In the standalone sponsored episode I speak with Ismael Valenzuela. Ismael is the VP of Threat Research and Intelligence at BlackBerry Cylance. We talk about modern threat intelligence, the shifting attention of attackers, how GenAI can be used for attacks, how defenders are adapting to deny threats, and many other topics. And with that, here is the conversation with Ismael Valenzuela. All right. Hello. Welcome, Ismael, to Unsupervised Learning.
Thank you. Thank you, Daniel, for having me.
Yeah. Perfect. So I will have already introduced you. I just want to get a brief, uh, sort of overview on, uh, on yourself and and how you got into security and, uh, what you do there at BlackBerry.
Sure. So I've been doing, uh, well, cybersecurity since, uh, it was called, uh, something different, right? Information security. We didn't call even cyber back then, but I started to do, um, you know, cybersecurity related things back in 98, 99. And I founded, uh, a company, a consulting firm doing, uh, information security in at the end of 2000, beginning of 2001, in Spain. That's, uh, where I come from. I moved
here to the States about ten years ago. But, yeah, I've been doing cyber security for, I guess, like 24 years. And what I do for BlackBerry is, uh, I lead the threat research and intelligence team. So essentially I lead, uh, uh, a team of, uh, very smart people that they not only understand, uh, you know, the malware. I like to talk about attackers weapons more than just like malware. Just this just one subset of it. Um, I understand these
these attackers weapons, but they also understand the motivation. They understand the geopolitics around, uh, you know, why attackers started doing something. And that's more like what we call the intelligence piece, right? So we cover all the aspects from the more technical, the reverse engineering, the malware analysis, the, uh, you know, helping to tune our machine learning models. I know that your show is, you know, mostly about that.
So we, we, we work with the data scientists to make sure that we, we tune these models for our products. But we also, um, you know, do research on the threat actors and their motivations.
Yeah, it's it's very interesting you say that the name implies that I'm mostly about machine learning. It's actually kind of a play on words. My background is actually almost exactly 24 years in security. So about the same time. Yeah. Yeah. So so it's not uh, it wasn't originally I my whole career has been in security and then I sort of transitioned into AI. So I think we probably have
a lot to talk about there. Um, I think it's the right framing because I like to think about what are the attackers doing, what techniques are they using and inside of what context like global context, like you said, uh, geopolitical context. And that's why I find threat intelligence so fascinating. And yeah, maybe we can sprinkle some AI in there, but, uh,
not necessarily if it doesn't belong. Right. Um, so so what would you say the, the primary things that are happening right now, what are the trends like what are attackers doing? Why are they doing it? Who who are these different groups. What does that look like?
Well, I guess if I had to summarize it in just one phrase, it's like the internet is a mess. Mhm. It's a lot of everything and there is more of everything on a daily basis. Um, we, we do these quarterly threat reports. Uh, that they're very interesting for us specifically. Right.
And we, we're thrilled when we see, um, you know, law enforcement agencies and uh, we even got like, you know, United Nations and the Senate and a lot of other like, uh, very important, you know, organizations coming to us and saying, oh, you know, we're reading your threat report and it's very awesome. Like, we have these questions which, you know, it's fascinating, but we do this primarily for us to understand the trends.
And one of the things that we just, uh, see regularly is that there is a, uh, the regular constant increase in the number of unique malware that we see, uh, on a, on a per minute, right. So, for example, I'm just looking at the last listings we have. Uh, if you look at where we were about a year ago, we were seeing from December 2022 to February 2023, 1.5 unique hashes per minute. That's what we see with our telemetry, right? Based on our products. And right now, the last number
I have is about 3.7 unique hashes per minute. Mhm. Uh, targeting uh targeting you know our customers. Right. But it's obviously everybody has different visibility, different angles. Uh, but this definitely tells you that there's a lot more, there's a lot more of unique malware that is being thrown out there to organizations per minute. What else do we see? I usually say attackers are lazy, right? When? When something works. Why would you change it?
Yeah, absolutely.
In many cases it's a business for them, right? If we're talking about cybercrime, uh, so we still see a lot of old school stuff like the phishing attacks. Right. Uh, with, uh, you know, embedded, uh, links or embedded, uh, PDFs. We're seeing a lot of PDFs again, like these things coming.
Oh, interesting.
