Transcript
In this episode, N-able's Nicole Reineke and Will Ledesma take a deep dive into how AI is empowering cyber attacks from phishing scams right the way through to deep fakes and what businesses can do to help themselves stay safe. When I look at phishing and how generative AI is helping that, the tactics and the key things that individuals used to look at are going to the wayside. Hi, I'm Nicole Reineke, I am a senior distinguished product leader at N-able and I actually lead our AI strategy. I've been in the AI industry for about 20 plus years and I am one of the top 1% of patent holders including quite a few on the AI and machine learning technology. Hi and I'm Will Ledesma, I am the director of the MDR team here at N-able. I've been in the industry almost 25 years and I'm basically helping find bad guys that are trying to hurt economies, businesses and people. I love that. Thank you for doing that on our behalf. I appreciate it and I know our customers appreciate you keeping them safe. We were here today to chat about security and artificial intelligence and how it's actually changing the game. And I want to start with the question that impacts so many of us on a daily basis. We receive all of these more and more realistic looking phishing emails and they've been around forever but now we're having AI generate the scams. Can you talk to us a little bit about how you're seeing AI change the phishing game? Absolutely and how I miss the days of the Prince of Nigeria when we used to get those emails and it was just like, hey, by the way, I need you to help me send money to a bank in order to, you can make us extra money by doing this, right? But the game has changed, right? And when I look at phishing and how generative AI is helping that, it's really making it challenging because the tactics and the key things that individuals used to look at are going to the wayside, right? So I'll give you some examples. Prince of Nigeria. 
If you're in the US or somewhere else that's very heavily in English, you can kind of pick up key points that it may not be a direct English speaking individual. But in that case, it was actually an individual identifying themselves, right? That they're like, hey, I'm actually not from there. But those tactics were absorbed and used and we can still see from time to time where language is identified and basically the grammar of the structure, right? And that has changed because now with generative AI, right, an attacker can basically just go talk to, I'm going to throw this out there right now, Nicole, I call all LLMs chappy. So I may say chappy in this moment, but that's what I'm referring to, right? It's just a thing that I named LLMs, right? I would say you actually anthropomorphize them and the name of the LLM is chappy. Yeah, yeah. I use multiples, but they're all chappy to me, right? They're all chappy to me. So an attacker can go to a chappy and just be like, hey, by the way, I want to send this email, make it sound professional, make it sound like if I'm talking with the person, like if I know the person. And it's going to come across very scripted to where it's making it very hard to actually figure out if it's coming from a bad guy or not, based on those key indicators that we used to utilize on, at least at the surface level. And there's some indicators of language models that you can usually tell, right? Have they inserted an em dash? Are they using an if it's not really this, but it's this, right? So there are sentence structures that are common, but those are things that you can prompt around and you can figure out, well, hey, don't sound like a chat bot. And you can even put that into the prompt and it will update the output so that it sounds more natural language speaking and is more aligned to a persona that you're trying to portray. So they do they do help you get through a lot of those language barriers, which is really quite scary. 
One of the things that I noticed when we're dealing with sort of the traditional scams is that the banks have caught on. So if you're trying to do a wire transfer, they will actually give you a call if it's over a 50 or a hundred dollar transfer and ask you how well you know the person you're about to transfer the money to, which I was surprised by. Like I recently had a transaction where it required that it was not a scam, but the bank wouldn't do it until they physically spoke to me, which was really surprising. So some of those stopgaps, I mean, is there, is that still happening with AI phishing or is there a way they're starting to work around it? I need your bank because my bank does not do that. My bank will allow me to send money without, it will actually now tell me. So it's interesting you say that because I guess my bank is trying to catch up because it will now tell me, hey, if you're going to send this money, make sure you know the person, do all these things right. But it's not actually doing a voice call. And so I go back and I think of the like. Essentially trust, right? When we're sending off something, we're sending off an email, it's do you trust that individual? Do you know who they are? Right. And that's essentially what your bank's doing. They're saying, hey, are you sure you know who this person is? I'm going to tell you a quick little story back during COVID. And this is essentially kind of linking to trust, hacking, phishing emails and so forth. But it came through, and the reason you made me think of this is because the phone call. Right. So I'm working one day and I get a text message. And at the time, the Adlumin CEO, right, they're now GM here at N-able, but the Adlumin CEO, Rob Johnston, I get a text message from him and it's, hey, Will, I need you to help me. I'm in a board meeting or some meeting and I need help. Right. And I'm like, shoot, Rob. Like, yeah, man, I'm here. I'm all for it. I got you. Right. Like, let's go. 
