86. Ex-FBI Agent: The Biggest Security Threat is the Human Behind the Keyboard

Hello, everyone, and welcome to another episode of the Security Podcast of Silicon Valley. I'm one of the hosts, John McLaughlin. I'm joined by the other host, Sasha Sinkovich. We have an amazing guest today, Trevor Hilligas.

Trevor, you have an awesome set of experience. You came up through the U.S. Army.

You're a fire support sergeant. And then from there, you jumped into the cyber center. Yeah, there was a couple of steps between there. But yeah, yeah.

Kinetic security to cybersecurity, I guess. Yeah, I'm just going off your LinkedIn. Do you want to do you want to fill in the story? How detailed do you want to go?

I mean, we've got a short amount of time here. It was an interesting background. So I guess I'll provide the 30,000-foot view. And then if you need me to get any specifics, we can dig in there.

So like many young people, I was in college, had no idea what I wanted to do with my life, had no idea what I wanted to do when I grew up. But I had this vague notion of grandeur as an FBI agent, I'm embarrassed to admit. And so I remember I went to a career fair when I think I was a junior in college. And I spoke with a very nice FBI agent that was a recruiter at the time.

And she broke me the very hard news that my sociology degree was essentially bupkis as far as FBI applications are concerned. And so I needed to either become a cop or join the army, or join the military, I should say, become a veteran. And so I chose the option behind door number two, joined the army, was a forward observer for a number of years before I realized that bombs and other things that go boom do not make very transferable skills in the civilian sector. And so I kind of re-anointed myself with that goal of maybe I can be a federal cop someday.

And I went into federal law enforcement as a special agent with army CID, which was a blast. I did the general crimes thing for a little while, as everybody does, whatever walks in the door is your problem. And then quickly realized that cyber is cool. And, you know, I liked building computers when I was a kid and coding and all of those nerdy skills.

So I quickly kind of adjusted myself towards that trajectory. And that brought me over to the FBI on a cyber task force, which is where I finished out my government service. What was so exciting about cyber is that pulled you into that space? That's a really good question.

So one of the hard things that I confronted with law enforcement early on was it's highly reactive. There's very few instances in, you know, modern law enforcement, probably in a historical context as well, that you can truly like prevent crime. Typically, 90% of the time you're responding to something that's already happened. And you're, you know, you do the best you can for the victims, for the witnesses, for justice, all of those high-minded ideals.

But ultimately what's happened has happened. And there's no, there's no undo button for that. Right. Whereas in the cyber realm, I feel like we have much more influence and much more ability to be proactive.

So we can actually impact the crime or the criminal before it actually happens. And I don't mean that in like a, you know, future telling your future kind of way, but like, there are things that we can do in the cyber realm that don't really have corollaries in the physical realm that can have really meaningful impacts on people's lives in a positive way. I think like every time we sit down and we think about, you know, are we going to build a new company? Are we going to secure a product that already exists?

Are we going to dive into a new space? Like connecting it back to people is always very important. It's like, if we can't do that, it's like, what, what are we doing? Yeah.

You know, it's, it's interesting because I think in security, especially kind of today, you know, everything is about these really big ideals. We're all talking like AI security, or is it security for AI? You know, is it we're ransomware prevention. We're talking about foreign threat actors, APTs.

It's easy to forget that at the end of the day, it's all just a bunch of humans, right? We're all just a bunch of meatbags that are sitting behind keyboards. And you can take that one of two ways in my mind, right? We can look at it from a sociological perspective and say that, Hey, these threat actors are just people.

And we should look at them like that instead of taking a Hollywood approach that these are some kind of master villains. And the other side of that, which I think calls to me a lot more is sort of the victimology of it, right? I mean, it's, it's fantastic. If you can stop a ransomware event, excellent.

You should absolutely do whatever you can to do that. But let's not minimize the day-to-day good that happens when we prevent an identity theft. Some grandma somewhere, you know, got a call from Microsoft support and that person, that very nice person, wants a gift card from Walmart. Like if we can prevent that, like granted, the scales are quite different between that and, you know, a ransomware of an organization, but it's no less impactful to that individual.

And so I think we should keep that in mind and really aim for the best impact we can regardless of the circumstances. What do you think is the biggest threat today? Cybersecurity is a very vast space, has so many different subdomains. Where do you see the biggest risk profile?