Come and go. Like, we haven't seen PDFs for a long time. Now we're starting to see a lot of PDFs again. And this usually has to do with, you know, maybe some defenses that Microsoft has built into, uh, into Office lately that, you know, maybe sometime it will be bypassed again and there will be a resurgence in, you know, maybe macros or, uh, or other weaponized, um, uh, Office documents. And we also see a clear trend in the use of, uh,
cross-platform malware. Again, with this premise of attackers. See if I can obtain more return on investment by crafting a piece of malware that will will work across different platforms, Windows, Linux and macOS, by using, uh, you know, uh, Go or, you know, Rust or other, um, cross-platform languages. I'm going to be doing that. Right, because I'm going to be able to reach out to a larger, uh,
population or get more victims. So there's just like, you know, a brief summary of 50,000 foot overview of some of the things that we see.
Okay, that that makes sense. Yeah. I'm looking at the report. I pulled it up when you mentioned it. Uh, interesting. And you got some breakdown by industry as well.
Yeah, I'm showing, by the way, some numbers that haven't been, you know, published yet at this time that we're having this conversation, but we publish very soon. So yeah, I'll give you a heads up on that.
Yeah. Very cool. What about like, origins or types of attackers, like, you know, hacktivists versus like a government versus, you know, I don't know attacker types. Is it like is it Eastern Europe? Is it Asia? Is it us versus us like those types of things?
That's that's a good question. And again, like if you look at this from a global perspective, unbiased perspective, you're going to see that everybody's attacking everybody right. Everybody has motivation. And cyber is just a weapon. It's just the how right. Uh, but this has been done. If we look at governments, for example, this has been done for many years, uh, you know, in other areas. And it's still, you know,
done in other areas. And that's why there is not only like cyber threat intelligence or CTI, but also human intelligence, right, or open source intelligence and, you know, physical threats. And so, um, but from a, from a CTI perspective, cyber threat intelligence, uh, we, we have seen, you know, in the past that there was a clear distinction between the so-called APTs, the advanced persistent threat nation, uh, states, um, attacks where the motivation
is stealing intellectual property or doing espionage. And, and then the other world on the other side of the spectrum, right, which is cybercrime. So this is the criminals are just going after the money for financial gain.
Yep.
Um, and then the hacktivists. Right. That's kind of the other group, uh, the people that are just like going to hack into a company. And just because I don't know, you sell, you make profit by selling records or music and that's bad, right? That's evil. Right? Like that. Um, they want to make a statement, right? A political statement or socialist statement. These lines are more blurred than ever. Uh, one of the reasons of that is because we, um,
we're more interconnected, right? And everybody has more of a digital presence. And also because these weapons that attackers are using in the past were like hard to craft or, uh, it require a lot more skills maybe to do these things these days. A lot of these are public, right. And there's been a lot of, uh, red teaming tools that have been leaked. Cobalt strike is one of the
common offenders, right. In that in that list, uh, but also Metasploit, a bunch of other frameworks that are frameworks are open, uh, they're available that people can just like, go and modify. There's a lot of RATs. One of, uh, the RATs, the remote access tools that we have been discussing in one of our recent reports is AsyncRAT. And anybody can go online and just look at the source code of AsyncRAT and then maybe modify it and use it, uh, for these, uh, nefarious purposes so that, um,
availability of these tools, attackers' weapons. Right. Makes it a lot more difficult because sometimes you may have an APT, a nation state, using these tools. And it's very hard to attribute exactly who's behind this unless you have more information, you know, you have context, geopolitical context in many cases, and you can understand the motivation behind why somebody is doing this.
Yeah, that makes sense. So it's all kind of blurring together. I've seen that a lot with a lot of Russian groups where someone was like, oh, apt related or whatever, but really it's kind of like a cybercrime group, but they are kind of given a little bit of a go ahead by the government to not come after them because they seem to be doing good things for the country, but it's not a formal relationship. So it's like, are they affiliated? Are they not affiliated? It's it's hard to say.