I didn't recognize the number though. And so just at that, at that same moment, I started pinging Rob on the side, right? Through additional mechanisms of validation, just as your bank said, hey, I'm going to call you. So I started messaging him on Teams, on Slack, hey, Rob, did you just send me this, like this message? Sadly though, Rob never responded. So, you know, he was busy. So I had to go on, on trying to figure out if this was him or not. Long story short in that one, it turned out that the, the, the messenger who was messaging me wanted me to go to, to my local store and buy some Amazon gift cards. And I was really bothered by it, Nicole. And the reason I was bothered by it was because it was at the height of COVID. And I'm telling this attacker, I have COVID right now, which I didn't. And I'm like, I literally have COVID. I don't feel comfortable going out into the public and risking other lives. And they told me, don't worry, it'll be fine. Go do it. Don't, it's okay. Right. And, and that bothered me so much that they, they like this individual did not care about the wellbeing of others. And I mean, I guess if you're in this level of trying to scam people, there's not a lot of care. Right. Not a lot of empathy going on. Right. Right. And so that, that alluded to me that it was just the beginning wave. I mean, the chappies weren't really out there yet. Right. Like it was nothing that was available to the public very easily, but anyhow, that I just wanted to tell you that little story because that's what you want to think of. So I, I have the same experience. I had actually just started a new job and I was in a, an executive suite seat and it was plausible that the CEO would send me a note, right? That was absolutely a plausible scenario. So it wasn't like a social engineering attack that was completely unheard of. And I had to do the double take and do the two factor authentication manually of let's contact them through different route. 
One of the things I've always wondered about, and I'm curious if you know, so it feels like something that can be very easily automated. Right. So I would imagine if I was a hacker and I'm, I'm not for reasons beyond technology, right. That if I wanted to set up this kind of a chat scam, I would, I would set up something that automatically sent a text to a large number of phone numbers, use something like a Marketo to then do follow-up conversations. So just basically a rules chat, sort of that antiquated marketing funnel. Is that what happens? It feels like you could automate it. You absolutely can. And I've seen social media platforms where they will make a request to be, you know, your friend or follow you. And then, you know, you're like, yeah, you know, I'm not going to validate anything. I want to build my friend list. I want to have more friends. Right. And you go and you hit yes. And then it's almost instant that you get a message, right. It's like, yeah, by the way, you know, and it's maybe a sales pitch or it's maybe this thing it's absolutely automated and it's absolutely being utilized on good platforms, or at least at what we would believe to be good platforms. Right. And, and, and attackers are, are always looking for ways to exploit trust. Right. And this is the same thing. Like they're, they're hooking into these platforms that people trust are safe. They're trusting that the companies are doing their due diligence. Right. Right. If you go and you download an app, you're trusting that the app is not laced with anything malicious. Right. You're trusting that Google has, has validated the code and the, the, everything that's gone into that is, is actually legitimate, but that doesn't happen all the time. And so are these companies, are these companies that are doing this, are they going to not allow this to be an item to be hooked in on? 
