Cyber Focus at RSAC 2024: Flashpoint CEO Josh Lefkowitz

May 10, 2024 · 24 min · Season 1, Ep. 18

Episode description

Flashpoint CEO Josh Lefkowitz joins us for a fascinating talk about how 9/11 changed the trajectory of his career, the impact of Telegram worldwide and how A.I. is making human analysts better.

Transcript

Frank Cilluffo

Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and have the privilege to sit down today with Josh Lefkowitz. Josh is CEO of Flashpoint. He's one of the OGs in the cyber business. We've known each other a long time and really excited to sit down with Josh today. Josh, thanks so much. Great to be here. It's

Josh Lefkowitz

been a long time since I've seen you and great to catch up before our official chat and thanks for making time during such a busy week. Well, thank you

Frank Cilluffo

Josh. You've got a lot going on and actually, why don't we start with that. How did you get into the cyber business? I mean, you've got an MBA from Harvard, you went to Williams, I believe, undergrad. So smart dude. But how'd you get into the whole cyber business? Yeah, a very nonlinear path, like so many paths that

Josh Lefkowitz

folks take. I'm a native New Yorker and graduated the first college class post-9/11. I had spent the summer of 2001 interning at Merrill Lynch doing equity sales and trading between my junior and senior year. And heading into graduation, I anticipated that I was going to go work on Wall Street like my dad had and many others. And the more that I learned about 9/11, the more I learned around the national security threats that we were facing, the more I wanted to contribute in some

small way. So 6am the morning I was supposed to start onboarding and training in my financial services job, I quit, didn't have anything lined up, had no contacts in the national security community, but just started knocking on doors and eventually was fortunate enough to find an entry-level position and over the next decade worked to eventually found Flashpoint in 2010. Wow, so you've been at the helm for 14 years. Exactly. And

you know my co-founder, Evan Kohlmann, quite well. Evan was one of the leading global experts on terrorist use of the Internet. And that was the origins of Flashpoint for the first couple years. It wasn't until a few years in that we recognized that the tradecraft, the methodologies that we were using to understand terrorist activity online could be more broadly applicable to a wider set of illicit actors, hackers, cyber criminals, fraudsters,

and really that was the beginning of the next phase of Flashpoint. You know, before

Frank Cilluffo

we jumped into our conversation here, other than talking about the Knicks, which go Knicks, we were also talking about how open source intelligence, the evolution, how much it's changed over the many years. It used to sort of be the stepchild of the intelligence community. I would argue today it's front and center. So what are your thoughts there?

Josh Lefkowitz

Yeah, it's extraordinary to see how OSINT has come of age. Intelligence community, of course, put out their OSINT IC strategy a couple months ago, called it the INT of first resort. A senior leader at DIA was presenting last week. He said when he started in the intelligence community about two decades ago, IC was the, or OSINT rather, was the salt sprinkled on top of the foundational exquisite capabilities, SIGINT, HUMINT, et cetera. He

said today OSINT comprises 75 or 80%. It's truly the main course. And we see through our work across the national security ecosystem as well as the enterprise that OSINT is driving, incredible insights and incredible outcomes, incredible solutions in a way that is really changing the game. And not to butter you up while we're here, but you played

Frank Cilluffo

a big role in all of that. So, I mean, correct me if I'm wrong, but when I think of Flashpoint, I think of illuminating the deep web, the darknet, and it's sort of a combination of HUMINT meets technical means. And I would argue just from an OSINT perspective, there's always going to be a need for exquisite sources, methods, means of collection that only the government can and quite honestly should do. But I think the rest, the majority of the information is, is not going to

be procured by the government. But I'd be curious what some of your thinking is there. Yeah. And we're certainly extremely proud of the leadership role that we've helped to

Josh Lefkowitz

play in blazing new trails when it comes to OSINT and the impact that it can have in the national security community as well as the enterprise, as you said,

the government is exquisite at the exquisite stuff. And when you marry up what private sector partners can do in the OSINT domain with those unique capabilities on the government side, that's where we've seen remarkable outcomes driven and we're able to operate with tremendous agility and help to break down barriers that often bureaucratic limitations slow down.

