We explore the risks arising from the use and misuse of digital devices and electronic communication tools. We interview experts in the fields of cybersafety, cybersecurity, privacy, parenting, and technology and share the wisdom of these experts with you!
Welcome to the Cyber Traps podcast.
This is Jethro Jones.
I am on location for this episode at the Inch 360 Conference, and these are panels from that conference that I think are just really interesting and I hope you enjoy them.
For more information about this organization, go to inch360.org.
Heather Stratford: Okay, so AI and phishing, some of you in this audience are practitioners and you're going to be, what can you teach me?
But what I'm trying to do with this talk is bring everybody up to a base level of knowledge because the environment is moving so quickly.
What we've seen with the fast adoption with AI has been incredible.
Some of you might know this, but there were a hundred million monthly active users of ChatGPT in just the first two months that it was released.
Two months.
78% of organizations report that they're actively, regularly using AI in their business, and 35% of the US market says they're using AI on a daily basis.
The adoption of AI: our world has never seen something impact that fast.
Now, here's the problem.
It completely affects cybersecurity.
So we're gonna go through just a little bit of level setting on terminology and what we're talking about when we're talking about AI.
So AI covers a lot of different areas, right?
And all of you are saying, yeah, well what about this, or what about that?
So we're gonna be talking about these three main areas: machine learning.
We're gonna talk about natural language processing and also vision.
These three areas are impacting cybersecurity in a defensive way specifically.
And we're gonna talk about how, so when we talk about supervised machine learning, this is level setting.
Everybody remember?
So that means.
You can see in the diagram here you've got cats, and then down below the machine is learning.
Which one of those pictures is a cat, right?
This is a cat.
This is not a cat.
It is learning what to see.
Machine learning.
We do all the time, and we've done this for 10, 20 years when we type in, yeah, that's a road sign.
Yes.
You know that's a stairwell.
We do this frequently.
This is an example of that machine learning.
Unsupervised machine learning is where it's starting to put patterns together on its own.
So taking all those animal pictures, running it through and saying, huh, I think these are all birds.
Or saying, I think these are all cats.
I think these are all dogs.
This is unsupervised machine learning.
Now, we all do this every single day, I would suspect, because we're all on many forms of entertainment.
How many of you have a Netflix account?
Raise your hands.
Okay.
How many of you have seen the popup that says, we recommend based on the show you just watched, you would like this show too?
Yes.
Raise your hand.
You've seen that and you're like, well, I've never heard of that one, but I think I'll try it.
Okay, so this is unsupervised machine learning, and we're doing it every single day.
Here's another place that we're doing unsupervised machine learning.
We all have, many of us have Amazon accounts.
Raise your hand if you have an Amazon account.
Okay.
With your Amazon account, you buy something.
What pops up down below? I'm gonna do some arm exercises.
I'm gonna buy little weights and you see down below, oh, would you like a yoga mat to go with that?
It's telling me what it thinks I want to see, and it's unsupervised machine learning, but it's taking everybody that's on Amazon and correlating that data.
Okay, so now we're gonna go into deep learning.
Facial recognition.
This is an area that's been exploding over the last 10 to 15 years.
And some of us will say, yeah, well, I'm not really in, in the database.
Yep, we all are.
We're all being monitored whether we like it or not.
Now, some of us have volunteered for that.
How many of you have a TSA or a CLEAR account to get through the airport?
What do they do when you walk through?
They scan your face.
How can they do that?
Because they have facial recognition.
So we are moving more and more to this.
Now there are some countries out there that are doing this on a massive level, and I'm not going to name those countries, but we all know who they are.
But we're all moving this direction.
So here's another way that we are training the algorithms to find people.
How many of you have taken a photo, put it on social media and tagged another person?
Raise your hand.
Might be at a reunion, might be out with a boyfriend or a girlfriend, right?
You're tagging.
What you're doing is you're training that deep learning of that face.
Okay, so now we're moving to the language models.
I'm gonna, I'm gonna see now there's a lot more out there, but these are some of the big ones that people regularly use.
So I'm gonna see what's your flavor.
Okay.
If you were to say which one you generally use, who in here uses Grok more frequently?
Who in here uses ChatGPT more?
That's interesting.
Okay.
Who uses Claude?
Okay, interesting.
So in this sample segment, ChatGPT just won out as the most frequently used.