But at the same time, you, you look and you look at the applications that are out there and they literally tell you, Hey, you can hook into these hundreds of potentially thousands of applications and make your life easier. Right. Maybe. Yeah. But what makes it easy for us is also making it easier for the attackers. And I can imagine. So I, I've started using things like Codex and v0.dev and you know, you can even imagine using Zapier and n8n and you can create apps that deploy anywhere in hours. So the, the barrier to entry for actually creating something that hooks into the security validation of social and is distributable via, via one of these app stores, or even via a, you know, click through in a social context is near zero. Like that's, that's a really easy hurdle to get over. And then what do you know about what they're doing with your data? And then how are they how are they trying to socially engineer getting money or getting data or, you know invading your privacy? Those are things that we can't control. And even when you report apps and you report people to some of these large companies, they're not removing people and they're not removing the apps because the pendulum has swung from, Hey, everybody gets stopped and a lot of, a lot of real people get nicked to, we are not in charge of policing that aspect of our environment. So you have people with just one friend who send out all of these things and aren't verified who will social engineer their way into your life. It's really interesting to see. It's getting really scary, right? Because you mentioned some applications right now, like n8n, right? And some other ones. And I look at n8n and it really doesn't have to have a, like, like I've used it before as well. And it reminds me of what, seven, eight years ago when we were building no code, low code playbooks for security, right? 
And creating automations, creating artifacts that we could hook into, you know, bringing in open source intelligence and doing all these things in it. And now, you know, these applications are allowing any, any individual to basically, and that's publicly available, you know, and even has free trials and free this, and you can go and you can just say, Oh, you know, let me grab this box and drop this down. And Oh, what does this do? Let me drop this. Oh, shoot. I'm building this link and I want to get from here to here and I don't have, I don't have to be tech savvy. All I got to do is know what I want and drop it into place and run it and test it. So for me, it's, it's definitely becoming a much more dangerous world as these items are becoming more and more easily accessible and also easier to use. I think the number that I saw recently was overall losses from cybercrime was $16.6 billion last year. And there was one high level incident, which was a business with business email compromises around $2.77 billion. So the numbers here are really quite incredible. Like that's, that's a lot of money that they're scamming. There was a hacker, I'm not going to name their name because I don't want to publicize them. Right. But they were recently arrested, I believe it was in Prague is where they were arrested. And they had, it was like 10 Lamborghinis, like five Ferraris, a Pagani, like they had a number of high end super machines. Clearly this is a successful monetary business for them because if it wasn't, they wouldn't be doing this, right? They'd be trying to find something else. And so we, we as defenders and we as programmers and coders and you, you know, creating and doing some so forth, we have to keep trying to protect those again, that they're, that they're looking to hurt. Right. 
Cause that guy shouldn't have been, he shouldn't have had any of those items, but because he took advantage of these types of applications of these things, he was finding success and living a, now he's in jail, right? But he was living it up for a bit. I feel like he's never read any true crime novels, you know, because you would know you're not supposed to be flashy with the money you steal. That's when it's sort of like rule number one of true crime is hide the money. You don't drive around in the Lambo. It kind of screams, Hey, I'm the crook. Right. But maybe I just read too many true crime novels. Oh no, I need to start reading some more as well. Right. So there's those fundamentals and you're, you're highlighting a very key item, right? Cause earlier we were talking about the phishing game, you know, we've kind of switched into this items and you mentioned the monetary gain. So is this all coming through phishing? Right. And the majority of it is coming through business email compromises. And so I think of, you know, what can we do, like, what can we do to protect or try to identify, right. And I'll give you some of my thoughts here really quick, Nicole. So as we mentioned in the past, right, it used to be a really quick, easy item to look for grammar. Like, Hey, is this, is this something that I can easily identify, but now with the chappies that are being brought in, it's harder to figure out what's going on. So some would potentially say, Hey, you know, we're never going to be a target. We're never going to be a target. Everybody's a target. Everybody is a target. My home is a target. Your home is a target. You are a target, right? And so how do we make ourselves better? Right. If even tech savvy individuals can be tricked, right. How do, how does the non-tech savvy person survive? How do they survive this? 