And we had one customer share with us last week that we were driving outcomes in 96 hours that would take them nine months if they were to run those processes on the government side. Wow. And you mentioned a moment ago the combination of subject matter experts and technical capability, that's always been at the core of our philosophy. We have an analyst team that speaks 35 different languages. Deep technical expertise, deep. What's

Frank Cilluffo

the number one language? Mandarin? Farsi. You know, the hard problem areas. Exactly. Russian. Yeah, yeah. And you know, we've always seen that the magic happens when you pair subject

Josh Lefkowitz

matter experts with technologists. That's been at the core of our collections methodology. As we're now seeing the transformational impact of AI, we're marrying our subject matter experts with AI to drive high fidelity, high signal collections from illicit communities at scale in a way that was previously unfathomable. We've driven a 10x collection increase because of that marriage. And that's really the future. So with AI. And I definitely want to touch on your

Frank Cilluffo

report because I think your annual threat report is a must read. But before we jump into that, where do you see, obviously you're utilizing AI, machine learning, project sort of 18 months out. What do you think that looks like? So there's on the

Josh Lefkowitz

adversary side and then there's on the blue side. I'm. Yeah. On the intelligence side, I think it's a massive force multiplier in terms of efficiencies. So much of an analyst's day is spent synthesizing and summarizing, and AI can obviously provide game changing efficiencies in that regard. Randy Nixon, who leads the CIA's open source enterprise, has been quite public talking about how AI has been a force multiplier for them throughout the entirety

of the intelligence lifecycle. It can drive so much when it comes to relevance and personalization and context, as well as cross language translation. And what we see in the overall intelligence landscape is there's just an absolute avalanche of data, an overwhelming volume of data. And so AI can be a really critical lever to help make the analyst even more efficient as they're struggling with that avalanche of data. And sift some of

Frank Cilluffo

the signal through the noise. Exactly. Yeah, yeah. And what about human intelligence? I. Even if it's in cyberspace, that's still some of your bread and butter, isn't it? You guys are very good at that. So we're particularly adept at navigating in online illicit

Josh Lefkowitz

environments and deriving intelligence from adversaries in those particular environments. And it all comes. And you got to meet them where they are. Right. They're not hanging out in churches

Frank Cilluffo

or synagogues or wherever. It's all about really understanding the adversary and the environment that

Josh Lefkowitz

they're operating in. And you hit the nail on the head that AI can really change the game in terms of filtering down to that signal. And in a variety of different scenarios and situations, AI can be a huge force multiplier. So let's go

Frank Cilluffo

into your report. Every year, it's actually one of the few reports I actually take the time to read. So let's talk 2024. What were some of the big takeaways?

Josh Lefkowitz

Yeah, yeah. So one of the headlines, one of the themes was around a topic that I know you pay a lot of attention to, which is the cyber-physical-geopolitical convergence. And whether we're talking about the Russia-Ukraine war, whether we're talking about Israel-Hamas and the broader ripples into Iran's involvement, the China-Taiwan conflict. That narrowing of and breaking down of silos is front and center with what we're

seeing in the threat landscape. It's also being mirrored in how we see enterprise teams positioning themselves. I'm sure you've talked to CISOs and CSOs who have set up fusion centers in some of the largest Fortune 500 enterprises in the world. It's because they recognize that looking at a threat as just a cyber threat or just a physical

threat no longer reflects the way that illicit actors are operating. You have to have that multi domain, multi team approach to be able to navigate the threat landscape of today. And the next stage of that is whatever's happening in the physical world has

Frank Cilluffo

a cyber element to it and vice versa. So you are starting to see geopolitics play into all of this. Any beyond sort of that strategic awareness and intent, any takeaways from either Ukraine in terms of Russian aggression or Hamas in terms of targeting Israel that are worth touching on here? Yeah, I'll make one comment on the geopolitical

Josh Lefkowitz

front and then bring it back to the enterprise environment around an executive protection example. So certainly we are seeing that physical attacks are being tightly coupled with cyber attacks. For example, as Iran was launching their strike against Israel, there were claims from

Iranian affiliated, associated claimed activist groups that they were targeting the Israeli radar system. In parallel, there's been tremendous reporting on some of the Russian disinformation campaigns aimed at Zelensky and others in an attempt to undermine trust and his credibility. Taking it back to the Fortune 500 environment and how that convergence of physical and cyber is increasingly ever

present. We work with a lot of executive protection teams at Fortune 500 companies, and of course you have the typical guards and guns approach to protecting their C-suite. But where we're increasingly seeing is activity that's in the cyber realm as well. It could be doxing of an executive, posting details around their personal life, their travel or children. Their children, exactly. And so that requires that fused approach to really wrap

your arms around such a complex and multivariable threat landscape. Yeah. Not to put too