Right. You have initial access brokers now, right? You have affiliates, uh, contractors. Like I could be an independent contractor and offering my services. My, uh, you know, my skills, my time, uh, on behalf of different groups. And one day, I could be working for a cybercriminal group that has financial gain. The next day, I could be working as part of a, um, you know, maybe a nation state or some other type of, um, uh, group. We have also seen and this is a trend that
we've seen recently, commercial organizations behind some of these campaigns. Um, and, you know, large multinationals that that might be in the process of a merger and acquisition and, you know, there's the traditional way of doing a due diligence, uh, by looking at, you know, the financial health of an organization that is also like unofficial ways of doing due diligence. Sure. And, uh, it's interesting we're seeing some of that. Uh, so when I say that the internet is a mess, it's it really is.
Yeah. Interesting. And what are some of the specific techniques or tactics that people are using? It seems like with, with proliferation of AI, it seems like spear phishing is one of the things that's getting really easy, really easy to target specific people, especially if you put in a whole bunch of context information about a particular target. You can really make the email compelling. One of my favorite examples of this is somebody who just, uh, has a big ego.
I don't know, sometimes happens in security, but you could just be like, hey, I saw your last talk. It was amazing, right? I really agree with your point about this. And I wrote an article about your talk and I'm going to. Actually send it on to the New York Times or something. You send that in a phishing email, like you're going to get a lot of security people. And it's one thing to handcraft that email, right? But
that's pretty difficult. But what if you have a crawler who can pull all the security people and then pull all the people who have given talks recently, then you could pull a particular point out of the talk and then craft the email and send it to them. Well, now you can maybe do that at scale, you know, at the level of like a criminal organization or even at the level of like an apt group for like
government to target more important people. So I feel like that is one of the use cases that's getting really bad. Are you guys seeing a lot of spear phishing type stuff?
Well, we have seen reports right over the last couple of years of a specific threat actors. I'm thinking, for example, North Korea, that that has been involved in this type of targeting, cyber security researchers specifically, uh, specifically working for certain companies that may have access to certain information that might be useful for, for them. Uh, but, yeah. And and, you know, we have actually data that supports what you're saying.
For example, uh, in our report, uh, the report that we released, uh, a few months ago, we again, we do this every quarter. Right. But we have seen an increase since last year, coincidentally or not, with the release of ChatGPT and all these, uh, generative AI tools, we have seen a surge in phishing attacks against Japan. And, you know, Japan is a very interesting, uh, area because we usually see some malware in Japan that we don't see in other places. Again, everything is is every region
has like, their own characteristics. Right? But in Japan we have seen like for example, uh, Emotet, some variants that we haven't seen anywhere else. And, you know, they come and go. But now with these tools, guess what? Like, everybody can speak fluent Japanese, right? Yeah. And Japanese is not really easy, right? At least for for us foreigners.
And it's just a very particular region of the world. Now, these has opened up the possibility of any threat actor out there to craft really, you know, legit looking, uh, phishing emails to, to target this specific area of the world, which is also, you know, a wealthy country with a lot of industries and could be profitable. So, yes, the data supports that attackers are using generative AI for these type of, um, purposes.
Yeah. It's a really interesting point that you make. So you've probably seen this conversation a million times in your career because you've been doing this so long. It's like somebody talks about how, you know, you can't hack Linux. Linux is the most secure operating system. Windows is so insecure. And I'm guilty of this. Back at, you know, 20 years ago, I used to think I was on the most secure operating system because I only run Linux or
I only run whatever. And it's like, actually, if people actually pointed a little bit of the attention that is pointed at Windows for the last 20 years, and they pointed that at Linux it would be a nightmare. It would be an absolute nightmare. And the reason Windows appears to be so bad is because it's so targeted. And so the point that you bring up about Japan is really interesting. It's like maybe they're very vulnerable to spear phishing, but no one's been able to get the email through because
they don't speak Japanese. So now you have an area that's not hardened against these types of attacks. But the door is now open where it was closed for the last 20 years.
It's a window of opportunity. Right. And that's that's one of the key things in the whole impact equation. If we look at risk management oh now we're going to put people to to sleep. Now risk management.
Not me I'll be awake.