Now you're getting reasoning capabilities here.
Here's the issue.
Anyone can use AI, anyone, right?
So 900 million active AI users globally.
Think about that.
900 million and it's growing exponentially.
It will be double that in a year.
So here's the problem.
Business, government, personal activity.
I am gonna put us all on the light side of the coin, the white hackers, the defenders, the people who work in the, in all of these businesses of sponsors that are surrounding here.
I'm looking at Enable, I'm looking at Google Cloud, STCU, Drip7, Palo Alto, ICCU.
We're all defending, we're all trying to be on the light side of this.
Okay.
But we all know there's the dark side, and that's not a Star Wars term, it's just the criminal activity side.
And they're using AI too, and they're using it really well.
So the question is, who's gonna win that arms race?
So if you were a criminal, how would you use AI?
Right.
Let's put on the other hat.
You know, how you're using it for your business.
You know how you're using it personally.
If you were a criminal, I see a smirk down here, right?
Like, what would you do?
How would you use it?
So let's think about these areas very specifically, unsupervised machine learning, where you're talking about Netflix telling you what to watch.
They're tracking all that.
They're tracking.
Hey, this person probably watches Breaking Bad, or this person loves rom-coms. Deep learning.
They're tagging your face.
How many of you have put your face in where you could be a Superwoman or Superman or fun pictures?
Any, how many have tried that?
Most cyber people are like, hell no, I don't wanna give them my face, but it's already out there.
Okay, so let's look at the supervised machine learning, right?
That's the cat.
That's the, it's already learned how to identify certain things.
So when you take it on the dark side, what are they doing?
They're using all of these things together to target the mark better.
Now, who's the mark?
If it's personal, the mark is you.
It could be your elderly parents.
It could be your kid who's only 12 or eight.
The mark on a personal note is people, just regular people.
Who's the mark in business?
It used to be just the financial institutions and maybe bigger government.
It's anybody.
Now, the mark is anybody.
I get calls from law firms.
This one call I got, he goes, so what happens if I think somebody's in my system?
I'm like, okay, what's happened?
Well, I transferred money at the end of a divorce case, $178,000 transferred to the wife and it didn't arrive.
I'm like, okay, how long has it been?
Where's your financial institutions?
Right?
The whole thing.
Lost it.
It was gone.
Completely gone.
$178,000. Small business office of five people, right?
It's the small businesses that are being crushed.
So who's the mark?
Everybody's the mark.
And it doesn't matter if you're an oil and gas changing, if you're a small credit union or if you're a law firm, it doesn't matter because you're transferring money.
You have personal data that can get them into other things.
So let's talk about the MGM breach.
Raise of hands, how many of you researched, read about the MGM breach?
It was pretty significant, right?
But certainly not the only one out there.
But what happened?
It was a combination of social engineering impersonating an employee.
So for those of you who don't know what happened, basically they did research.
They said, okay, who are the employees?
And they probably tested and dug some, and really dug into a couple of employees that were on a certain level or layer in the organization.
And then they chose one person.
And then they took that one person and they said, okay, let's see if we can impersonate this person.
Voice mannerisms, knowing who their supervisor was, who might be on their team.
And then they called the help desk.
And they said, oh I, and I don't know what they said exactly.
We don't know that, but I can guess, Hey, I'm locked outta my system and hey, this doesn't quite work.
And hey, I am, I'm on the team with so and so, can you reset it?
Let me in, blah, blah, blah.
Right?
So what happened?
It goes through, right?
Massive, massive.
So the ransomware attack, they choose it has ramifications.
What I wanna focus on is it's a coordinated effort and it was not just one thing that made it happen.
So here you see voice impersonation as well as a lot of social engineering.
So this one you've probably heard about also.
So this happened in Asia, February of 2024.
It hit the cybersecurity news feeds really fast because a finance worker got on a Zoom call with their CFO, their coworkers, and it was a full Zoom call.
And the person said, and in that meeting they said, Hey, we need you to transfer $25 million to this other account.
Now the person said, huh, that doesn't seem right.
Like, should I really be doing that?
But they saw their boss.
They heard their boss on a Zoom call. It's called a deepfake.
And that deep fake, the person says, well, I don't wanna lose my job.
I see him.
I hear him.
Yeah.
