Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and this week I have the privilege to sit down with Charles Debeck, who is a cyber threat intelligence expert
at Google Cloud. So we'll be talking about the most recent report that Google Cloud put out on Threat Horizons and we'll also go into some of the more general questions around cloud security resilience and what's over the horizon for the horizon. Charles, thank you for joining us. Thank you so much for having me. Excited to
be here. So maybe before we start, because we want to make sure this is
both relevant to the expert community as well as a more general community. Do you want to maybe start with sort of explaining what the cloud is and what serverless products and what the environment looks like, just to do a little bit of table setting? Yeah, absolutely. So with the. I'll take a step back further even talk about
what this report is. This is Google Cloud's Threat Horizons report, which is our look at what does the landscape look like for cloud users in cloud environments. Currently we have a wide array of data points that we can use, be it Google that we can then leverage to be able to understand what are threat actors doing to target cloud environments, to target users of cloud environments, and how can we put in proactive protections both on our side as well as advocate for our customers and clients
to take proactive steps on their side to better protect themselves. So that's the overarching goal and objective of the report. When we're looking at cloud environments. What are cloud environments? What is serverless architecture? The concept here is cloud environments. They allow for abstraction. It's all about abstracting out from a base layer and removing a lot of the concerns or organization around some of those lower level functions by allowing a third party to
help augment that for you. So that's, that's fundamentally what I would argue a cloud environment is used for. And then serverless is just sort of the next step in this process where if you have a site that you're running or if you have a service that you're running, if you don't want to have to worry about maintaining a server at all times and having that consistent uptime and runtime available, you can use serverless architecture to help spin up activity and spin up capability when you need
it, but when you don't need it, then it just spins back down again. So it can reduce your costs, reduce your burden both organizationally as well as technologically. And it just makes things a little bit easier for organizations who are trying to want to stand something up but don't want to have to really invest heavily and having their own server farm set up to do so. Excellent. Thank you. And clearly it
makes us rethink attack surface, traditional endpoint security and everything else from a security perspective to go along with all the benefits and the upside. And I think in terms of some of the burden shifting, it also allows maybe small and medium sized businesses to be able to put or the onus with some big actors who have the
wherewithal and the resources and the technical expertise to do so. So I might want to pull on that thread a little bit, but I don't want to get too far away from your report because what I find great about this is that it's bringing empirically based evidence, it's bringing some science to the art of cybersecurity decision making. And I mean Google Cloud clearly has a lot of data to be able to
tease out. Do you want to maybe start sort of premise in terms of some of the key findings in terms of the threat environment and basically the exec summary of the report, if you wouldn't mind jumping into that. I think if I summarize
the report in a broad sense, the key trends I would cover would be first off, when we look at how threat actors are breaking in cloud environments consistently quarter after quarter, year after year, we see threat actors using weak credentials or no credentials or default credentialed services to get initial access as one of their number one methodologies. It's very consistent method. The other key one being misconfiguration, taking advantage of misconfigured resources
or services. When threat actors are in these environments, once they break into a cloud environment that organization is using, we see them doing one of two things primarily. First is sort of what I call smash and grab, which is crypto mining activity. They go in, make a bunch of noise, just take whatever money they can get and leave. The other option being more of the low and slow, taking advantage of having
that environment access to engage in lateral movement into other organizations subsequently. So I think those are kind of the main things that we see them doing once they're there and once they get on the inside. Otherwise, for the exec summary, I think the key things I'd cover is for this particular issue we looked really hard at what threats were seen to serverless environments and how threat actors are taking advantage of serverless
architecture to leverage that for their malicious activities. And this is definitely a space that we see threat actors moving into. Across the board, though, I think the big takeaway is that threat actors are very much aware the cloud environments are where things are