Yeah. I'm going to make some people angry at me here. Look, unless you work for an organization that is best known by a three-letter acronym, you don't need to worry about APT, whatever. Okay.

You need to worry about an 18-year-old dude sitting on a 2006 Acer computer in the basement of his mom's house in, you know, St. Petersburg or wherever in the world you want to put that pin, that has all the time in the world, just enough money in their Bitcoin wallet to be dangerous and just enough skills to be motivated. That's the person that for 99% of us is the biggest risk. Now, does that mean that we don't need to worry about APTs?

No, I'm not saying that at all. There are definitely good reasons to talk about APTs, but it's important to put it in perspective, right? You have a handful of APTs that are highly targeted. We know, we know their TTPs.

We know their targets of interest. You have 99 million people on the internet that want to harm people in whatever way. Maybe that's the Com and it's a very physical type of harm. Maybe it's a financial type of harm.

Maybe it's reputational harm. That is much more likely to occur. I kind of look at it like, you know, we all drive a car every single day. Most of us drive a car every single day, right?

But if you think about what is scarier, like a car accident or a plane crash, most people would probably say that they're more afraid of getting in a plane crash than they are a car crash. But if you actually look at the statistics, they're not even remotely close to one another, right? You are so much more likely to die driving to the airport than you are to have any kind of incident on the actual aircraft in the air. To me, that's kind of the same thing.

There's these really large public incidents and groups that we all like to talk about. We designate it as named entities. That's what gets the most media attention because it's large and it's flashy and it's huge. It's very impactful.

It's fun to talk about. But realistically speaking, that's the plane crash. What we should really be worried about 99% of the time is the car crash. I mean, if you think about risk and you think about like what actually may transpire if you're, you know, running the security of a startup or responsible for the security of, you know, a medium-sized business, it's all just probabilities.

With AI, like lowering that barrier of entry, it's going to exacerbate a lot of the stuff that we've already seen historically. Yeah. You know, looking back the past 10 years plus that I've kind of been in this space, one of the biggest things that has changed is just how much the cybercrime ecosystem has turned into a commodity. It's everything as a service.

You want malware? You don't need to write that. Pay a dude on the internet 150 bucks in Bitcoin and you get your own malware as a service, right? Complete with C2 infrastructure and a nicely built panel and all these things.

We see the same thing for phishing, right? We see the same thing for even doxing as a service, right? Like all of these things have turned into commodities today. And so what that has done is lowered the barrier to entry for those criminals, right?

You don't need to be a super technically advanced coder to do a lot of damage, right? You need a little bit of money, you need a little bit of know-how, and you need the intent. And I think you add AI into that mix, it becomes even more commodified, right? The bar is even lower.

Maybe you don't even need that technical, that small amount of technical acumen because the AI, the LLM can actually write that. Whatever little bit of code you actually need to write can be handled by that AI now. So what do companies do in order to prevent that influx or to help with that influx of attacks? Yeah, well, I mean, that's the million dollar question.

That's what all those booths at Black Hat in the back, where it's a dude and an iPad, that's what they're all hoping to figure out, right? I don't know the answer. I think what I would say is like visibility can't hurt. Ignorance is not bliss.

And I think we could all kind of agree that, you know, just because you don't know about something doesn't mean that something doesn't know about you and is able to harm you. So if you can get visibility, right, you can know what's potentially going to happen or who's targeting you or who has targeted you. That's at least a step in the right direction. But as far as like, is there a silver bullet to all of this?

I mean, my pessimistic self would probably say no, but I'm sure there's like the aforementioned Black Hat booths that are more than willing to tell you about their security for AI or AI for security that's going to solve that problem. No shade against them. I mean, if you're going to do it, fantastic, but I haven't seen anything compelling.

So would you say that the biggest threat in cybersecurity today is how easy it is to stage an attack? I think the biggest threat in cybersecurity is the human. I mean, it's still like there's an old mechanic saying it's, you know, 90% of the problems in a car occur between the driver's seat and the steering wheel. I think you could probably say the same thing for cybersecurity, right?

I know it's not super recent, but like the Lapsus$ stuff of a couple of years ago, right? That was like very low-skill impersonation, like social engineering, very, very basic. The stuff that we all did when we first got into cybersecurity and we were like, cool, pen testing is so awesome. I want to do that.

That requires essentially just a very little bit of knowledge, which again, commodity, and desire to do it and attempts, right? Get your reps in. But all of that, I mean, the critical link in that is the human. It's the person that's going to answer the call.