Frank Cilluffo

fine a point on it. But if anything's come out loud and clear today, it's those that are integrating cyber into their conventional war fighting strategy doctrine. They're the ones who are leading the way. And clearly we have capabilities ourselves, but I would argue we play by queen's rule. So. And that's a good thing. I'm not suggesting we, we don't, but, but that's one thing that's come out like loud and clear in

any conflict we're looking at. And obviously right now there's a lot of concern and the bells are being rung nonstop by the government leadership that we have seen. We've seen pre-positioning of critical infrastructure in Guam and elsewhere, Volt Typhoon and the like. Let me ask. Sorry, before we move off this point, I would also tie it

Josh Lefkowitz

back to our threat thread on OSINT, because the visibility that OSINT is able to provide into, for example, the Russia-Ukraine conflict is unprecedented. To be able to watch in real time as the Wagner coup unfolded on Telegram gave OSINT analysts a front row seat to what was taking place. And that's reflective of how Telegram now occupies an incredibly critical position in the overall OSINT landscape as well as the illicit actor

community landscape. There are hundreds of thousands, if not millions of different channels where illicit activity of all flavors, whether it's mail theft, whether it's credential stealing, whether it's infostealers, whether it's data dumps, whether it's right wing extremism, left wing extremism, whether it's AQ and beyond, Telegram has really democratized the way that illicit actors are engaging. I'm sure when you were getting started, forums were the nucleus. Oh yeah, that was,

Frank Cilluffo

that was even the cutting edge. Exactly. Chat rooms. That's right. And so Telegram, which

Josh Lefkowitz

is media rich with video and audio and imagery and enables real time discussion between anyone in the world and without the friction points of needing to get approved by an administrator to get into a forum or worrying about law enforcement takedown of the underlying infrastructure that a forum runs on, has really been a game changer. And you

Frank Cilluffo

raised a really good topic and I want to use it to get to one of the other themes in the report. But in terms of ransomware has really democratized the cyber threat. It is everyone's problem. It's not just Fortune 100 companies, it's small, medium sized businesses, state, local, tribal, territorial, us as individuals. So it's really democratized the

threat in a negative way. But before we jump into that, there's still always going to be the need for an experienced analyst who could sift the disinformation, which is becoming more and more prevalent. So if you put a lot of, if you ingest a lot of information into a system and it's all garbage, you're going to get garbage in, garbage out. Right? So I think that is sometimes lost in this discussion. We'll never just push a button and get an answer. Right. I'm so glad

Josh Lefkowitz

you said that, because you could walk around RSA and we think otherwise. You think otherwise that AI is going to replace the human. And since the earliest days of Flashpoint, our philosophy has been, you can't replace the human, you never will. Technology, whether it was how it existed in 2010 when we got started, or what AI is opening doors for in terms of the art of the possible in 2024 and

beyond, will only lead to the analyst getting smarter and more efficient. But there are so many folks that look at AI with trepidation because they think it's going to put them out of a job. And I would very much say no, it's going to make you far more efficient and enable you to focus on the needle moving activity that will really drive the most profound and meaningful outcomes. Well said. And the

Frank Cilluffo

reality is it's here. So you either jump on the bus or you get run over. That's the reality here, isn't it? Isn't it? Yeah. So you did also identify a spike in ransomware incidents. Anything worth highlighting to our audience here? Yeah, it's a

Josh Lefkowitz

stark landscape on the ransomware front for sure. An 80 plus percent uptick in ransomware attacks in 2023, over 5,000 attacks that we identified. And we're also in parallel seeing an evolution of the cyber extortion tactics that accompany those attacks. And ransomware

actors are becoming bolder, they're becoming more aggressive. So for example, they may start contacting the employees of the impacted organization, they may start contacting the customers of the impacted organization and say your organization has been impacted by ransomware and they're not taking this seriously enough in an effort to create pressure on the organization to pay. It was also a notable revelation today, which has come out previously, but it was highlighted today

in the US and international government actions targeting LockBitSupp, so a key player in the LockBit network. For folks that are not familiar with LockBit, at times, it has been the most prolific ransomware network in the world. Conti

Frank Cilluffo

LockBit. Yeah, exactly. Top, top 10, no matter what. Right. And they had secured

Josh Lefkowitz

approximately 500 million in ransom payments, just to give you a sense for the scale and scope of their operation. And in today's DOJ press release announcing LockBitSupp's indictment, they noted that through the course of their investigation, they saw that ransomware victims' data, and ransomware victims who paid with the assumption and belief that their data would be deleted once they made the payment, in fact, had not been deleted. And