going. I think this trend has been going on for the last three to five years and as organizations, as companies and larger organizations have started shifting more of their resources into cloud environments, threat actors have followed that and have seen that shift and are doing the same shift at this time. Awesome. Thank you. So let's pull the
thread a little bit on weak credentials, and if I'm not mistaken, I think it was weak or no credentials accounted for 47.2% of cloud environment attacks in the first quarter of 2024. You feel like this is a movie we've all seen before, but what is it going to take to actually change the ending to this movie? That's
a great question. I think the biggest frustration here is, as you're alluding to, this is one of the lowest hanging fruit from a security perspective for organizations. Multi-factor authentication has been around for years. It's something that's very well used in a variety of different settings. I have to use multi-factor authentication these days to order a pizza online before I can even get it sent to my house. So it's very common
and frequent. So seeing that this credentialing issue still remains a problem to me as a security professional, it's pretty frustrating. But that said, I think the time to retendency issues here are not necessarily because organizations don't want to do what's right, but simply
because somebody wants to do something quickly or easily. They'll just, they say to themselves, I'm just going to quickly spin up an instance, a quick testbed instance to try this thing out, and then I'll spin it back down again, not realizing that even in that very short time of life, that's enough time for threat actors to break in and take advantage of that environment before it gets spun back down. And that
could lead to potential negative impacts to the broader organization. And so I think it really comes down to well meaning folks who are trying to get the job done as effectively as possible, unfortunately opening the door to these potential attacks. I don't think these days, whereas historically five years ago it might have been because organizations weren't instituting
protections, I think today it's more so because organizations are instituting protections, but folks just make mistakes in the moment and it's that momentary mistake that can really cost an organization. Roger that. And I mean the old adage: it's always too much until the
day it's not enough. I kind of feel like we've seen that and I hope that we can move our way through on all of that. But it is worth underscoring, whether in a cloud environment or a non-cloud environment: 2FA, MFA, this isn't rocket science, but is absolutely integral to security efforts. What about misconfigurations that accounted for number two on your list, right? Yeah. Misconfiguration I think is a bit more of
a challenging issue because there's a lot of different ways you can misconfigure a service or software. And this sort of challenge for an organization, the issue becomes not only detecting and mitigating misconfigurations, but also knowing where to look for them. Having an effective inventory of what's running within your cloud environment and then being able to penetration test that environment effectively to look for potential misconfigurations becomes a much more holistic issue for
organizations compared to the much more simple version of credential challenges. So I think the misconfiguration having such a high ranking to me makes sense. And again, this is one we've seen for a long time. But I feel at least that this level of activity is more justifiable just due to the cost and challenge of being able to
effectively stamp out misconfiguration challenges. Roger that. And crypto mining. Crypto mining remains one of the top ways for organization for threat actors to take advantage of access to cloud environments. It frankly makes sense if you're a threat actor and you break into a cloud environment, you have access to a giant pool of resources that could be used
for crypto mining. It's the easiest way to turn illicit access into money. And at the end of the day, if you can't buy a PS4, why are you even doing cybercrime anyways? The whole point of criminal activity is to return a profit. And so crypto mining is a very practical, quick and easy way for an actor of any sophistication level to turn access into money. So I think we're going to continue to see this in the future. And before jumping sort of to the threats to
serverless functions and back end services, as your report sort of broke out, any remediation efforts, any things come top to mind that you identified in your report and maybe going beyond the report in terms of misconfiguration credentials and anything in particular vis-a-vis crypto mining, if there are? So I would say there's a few things, so
I will say I'll redirect listeners to the report here. There's a lot of good information within the report that will go into more detail than I can here. We
will make that available on our show notes and make sure people can access that as well. So thank you. It was great. Yes, thank you so much. Appreciate that.