But uh but yeah the impact right at the end of the day it's all about that. You can usually say you can just like, try to protect against everything you need to define. What is that? What is the problem you're trying to solve. Right. And it can't be everything. You cannot protect all of your assets. Um, like in the physical world, you have to assume, okay, you know, some things can go and it's okay. You just, you know, go and replace them. But other things can't, right? Because
they have a high value to us. Yeah. Uh, that's what we need to, to define and. Yeah. Linux. Uh, I remember a couple of years ago we released a paper on Symbiote, which was a Linux implant that we
saw targeting organizations in Latin America, especially financial organizations. And it was a very interesting piece of software, right, of malware in this case, uh, doing command and control over DNS, etc.. We see a lot of web shells right on Linux, uh, servers essentially, um, uh, program, um, programs that are supposed to run, uh, commands or do execution on these, uh, boxes. And think about it like the cloud. What is the cloud made out of, right? Linux box boxes. Yeah, yeah.
And and we have everybody has more cloud presence. So absolutely. I had a conversation a few days ago about the importance of looking at these, uh, systems. You know, MITRE has a MITRE ATT&CK matrix for Linux. And, uh, if you look at the government, uh, agencies, the documents, recommendations from NSA, from CISA, everybody says, you know, you need to look at these, uh, systems because they're often overlooked. People do not run endpoint protection on them. And, you know,
you trigger memories. Uh, I'm probably all right. But you probably remember this when setting up Linux systems back in the day. And all ports were open by default.
Oh, absolutely.
You have to close them like manually. Yeah. Uh, so there's a lot of implicit trust that sometimes we put into, into these systems making assumptions that are not necessarily true. Yeah.
Yeah. I just I really love that idea of, um, language being a barrier that has stopped attacks from getting through before and with LLMs opening up translation, so that barrier comes down. What about, uh, deepfakes? Are you seeing much around that where it's easier to convince people of things?
Well, it's a natural next step, right? And I remember months ago I was in a close meeting with some government agencies and, um, the head of this agency who was mentioning that they were really seeing these type of deep fakes, uh, with, uh, you know, calls, uh, where they were imitating the voice of somebody and using that to essentially for financial gain. Right. The typical business email compromise. But now with with voice. And that's what we're seeing
on the news right now. We're seeing these, uh, deepfakes using voice, using video, like jumping on a on a Zoom call. Oh, it's it's a CFO calling.
Yeah, I saw that one. That was so crazy.
Exactly. And, uh, it's just, again, one more iteration on, um, something that we have known for a long time, you know, same motivation. Just the tools are changing. And with the, um, the, the, uh, democratization right, of these tools, as they become more available to people out there, these things are going to just, you know, make the environment, the internet, even a lot more, uh, noisier than they are. It is today.
Yeah, absolutely. And then you have the issue of, like, if you have a whole bunch of AI bots or agents operating and they're, they're taking all these actions against APIs, how how do you know if it's a real human on the other side, or if that's automation or it's AI or it's an agent or some sort?
That's a good question. And that's actually one of the the uses of, uh, of ML. Right. One of the best things that we can use ML for is to create patterns. And, uh, by looking at the behavior of, uh, the normal behavior of a, of how users interact with an application, uh, you would, you know, kind of, uh, infer whether that's normal or not, because typically these botnets will behave in a, in a different, in a different way. Um, as usual, you know, it's we usually talk about attackers'
tools or attackers' weapons. Sorry. And I like to talk also about defenders' weapons because, you know, this is at the end of the the day, we're talking about technology that can be used for good or for evil. And many times we just focus on on the tools itself. But we don't talk that much about strategy. Right. Um, uh, somebody that has been doing this for a long time, I started on the what we call the red side. Right. The red teaming.
Yep. Same here.
Hackers and pentesting and all of that. I'll tell you what, it got boring. It got at some point where it was boring because it was easy to get into the organizations.
And you come back to the customer the next year and they haven't fixed anything.
They don't care. Yes we know. Yeah. For a water plant in a, you know, country in Europe, I'm not going to say more. And uh, I, I joined, you know, I connect to the network 9:00 and by noon I already had local admin on one of the boxes that control the OT environment. Right. So that's it. At that point, you know, you're a consultant. What do you do? You write the report, take screenshots, do everything. I create my
own local admin account right on that box. So I was called six months later to come back and do a retest. Hmm. Guess what? The first thing I checked is that is that my user, you know, is still there on that box.
Oh, yeah. Nice. Nice.