And the reality is, is in, at least in my opinion, is you got to, if you want to continue to use email and if you want to continue to rely on it, you have to level up a little bit. You have to learn a little bit enough to be extra safe because something can look really good and it might not be real. So I'll just give a quick, a quick example of what you can do, right? And so in Microsoft and Google and Yahoo and all these, you know, big email applications and services, there's, there's a way to view the message data, right? And essentially it's like view source, view message, view headers, depending on which application you're using. But a really quick, easy trick that you can use is in there, you'll identify, it'll say P1 and P2. And what that stands for is, is like the first sender, second sender, essentially from the hops. And if those don't match, they're supposed to match, P1, P2 supposed to match. If it doesn't match, then it's a clear indicator that it's either being spoofed or relayed. It's not coming from the original sender. If P2 doesn't match P1, it's not the original sender, essentially. So for the layman among us, including me, so what, what is the P1 stand for? Is it the original location? It's the original email. Good question. So it'd be will, will at my domain.com and P2 will be chappie at domain3.com. But because domains and will and chappie don't match, that means that the, that the sender has been manipulated with. And so when, you know, an easy trick that a lot of people started learning about is if you hover your mouse over, over a, an email, right? It should show you normally on the bottom left, bottom right, somewhere or pop up the, the original sender. That's not proving quite true anymore. And so another thing that I've been noticing companies doing is they're starting to basically not hide that data anymore, right? Cause it, it, it's basically it's hidden. 
But let's say a company that that's running email, they say, Hey, I think this is a phishing email. What I'm going to do is I'm going to potentially throw it into your junk box or not, but I'm going to, I'm going to raise and I'm going to expose what that true email is behind the name. And that way you can see it and you can say, Oh, wait a minute, why is will coming across as chappie? Like that, that doesn't make sense. But that's where the trust comes in, right? You have to go and ask these questions, who, what, why would will send me an email as chappie? Would he send it from another domain that I'm normally used to him sending to? So it's, it's being more just cognitive and aware of what you're, you're ingesting and what you're looking at, because it's clear these bad guys are finding success with this. And it's still a real active threat. And the recent Verizon short report shows that phishing is now like tied at the top with ransomware for the top threats for SMBs or businesses under a thousand employees. So we're, we're definitely running into this challenge. I think we, what I think about this from a usability perspective or UX or an AI UX perspective, we are introducing so many points of friction that the end user has to do in order to detect themselves, that they might be being scammed, that it's unlikely the majority of people are going to take these actions. You know, we, we think of email as a, a near zero friction experience where something just pops up and we click, we click through. And so our, anybody who's been in the business for any amount of time, our inclination is email is, you know, near zero friction. And so we have to purposely introduce those friction points to actually stop and say, is this true? Is this real? Should I be doing something with it? I also wonder if, I mean, I know in my experience, I've seen more spam come into my email than day-to-day activities. 
So my day-to-day activities have started moving over into sort of the Teams realm or the, the Slack realm. Is there spoofing that's going on in Teams and Slack too, or are those a little more secure? It's a little more secure, but it's definitely still a target. Okay. And I have, I have read some scenarios where attackers will get in through, into Slack channels, right? There was one, oh gosh, I'm trying to remember the company, but essentially a bad guy got into their Slack and started just creating disruption within the company to where they were eventually able to get data that they were interested in, right? They were able to, yes, yes. And it was through Slack. So it, they're definitely targeting these items. I know a big one was Discord, right? There's been quite a few publications of attackers getting into Discord channels. It doesn't help when good companies are putting sensitive data inside of there as well. Right? You know, practice good hygiene as well. I'm always surprised that companies adopt Discord. I just feel like it's the gamer platform, but indeed they're adopting it for the communication channel. So we have sort of the, the textual attack. That's really what I, what I consider when we think about email and you know, this Slack communication channels, but deepfake audio and video is 100% real. You know, HeyGen has made it so just about anybody can take videos of anything online, run it through and train the algorithm so that it's their personal avatar. And you can now generate, you know, videos and audio tracks and real time communication that sounds and looks nearly identical to any human that has been captured. Talk to me a little bit about what that means in terms of your job, like as a security expert, how is that impacting us? Well, I think of impact. So just a little side channel on some weekends, I get to put on a military uniform, put on a cyber patch and go and protect our countries. Right. 