A couple things I'll highlight though. First off, I think there's for a lot of organizations that are using cloud environments, they should take a moment to step back and
understand what security capabilities or protocols are already in place within that environment. You know, cloud service organizations like Google and like others invest a lot of time, effort and money in making sure that people are able to take advantage of the different, of the different capabilities that are there and have security tools already built into the environment
which can allow for very effective defense in place. Additionally, one very easy thing that I always recommend to organizations is to make sure you have alerting in place based
on resource usage. So if a crypto miner gets spun up and suddenly you're using a whole bunch of resources that should trigger something somewhere in your environment that shouldn't be happening for a week and then you find out about it that should be happening for an hour and then you get an alert, especially if it's way more resource usage than you've ever used historically. So there's some really basic steps that can
be taken, I think to help provide those sorts of levels of protection. But that again, I'd reference the report here. There's a lot of good information in there. Great.
And like I said, we will make that available and for our viewers and listeners do take the time to read it. It's empirically based and this isn't guesswork, it's actually based on what Google Cloud is seeing. Let's go right to some of the back end services. And you spent some time talking about hard coded secrets. You want to shed some light on what that means. Yeah. So this is something that we've
observed comes up on occasion where when there's hard-coded secret values incorporated into software, incorporated into running services, there's a risk that the organization may be leaking that information to a threat actor who can then leverage that data to be able to gain access to the organization or gain access to sensitive data that should otherwise be
held secret. Obviously. And the concern that we had when we were doing this research investigation was that if organizations weren't looking for this sort of hard-coded secret information, it would be easy to overlook. But from a threat actor perspective provided a very effective key for them to use to take significant advantage of the organization. So this is something that we're really trying to draw attention to for organizations to look into
as a way for them to better protect themselves. And how often are you seeing
this in the wild, if I can ask? Not naming names or anything to that extent, but how extensive of an issue is this? The fact that you foot stomped it leads me to believe it's not trivial. I can't go into very much detail
on this one, unfortunately, due to a number of sensitivities. I can say that it's I would consider it to be significant, but that's a very general term. But unfortunately due to privacy and sensitivity concerns, I can't really go into numbers at this time.
Understood. And I got pulled into a lot of these discussions during the whole Y2K crisis and there was a lot of concern that we were outsourcing code and for good reason that you've got to be able to delineate and discern that the code is what the code is intended to do. And that does pose some significant concerns, at least from a computer network exploit and attack perspective, an espionage and an attack perspective. Well, I think the supply chain concern around software as well is going to
continue to be a significant issue moving forward, especially in light of some pretty significant large publicly disclosed software supply chain issues. I think we'll continue to see this grow as threat actors show more interest in this space. In the near term we'll see if long term it continues to maintain interest or if in a few months another big incident occurs and everybody moves on to that. I'm telling you supply chains will
be with us for a while. If Covid didn't open our eyes and some of the response there just to PPE and therapeutics and the like, multiply that on steroids and you've got the cyber side of that equation as well. Would be curious in terms of malicious use of serverless infrastructure, which you also highlighted in your report. Anything
in particular there that you think is worth discussing? And unrelated to the report, I would like to add a question around bulletproof hosting and what some of your concerns are there. If you'd be willing to share your thoughts. Sure. I'll talk briefly about
serverless component. So when it comes to malicious use of serverless architecture and serverless environments from a threat actor perspective, it's nice because it provides a great ability to up resource and take advantage of large scale capabilities within cloud environments. So from a threat actor perspective, being able to use serverless environments is a great way for them to be able to engage in malicious activity while also being able to scale up to
whatever level of malicious activity they want to engage in. As you were talking about bulletproof hosting as well, I will say as a threat intelligence practitioner, one of my it's a consistent thorn in our side where we see threat actors using these sorts of servers that are outside of any effective jurisdiction of law enforcement for any variety
of reasons. And that sort of activity can be really challenging and frustrating because you can see where all the bad stuff is happening and you can point directly to it and say, look, there's a bunch of bad stuff happening right over here, but at the end of the day, nothing can be done about it. There's just not