It's the person that's going to click on the email or download the file. And I don't mean to do like victim blame or anything like that, but what's the biggest danger that I see? The biggest risk? It's always going to be the dude behind the keyboard.

I'm super curious to hear a little bit more and double-click into how your experiences in law enforcement, in the military, inform cyber today. It really feels like maybe a strength that you bring to the table, especially at SpyCloud. Did you see these sorts of things firsthand, and did they shape your perspective on the direction of the industry as a whole, from that very special vantage point that not a lot of us really get to peer into? Yeah, I would say so.

When I was in federal law enforcement, you get to see kind of the extremes. You get to see the very well put together, very organized, very structured organization that is, you know, maybe they did have an incident, but they're responding to it quite well. They have the run books in order. They have the people with the expertise.

They have the logs. So you get to see that and you get to be a part of that. But there's also the other side of the spectrum, right? I remember one of the cases that I worked was a very, very small company in Texas that got ransomed.

I mean, it was small to the point of like everybody in the company had the same last name. Like the sysadmin was the owner's son. And, but I mean, it was a critical company. They served a very critical role at the time and they were completely wiped out.

They had no backups. Like it was a very, very, very serious incident that they were dealing with. So that being the other side of that, I think having visibility over both of those, I wouldn't argue that it's unique to law enforcement. Certainly people that are in incident response roles probably have visibility into both of those extremes as well and could certainly bring those skills to bear.

But it was definitely informative for me to kind of see not only what the threats were and what was successful, but also how different companies respond and to what degree that helps or hurts the situation. Yeah. I think the two extremes can definitely put things into context, and just watching things unfold brings a certain perspective to how we would like to see things done in the future. Right.

So now it's SpyCloud. Help our audience understand what SpyCloud's special place in the market is. Yeah. So I don't know the Gartner answer, so I'll hand-wave over what that is, but we do data.

We do identity and data. I run a team within SpyCloud called SpyCloud Labs. We're basically the research organization within SpyCloud. So I have a team of incredibly talented and passionate researchers and engineers that spend all day, every day, Monday through Friday.

And occasionally, when they feel like it, on the weekends, you know, digging into all of the corners of the internet that most sane people choose to avoid. We do direct threat actor engagement. We do all the forums that you've heard of, and we basically make it our mission to collect as much data as we possibly can and then tell a story about that data. So like I mentioned earlier, I mean, remediation is kind of the biggest, most important thing in this space, I would say, in my opinion, right? If you know about a problem, because it kind of goes back to what I was saying about visibility, if you know something is wrong, you're at least enabled to fix it.

And whether or not you actually do is kind of an open question. But if you do, it's like a ship with holes in it. If you don't patch those holes, eventually you're going to sink, but you've got to know where those holes are. So that's kind of where we're very passionate: how do we not only get that identity data and make sense of it and validate that it is legitimate, but also how do we get that to the people that need it the most so that they can actually do that remediation before the threat actor actually uses that data.

And SpyCloud actually just released a bunch of research, right? This year, there was an identity exposure report that came out. I think there was also a paper that came out as well. Were there any striking like sound bites from all of that hard work that was poured into the visibility and those reports that came out then?

Yeah, yeah. I'll give you two that are kind of interesting to me, I will say. One is that commodity malware is still a huge problem. You know, we've seen some honestly fantastic work by U.S. and European law enforcement in taking down a lot of these commodity malware families like RedLine, Operation Magnus, which was led by the Dutch police, but also, you know, had the FBI involved and a bunch of other agencies as well. That was incredibly impactful. It effectively took RedLine and MetaStealer, which was essentially a fork of RedLine, took them out of the equation.

With very limited exceptions, those basically turned off overnight. Unfortunately, that has not fixed the problem. There are still a lot of these commodity malware families out there, Lumma C2 being kind of the biggest, baddest right now, that are highly accessible, that are very successful at getting into a system and exfiltrating data, and are used incredibly widely. So that's one thing.

It's good and bad. There have been some really good impacts that have happened and have had a tangible impact on the ecosystem. But, you know, we still have so much use there and so much more needs to be done. The second thing that I would take away was a huge surprise to me.

And maybe I'm admitting something I shouldn't be that I was surprised at this, but like phishing is still a huge problem. I remember in the days of AIM, getting phishing AIM messages, early 2000s, maybe into the 90s, like phishing has been a problem for so long. And it's still a huge problem. Like we still see companies, mature cybersecurity organizations, getting hit by phishing emails and getting hit by smishing and the toll violation scam coming out of China.