And I go back and I think of 1938 and there was an impactful item that happened in 1938. It was the War of the Worlds radio broadcast, right? What happened during that moment? People lost their minds because they thought it was real. What happens if a deepfake gets out, right? To where it's potentially a president, a vice-president, a Senator saying some really impactful items. What can that mean? Right. So as a security individual, it's, it's a real threat. And there's some ways that we can attempt to figure out if they're real or fake, but let's say they hijack a TV station broadcast, right? And all of a sudden they're broadcasting to the world. Same with the War of the Worlds item. People are going to react in real time to what they're listening to. The same with the emails, like if you're not paying attention and if you're not looking for the potential key indicators of attack or, you know, the potential deepfake that's being going on or the voice clones that are happening, we're likely going to fail. It will likely have some type of paranoia or something just based on what may come out. Right. I think I'm leaning on War of the Worlds. But so how do we, sorry, one of the, one of the ones that I wanted to raise on this as well, now that you asked the question is countries are trying to infiltrate the U.S. Right. We're always trying, they're always trying to get in, get intel, trying to make it into defense contractors, make it into government agencies, make it into just regular entities such as ours. So they're, they're deep faking and deep voicing their interviews in the Air Force. Right. It has been told to us that people have set up full personas on LinkedIn to trick people. And again, back to the root that you mentioned, trust, right. It goes back to that trust. So it's really, it's very cool in some ways, but it's terrifying in a lot of other ways. So I've actually built AI personas that mimic a user persona. 
And the idea is I can use a user persona to train my interview dataset and get rid of the bad questions right up front. So that when I do talk to real humans that, you know, I get answers that are meaningful. So I have been personally creating users through AI that are based on, you know, likely high level descriptions of what their jobs are and what their intentions are. And they get really good. Like to the point where the answers that I get from the AI persona are almost enough data for me to make decisions against given enough background information. I don't do that for many reasons because I actually understand how AI works, but you could, you could in theory be completely tricked by just setting up. And it's as simple as setting up a GPT, right. And you can put all of that training and background data in there and then link that to the generative video creator. So there's not a lot of work that goes into actually creating one of these things that can have a conversation in near real time, just from a technology perspective. It's really quite incredible. One of the, so I just want to do a few things that I've also noticed here. So one important thing that I learned working at a company that did a lot of federal contracts was the importance of air gapping. So the most secure data was never in a location where it could be horizontally accessed. So when you're talking about critical citizen information or critical customer information, that kind of information really does need to be air gapped or needs to be stored where there's a physical barrier between the things that are infiltratable and the actual data itself. And that's a very antiquated set of techniques. And it's something that was very popular in the eighties when we were thinking about doing data protection, but it's actually come back around to be incredibly important. Um, who knew, who knew that would be a thing again? 
And the other thing that's really interesting is when we think about language models. So one of the, one of the techniques that we used to be able to do is you could ask something that happened in the last week and say, Hey, what do you think about this activity that happens in the last week? And language models are typically date based, right? They've been trained. They have a date that's typically months old, if not, you know, longer than that. And they can't necessarily stay up to date with the latest news, but what's happening now with the, the way the language models are able to stop and think is they're able to actually go out and get more recent information that's available on websites and do self tuning or bring in additional information. So that technique of, Hey, if it gives me information, if it can't give me information from this week, it's old, that no longer really works. So that's been disconcerting as well. Um, and there's one, Oh, do you mind if I do one other thing, one other research report that I just read that was super exciting is how people can take over existing language models. So, um, they did a research report that said, if you have like an 8 billion parameter model, which has been trained on literally billions of points of data, you could actually overthrow that model with just 260,000 documents. So we could create 260,000 documents that lean the model in a direction. And that model will be completely changed moving forward. So we could take something that is typically leaning towards a specific country, have the language model create 200,000 documents that are pro that location, feed it into the model. And then now the entire model is leaning in a different direction. And so that takes a little bit more time and effort, but some of those techniques that we can use to start to say, Oh, I'm going to trick you. Where are you from? Those can start to be counteracted as well. I hope I didn't give anybody ideas. 