a lot more that you can do for that. The one advantage to studying and researching bulletproof hosting services is I do think when we shed light on that sort of activity, it does help reduce its effectiveness and efficacy as a threat actor, tool or infrastructure. But due to its very ephemeral nature, there's also a challenge that it's constantly shifting and moving, which makes everything more challenging overall. And I'm not going to
put you on the spot, but a colleague and I recently published a piece on designating state sponsors of cybercrime largely to get to the safe haven sets of questions. And bulletproof hosting, just one of the many concerns around that, but it does impede and limit the reach of the law. And if you have countries that do not look to extradition treaties with the United States and other allies, that does have impact
and consequence to our global economy, security and the like. So do think that, that the bulletproof hosting issue is an issue we'll be coming back to in sort of the days ahead. But how about best practices for security around some of this? And I know you captured some of those in your report and again we'll point people to read the report, but to sort of take some of the top waves of that. What's your thinking there? Well, I'd say some of my top recommendations when it
comes to mitigations are first off, making sure that you're doing as much as you can to be secure, to default, secure your environment, look at your organization, your organizational policies, and ensure that you're really taking proactive steps to engage in a lot of this bare bones, expected security posturing across the organization and that it's not optional but mandatory by nature. So that you're requiring, you know, are good credentials being used? Are
these policies well defined and enforceable? And are there actually teeth on these enforcements or is it, you know, just a nasty email that you get, which may, which could just be summarily ignored. So making sure that there's effective organizational policies in place I
think is a good first step. Additionally, from sort of a technical perspective, making sure that you're doing a good job leveraging the existing security tooling in place within the cloud environments that you might be using is a good way for you to be able to take advantage of all the technical resources that were invested in creating that tooling so that you don't have to reinvent the wheel. That's part of the reason why you go with a big provider if they allow you to take advantage of
a lot of their tooling sort of natively, which is nice. Otherwise, I guess my other big suggestion would be to make sure that organizations are engaging in effective detective controls for malicious activity and saying if something bad were to happen, if a threat actor were to leverage our environment for subsequent malicious activity, or if a threat actor were to break into our environment and try to exfiltrate our valuable data, do we
have detections in place for that? How would we at least see that this is happening? Because the worst case scenario is that something bad happens and you have no idea until you read about it in the newspaper. I think that's what we want to avoid the most. And so figuring out a way to make sure detections are in place I think is absolutely critical. I'm really glad you brought that point, all
of those points, because those are very important steps that owner operators ought to take. You should know we had one of your colleagues, Phil Venables, on recently and he went pretty deep on secure by default and secure by design. And we even got into a whole discussion around cyber informed engineering, which obviously you want to bake this into the design as much as you can, rather than that bolt on effect afterwards.
It's always easier, but keeping in mind it's never going to be foolproof. But I'm glad you brought those points up. And on the exfil side, what are you thinking there in particular that could trigger alarms? What I think is interesting here is when
we look at the trends that we're seeing in threat actor activity, we're seeing the threat actors are really engaging more in exfiltration rather than encryption of data because it's a much more profitable endeavor for them. They're seeing a lot more success in the overall marketplace when we see this for exfiltration, when it comes to what sort of alarms, I mean, so there's a number of data loss prevention solutions out there that
could help with that sort of thing. But there's also solutions or policies in place that look not just for prevention of potential sensitive data leakage but, but just looking for different signs or indications of attempted exfiltration, whether that's at a network level, looking at where is this information being sent to and why it's being sent to a
server that's located outside of our geographic area. Or it could be something more application layer looking at, well, wait a second, why is this application requesting this data over here and sending it to that area over there that doesn't seem to track with
previous activity or sort of heuristics that we've developed. There's a lot of different ways that organization can try and detect exfiltration, but I do think it is critical because I think that's the direction we see threat actors moving in terms of what they're going to attempt to do once they're inside organizations. Roger that. You know, you can't
escape a discussion without AI in the mix, both for blue and red, both for the defender and what Google Cloud is doing. But also obviously the double edged sword how adversaries can, can, can utilize AI to enhance their capabilities. Any thoughts there in terms of the good work you guys are doing and what you're seeing from, from an adversarial AI perspective? Yeah, I mean, and this is, and, and obviously and there's