Six months later. So that's that was probably the defining moment for me when I was like, you know what, I need to I need to help these people in a different way. So that's when I moved to the cyber defense side. And I find fascinating to talk about several different strategy because, you know, you cannot fight these people because at the end of the day, the other side of the spectrum is not AI, right, or bots. It's people doing this. You cannot fight that with just tools,
with just products, right? You need those. You need the weapons, but you also need the strategy, the human brain to. Yeah. And what you're doing and justify why you're doing something and change tactics if needed. Right. Like in any sports game you get to, you get to change tactics. If they're not working. Yeah.
Yeah. Interesting. You mentioned a water plant. I had an eye opening assessment as well, assessing a water system for uh, for a state. Um, yeah. Really really interesting. We seem to be, uh, brothers. I also speak Spanish.
Me too, yes, yes, yes, we can continue in Spanish. If you want. Yes.
It won't be very smooth.
Uh.
My vocabulary is bad, but you'll play though. Um, so what about supply chain attacks? Are you seeing that or do you have that stuff in your, uh, in your report? Is it one of the things you talk about, like, like, essentially it seems to be getting worse and worse like these. The breaches keep happening and you keep realizing, oh, wait, but they're vendors. Oh, but what about their vendors? And it's like, how do you secure the chain all the way down?
Yeah. No, absolutely. And I think we have a. We have a paragraph there or a comment on, on these uh, in the, in the latest report that we're publishing. Um, and we talk about the secure by default approach, rather the government, especially here in the US with the, uh, executive order, uh, they're trying to push for these, right? CISA pushing for these as well, especially with, um, you know,
protection of critical infrastructure. So, so important. But other countries as well, the United Kingdom, Canada, EU, the G7, they're all issuing guidelines on, on, uh, on on this topic of like creating secure software. But but here's the thing. Are we ever going to fix that problem? No. There's always going to be something. Right? Can we do something to fix it and use, you know, you know, for example, programming languages that make better use of memory. Yeah. So
we have less buffer overflows. Yes. Absolutely. Right. Technology is going to help there. But we're never ever going to end up creating like 100% secure software because there's no such a thing in the world. Right? There's no 100% secure with anything. Yeah. Um, but so that's, that's what the, the laws and regulations are pushing for in my team as, as, you know, researchers, uh, what we do is to analyze
what we, what we're seeing out there. And what we see is attackers obviously doing the supply chain attacks in the SolarWinds style. This is like very highly targeted attacks that we don't see on a daily basis. Right. Mhm. Um, but you also see. Like pseudo supply chain attacks. What, uh, what we see is, uh, for example, imagine these small. Company in. I'm going to pick a, I don't know, another region of the world that say, the Nordics, right,
something about language. Uh, so you have, you know, Finnish and Swedish and Danish and not a lot of people out there in the world speak these languages. So there is this little company out there that they have this freeware. Right. And it's a dictionary of, uh, Nordic, you know, terms, something like that. And a lot of companies that want to do business with the Nordics, they actually download this
freeware software. So let's put the bad guy hat on. Right. So, uh, if I want to target these organizations, what do I do? Very simple. I just either attack this website and replace that freeware dictionary with something else that is, that has an extra piece of code in it, right, to compromise these organizations that are going to be downloading it. Or I try to, um, um, essentially clone that site, right? Scrape it, clone it, and instead of, uh, NordicDictionary.com
is NordicDictionary.com. Yeah. And or Nordic, uh, hyphen, Dictionary.com. And I'm going to be, uh, cloning all of that. And I'm going to be serving this type of dictionary that has this extra code. We see that a lot. And, you know, through emails now we get the phishing factor right through or any other type of communications. Hey, download this, use this little thing. Uh, now we're targeting specific location
specific region. It's not really a supply chain attack as we, you know, think of it, but there's a lot of that, uh, happening.
Interesting. And where do you see these attacks sort of going, I guess involving AI or not involving. I guess it's probably the biggest switch. So what happens with threat intelligence when both the attacker and the defender are powered with AI? Like, does everything get faster, like the window for attack and the winter window for fixing things? Uh, closes faster? Uh, what do you think?