That was not my intent, but just so that we know that those are things that we can look out for. No, absolutely. I think of when you're training your child, because it's essentially what these AIs are in my mind before they become teenagers or adolescents. But if I was to tell my son or my daughter when they're young or when they were young, and I show them a picture and I'm like, this is a cat. And it's actually a dog. And I tell them their whole adolescence, this is a cat, this is a cat. And then they go to school and the kindergarten teacher is like, what is this? And my son or daughter says, that's a cat. And everybody's like, what's wrong with you? That's a dog. Right. But we've trained or I've trained my child to say, this is what it is. So it's interesting that, as you mentioned, the amount of documents that are needed to start persuading. Right. And so I think of if my child is in that scenario, and now all of a sudden they have their teacher and the surrounding society that's with them driving a different direction saying, no, this is wrong. This is what it actually is. Well, now my child's going to come back to me and say, hey, you were like, this is what I now believe because of the influences that I have had. Right. And so the same way you were just mentioning how we can essentially poison the data sets in order to trick the LLMs into giving us or into driving a different direction. I did want to raise one item, Nicole, that you had talked about on air gapping. And I have seen this. I've seen proof of concept of this into where two air gapped systems were actually able to transmit data to to an un-air gapped machine via the speakers that were built in to the. Oh, that's crazy. Like Morse code? Yes. Yes. And so it would transmit and then the other one would listen and it would it would pick it up and then it would decode it. And then pull out what they what the air gap machine had. We're going back to tape. That's the only the only answer. 
It's punch card. You brought a lot of memories to me there with that statement. Oh, I don't like that at all. It reminds me of the router research that somebody just did. So they proved that you can take your router and you can use it to measure where the signals bounce off of. And then you can map the interior of any location based on the distance of the signal from the router. And you could essentially spy on interior locations and recreate the location of humans and furniture and rooms. It feels a little bit like that, except it's not echolocation. And in your case, it's actually just audio location or audio recognition. Wow. Well, now I'm suitably paranoid. If you're not paranoid in cybersecurity in some level of shape or form, you're not doing cybersecurity correct. You're doing it right. Talk to me about two-factor authentication. So we were talking earlier about manual two-factor authentication, which is you get the text, then you try to Slack or Teams somebody to see if it's real or true. So I always think about that as like multi-factor authentication. How are people bypassing this? Or are they? They absolutely are, right? And so there's a couple of knowns that are out there, right? I'm going to just memory as Tycoon 2FA, right? Basically that group. And so what they are is they're essentially, they operate as an adversary in the middle, right? And they're a phishing kit. And so one of the things that, so man in the middle, adversary in the middle, like what does all that mean? Well, what that means is if I'm going to send a message, right? Remember earlier, we're talking about P1, P2. So let's say I send a message and my P1, P2 are perfect. But then there's a man in the middle or an adversary in the middle that's intercepting my traffic, right? They've hacked the system that I am sending to, or they're in between the line of communication. Basically A equals B and B equals C, they're at B. 