definitely entire teams that are devoted to this. So I'm not an expert in specifically this area, but I will provide sort of my, my individual opinion and perspective based on what I've seen so far. So just a broad caveat there, but I'll say that I've seen that AI definitely provides a lot of benefits on the defense side
of the house. There's a lot of ways that we can leverage artificial intelligence to more quickly and effectively parse through large amounts of data and use that large data set to be able to draw conclusions and sort of bubble up the valuable security insights that we need to be effective. That's something that AI is inherently good at, is looking at big chunks of data and really distilling it into what you need
to know. And when it comes down to it, cybersecurity, 99% of it is getting
all the noise out of the way so you can really focus on the signal that you care about. From an adversarial perspective, I'm not entirely confident that we've seen the threat actor market really figure out the best way to use AI just yet. We have seen a few major hits with AI being used for deep fakes of voice generated content. We've seen some incidents where AI is being used to more effectively
produce phishing emails that are higher quality than you might have seen otherwise. So we're seeing some bits and bobs in terms of how threat actors could leverage AI in an adversarial way. But I don't think we've seen the fundamental tectonic shift that I think that we expected in terms of adversarial activity with AI just yet. I think that might still be down the line where we see something that really shifts the landscape in a real underlying way. But so far I don't think we've come across
that. And that's a great point. And as much as we can, we want to.
Since the end of the Cold War, threat forecasting has made astrology look respectable. But I think we do know that there are adversaries that are turning to these. And as much as we can, the best way to predict it is to shape it. And Google Cloud is in a position to help shape all that. So I hope you are thinking some of those issues through because I think it can have massive impact. And the irony is the best case solution is an adversary not being able
to exploit that. So you don't always know how to disprove double negatives and demonstrate success. But I'm glad you're thinking some of those issues through. Let's talk sort of serverless and distribution of malware and phishing campaigns. And I was surprised and actually pleasantly surprised that you actually named some names in terms of some of the activities Google Cloud has identified. So we can get into some of those. But generally speaking, I'd
be curious what your thinking is. And then if you wouldn't be willing to sort of get into whether it's info stealers or some of the other major incidents you saw. Yeah, so I guess going into that last question first here, I think when
it comes to the major incidents that we've observed, I think the trend that I think is really interesting is ransomware. Obviously ransomware is, well, it's on everyone's mind. It's one of the most significant, prolific transfers of wealth from legitimate organizations to criminal actors. And it's causing significant harm to organizations of all sizes across the board, from small mom and pop shops to large multinational Fortune 500 companies. Ransomware targets anyone and everyone
they get their hands on. And partially due to the success, we've seen more and more threat actors get into this same game. Trying to figure out a way for them to make some quick money. I think that's really resulted in a significant shift in the overall landscape in terms of where threat actors are targeting. And as we've seen, that sort of focus shift from on prem to cloud targeting by threat actors that I mentioned before, the fact that a lot of these threat actors are engaging
in ransomware attacks has subsequently also made it so the cloud environments are heavily targeted by ransomware actors because the theory is that's where they can get the valuable data that they're looking to steal and use. I want to go back briefly and talk about something I mentioned before, which I think is an interesting trend in ransomware
of moving from an encryption model to an exfiltration model. Two, three years ago, if we were talking ransomware, we would have said that ransomware looks like you break into an organization, you encrypt all their stuff, and then you leave and you sell them the decryption key. That was sort of the business model, but that ran into a couple key issues. First off, it was decryption keys didn't always work, so that lost
a lot of reputation for them for threat actors. Second, it was really tough to convince people to buy this when they had good reconstitution plans because they just say, no, thank you, we'll just go back from backup. Thank you very much. And so I think that for a few different reasons, this became a very ineffective methodology. But what is still very effective from a threat actor perspective is exfiltrating valuable data and
then holding that for ransom on risk of public release. And that's, I think, where we're seeing threat actors really get good money and good payouts. And as a result, we're seeing that much more frequently. And I think that's the direction we're going to see ransomware go in the future is more toward an exfiltration model rather than an encryption model. So they're still being ransomed, but what's being held for ransom has
changed over the last few years, which I just think is kind of interesting. Yeah.