You know, that's a that's a good question. And from a technology perspective, I like to assume that everybody has access to the same. Right. Um, it's just a matter of how well you can implement something like we all have access to pretty much the same type of knowledge about technology. Uh, the difference is, you know, how fast can you do something, build it or weaponize it and how effective it is, how well built it is. And tested proved. And even if you if you assume that
everybody has the same weapons. Right. So it's a it's a zero-sum kind of a game. The difference is on the tactics and the strategy, right? The human, the humans behind it. So that's why I think I love to talk about the human in the loop. Right. When we talk about AI. Uh, the brain, somebody that can, you know, observe what's going on, assisted by these bots or AI and then make a decision based based on that.
For a small, for a lot of small organizations that will probably require some sort of a, you know, a third party, uh, a partner, somebody that can help, right, to, to provide that guidance. But there's never going to be a substitution for the business itself, knowing the business like, you know, your business, right? A manufacturing plan, they know their business. They they know things that nobody else is
going to be able to know. So I think that's that's where the key of this is, is making security accessible, making intelligence accessible to those making the key decisions. This is not just the SOC analyst, right. Or the incident responder or the threat hunter, which is, you know, probably at the level that we operate, um, that we like, right, because we like technology and the toys and all that.
But but no, more importantly, it's to making this intelligence accessible to decision makers, to the C-level executives so they can understand what's happening right in, in with their business, for example. Um, we do a lot of business in Asia-Pacific, and we see manufacturing plants in Taiwan that are being targeted with very specific pieces of malware that have geofencing. So they're only going to execute. If they execute within
that region. Right. In that that geolocation. Those are geo coordinates. So what that means is that it's highly targeted, of course. And who has a vested interest in what's happening in manufacturing plants in Taiwan? Well, you can think of a, you know, one country, for example, that that has extensive operations in terms of, uh, uh, espionage in the, in
the region. Yeah. Um, well, if you're an executive of a manufacturing company in the US and you want to open up a plant in Taiwan, don't you think that you would like to know that? Right. But the thing that that affects your business operations, um, we have seen threat actors going back to Russia right? In the past, targeting law firms here in the US, looking at mergers
and acquisitions and using that information to play the stock exchange. Mhm. So, so all of these things have implications in the, in the real world. And I think that that's something that I'm particularly I want to say obsessed with. But, but I try to work with and it's trying to make this type of intelligence more. Digestible, more, um, strategic. Right, for those that are making these type of decisions.
That's interesting. I, um, I, uh, built the, uh, security measurement program over at Apple, uh, for a number of years in the past, and that was a big part of my I also was in the military. So I was thinking in these same exact terms that you're describing. So I was thinking data. Information and then, uh, insights and then intelligence. And at the very top of that is the decision maker. So I'm trying to figure out what is the most work that I can do for them,
to enable them to make a decision. So they're not processing logs, they're not even looking at log summaries, which would be like the next level up, but instead they're being told a story. Um, so it's a narrative. So the narrative is something like, you know, um, this enemy tends to attack between the hours of two and 3 a.m., right? They tend to come in a small group of 3 to 4 people wearing dark clothing. They carry light weapons. They don't come on full moon. But tonight is not
going to be a full moon. It's actually a new moon. So there's no moon whatsoever. So therefore we think it might happen tonight. And here's why we think that. Right. So that brings them all the way up to the decision point. And that's what that's my favorite type of threat intelligence where it it gives you data but it doesn't drown you in the data. It actually does analysis that brings you right up to the point that they can make a decision. So what does that look like
for you? I see this report here which looks quite good, but what else do you have within your philosophy and your product that helps you do that for the decision maker?
Yeah. So so when we look at for example, this report is it's a mix. Right. We have some more, um, narrative in the beginning. Um, high level introduction. Uh, so I said before, we have, you know, from people in the Senate to, uh, uh, you know, CSOs reading these
to also CTI analysts. So one of the things that we, we, we do is to, you know, do like a high level, you know, executive summary for anybody out there that wants to share these type of things with, with, uh, executives just know they're not going to read a lot of things, right. If anything, they may just steal a few infographics. Um, and one page. Right. No more than that. So we try to to stick to that rule, uh, and then we go into more statistics. Uh, a lot of people,
you know, love to see these, like, trends. Uh, this also gives us the opportunity to talk to, you know, media and journalists. They love the numbers. Yeah. And and it helps right to, to also identify trends. And then we look at cyber attacks per industry. So for example, if you are in what we call critical infrastructure, right. And this could be, you know, hospitals, this is a manufacturing plant. This is a power plant. Uh, what are some of the top threats for your industry? Right. Sure.