And so what they're doing is they will capture essentially what's called the session cookie, right? And the session cookie holds the information for your authentication potentially, right? Depend on what you're sending. And so there's attacks that are called replay attacks. And you can do it on Google Chrome and Edge. I'm not going to say how to do it, right? But it's very easy to do. You can click three things and you can put the cookie in, hit execute. And if your session cookie is good, you've now gained access into that session. And so let's talk about session for just a second. What exactly is that? Well, let's say you go to your bank, right? We were talking about banks earlier. And you're online and you're like, hey, I see the little lock icon. I see the HTTPS money. I'm good. I'm secure. Well, so you log in, that login, that session between your computer and your bank's servers is what I am grabbing or what the attackers are grabbing. And they replay that. And that's, so now that I replay it, now I am you essentially, right? We talked about spoofing and deep fakes and all that. Well, now I'm essentially you because I am now accessing everything that you are and I'm doing it from my computer. So the tycoon and the man in the middle and the adversaries in the middle for the MFA and the 2FA, what they're doing is they're hijacking that session. And it's allowing them to circumvent MFA. But let's say hypothetically, right? That they can't get past the MFA, right? Well, what are they going to do? Well, essentially, because they have your authentication or another way is you fall victim to a phishing site, right? You go and everything looks real. You put your username and your password in. Now they have your username and your password. So your last line of defense, or at least in theory, your last line of defense is going to be your multi-factor authentication. But then what if they keep spamming you? 
What if they're like hitting you and hitting you and hitting you and you're just like, oh, you know, it must be my computer or whatever. And you just hit yes, let it in, let it go. I tell my team all the time, they're not allowed to drink is what I tell them. Because we're on 24 by 7. I'm like, you can't drink because we've always got to be sharp. But I'm going to just throw this as an example. What if somebody happens to be out having a good time with their friends, have a little, you know, they're having some encouragement juice. And all of a sudden, their phone just starts spamming them. Like, hey, MFA, MFA, MFA. And they're like, oh, my gosh, I don't care about this. I'm out having fun right now. Yeah. Victim instantly, right? And so that essentially is what these adversaries in the middle are doing there. They're grabbing these session tokens. They're replaying them. They're either bombarding you with MFA authentication, or they are grabbing that token as well during that moment. So there was a story where an attacker... So think of it this way, right? Because I'm talking about this device, right? This thing right here that's in my hand, right? The cell phone. Everybody is always thinking, or I would think a lot of people are like, well, I have text, right? I MFA that, or I have an authentication app, right? Such as Google or Microsoft Authenticator, Duo, Okta. So I'm good there. But the story that I'm about to tell you about. So a bad guy did a session attack. They gained access into basically a financial environment for the user. And what the attacker realized was that the 2FA was tied to email. So they started doing wire transfer requests. But now when the 2FA would come in for the bank to say like, hey, are you real? Well, guess what they had access to. They had access to the online email system. And they got the 2FA token. So they didn't even have to do anything except get through that first layer. 
And so at some point, I mean, I think, Nicole, at some point, we either A, need to figure out a smarter way how to do this or we're going to have to add an additional layer. If I have to do three-factor authentication, I'm going to cry. It might happen. I anticipate at some point we might just have to like, the computers will just have a little pricking item. And it's like, here's my blood, right? Here it is. I am who I am. Oh, I love. I mean, I don't love that, but I feel that it feels very true. And it also feels like such a numbers game, right? And I think attackers have always been a numbers game. You reach out to enough people, somebody does something wrong, and then they get in. And AI has just increased the odds in the favor of the house, because it may still be like one in a million that they get through. But now instead of it taking a week or two weeks to make a million outreaches, it's taking minutes, if not seconds, to do that same level of activity. And so AI isn't necessarily making them more effective, but it's certainly making them more prolific. A hundred percent. Yep. A hundred percent. I don't even have anything to say to that, because that's just a hundred percent true. That's the way that it's going. I don't like it at all, but thank you. Thank you for confirming the feeling of dread. So what can we do? I know that we talked a little bit about looking at the email markers, but if we think specifically about those two-factor authentication, like what exact steps should I be taking, in SMBs for that matter? So more for the SMB on this, because there has to be, at least at the enterprise level or small, medium business level, there has to be actions that they're doing to help protect. And so in the world of Windows, and somewhat in the world of Linux and Mac and so forth as well, there are items that admins can do to help validate, essentially, trust. And so how do we help do this trust? So think of our computer. 