It doesn't quite fit, but I better do it.
So what happened?
He transferred the $25 million that transferred to the criminals to the other side.
So deep fakes are getting better.
We all know that.
We see things in the media where it hits the rich and the famous.
Oh, is that real?
Oh, it's clickbait, right?
Like we see this and we're like, that can't be real.
Oh, it is real, right?
Lot of deep fakes.
But how does it impact cybersecurity?
Because they can deep fake the chain of command and they can deep fake the people that are making decisions.
So deep fake losses are expected to hit $40 billion by 2027.
This is one of the fastest growing areas because it kind of brings together all of AI together.
And I love this picture here.
'cause I look at it and I'm like, yeah, they're twins, right?
Same person.
And I'm like, yep, same person.
Not the same person.
It's a deep fake.
Okay, so here's the million dollar question.
Could your employees spot or report a deepfake?
Okay, I'm gonna pick on Todd in the back.
'cause he's shaking his head.
He's like, no, my people would never spot the deepfake.
Right?
Like, do they even know what to look for?
Right?
So think about your employees, think about your organization.
Can they spot this?
Do they even know this is on the radar and it could happen?
So let's go through four different areas that really look at what people are pulling.
Okay?
Basic personal data is in general breaches.
We know all about these, the Equifax, the TransUnion credit report, right?
All these general Gmail users, Salesforce, I mean, you name it.
There are a lot of breaches that they can pull and extract data from.
And this, what they use it for is they personalize the attack and the emails, they personalize everything.
So basic personal data makes, combined with AI, makes the attack personalized.
Okay, now let's go to professional information.
You can do an OSINT scrape and get a lot of data.
Where are you pulling it from?
LinkedIn, social media posts, corporate breaches.
Most of the people in this room are findable and this information is out there, so job title, position, work history.
If I have a black hat on, I'm like, oh, I know who your boss is.
I know who's on your team.
Okay, medical records.
Why is this important?
Right?
What does it help us understand?
Also, an OSINT scrape with LinkedIn, social media, corporate breaches.
This helps spear phishing and it especially helps with the senior executive level.
Now, I'm gonna make a big assumption.
I'm gonna assume that the leadership team in your organization are over 50 years old.
Is that accurate?
Okay.
Slightly older.
They're gonna be spear phished as an executive.
They're gonna have whaling attacks.
They're gonna impersonate colleagues to get through.
And then the final area is just social media in general.
Your preferences, your likes, your images, your family's images, it is all out there.
Spear phishing for the executives is probably the biggest one, but also your chief financial officer.
So anybody in the accounting team, your training, your impact for that accounting team.
You need to have them in a special group and say, Hey, this is how the attack would come through.
Hey, if somebody says, I'm a vendor, we changed our bank account information.
Here's our new bank account.
Like red flag, how do you verify?
Okay, so we're pulling together all of these areas, the personal information, the social media information, your work and LinkedIn information, as well as your medical records.
They have a pretty good idea of who you are.
So what do criminals do with that?
Now, this is not a talk about how to become a black hat, right?
But these are four different very readable resources that are out there.
Breach Forum, right?
Buying and selling.
Stolen information, selling hacking tools.
Very accessible. Crack pro: cracking, spamming, carding, hacking tools, resources, easy to get. RAMP.
The Russian Anonymous Marketplace sells ransomware to anybody who wants to purchase it.
Noel buying and selling stolen credentials.
I put this in here because I think it's really valuable to understand how many people are going to these resources.
No, says they have 5 million users and they earn over $1 million yearly in revenue by selling things that attack people defending.
These resources are out there now.
In my mind, I'm like, okay, so I'm a black hat.
I'm gonna go get my resources.
Like, it's gotta, it's gotta be like hard.
It's gotta be expensive.
It's gotta be hard.
It is not.
So AI as a service is actually a new coined term.
So AI as a service for phishing.
Anybody with a laptop and some scruples, I would venture to guess every single one of the eastern kids up here.
And I call them kids 'cause they're younger than me.
They've chosen to be white hats, okay?
But every single one of them knows resources that are on the black hat side.
So this is what's interesting.
200% spike recently in the personalized attacks.
And for $20 you can rent an AI model to automate scams and phishing and attack people. 20 bucks.
The bar is so low that anybody can do it.