If you're in health. What do you want to look at? If I'm if I'm in healthcare, I don't want to see all these, you know, malware that is targeting financial organizations, for example. Because that's not what I may what I may see. Mhm. And it's also very interesting talking about trends. What we have seen is that, um, traditional cybercrime against financial organizations tend to reuse the same malware over and over again. Mhm. It's less targeted versus attacks against healthcare
and government, local governments. We're not talking about, you know, the large, large government facilities; in many cases we're talking about small government, you know, state, uh, agencies, uh, or schools even. Right. Education. Yeah. And we see more highly targeted. Right. Because they're going after specific, uh, objectives. Mhm. So that's, that's the idea of, uh, this is data that I would like to have to be able to build my threat model. And then finally something that we would like
to include, there's a geopolitical analysis and common. So we have people that are experts in geopolitical analysis uh looking at what's going on. Like for example, a few months ago, December 23rd, uh, the US. Japan and South Korea. They signed an agreement to defend against North Korea attacks. Mhm. That's that's on the news. Right. So you see that how is that going to influence what we're going to be seeing in Asia Pacific over the next few months.
Well, there's definitely an impact, right. Yeah. Um, so if you're operating, again, you have business in that area. You want to have that type of context and information. And then the rest of the report is more, maybe a little bit more, uh, technical. So if you want to learn more about the CVEs that are getting exploited, uh, this is more like the information that a SOC may consume, you know, threat hunters, uh, maybe incident responders, uh, at a more tactical level.
Yeah, that makes sense. Uh, so looking for like a year or two, do you expect AI advancements to help attackers or defenders more?
Again, very good question. I think that eventually it's going to be a net net right. For for everybody, for both attackers and, and defenders. I think the key it's going to be not that much on the technology but how you use it when you. But I love to talk about the factor of time. If you look at an attack chain. Mhm. Some people just they, they believe there's always going to be like a cyber bullet right. Uh silver bullet sorry a cybersecurity silver bullet that. Oh
this is the only thing I have to install. Right. Just. Install these. And sometimes vendors, you know, the marketing could be a bit, you know, confusing and could give you the illusion that if you just do this, you're going to be you're going to be good. No, it's a lot more complicated than than that. That's why you need the human factor. But if you look at an attack chain, you know, we usually say this thing that attackers, they have to be the right ones and defenders. We have
to be right all the time. Uh, well, if you look at it from an endpoint perspective, then yes. Right. And we see attackers are trying different things, and that's what we try to build, you know, predictive models. And you know, you had Shield in your, in this, uh, your show talking about the math behind all of these and why these predictive models work. So we have to be right there every single time, and how we do that. But if you look at the attack chain, you step out,
you zoom out as a defender. All I need to do. Is to detect the presence of the attacker once. Mhm. That's right. So I have a whole attack chain I have like all the way from the attacker is, you know maybe doing some reconnaissance or trying to get some information from my organization to the initial access, which could be email or it could be, you know, some sort of exploitation of a service all the way to the
attacker's objective. Right? Which is what, either to hold hostage of your environment or to where the valuable data is. This takes time, right? Sometimes in a targeted attack, it could be. It could be days. It could be weeks. So you have multiple opportunities across that attack. Interesting. Successful. So that's why I say, you know, we don't talk that much about cyber defense strategy. But if you look at it from that perspective, all I need to do is to have the right sensors and the right, uh, and, you know, policy enforcement points in the right places to be able to disrupt that activity. As long as the attacker doesn't get to the final, you know, stage of the attack, those actions and objectives, I'm, I can win.
I love I love that I've never actually heard that put in a positive light. You're basically inverting the whole thing, saying, yeah, the the attacker only has to be right once, but look how many opportunities the defender has to see what they're doing because they have to go through this whole chain. And those every point on that chain is an opportunity to detect.