If I have my work computer and I have my personal computer, and my work computer, the system, because the SMB, the admins have configured my work computer to be a trusted device in the backend, in the application, on the servers and so forth. So when I am authenticating, it will look for a potential fingerprint, for a signal from the computer that says, yes, I am this authenticated device that you know, you know who I am. On the flip side, if I try to do the same thing with my personal computer, well, that personal computer doesn't have that signature. So therefore the backend system will say, no, even though you're giving me everything, I'm not going to let you in because I am putting these other items in place. And so what are these other items, right? So just simply conditional access, right? That's one of them. You know, we can potentially go back to some old school techniques, which isn't really doing much anymore, right? You think of like geofencing, which is essentially, I'm going to cut off countries that are not doing business with me, but attackers are just going to use jump boxes. They're going to use VPNs. They're going to use proxies. We'll disrupt them for maybe a minute, two minutes, right? But at least it's a form of disruption. And that's what you want to do. You don't want to make it easy, right? Because just as you mentioned, Nicole, right there, they're essentially throwing the cast net and they're looking for who and what they can catch. And then they're looking to see if there's, and I'm using a cast net, so is there an easy fish or a bad fish? Like, is this a lionfish that's poisonous? Or, you know, is it a flounder that I can take, right? And so those are some things that admins and SMBs can do to start putting some measures into place that add additional trust into the authentication. All right. So definitely add points of friction. 
I think one of the statistics that we had was 54% of SMBs do not have any type of multi-factor authentication and aren't using those resistance methods. So we should definitely all be adopting the hardware tokens or security keys and doing those kinds of notifications to look and say, hey, stop, do these things match? And are you behaving right? And I think the Microsoft statistic was that 99.9% of the automated attacks, so those things that happen at scale, do fail when the MFA is in place. And while there are some workarounds, at least it does help pause the attack. You know, you get that second to think, which is great. I'm interested in that 99%. That's an interesting statistic. I'm curious what their sample set is, but yes, that's an interesting one. I do not know. We'll post a link to the research and to the articles so that people can make their own informed decisions. 99% of a million still is a lot of failures, but it also seems like a very high number, given that billion dollar impact that has happened in the last year alone. Okay. So it sounds a lot like the best defense is being intelligent, going back to basics, making sure that we have our defenses and we are internally disciplined and trained and informed. Is there anything that you want to add on top of that? So I've been doing this for 25 years professionally, and it is my life's mission and goal to protect those that put their trust in us, right? So we are only as strong as our weakest link, they say, but what we can do is, it's one team, one fight on this side, right? An attacker can be wrong a thousand times, but when they get that thousand and one and that thousand and one is right, then what, right? So we need those defense in depth layers. 
And that means that it's all of us together, working together, having the IT admin, having the security individuals, having potential SOCs, having potential, you know, CSOs, like all the things that we hear and read about are there for a reason, because it's what we have seen show success. Nothing will ever be a hundred percent secure. And I can tell you stories up the wazoo on how many times I've been asked, if I gave you this much money, how secure are we? Never will be a hundred percent, but we must rely and lean on each other, right? The same thing within our ops and MDR. It's a relationship with our partners. It's a relationship with our customers. Hey, we're looking, we're identifying, we're taking actions. You come back and you tell us true positive, false positive, benign. We adjust. And then we keep moving forward, right? In order to build that resilience and build the protections of identification through the signals that we're getting from the telemetry. So the advice that I would have is try to get as many layers of defense as possible versus relying on one or two potential items, right? Like I have a cousin who recently came under attack in his company. And he told me, he's like, hey, I have a firewall. Why didn't the firewall do what it was supposed to do? Well, because they got past the firewall and, you know, they didn't have extra layers of defense, and that's why they were able to get through. So just don't rely on a single source. Expand your protection. Oh, well, I am incredibly grateful that you are on our side. Thank you so much for the conversation. And I've learned a ton today. Nicole, it's been absolutely a pleasure. Thank you. I've learned a lot also from you. And I hope we get to do this again. I'm in. Thank you also to the audience. 
If you're still here hanging out with us, we really appreciate you coming, listening and spending your time with us.