Frank Cilluffo

they sometimes get hit twice, three times. You know, how do we scale some of this? Because the takedowns are great. We actually have been a little more creative. The reality is a lot of these actors are provided safe haven. They operate out of basically Russia or former Soviet republics, where you have bulletproof hosting and all sorts of

issues we need to get our arms around. But how do we scale that? Yeah, and I think if I'm in, and I don't want to overstep here, but if I'm in Flashpoint's, you have the ability to look at the entire industry as an industry, because it is a business. They've got to move money. They've got to do the same thing any legitimate business would do to be able to pull the resources out. Should we be thinking about these as economic issues as well as traditional

law enforcement issues? Yeah. So first, I want to acknowledge that, as you noted, law

Josh Lefkowitz

enforcement in the international community has really stepped up the game in terms of the takedowns, in terms of the creativity that they're exhibiting. The LockBit operation was a textbook case of information operations turned towards the bad guys. Yeah, it was awesome. It

Frank Cilluffo

was pretty fun. Yeah, it was remarkable. They used the same techniques that the adversary would use. Clock's ticking. That's right. And really taking off their gloves in terms of

Josh Lefkowitz

some of the mind games that the bad guys have been playing and turning them on their heads. Which makes sense, because trust is the coin of the realm for

Frank Cilluffo

the good guys and the bad guys. You lose confidence and trust in your people, you suddenly can't do business as well. That's exactly right. And what LockBit did, like

Josh Lefkowitz

many others, is they developed this RaaS, ransomware as a service, where you had the nucleus, the headquarters of the operation, but then you had affiliates who would take home 80% of their profits, but then pay 20% back to headquarters effectively. And so that has been a model that has really helped to scale illicit activity. We're not just seeing it in ransomware. We're seeing it in a multitude of other domains. But to answer your question directly, in terms of what do we do, there's a lot that

can be done. On the defender side, we purchased the leading player in the vulnerability intelligence space, Risk Based Security, in 2022. And so that's given us a very front row seat to the vulnerability management and vulnerability intelligence landscape. Last year alone, there were over 33,000 vulnerabilities disclosed. More than 50% of them were rated high to critical on a severity scale. And if you think about that volume. I'm not good at math,

Frank Cilluffo

but that's not very good, so. Yeah, exactly. And it raises the question, well, if

Josh Lefkowitz

you're a vulnerability management leader, how do you prioritize patching if everything is a priority? Yep. And you see from what CISA has done with the KEV catalog, the Known Exploited Vulnerabilities catalog, you know, it helps to provide context and guidance around what to prioritize. Companies are often using KEV in collaboration with, complemented by Flashpoint's vulnerability intelligence, which

provides additional context and additional metadata to guide that prioritization. So that's one pillar of where we need to get better. And then another key pillar is around what are known as infostealers. Infostealers are a type of malware which have exploded in popularity. They get on an endpoint, they get on a device, and they steal a staggering diversity of data, whether it be usernames and passwords, financial information like credit cards and

crypto wallets, but also cookies. And so that enables an individual with an infostealer log to often defeat MFA. It enables them to log in to sensitive corporate accesses, whether it be VPNs, whether it be Jira instances, Confluence, webmail. And that activity is often taking place on Telegram. So you can see how these threads converge. And working with a threat intelligence provider that can really be outside of your perimeter, that can

be your eyes and ears, that can help you move from reactive to proactive. On the vulnerability side, on the identity side, with infostealers and credential stealing malware are key components of how we can become more resilient and harden our security posture. I'm

Frank Cilluffo

going to say something that you may not like at all. Can you make a pledge that at the end of the day you can almost work yourself out of a job just on the ransomware issue, because at the end of the day, we have to scale this. We really do. And I don't think government can do it alone. I know they cannot do it alone. So, yeah, they need entities like you to sharpen their focus and maximize their impact. So you don't have to answer that.

Josh Lefkowitz

But I will say, let's work, let's all work all of ourselves out of jobs. That's certainly the aspiration. And, you know, CISA has done a great job in so many different ways. They released some eye-opening data recently where they said they reached out to organizations that were impacted by particular vulnerabilities and encouraged them to patch, let's say, and it was staggering to see that less than 50% had. And what that tells us is that we have a real hygiene problem, because if you're getting that

type of call on the bat phone, there's a good reason. And if we're only seeing that level of follow through, it's reflective of some of the broader hygiene issues that we encounter. Josh, the tyranny of time requires I be a bit of

Frank Cilluffo

a tyrant. We are at the end of our time. Thank you for joining us today. Thank you for fighting the good fight and keep fighting that. So thank you.

Josh Lefkowitz

This was a lot of fun. Thanks for having me on, Frank. Awesome as.

Transcript source: Provided by creator in RSS feed