That more than interesting, it has significant consequences. So thank you for bringing that up. We're seeing a lot of the same sort of movement in terms of trends in that direction. And increasingly you're seeing companies be ransomed more than once. It was sort of onesie twosie, but now it seems to be flipping a little where you see
companies multiple times, either by the same perpetrator or those piggybacking them. So, yeah, I'd be curious if you think that's the case, or if I'm just cherry picking my findings there. I think it's a little bit tough because there's so
many, there's so many victims at any given time that it's tough to say if it's how often we've seen repeat offenders. And in my experience there's been generally organizations that are impacted by a cybersecurity event build back better to a large extent subsequently. But there is also something to be said about the copycat nature of a lot
of criminal actors in this space. And if one person is able to effectively gain access to an organization, others sometimes try to pile on the same organization simply because they think, well, it seems like it's an easy enough target, we might as well
go for it and see if we get lucky. So I can't say definitively with statistics, but it wouldn't surprise me at all if there was a pretty decent stat around the number of repeat impacts we had, which should be a good wake-up call to organizations that just because you're in the middle of an incident doesn't mean that you're not also potentially in the middle of your next incident as well if you're not putting up defenses as quickly as possible. That was exactly my point. Well
said, well said. And before we sort of get into. Because I do want to talk sort of Pineapple campaign which you guys highlighted there, and it's not whether you should have pineapple on pizza for some of those who follow the cyber debate, but, but I do want to get your thoughts on OT. I'm having a harder time differentiating and delineating IT/OT. That environment is converging and converging fast. And the reality
is the cultures are still very different in terms of our defenders. But anything you're seeing there that is worth sort of discussing on the OT environment and cloud in particular. Yeah, I think the interesting thing with OT/IT is that the relevance and
importance of operational technology across the board is going to continue to grow. Right. We use OT across a wide array of systems to make it so a lot of basic things function in society and as a result OT's continued to expand. At the same time though, its integration with IT is also critical because it allows for users to be able to effectively engage with and interact with these cyber physical systems that
we see in the OT space. And I think that IT/OT overlap and the transversal between IT and OT systems is going to continue to make it so that threat actors see potential value in targeting these systems because they'll be able to take advantage of, of the critical uptime and availability requirements that most OT systems have. Usually you can't just, you know, shut off a water pump for a little while and say, oh, that's fine, it'll get back on later. It's pretty, it's pretty time critical.
So it's. I think that we will continue to see this be an area of interest for threat actors. Similar though with some things we talked about previously. I don't think we've had a watershed moment in this space just yet where there's been a major incident that's led to significant profit for a threat actor. So from a criminal perspective, I think the one bright side in this realm is that we're not seeing a lot of threat actors engaged in targeting of these systems. I think primarily because
we're not seeing the profit motivation really panning out. But it will just take one. And then suddenly, after a successful IT/OT breach that led to a lot of money, we could see a pretty significant run on this by threat actors across the board.
