Psychology of Modern Cyber Attacks & Social Engineering

Veeam
03/12/2026

Transcript

Caroline: Hello and welcome to the Wake Up podcast by Veeam, global leader in data resilience. I'm Caroline Wong, your host, and today I'm joined by Ray Heffer. Ray, welcome. It's so good to see you.

Ray: Great to be here. Thank you.

Caroline: Ray, tell me a little bit about yourself.

Ray: Well, I'm the field CISO for Veeam, Veeam Software. Despite my accent, I'm based in the Americas, so I cover the US. And yeah, I've been in the cybersecurity and, let's say, tech industry for over 25 years, a long time now.

Caroline: Ray, what's your favorite thing about working in cybersecurity?

Ray: Oh, I love to nerd out. So while I talk strategy every day with business leaders, at heart I'm still a nerd. So yeah, when it gets technical, I'm in my place.

Caroline: Ray, we're here to talk about what it's like when bad things happen. Tell me about what you've seen throughout your career when it comes to security incidents.

Ray: Yeah, well, I've got quite a background. If I go back 25 years, I didn't even call it cybersecurity back then. Security incidents, you know, I was on call at an internet service provider, for example. And security incidents then, we didn't consider them cybersecurity. For an internet service provider, this could be critical. We had two infrastructures. There was the managed hosting, so customer environments that we were hosting in data centers, and then the internet side of things, so name servers and the web infrastructure. So I was responsible for security for both of those environments. There was no ransomware in my time in those days. And security was a firewall, antivirus, VPN, and this perimeter, and that was it, you know, this perimeter security. Things have changed a lot. Throughout my career, we had the advent of cloud and everything going into the cloud. And then I think it was around, was it 2010, 2011, cryptocurrency really changed things.
And that's really, in the last 15 years, we've seen just this rise of ransomware, which certainly takes a very different shape to what it used to back in the good old days.

Caroline: Definitely. And Ray, I imagine that you and your clients have experienced so many different cybersecurity events, cybersecurity incidents. You know, I find that so often there's a focus on the technical vulnerabilities. But I think sometimes what's overlooked is the human aspect.

Ray: Yes.

Caroline: I'd love to hear what you think about that.

Ray: My favorite subject. Okay, so you may be familiar with the cyber kill chain, Lockheed Martin. So for those that don't know, Lockheed Martin developed this, I think it was around 2011. And it's these discrete steps that attackers use. So it starts at reconnaissance, moves into weaponization, delivery. But at the end, you have this action on objectives. The problem with that in cybersecurity that I see is we're focusing so much on investment in tech and trying to check off each of those boxes that we're not just taking a step back. I'll give you an example. Social engineering, where would that fall? Is it reconnaissance? Because that's certainly a big part of it. Is it weaponization? Sure. Is it delivery? Sure. It kind of fits everywhere. If I could rename it, I would change it from the cyber kill chain to the cyber kill spectrum. Because it's not just discrete buckets of things. It really is not. And social engineering is a great example of that.

Caroline: I like that so much. The cyber kill spectrum. And tell me a little bit more about your thoughts on social engineering.

Ray: Okay, big one. First off with social engineering is to understand, and this is one book I'd love to suggest, it's Thinking, Fast and Slow by Daniel Kahneman. He's a Nobel Prize winning psychologist. What ties into social engineering today is he lays out that there's two systems of the brain, system one and system two.
So system one, if I was to give you an analogy, is I'm driving my car, someone runs out in front of me, I'm not going to really think for a few minutes, I'm going to slam my brakes on. That's that immediate response. System two, on the other hand, is maybe I'm planning a vacation, I'm going to take a few hours, a few days, maybe a few weeks to make that decision. So it involves much more critical thinking. From the attacker's perspective, or the threat actor, they are absolutely aware of this. And they're trying to get system one engaged. So there's a sense of urgency, make a quick decision. Time is critical. And we can dive more into that as well, if you're interested.

Caroline: I'm so interested. Ray, I wonder if you can give us an example of how an attacker might exploit system one thinking in order to take advantage of human psychology.

Ray: Sure. Probably every ransomware example will exploit this, but I'm going to use one that's slightly different. 2020, so five years ago, there was an attorney named Gary Schildhorn. And he deals with fraud cases. So this is someone that knows this space, you know, he's a lawyer. He was actually tricked into paying almost $9,000 through a deepfake phone call. He actually received the phone call. He thought it was his son. He said, hi, it's Brett, his son. I've been involved in a car accident. There's a pregnant lady involved. The police are here. I'm going to have to go, but I'll call you back in a moment. I'm going to need your help. So the call ends. The next thing, he gets a phone call from this guy called Barry Goldstein. He said, hi, I'm the lawyer representing your son. He's been arrested. Anyway, to cut a long story short, that was AI. It was a deepfake. Now bear in mind, that was 2020. We have significantly advanced in our AI capabilities since then. You could clone my voice just from a few seconds of audio and it will pass off very realistically.
And the point I would like to make is Gary Schildhorn is an attorney. He's aware of these, but they were playing on the urgency. This is urgent. Just to fill in more of the story, there was this elaborate story where the person at the court that would normally receive the bail money was away on a family emergency. But this threat actor that was pretending to be the attorney said, but don't worry, I can deal with it. So he didn't fulfil it. He almost paid the $9,000. The reason I share that is you can go and look on YouTube. You'll see the full story by Gary. He was in Congress discussing this, trying to warn others of what's going on. But ransomware groups do the same. There's a threat actor called Scattered Spider. This is a group, a collective of individuals. And they are UK, US, Australian, Canadian citizens. So they will speak in the native dialect, the accent, if they were targeting a retail chain in the UK, which happened just a while ago. They will sound very plausible. And one of the other areas that's exploited, as well as urgency, is the timing. Like in Gary's case, we've only got a few hours. We've only got a few days. And if I may give another example, there's plenty out there. Recently, we saw this breach with NPM. Now NPM is the Node package manager. There is a maintainer of some Node packages called Josh Junon. Great guy, very well versed in security. He knows his stuff. But he fell for a phishing email. And he was very open about it. There's interviews with him online as well. The phishing email was urgent because it said if he didn't act, he would lose access within two days. This actually came through on September the 8th. And it said your account will be locked on September 10th. Then there was the timing. I don't know exactly what time it was, but let's assume it was a Monday morning. He's busy. He thought, I can't afford to lose access. I've got to deal with this now. So you can see system one is engaged. He clicks. He logs in.
He confirms his two-factor authentication token. And he gave access to potentially billions of devices on the planet that use these packages. This could have been the skeleton key to so many systems. Luckily, it didn't happen yet. We haven't seen that kind of fallout. But this is how quickly it can happen.

Caroline: Ray, what happened in between the Nigerian prince and poor grammar to being able to deepfake somebody's close family member?

Ray: This is what's so scary, the sophistication that we have. And this deepfake of Gary's son, going back to the cyber kill chain, they did the reconnaissance. They knew his son's name. They did their research on how the court system worked. I'd have no clue. I've not been in that situation. So I wouldn't know the process. But they did. So the fact they were even talking to an attorney, they were able to still convince him that he was speaking to another attorney. They knew that process. But yeah, what's happened is, look at the technology. And this was in 2020. But what we can do now is available to everyone. And not just a deepfake of the audio, the voice, but our face as well. You may have seen on social media, people are running around in nuggets and running away. It is so realistic. And these threat actors are absolutely going to be weaponizing this. I call this the new force multiplier of ransomware. This ability to use AI and deepfakes, not just for social engineering, but throughout the whole process. Anthropic, for example, who has Claude Code. Many people listening, I'm sure, are vibe coders. But there's this thing called vibe hacking now. So we're just seeing this multiply and multiply. And they're using these tools to accelerate their attacks.

Caroline: Ray, there's something I want to talk to you about, which is the shame. Some of these folks that you've described, an attorney, a person responsible for NPM. These are smart folks. These are educated folks.
And so I wonder if you would tell me a little bit about, when you work with clients and when you've looked at these incidents, and when people do get scammed, what does that feel like when they realize what's gone wrong?

Ray: Honestly, hearing the story from Josh or hearing that story from Gary, you can feel that from them, that they just feel devastated. And if I may share something, 15, 20 years ago, I'm sounding old now, aren't I? But quite a long time ago, I had a boss, his name was Phil. If he's listening, he'll know who he is. And this was working at this internet service provider. He said to me, Ray, don't ever worry about making a mistake, just tell us. Because if you make the mistake, we allowed it to happen. Now, I've never forgotten that. Because ever since that day, if I've made a mistake, I would own up and feel like I've got the team behind my back. And that's important, because in cybersecurity, if we're feeling shameful or stupid because we made the bad decision... and I'll give you another example. We all have these phishing email simulations, we get the email, and you have to report phish. And if it's correct, you might get a bit of a reward. At Veeam, we do that. And the more you report correctly, you could have a chance of winning an Amazon gift voucher, for example. However, there are organizations out there, which I won't name, that I've heard will penalise their employees; maybe after three, four, five failed attempts, they could even be let go. The problem with that approach is people then would rather do nothing, I'm not going to get involved in that, hiding their mistakes. That's really not a place we want to be in. And to reiterate that point, these people are highly educated. Josh, I mean, this NPM package maintainer, he's a clever guy, you know, he's doing some pretty intense stuff. He knows security. But system one doesn't engage critical thinking or the analytical brain. And that's what they're targeting.
In fact, just two days ago, I got a text message, supposedly from Apple, saying that I'd ordered the new iPhone 17 Pro. I thought, great, I'm looking forward to that. I knew it was a scam straight away. But not because this is what I do. Just in that case, because it was sent to the wrong phone number, or it was one of my virtual numbers that I use for something else. I like to segment my identity. I have different email aliases, I have different phone numbers. But because they sent it to the wrong place, I immediately knew, nonsense, obviously, I didn't order an iPhone. So I actually responded and said, yeah, I'm excited. When do I receive it? Never got a reply. Or the iPhone.

Caroline: Ray, what else do you want to share with regards to social engineering, with regards to the disciplinary punishment response, the shaming? What else should we be discussing?

Ray: Okay, well, there's another book I'm going to recommend, it's The Psychology of Persuasion. I think every leader should read this, by the way, as well as Thinking, Fast and Slow. And if I may borrow from this book, there's social proof. One of the examples of social proof is, if everyone else is doing it, then I should do it as well. And just to give you an example. Years ago, I saw a video on this where there was a waiting room, and smoke, fake smoke, coming from under the door. And they're all actors, except for one person. And all the actors were told, just sit there, go on your phones, read the magazine, do whatever. So the real person looked around and thought, oh, well, no one's doing anything. So they just sat there. And I've seen this with the elevator. There's motorcycle helmets in an elevator, and everyone that got in put this motorcycle helmet on. It's absurd. It's like a scene from Monty Python or something. But because everyone was doing it, the person that wasn't an actor went along, they put a motorcycle helmet on. You'll see all these online. So social proof is one part of it. I talked about urgency, timing.
But The Psychology of Persuasion talks about liking as well. So quite often, threat actors like Scattered Spider, and I'm focusing on them, but this applies to all of them, by the way, will impersonate maybe an IT admin or a colleague. And initially, they'll be very friendly. They may even do you a favour. So they want you to like them. So if someone likes you, you reciprocate that, you might want to do them a favour back. And that's typically the path it follows. And on that, the reason they can do this so successfully, going back to the reconnaissance phase, is we are revealing far too much on LinkedIn. There's even sales lead generation sites that will give you an org chart, you know, who you report to, who you work with. These are out there. And they are using that as part of the reconnaissance, into the weaponization now, I should say.

Caroline: Ray, I want to talk some more about this psychological warfare.

Ray: Hmm.

Caroline: Why is it so darn hard to tell the difference between something real and something that's a scam?

Ray: Certainly these days, it's getting a bit harder. I'll share a story with you, actually, about my daughter. She's almost 14. But I've been trying to test her with this. I said, is this AI or is it real? And she's got to the point now, she just calls everything AI, just because, you know, that's her. And apparently, I'm AI. On the phone call this morning, she says, no, you're not real. I said, Phoebe, this is, you know, you're real. But it is getting harder. The technology that was, say, available five years ago, in Gary Schildhorn's case, with that deepfake, is so accessible now. And you can run these locally, and obviously there's services in the cloud. And yeah, it's scary. I know, it's so realistic, where things are going, especially with video generation. And sure, they're trying to put watermarks in place to, you know, hide the facts.
But we've seen examples where CEOs have been faked with AI, both video and voice, and convinced employees to basically sign invoices and release invoices for hundreds of thousands, if not millions of dollars. So it's pretty scary.

Caroline: Ray, what do we do? What do we do as leaders? What do we do as humans, when frankly, we're so easily tricked?

Ray: Yeah. I think going back to the cyber kill chain, and this technology and focus that we've been so obsessed with. In fact, according to Gartner, there's a $215 billion global spend on cybersecurity. But I would be really curious how much of that spend is on the human element. We do things like security awareness training. We've seen that hit our inbox, we have to watch a bunch of videos, there's some quizzes and questions. And the problem with that is then it's a checkbox. It becomes a checkbox exercise. Employees have done that, we're now compliant. I would argue that doesn't really change the human mindset; we're still going to fall for these things. If we could slow down and think, like really, in the case of a phishing email, if you could take five minutes and go for a coffee, I love my coffee, so any excuse to make a coffee, that alone could trigger system two and you'd think, hmm, this didn't sound right. You may think you're not acting immediately, but in every phishing email, we're obviously reacting to urgency and timing and all these other factors. But if you could just take pause and breathe. And honestly, if I was in leadership at all these organizations, I would question, why don't we just give everyone a meditation app subscription, for example? We may jest about that, but really, it's the ability to stop and think and observe things from a distance, take a few steps back, that will then start to engage system two. So it's a suggestion.

Caroline: Ray, I love these suggestions. A cup of coffee, a meditation app. How long does it take? How long do we need to pause?
And what other suggestions do you have to interrupt our system one thinking?

Ray: Yeah, I don't think we need to pause for long, to be honest. If I get an email and it says you're going to lose access to your account, we can think, this is going to impact my work, my productivity, I've got to act. And just taking a few minutes to have a look. And one of the problems we've got as well in detecting this is we've been trained, through these security awareness courses that we are told to do, to look at where it's coming from. In the case of the NPM package maintainer, he thought it was coming from a place of authority. And authority is another one of those psychologies of persuasion, by the way. It said it was npmjs.help. Sounds legitimate. It should have been .com. .help was not the domain it should have been sent from. So while from a technology perspective, with email, we've got things like Sender Policy Framework and all these mechanisms in place to show it's a genuine sender, microsoft.com, amazon.com, wherever it may be, they are using other domains. So it completely bypasses that technical control. And we think it is being sent from a place of authority. One of my suggestions is, rather than just looking at who it was sent from, maybe look at where it was coming to. And this is going to be a bit of a shift in how we run business today. But I would assume you have an email address, it's your primary email address. I could take any company and assume that their email format is either first@company.com or first.last@company.com. So if I was a threat actor, it would only take me two or three guesses to find out an individual's email address. If things like aliases were used for high risk employees, not for everybody, but let's say finance that are paying invoices. If their email for a particular supplier is a unique alias, then if something comes through, as well as looking at who it's from, they think, hang on a minute, why has this landed in my personal inbox?
It'd be a bit like if you got a message to your personal, maybe Facebook Messenger if you're on Facebook, and it was the CEO saying you need to pay an invoice. You think, hang on, why are you sending me a message here? That doesn't make sense. And it's things like that that can make us think and then engage system two. As an industry though, we're not doing that. We all have a phone number, an email address, a home address. I might be a bit different. I use PO boxes and I have virtual phone numbers and aliases, but I'm not saying we have to go that far. But certainly for high risk individuals, and we're seeing finance, HR, IT, executives, we need to start looking at compartmentalizing their communication channels so it's less likely they fall for a phishing email. It's not going to reduce all of them, but it's another series of steps towards it.

Caroline: I think that's brilliant. Ray, what other stories or illustrations can you share with us to kind of demonstrate how we might shift our mindsets when it comes to this kind of thing?

Ray: Yeah. Well, when we think of cyber attacks, we think of the movies. Someone at this terminal, the green screen terminal and code flashing by. I wouldn't say that's the most realistic. You have to bear in mind that a lot of the ransomware groups are individuals, teenagers. In the UK, just two weeks ago, I believe it was, there was a 19-year-old that was arrested who probably wasn't the leader of Scattered Spider, but certainly one of the main individuals. Another teenager was arrested around the same time, and they tend to move around from one group to another. But we've got to remember, we're still dealing with individuals here. This isn't necessarily this tight-knit group all in one building with hoodies on in dark lighting, hacking the environment. They are trying to play, and I think a lot of their success comes from the UK, Australian, Canadian native speakers, for example. They sound plausible. They've done the reconnaissance.
And a concept I'd like to introduce, if it's okay, is this concept of the space in between. I'm talking about the spectrum of the cyber kill chain. This is a bit of Japanese culture. I'm a huge fan of Japanese culture. I failed at learning the language, mind you. I spent years trying to learn it. But what came out of it is I know lots of words. They've got a word called ma, and it literally means the space and the relationship between things. They use this in art. So if you think of maybe a Japanese garden, you've seen that there's stones or gravel, and it's raked, and they've got a rock over here and a rock over there. That's what it's describing. It's not the fact there's two rocks. It's that there's this space, and the space wouldn't be there if the rocks weren't there. It's this relationship. Now, that talks to taking pause and space to think, but also, going back to the cyber kill chain, what we can do, rather than look at these as discrete buckets, where we've got delivery or weaponization or the command and control, any of these individual buckets, is look at the spectrum and the bigger picture, and it's taking that step back. That's why I think about email aliases and changing security awareness training to be more about mindfulness and taking a break. If you see a message, and it may be that the company adopted a posture of not moving so fast: if you have to pay an invoice, it's urgent, is five minutes really going to make any difference to make that coffee? Perhaps not. Again, just a suggestion.

Caroline: I like more coffee under all the circumstances.

Ray: Exactly. That's definitely an option.

Caroline: Ray, what other reflections should we be considering at this time?

Ray: It's a difficult time at the moment because of AI and deepfakes. One of the things that we need to look on the bright side of is we have the ability to use AI in our technology and products. There are ways of detecting phishing emails, and that may be giving you pause.
Maybe it will flag up and say, hey, is this right? Time for that coffee. Any of these flags that can trigger the time just to take a few minutes. It sounds very scary, what we're going through. We're hearing about it every single day. I have a news feed on my phone, unfortunately, which is all ransomware news. Every day, there's a new attack. There's a new malware variant. They're using AI to do the coding. They're refactoring old malware. There's so much going on. There's packages with malware embedded in them and third-party supply chain attacks. It can feel overwhelming. As a security leader, if you're faced with that, you think, well, what can I do? Are we really doomed? The technology is not helping. I think we have got light at the end of the tunnel, to be honest. AI, as well as weaponizing the threat actor, is definitely strengthening our defenses as well.

Caroline: Ray, I want to explore some more of this human versus machine. Cybersecurity, we think it's all about technology, but it's really not, is it?

Ray: It's both. I don't want to dismiss technology because we've come a long way, but the human, that I think we're neglecting in the cybersecurity industry, even though we talk about it a lot, literally is the interface between the keyboard and the outside world. When I think back to the good old days, as I said before, we had a firewall, we had antivirus, and maybe had email filtering and VPN. What was in the perimeter was safe, what was outside was the threat, but we have moved a long way since then. We've now got next-gen firewalls and next-gen AV and all this cool stuff, but what have we really done with the human element? Security awareness training is absolutely needed and useful, but we touched on earlier about the shame people feel. They feel like they've made a mistake or they're stupid. I talked to my family about this and I said, please call me if you receive anything. But again, because it plays on those human emotions, even then sometimes they don't call me.
They say, I've just clicked a link, but then I thought. That's still a step in the right direction, because sometimes even clicking the link doesn't necessarily mean now you've got malware on the machine. It could be a fake credentials login, and if you don't even go that far. Every little step, it's not too late, you should think you've got to own up. Going back to my former boss from all those years ago, if you make a mistake, own up to it. I think in the security industry, we need to come together more within an organization. I'm talking about IT, security, but what about HR, finance? Come together as an org. We do a pretty good job, I think, as a cybersecurity community and we have these amazing conferences each year, but I still think we're a bit separated and segmented. That's the issue. I think we need to do more there as well. There is a long way to go, but I think we're getting there.

Caroline: Ray, how do we evolve beyond this outdated idea that humans are the weakest link?

Ray: Yeah, I hate hearing that. Unfortunately, I still hear that a lot from fellow cybersecurity professionals. I think that's the easy answer, isn't it? Blame the human because they're the one that clicked the link or they're the one that failed the phishing simulation. Going back to that story, let's not penalize employees for failing those phishing simulations. That's on the employer as well. Why have they failed that? Maybe the training wasn't up to scratch. Sometimes it's because the person is so awesome at their job and they're thinking quick because they're so good at what they do, they're missing the other side of the coin, essentially. It's a tricky one, isn't it? It's trying to get that balance. We can't all send every employee on some meditation retreat for two weeks because things will get expensive. Well, it may help.
I was semi-joking earlier, but maybe that meditation app, give the employees a perk, a subscription, but build that into the security training as well and have more awareness that this is so advanced now. We've got to be on our toes, but owning up when you think something's not right. I think most organizations do a pretty good job of that, but we need to do a bit more.

Caroline: Ray, what kind of things do you do in your personal life to catch yourself in system one thinking and to shift to system two thinking?

Ray: Okay. I might be the odd exception. I'm the strange one, but there's a number of things I do personally. I don't really share my personal email address. I generate an alias for many uses. The hotel has an email. My Amazon has an email for my Amazon orders. Every account I have is a unique email, because I don't want to get caught out, especially as I'm talking about this stuff. I would feel ashamed if I got caught by a phishing email. So not just looking at who that was from, but who it's sent to, is one of the things I try and adopt in my personal life. I use virtual phone numbers. There's plenty of services out there where you can get a VoIP number. Even if you have one more that's not your SIM card number, that could help negate against SIM swap attacks. By the way, there's another attack vector that the threat actors will try: they'll use social engineering not on you, but on your suppliers, and in this case, the cell phone provider. If they can get your phone number, they can get your backup codes and get in that way. So I think as an organization, certainly, again, for executives and high-risk employees, giving them a VoIP number. We've got the systems. We all have the systems in place to do it, but perhaps just not using them in the correct way. I'm a bit of a strange one in my personal life. I separate everything. I try and have aliases and compartmentalization for everything.
The only people that have my real email address, I think, are my wife and my parents.

Caroline: I think that's quite brilliant. Ray, what advice do you have for organizations and for leaders who want to shift their mindset in this direction, to move beyond traditional security awareness training?

Ray: Yeah, I think take it slowly. Let's not just pull the rug from under the whole security policies and program in the company. Start implementing these other steps piece by piece. And look, we always say, assume the breach. It's going to happen. And sure, it probably is. So we need the ability to recover. But also, we need to be able to prepare people for when it does. And going back to when I think of being in a cyber crisis myself, you are under stress. So system one's more likely to kick in. And you've got to feel like people have your back. And you're in a team. You're not on your own. I remember being called out at 3 o'clock in the morning for an incident. I had to drive to the data center. But I knew it wasn't just me going there on my own. I had this team of people I could contact. So as a leader, I think making people aware of the psychology of a cyber attack, the social engineering side, telling them that they can make a mistake and own up to it and share and learn from those mistakes. Because if you just hide everything, you're never going to learn from the mistakes. And I think also just adopting that team mentality, not just in the cybersecurity team, but IT, HR, finance, legal, broaden it as much as possible.

Caroline: Ray, what kind of final advice and lessons learned do you have for us today?

Ray: Yeah, I think for any security leader, any leader listening, you're not going to change things overnight. Don't pull the rug from under the security program, that's number one. But I think start adopting more of a focus on the employee. As I said before, they are the interface between the keyboard and the outside world, and see them as an asset, not the weakest link.
But we read in the news every day of ransomware. We are told to expect the breach is going to happen. And sure, it might happen. But by looking at this at a slower pace, as I said, just adding that pause, that space in between, it may be that if an employee does click a link, it hasn't weaponized the machine with malware. It may have been trying to harvest credentials. And if people feel safe, that they can report, I made a mistake, I clicked this link, it might not be too late, it actually might be fine. They never actually proceeded on. And all is good. And they can obviously protect against that. So I think embodying this culture of owning up if something's not right, or I made a mistake, is really, really important. And just not punishing employees for failing that phishing simulation, for example.

Caroline: Ray, thank you so much. Thanks for your leadership.

Ray: Thank you. This has been great.

Caroline: This has been Wake Up, a podcast by Veeam, global leader in data resilience. Thanks for joining us.
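Ray's two suggestions in the conversation above, checking where a message landed and not only who it claims to be from, and treating deadline language as a cue to pause, are the kind of thing a mail gateway or a mailbox rule can do for the reader before system one kicks in. The example below is added here to illustrate that; it is not code from the podcast, from Veeam, or from any product mentioned. The trusted domains, the per-supplier alias book, the primary inbox address, and both sample messages are constructed for the demonstration, with the phishing sample modelled on the npmjs.help lure and the September 10th deadline Ray describes.

```python
import re
from dataclasses import dataclass

# Constructed example data: domains a high-risk mailbox expects mail from,
# and the unique alias each supplier has been given (Ray's "where did it
# land" check). Nothing here comes from a real tenant.
TRUSTED_DOMAINS = {"npmjs.com", "microsoft.com", "amazon.com"}
ALIAS_BOOK = {                      # alias -> the one supplier domain allowed to use it
    "acme-invoices@corp.example": "acme-supplier.example",
    "npm-notices@corp.example": "npmjs.com",
}
PRIMARY_INBOXES = {"alice@corp.example"}   # guessable first@company style addresses
ALIAS_FOR = {domain: alias for alias, domain in ALIAS_BOOK.items()}

# Wording that pushes the reader toward a fast, system one decision.
URGENCY = re.compile(
    r"\b(urgent|immediately|act now|within \d+ (?:hours|days)|"
    r"will be (?:locked|suspended|closed|terminated))\b", re.IGNORECASE)


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str


def main_label(domain: str) -> str:
    """Second-level label of a domain: 'npmjs' for npmjs.help, 'evil' for a.evil.help."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_of(sender_domain: str):
    """Trusted domain the sender imitates (same brand label, different domain), or None.

    Catches npmjs.help (swapped suffix), npmjs-support.com (brand plus suffix)
    and microsoft.com.evil.help (brand as a subdomain). A real subdomain of a
    trusted domain is not flagged. Substring matching means a name such as
    amazonia.org is also flagged; for a pause-before-acting hint that is accepted.
    """
    sender_domain = sender_domain.lower()
    if sender_domain in TRUSTED_DOMAINS:
        return None
    if any(sender_domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    labels = sender_domain.split(".")
    for trusted in TRUSTED_DOMAINS:
        brand = main_label(trusted)
        if brand in labels or brand in main_label(sender_domain):
            return trusted
    return None


def triage(msg: Message) -> list[str]:
    """Return the reasons this message deserves a pause before anyone acts on it."""
    findings = []
    sender_domain = msg.sender.rsplit("@", 1)[1].lower()
    recipient = msg.recipient.lower()

    # Check 1: sender domain that merely resembles a trusted one. This is the
    # case SPF cannot help with, because the lookalike domain is the attacker's own.
    claimed = lookalike_of(sender_domain)
    if claimed:
        findings.append(f"sender domain {sender_domain} resembles {claimed} but is not it")
    brand_domain = claimed or sender_domain

    # Check 2: did it land where that supplier is supposed to write?
    expected = ALIAS_BOOK.get(recipient)
    if expected and sender_domain != expected:
        findings.append(f"alias {recipient} is reserved for {expected}, not {sender_domain}")
    if recipient in PRIMARY_INBOXES and brand_domain in ALIAS_FOR:
        findings.append(f"{brand_domain} should write to {ALIAS_FOR[brand_domain]}, "
                        f"yet this landed in the primary inbox {recipient}")

    # Check 3: deadline and urgency language, the system one trigger.
    text = msg.subject + " " + msg.body
    cues = sorted({m.group(0).lower() for m in URGENCY.finditer(text)})
    if cues:
        findings.append("urgency cues: " + ", ".join(cues))
    return findings


PHISH = Message(  # constructed, modelled on the npmjs.help lure described above
    sender="support@npmjs.help",
    recipient="alice@corp.example",
    subject="Action required: your account will be locked on September 10",
    body="Update your two-factor settings within 2 days to keep access.",
)
LEGIT = Message(  # constructed: the supplier writes to the alias reserved for it
    sender="billing@acme-supplier.example",
    recipient="acme-invoices@corp.example",
    subject="Invoice 4471 for October",
    body="Please find the monthly invoice attached, payable in 30 days.",
)

if __name__ == "__main__":
    for m in (PHISH, LEGIT):
        reasons = triage(m)
        print(m.sender, "->", m.recipient, ":", "PAUSE" if reasons else "ok")
        for r in reasons:
            print("  -", r)
```

Run stand-alone, the constructed phishing message produces three reasons to pause (lookalike domain, wrong inbox for that supplier, urgency wording) and the constructed invoice produces none. The point of the alias check is that it works even when the sender domain passes every technical control: a genuine-looking message that arrives at the guessable primary address instead of the supplier's own alias is itself the anomaly.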

TL;DR

  • Modern cyber attacks exploit human psychology more than technical vulnerabilities, with threat actors deliberately triggering System 1 (fast, instinctive) thinking through urgency, timing, and emotional manipulation to bypass critical analysis.
  • AI-powered deepfakes have evolved dramatically since 2020, enabling attackers to convincingly impersonate voices and faces with just seconds of audio, while groups like Scattered Spider leverage native English speakers and thorough reconnaissance to appear legitimate.
  • Organizations should abandon shame-based security cultures that punish failed phishing simulations, instead fostering environments where employees feel safe reporting mistakes immediately—often before damage occurs.
  • Practical defenses include email aliases for high-risk roles, virtual phone numbers to prevent SIM swaps, and building organizational norms that allow five-minute pauses before responding to urgent requests.
  • The industry's $215 billion cybersecurity spend remains heavily technology-focused, with insufficient investment in human-centered approaches like mindfulness training, cross-functional collaboration (IT, HR, finance, legal), and psychological resilience.

The Evolution of Cyber Threats and Human Psychology

Ray Heffer, Veeam's Field CISO, traces the transformation of cybersecurity from perimeter-based defenses to today's AI-powered social engineering landscape. Drawing on 25 years of experience, he explains how the advent of cryptocurrency around 2010-2011 fundamentally changed ransomware economics, while recent advances in AI and deepfake technology have created what he calls "the new force multiplier of ransomware." The discussion centers on Daniel Kahneman's dual-system thinking framework—System 1 (fast, instinctive) versus System 2 (slow, analytical)—and how threat actors deliberately exploit System 1 to bypass critical thinking through urgency, timing, and emotional manipulation.

Real-World Social Engineering Tactics and Case Studies

The conversation examines several compelling incidents that illustrate modern attack sophistication. In 2020, attorney Gary Schildhorn—an expert in fraud cases—lost nearly $9,000 to a deepfake phone call impersonating his son in a fabricated car accident scenario. More recently, NPM package maintainer Josh Junon, despite his security expertise, fell victim to a phishing email that exploited urgency (account lockout in two days) and poor timing (Monday morning). Heffer emphasizes that groups like Scattered Spider—composed of UK, US, Australian, and Canadian teenagers—succeed because they speak in native dialects, conduct thorough reconnaissance using LinkedIn and sales intelligence tools, and weaponize the psychology of persuasion, including social proof, liking, and authority.

Rethinking Security Culture and Human-Centered Defense

Heffer challenges the industry's "humans are the weakest link" narrative, arguing that shame and punishment-based approaches to failed phishing simulations create cultures of silence rather than learning. He advocates for organizational practices that encourage immediate reporting of mistakes, drawing on a formative lesson from a former boss: "Don't ever worry about making a mistake, just tell us. Because if you make a mistake, we allowed it to happen." Practical recommendations include implementing email aliases for high-risk employees (finance, HR, executives), using virtual phone numbers to prevent SIM swap attacks, and introducing mindfulness practices—even suggesting meditation app subscriptions—to help employees engage System 2 thinking before responding to urgent requests.

The Cyber Kill Spectrum and Strategic Defense Posture

Moving beyond Lockheed Martin's traditional cyber kill chain, Heffer proposes reconceptualizing it as a "cyber kill spectrum" that acknowledges social engineering doesn't fit neatly into discrete phases like reconnaissance, weaponization, or delivery—it spans all of them. He introduces the Japanese concept of "ma" (the space between things) as a metaphor for the critical pause needed to shift from reactive to analytical thinking. Organizations should slow down decision-making processes where five minutes for coffee won't materially impact operations but could prevent a six-figure wire fraud. The discussion emphasizes that while the $215 billion global cybersecurity spend (per Gartner) focuses heavily on technology, insufficient investment addresses the human element beyond checkbox compliance training.

Chapters

0:00 - Introduction and Background
1:12 - Evolution of Cybersecurity Threats
3:46 - Social Engineering and Human Psychology
5:00 - Deepfake Case Study: Gary Schildhorn
7:39 - NPM Package Maintainer Phishing Incident
10:45 - Shame, Mistakes, and Security Culture
13:13 - Psychology of Persuasion Tactics
16:43 - Rethinking Security Awareness Training
19:39 - Email Aliases and Identity Compartmentalization
22:15 - The Reality of Modern Threat Actors
23:01 - The Concept of Ma: Space Between
25:34 - Human vs. Machine in Cybersecurity
27:46 - Beyond 'Humans Are the Weakest Link'
29:07 - Personal Security Practices
30:47 - Organizational Advice for Leaders
32:11 - Final Lessons and Closing Thoughts

Key Quotes

2:53 "My favorite subject. Okay, so you may be familiar with the cyber kill chain, Lockheed Martin. The problem with that in cybersecurity that I see is we're focusing so much on investment in tech and trying to check off each of those boxes that we're not just taking a step back."
3:37 "If I could rename it, I would change it from the cyber kill chain to the cyber kill spectrum. Because it's not just discrete buckets of things. It really is not. And social engineering is a great example of that."
6:58 "This is a group, a collective of individuals. And they are UK, US, Australian, Canadian citizens. So they will speak in the native dialect, the accent, if they were targeting a retail chain in the UK, which happened just a while ago. They will sound very plausible."
9:43 "I call this the new force multiplier of ransomware. This ability to use AI and deepfakes, not just for social engineering, but throughout the whole process."
11:11 "I had a boss, his name was Phil. He said to me, he said, Ray, don't ever worry about making a mistake, just tell us. Because if you make a mistake, we allowed it to happen."
16:51 "I think going back to the cyber kill chain, and this technology and focus that we've been so obsessed with, in fact, Gartner, there's a $215 billion global spend, according to Gartner, on cybersecurity. But I would be really curious how much of that spend is on the human element."