressing something with a potential insider, because you certainly don't
want to be out penalizing or being the big bad security apparatus who's knocking on doors saying
you messed up. People need to have bandwidth to make mistakes. But that being said, security
teams need to be able to demonstrate, no, actually, you had that opportunity to correct this action and you did this intentionally.
Well, I mean, there's different thresholds there as well, right? There's the threshold for HR,
is in, there's a threshold for please explain, there's a threshold for you're fired,
and then there's a threshold for we're calling the FBI.
Absolutely. And those are very wide and differing thresholds, frankly, depending on
all different types of corporate environments. Each company sets its own risk appetite,
and that in and of itself is something that gets very mature and differs depending on the size,
depending on the type of data the company is using and interacting with. So it's very personal to any
corporation, what that risk appetite is and what those thresholds are for meeting those standards.
So Matt, we were talking earlier and one thing you wanted me to ask is what are some of the steps that smaller security teams can take to start building insider threat programs, like simple things that people can do to build insider threat programs, technically, or technical
controls they can use. You know, you've got some ideas there that you wanted to share, basically.
Yeah, absolutely. And I think a lot of it can be done, quite frankly, with the existing
logging and audit trails that folks have in their systems, right? Just having that history
of what your employees have done is super, super valuable. Being able to build on top
of that, make access deliberate. If you have all of your sensitive data in Google Docs, do you just
share that broadly with everybody or do you explicitly share with the people who need to
know that information? Are you able to make access to sensitive information a provable event? That's one of
the things that Material does. And quite frankly, checking in with your folks and saying, hey,
I saw you access this thing. Can I just double click on that? It really gives people the impression
that the security team is out there and right, and is looking at things.
And I think one of the signs of success there is when folks start proactively coming to you and saying, oh, my goodness, you know, I opened this document. I didn't realize that this was full of
sensitive content. Just so you know, I'm bringing this to you. Yeah, yeah, yeah. All right, Courtney
Healey, Matt Muller, thank you so much for joining us to have a bit of a chat about insider threat.
Very interesting stuff. Cheers.
Thank you.
Have a great evening.
Thank you so much.
That was Courtney Healey and Matt Muller there.
Big thanks to Material Security for being this week's show sponsor.
And you can find them at material.security.
But that is it for this week's show.
I do hope you've enjoyed it.
I'll be back tomorrow with another episode of the Seriously Risky Business podcast that I do every week with Tom Uren.
But until then, I've been Patrick Gray.
Thanks for listening. Thank you.