Exactly. And look, it's like the physical world, right. It's not that hard if I, if I'm trying to protect a defend my, my, my house, right. My home and I have my valuables, I'm not going to put them like close to the, to the front door where somebody could just smash the door and grab it and quickly leave. If I do that and I get stolen, like, look, it's, you know, shame on me. Yeah, I have a really, really poor defensive security detector, right? I put my valuables
next to the front door next to a perimeter window. Yeah. Uh, what do you do? Like a bank does, right? You have the safe in the basement. And what you do, you architect with a lot of preventive mechanisms. Those are walls, right? The access control systems, then. But do you know that in the absence of any detection response, what's going to happen? Somebody's going to, you know, come with a huge drill
or explosives or it's just a matter of time. But if you architect with the right sensors and you also in parallel, you add security cameras, right? You know, motion sensors, um,
you know, thermal sensors or vibration sensors, whatever. And you orchestrate all of that in a way that you can have a fast response with the big guys, with the big weapons showing up quickly, you're effectively now building a defensible, secure architecture that where you have prevention, but also in parallel, you know, sensors for monitoring, for visibility, for detection and
for response. When you combine all of these things, which again, is technology plus people and processes then have a lot more chances to be successful. And all you need is once right, the attacker will have to commit the perfect crime and to be, you know, right every single time to bypass absolutely everything you have architected with. And that's usually, you know, it usually doesn't happen.
Yeah, I really love that positive spin on it. Like I said, I've never actually heard it put that way. Um, so what about the short term, though? I feel like in the short term that AI attacks are so new with, you know, deepfakes and spear phishing that the attacker is going to be able to move faster to use all these techniques. But I agree with you that over time it's going to equalize. In fact, because the defender has more context, I think it actually might switch towards the defender maybe later,
but it'll mostly equalize. Do you agree that though early on, like the next couple of years, the attacker might have the advantage because they could just move so fast and they don't care about like production readiness?
Yes. And that's typically the case. Right. We on the defender side we have to now look at how we responsibly use this technology. Right. And yeah that may involve like lost regulations. And that's that's always like you know uh slow. Yeah. Uh, in the meantime there's, there's things that we urge people to do, which is like, you know, to protect themselves with products that are using, you know, the latest and greatest technology. Um, you know, we we
all know that defending with signatures is like playing whack-a-mole. Yeah, but, but still, we see a lot of companies out there that they feel safe because they have a traditional antivirus just defending with signatures. Right. Or.
Well, maybe that's why PDFs of attacks are coming back, because the malware detection stuff like antivirus, old antivirus can only hold so many signatures. So as they move through time, they kind of take out the old ones. Maybe they took out some PDF ones. So now the attacker goes back to the PDF ones. Right? Right. Yeah.
So, so yes, it's, uh, it's always an arms race. But that's why it's important to raise awareness. Uh, that's, that's why it's important to have, that's what we try to do with these reports. Right. To communicate. Look, this is what's happening. And, you know, these are the tools and this is the strategy, the tactics that you should be using. And, um, but, but yeah, just assume that attackers, they know. Like, you know, the products that are out there and how the majority of people use them. So I'm always a big proponent of, like, add your own little strategy there. Right. Mhm. You know that attackers are going to go after your organization and do reconnaissance and scrape your website, like add a little decoy somewhere, something that will give you an early warning, something that will help you to get that
indicator towards the beginning of that attack chain. That can give you an advantage over the adversary that takes the adversary by surprise. How many times will the adversaries, you know, take us by surprise? How many times can we get them by surprise, by doing something that they were not expecting? Yeah. I think that's that's an area where we still have to to do more and. Well, that's what I hope that we are contributing with these type of, uh, applications.
No. That's perfect. I think that is a good place to start. But where can we learn more about what you and your team are doing and, uh, your latest research, uh, when is it going to come out and when can we get a link to that?
Sure. So, uh, of course, uh, the best way to, uh, uh, you know, look at our reports is to go to our website, blackberry.com. Uh, we have a section for our, uh, threat research, a threat center. And it's typically, you know, front in the, in the, in the main page. Uh, there's going to be a link to, to our reports. Uh, but also, you know, I'm very active on social media, LinkedIn, um, you know, X, uh, my handle is "about security."
So that's also, oh, very nice username.
I still don't know how I got that one. But again, like, this is an advantage of being in this field for a long time, right. Yeah. About security and, um, yeah, I'm happy to, uh, connect with any of our, you know, the audience here. And, you know, you have a fantastic show. So thanks for, for having me.
Yeah, absolutely. Thanks for coming on. And we'll put all those links, uh, in the show notes so people can find them. Thanks a lot.
Excellent. Thank you. Danny.