And it just goes on and on and on. And so much of that has become a commodity now that we have just seen this massive explosion in attempts, which then has had the predictable outcome that there have been more successes. So I guess those are kind of the two things that are my biggest takeaways from this year's research. Yeah.

No, that really brings it home, actually. Someone tried to phish me not too long ago. Yeah. One of the crazy things about these phishing kits these days is just how, I mean, technically advanced they've gotten, right?

Like there are AI adversary-in-the-middle kits now that will actually trick your browser into dropping your authentication cookie. So it will basically proxy your login, your successful login, back to whatever the target of the phish is. And then as that comes back to you, it's pulling that cookie out. So you've effectively bypassed whatever MFA is on that account.

Whatever security is on that account is now in the hands of the adversary. So like, that's really interesting that that kind of thing is, again, a commodity. You don't have to build that, right? You don't have to be a PHP.

I would certainly hope you don't have to be a PHP developer to get access to that level of tooling. It's a payment to a guy on Telegram. Right. Exactly.

And so all of this research that's coming out of SpyCloud really helps make these threats more quantifiable, the risks that are out there. And so if I take on the perspective of a founder or a CEO of a company, maybe even a Fortune 500 or a Fortune 50, how does this help me? How can I turn this into something actionable? Yeah, that's a great question.

I think it has to start with data, right? In business, there's a lot of discussion about data-driven decisions. Like everything needs to be backed by data. If we're talking about financials and, you know, hey, we're going to take a new product to market, right?

Obviously the first question is like, what's the TAM, right? What's the total addressable market for this thing? Or how much money do we think we can get from our existing customers? Like these are all concepts that are quite well known to people in finance, people that are, you know, founders of business.

They're directly applicable to cybersecurity and cyber risk. If you don't have access to the data... if you need financial data, we all know where to go, right? There are services that provide this information to you and you can ingest that and make sense of that and use that to guide your decisions. The same is true for cybersecurity.

The same is true for cyber risk. If you don't take the time to go and find that data and ask those questions and have data-driven decisions, then you're effectively rolling the dice. Maybe they're loaded dice because you're especially experienced or you know more than the average consumer, but at the end of the day, they're still dice and you might get lucky or you might roll snake eyes. So I would say from the founder's perspective, or quite frankly, anybody that's in a decision-making role within a company, you should always be trying to find the best, most accurate, most verbose source of data so that you can use that to inform your decisions.

And so you're not gambling on the security of your company. Yeah. I mean, I guess in some sense, folks that lead large organizations, especially start new ones, you know, from the ground up, they're in the business of taking risks and they're in the business of identifying existing threats or risks, not being afraid of them, moving towards them, but doing it with all of the gear and all of the armor on so that you can mitigate what you know about. Yeah.

I really like that you said that because it's like a medieval knight in their suit of armor, right? All of us, we all have our suit of armor on, but there are chinks in that armor, right? There are spots in that armor where the plates don't necessarily line up and it's just our shirt underneath. The challenge is that as an adversary, you only have to find one.

You only have to find one weak spot to stab. Hopefully I won't take this metaphor too far, but you only have to find that one gap in the armor. But as a defender, as the knight, we have to make sure that there are no gaps in that armor. So the odds are stacked against us is what I'm trying to say.

And the best way for you to even those odds or have the best hope of evening those odds is to have that visibility and have that information. All right. So armed with all of this data, I can go to a board of directors. I can go to my founders.

I can go to the folks who are responsible for making business decisions. And I can advocate: hey, if we allocate this amount of spend to mitigate these risks, here's how this changes our risk trajectory as we grow. And as we become a larger and larger target, because let's face it, hackers have the same mindset. It's a business.

They're after something and you can probably get a bigger bang for your buck if you go after a juicier target, right? And so as you grow, you become more and more of one of those targets. So those risks increase as the success of the business becomes visible. Yeah, I would agree with that.

I also think that there's different classes of adversaries that you need to worry about at those different levels. I'll say it at the outset, like everybody's going to get punched in the face at least once. You can have all the data, you can plan for the worst case scenario, you can do everything right. Chances are you're still going to fail at some point.

There's kind of two parts to what comes next. There's how serious was that punch? You know, how long are you down? And then what decisions do you make next?