Yeah, and I think we also have to factor in not all hacks are the same. Intentions vary, obviously, capabilities vary, and some of this goes beyond criminal intent. It could be nation state intent for pre positioning or intelligence preparation of the battlefield or what have you that does have significant implications. So one is arguably too many at a critical juncture in time in our country. So let's talk Pineapple quickly. The campaign
there. I thought that was a fascinating case study. Anything you'd like to share with the audience around that? Yeah, I think what's interesting about this was that it gets
to what I think is a broader challenge or a broader rationale as to why threat actors may like to use cloud environments for malicious activity. And one reason that we're actively working to stamp it out is because in the Pineapple incident, what we had was we had threat actors that were taking advantage of cloud infrastructure to use that to distribute malicious URL, to host a malicious URL that individuals that users would
be sent a link to as part of a phishing email. And then they would click on the link, go there, put their credentials in, and it was a credential stealing website that would then send that back to the threat actor after the users
put in their creds. Pretty standard stuff. But the twist here is since the threat actors were using a cloud environment as part of their infrastructural component, from a network perspective, this could have easily appeared as a legitimate set of activity for organization as expected, if your organization uses that particular cloud provider and there's a lot of interactions between your organization and that cloud provider on a day in, day out basis and
you're going back and forth doing stuff all the time. One more set of connections here wouldn't look particularly suspicious or malicious even to a URL you hadn't seen before. Your detection heuristics might not notice it because the cloud provides this veneer of legitimacy
to the malicious activity. And I think that was partially the rationale for what happened here is the threat actors got into a cloud environment and then said, well, since we have this, this sort of fake appearance of being a legitimate hosting provider, because we're on a legitimate cloud environment, we can put up this malicious URL, we can take advantage of that, of this access to be able to take it, to
get access to other systems by using this veneer to their advantage. I think that's a big takeaway from a security perspective is understanding what the implications are from why a threat actor would use cloud environments and also what you might need to be considering when you're looking at your detective controls. It can't just be saying, oh well, if it connects out someplace bad, then it's bad. You're going to have to have
more in-depth heuristics to look at. And I think you underscore the point and
this still gets lost on people. This is a dynamic environment. The bad guys learn based on good guys and counter, counter, counter, counter, countermeasures, back and forth. So I think that that is, but, but you need to have good intelligence or good information
to make smart decisions. Right? And, and I think that is why Google Cloud is, is putting out these sorts of reports because it is based on good information, good intelligence, and as much as we can have intelligence or empirically led decisions, the more the better in my eyes. Which is, which is great. Let me ask the unfair question and in the words of the late and great Yogi Berra, the future ain't what, what it used to be. Where do you see things going and looking over
the horizon for the Threat Horizons report? What do you, what do you think comes next? Well, I think we have an exciting, you know, six, 12 months ahead of
us here for a variety of reasons. Obviously there's a number of major geopolitical events happening in the next six months that will have significant impact all over the world. And I think that we're going to see threat actors try to take advantage of
these events as they occur to further their criminal activities. I think from a nation state perspective, similarly, a lot of big events happening will mean that we'll see a real ramp up in nation state activity sort of across the board as part
of that, as part of their needs for intelligence organizations or what have you. And then I think we'll continue to see this weird blending of criminal activity targeting public and private sectors and really diminishing that seeming wall between historically targets that were just targeted by criminals versus targets that were just targeted by nation state actors. And I think we'll see that really continue to blend and merge into all organizations being targeted
by all for different reasons or different rationales. And I think that'll have a lot of impacts in terms of the security posture for organizations both in public and private sectors. That's a great point. In terms of proxies, in terms of understanding, you can't
look at security cyber in isolation of broader geopolitical environments and the like. And I'm glad that you not only recognize that, but are acting upon that. Let me close with the question. What questions didn't I ask that I should have? You know, I
think these are all great questions. I think the only other question you could have asked was where can I find this report? And I think you already said it, but I'll answer that again. It's in the show notes for this show. You'll find it right below somewhere down there and check it out. And if you have any questions, please feel free to reach out to Google Cloud Office of the CISO anytime. We're happy to follow up if you have any questions on the report or want
more information. Hey Charles, thank you for not only spending so much time with us
today, but for what you do every day to make our country and our companies and all of your clients more secure. I also appreciate the transparency. No one's perfect in this business. And if that's our goal, God help us all because we're all going to have incidents. But learn from those and get ahead further. And bottom line is thank you and appreciate the time and keep fighting the good fight. Hey, thank
you so much for the opportunity and I really appreciate it. Have a great day.
Thank you. Charles, thank you for joining us for this episode of CyberFocus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes or individuals you'd like for us to host. Until next time, stay safe, stay informed and stay curious.