Both of those things I would argue are just as important as what you do beforehand. And that's going to change. You're absolutely correct. The size of the business, the scale of the business over time, your threat landscape, your threat model necessarily has to change.

And so I would absolutely recommend, if you're a founder, if you're somebody that is responsible for this for your company, you should totally have a reevaluation schedule where you're constantly going back to that model that you built. And you're challenging that model and saying, do we need to worry about that next tier? Are we at the level now where we are getting those targeted campaigns? Or are we still worrying about kind of the mass-media, "to whom it may concern" attacks?

That has to be accounted for. And your threat model should change over time based on that input. How do you relay the message that you as a founder or you as the executive should do these evaluations? Because security is often seen as the overhead.

It's the thing that slows down the innovation. It's the thing that slows down the business growth. How do you find a balance? How do you usually approach that subject?

Yeah, I mean, we're the cost center, right? Everybody who sits at a research billet or security billet is familiar with that term. It's hard. It's like you have to argue for yourself and you have to argue for the company.

And you need to frame that in the way that it's going to be received. So sometimes the most receptive response might be: this is how this could potentially affect us financially. Maybe that's going to resonate. It could be a reputational discussion.

Certainly, if you're like a cybersecurity company, maybe that reputational harm is even bigger. I mean, it's certainly tied to the financial outlook, but it could be its own problem. It could be something completely different. I'm very much giving the political answer here.

So I apologize for that. I'm not giving you a straight answer, but it really depends, right? It depends on who you're speaking to, what they're going to be receptive to and really who you are, what the company stands for. I mean, I think that makes sense.

Like if you want the business to do something, you have to make a business argument for it to do something. Exactly. Security is an interesting space in general. There are so many different concepts that used to be relevant back in the day, were not relevant in 2010, maybe, but are relevant again.

One specific example is the CIA triad. And the last letter of that CIA has nothing to do with security per se, but it's the availability of the product. And essentially, if you are not able to provide a service that is legitimate and can have the coverage for confidentiality, integrity, and availability of the data, then you're not really providing services to your customer in the first place. Yeah, I agree.

And I would say that that speaks to both. That could be, at its core, a reputational harm. It could be, at its core, a financial harm, or it could be both. And that calculus, that's a sliding scale.

And I think everybody needs to figure out where they exist on that scale individually. So if I'm responsible for the security of an organization, or if I'm on the team that's responsible for the security of an organization, and I'm thinking about these things, and I'm thinking about, yeah, it would be nice to mitigate some of these risks around phishing for all of my users. And I would really love to see the data to be able to make that business case and do the analysis that's specific for our customers and our verticals that we're selling into and our security commitments as an organization. How do I get my hands on that data?

Do you have a newsletter that you publish, or how do you get the word out? Yeah. So we do publish a monthly newsletter. I tend to repost it on my LinkedIn, but it's also on our website, spycloud.com. We're kind of hyper-focused on the cybercrime side of things. So we don't typically talk a lot about nation state actors. If that's your jam,

maybe not the newsletter for you, but it's fun. We take a look at all of the different trends that we observe. Lately, there's been this recurring segment for the past, I think, three or four months now, that we call Forum Wars. BreachForums went down and then it was like, oh, who's going to be the next?

Is it going to be DarkForums? Is it going to be BreachForums v97 or whatever number we're at now? So there's some fun stuff, but we also do dig into the data. And our philosophy is we try not to draw conclusions.

We are not ultimately the arbiters of truth when it comes to what is the most dangerous thing out there. I can certainly have my own opinions, but those are not always true. They're not always right opinions. And so we do our best to like put out the data we have access to and then allow the readers and the consumers to sort of draw their own opinions.

I'm curious, where's the data coming from? Is it scraped together from the dark web behind Tor services, or is it experiential? Like you have a subscription base and people are submitting information to you about what's going on in their organizations, or how does that work? Well, I have to be kind of general in answering that question.

Of course. As you would imagine. Look, it's not a huge question mark, right? I mean, we do a lot of the things that a lot of other companies do.

I obviously am extremely biased in saying this, but I think we do it better. But, you know, we focus really on that core center of the material. If you think about cyber crime as a ladder and the higher you get on the ladder, the closer the source, you know, we want to climb that ladder. So we go to where the threat actors are and we talk to those threat actors.

We build relationships with those threat actors. We use some cool, sparkly human intelligence and social engineering techniques that everybody that was in government service likes to talk about. And we get access to the data. Like I said, we do a lot of the things that a lot of companies do.

Obviously we do scrape data. Everybody scrapes data. It's like the easiest thing in the world. But if you're just scraping data, you're seeing what is effectively the surface element.

I mean, for things to get to the surface, it's going to take weeks. If they get there at all, they've probably been adulterated. There's a lot of, you know, the chain of custody has been messed up. So for all those reasons, we definitely have a different value scale when it comes to the data that we pull in.

And like I said, we aim for that core as much as we possibly can. There are so many different types of companies, but oftentimes a tech company will have some type of experience with security and compliance. At least adjacent knowledge will be present, even if there is no dedicated security team. But there is a whole entire sector of the economy that is filled with companies that are not necessarily tech companies, but are still present in cyberspace.

Where do you see most successful attacks prevail? That is a very good question. Yeah, I'm thinking about all the companies that we don't really think of as tech companies, but they are. I mean, everything's a tech company now, right? I feel like that pool has gotten so overloaded.

Everybody's got to have an app. Everybody's got to have like a web portal. You can log in and configure things. So in a way we're kind of all in that space, but I think there's, there's different threats to different companies.

If we're talking about a financial services company, one of their threats that's a big deal is the insiders. What if I hire somebody that's maybe a teller or maybe, you know, an insurance adjuster or a broker or something like that? And whether they're witting or unwitting, they are exploitable by an adversary, by a criminal. And typically that's a financially motivated criminal.

If we're talking about the defense space, we still have the problem with insiders, but maybe there's a different target. It still might have a financial aim, but there's different information now where maybe we're talking about like intellectual property. And then there's kind of the big umbrella. So what is everybody vulnerable to?

And everybody's vulnerable to, again, the human element. When we look at info stealers, which is kind of a passion of mine, almost all of those are not a targeted attack. It's not a, hey, I want to infect Sasha with Lumma, so I'm going to figure out this complex lure to get him to click. Not saying that doesn't happen, but by far and away, the most common way that an info stealer infection occurs is because you were in the wrong place at the wrong time.

You clicked on the wrong ad, you downloaded the wrong Fortnite skin. You followed that link from that YouTube video, which led you to the bad place. And it might not even be you. It might be your kid or your spouse, or it might be on your personal computer.

The attack surface is so broad when it comes to that because it's so pervasive. It's so frequent. And the amount of data that's stolen is just so robust. I mean, you think about like modern info stealers, they're pulling your form data.

So the stuff that your web browser helpfully caches, you've entered into forms on websites, pulls your saved credit card information, your saved passwords, it pulls your cookies, which if anybody has heard of session bypass or session hijacking, not a great thing. Some of them will even steal files. So I don't know how many times I've seen like, you know, passwords.csv.

Oh, I wonder what's in passwords.csv that was saved on your desktop. So that to me is kind of like the umbrella. It's like a to whom it may concern.

It doesn't really matter what vertical you're in or what you do. And that has a very long tail, right? Digital exhaust is pretty big and it's hard to get rid of. All right.

So what are the options as a consumer? How do I navigate the space? Because we all have to have some sort of a digital footprint. There are definitely sites that let you look things up.

I mean, I work for a company called SpyCloud. So I'll rep our own. If you go to checkyourexposure.com, it's available for anybody.

It's free. You can enter your email and it'll tell you where you show up, whether you're in malware or something else. The FBI and other law enforcement agencies like putting up portals. Actually, years ago, I was the case agent for the Raccoon Info Stealer case and we put up a little portal.

I think it's actually still up today. So you could go and do that. There's other services, of course, that allow this and that give you verbose information or less verbose information. So definitely do that.

I would recommend doing it for your personal emails. Don't just do it. I mean, your corporate emails, obviously, but don't just limit it to that. Personal emails.

There's a lot of hooks that kind of come into our lives from our enterprise environment down into our personal. And so just because it's a personal email doesn't mean it's not a serious exposure and something that you should absolutely remediate. Do some of the companies offer services like SpyCloud as a benefit to their employees? There's so much that is out there on every single individual.

And to me, it seems like people are getting tired from being bombarded from different directions with different offerings to buy a car, a boat, take it to the SpaceX to orbit around Mars. And it just seems like a lot. And that's just a normal state. But if you become a target, there's so much more information that is available on you.

Do you see some of the companies offer SpyCloud as a benefit to their employees? Yeah. Yeah. Mortgage refinance.

That's the one that always shows up in my email. So, I mean, we have a lot of our customers, obviously, we do have customers that offer that to their employees as like a consequence of their service. If you don't have that, if your company doesn't have access to SpyCloud or something like us, there are a lot of those resources, like I mentioned, that are free generally. So, you know, whether or not you get that benefit as a consequence of your employment, I really would encourage everyone to go out there and just check your personal exposure, see what it looks like, see what the bad guys might have about you, might know about you.

Love that for the consumer space. And so as a consumer, that makes me feel warm and fuzzy on the inside. And I have to say thank you. Thank you for doing all the hard work and putting all of the data together and dropping it behind services.

And you've done that multiple times now throughout your career. Okay. Now for the B2B case, if I'm a security leader at an organization and I'm like, oh, this actually sounds pretty good. I would love to check every employee, every personnel, every contractor in my organization.

Is there a way that there are B2B deals that can help measure current exposure of everyone within an organization, just a little bit more enterprise geared? Yeah. So you can still do that at checkyourexposure.com.

It's not limited to just free emails. You're going to get a different report and I can't promise you won't get a nice little marketing email from SpyCloud after you do that. In fact, I can promise you will. But yeah, we give a nice little report about what potential exposures you have for, usually it's domain name based.

So that can be something of a challenge, especially if you're one of those companies that uses a different domain name for their email than they do for their website, which by the way, I wish more people did that. Great, great idea. But you can do that and you can get that report and use that to inform. And certainly I don't want to make it sound like SpyCloud's the only company that does this.

There's a lot of other companies out there that do the same thing. So, you know, compare different resources, see what works best for you, pick whichever one that's right for you. I feel the authentic give all the gratitude in the world. So Trevor, you see a lot of visibility in what is going on today.

You have a lot of historical knowledge about security and threats and the evolution of those. What is your prediction in the next year? What will cyber threat surface look like in a year? I mean, it's going to continue, right?

Like I think we kind of say this tongue in cheek in the security industry, that job security is part of security because people are still going to be making mistakes. There's still going to be criminals out there that have all of the motivation in the world and very few downsides to commit crimes and to attack you and your organization. I think we will likely still see a continued shift towards the commodification of cybercrime. So just as we have seen over the past several years, malware as a service, phishing as a service, access as a service, anything as a service.

We're going to continue to see new malware families, new phishing kits, new means of exploitation, and they're all going to be available for purchase. I think AI in the mix is kind of a big unknown for me. I don't really know what that's going to mean long term, but it's probably not going to mean anything good. So I reserve the right to change my answer in six months, depending on what GPT 7.10 or whatever we end up seeing by then.

Of course. Well, with now GPT 5, I'm sure writing its next version of itself, like who knows where that's going to all go. Right.

So do you think there's such a thing as like insider threat as a service? Have you seen that? Have you come across that? I know there is.

Yeah. Yeah. Especially within financial services companies, banks, especially we see pretty regularly folks that will go out and I won't name any banks, but you can fill in the blank. I work at this bank and I have access to these things and I'm seeking an aged account that's interested in moving 10 to $50,000.

That's a very common thing to see on Telegram or on a forum or, you know, what have you. Maybe that's not really like the full as a service model. We're not fully autonomous, I guess, at that point, but it's that easy. How do you detect those sorts of things?

Are you watching Telegram and like all of the platforms where they are announced or what? Yeah, we do. Telegram is a big part of that. We've gone leveraging LLMs a lot to do that.

The volume is just too much. You could employ a team of hundreds of researchers and you'd still miss things. And so as much as we talk about AI and there's a lot of buzzwords around that, one of the things that it does really well is condensing and summarizing user-generated content, human text. So that's one of the ways you can kind of build a profile for a certain threat actor or a certain technique and then look where that shows up across a broad swath of data.

The other side is just the manual side, right? Human being reading through a channel and saying, whoop, that looks like something that's illegal. Let me flag that. Well, this has been an amazing discussion.

Thank you so much for joining us for another episode of the Security Podcast of Silicon Valley. I'm John McLaughlin, one of the hosts, was joined today with Trevor and co-host Sasha. Thanks for having me. No, huge thank you.

And huge thank you to all of our listeners for tuning in for another episode. An absolute pleasure. And thank you to all of our listeners. This has been a Y Security production and stay tuned for another episode.