So you're wondering why, when you're blocking all the phishing emails coming in, it's going through the roof.
It's because it's so easy to do.
Now, 41% of cybersecurity attacks start with phishing email.
Now I've seen higher statistics, but a shout out to IBM Security X-Force who came in, I don't know where they are back there, but they came in from New York to be here at this conference.
They run statistical analysis frequently, and it's still one of the primary vectors.
So is this really different than 10 years ago?
I mean, is that the question?
I look at some of you in this audience and I'm like, Hey, I've been around the block.
I've been in cyber for 10, 20 years.
Same old story.
Do you believe that?
Is it any different?
How many of you? We're gonna take a poll.
Okay, you all need to vote.
Can't sit on the edge.
Are the cyber attacks right now the same as they were 10 years ago?
Raise your hand.
Okay, I see a couple.
Are the cyber attacks really different and are they, have they changed?
Especially with AI?
Raise your hand.
Okay.
They've changed and they are continuing to change, so this is really different.
Okay.
Here's some of the ways that they've changed.
More targeted.
Used to take phishing and criminals a lot longer to piece together information.
With ai, they can have a full picture of who you are at the snap of a finger and then automate their attacks.
Over a thousand people quickly used to take them a long time to do that.
Okay, so more targeted, more sophisticated, faster.
I think that's the main point.
They're using AI in devious ways.
They're doing it faster and adapting on the fly with algorithms to see what's working and what's not, and then more frequently.
All right, so here's the thing.
I don't wanna be gloom, doom, and gloom.
I wanna give you actual solutions.
I put this picture up here because once a year training is not enough.
How many in here?
How many people in here have worked out this year?
Once.
Once.
Have you worked out this year?
Once.
Okay.
Good.
Okay.
How many people in here have worked out once a month?
Once a month.
Okay.
Good.
Good.
That's a good, okay.
How many people in here have worked out this week?
Good.
How many people have worked out in the last 48 hours?
I'm pretty impressed.
That's a good number.
That's a good number.
Okay.
So the point is the old school way of saying, Hey, we need to check the box.
We need to push out some training that people can see.
It's kind of like going to the gym January one and working out for like four hours and getting all sweaty and like I did my workout.
And then you don't go back January 2nd, third, fourth, or February or March or April.
Right?
So the problem is, if you go to the gym once a year, you really, you're not gonna do anything.
And you know that, I know that the busiest time of year in a gym is the first two weeks of the year.
I mean, they are slammed.
They sell all their packages first two weeks and then everybody doesn't come back.
It's a weird model.
They make all their money and then they hope that nobody shows up.
So how often are you training?
This is an interesting thought.
Okay, how many?
And you don't have to answer if you don't want to, but how many people in here is your organization training you on cybersecurity current events and attacks?
Once a year.
Okay.
How many people are being maybe trained monthly?
Can anybody raise their hand and say that they're being trained weekly?
I got a couple of hands in here and let me tell you, half those hands there are Drip7 hands.
So kudos.
Yeah.
So it's hard.
It's hard because the old way of doing it HR is running it or you're on a standard platform, the old way of doing it, it's hard to shift to a much more consistent model because you're like, wow, that'll take a lot of time.
And who's gonna run that?
And I don't have the bandwidth for that.
Those are all the excuses.
But what I see is training really needs to be weekly.
Weekly.
Now, some of you are saying, how do you even do that?
Well, you know, that's why I pivoted my previous cyber company to develop Drip7, because we've given companies tools to actually do that easily.
So, weekly training, and it doesn't need to be long.
Two minutes, three minutes, keep it top of mind, keep it easy, keep it fun.
And then monthly, how many of you are phishing monthly to your employees in phishing simulations?
Now, I know people who do phishing more frequently.
I don't recommend that.
But I also know people who are still on a yearly cadence of phishing.
Now, some people will, and I was on the side that said, phishing really doesn't work.
And that's why we tried to, over the last several years, fix that model.
If you don't have training immediately attached to the Phish, I'm like, what do you mean?
I clicked on something last month and now I'm in a special group?
Like, what does that mean?
I didn't learn from it.
'cause I can't even tell what I clicked on.
Right?
So unless it's attached, you're really not training them because they're not seeing what they did wrong.
So phishing has to be curated properly and then dispersing annual policies.
How many of you are training specifically on work from home policies?
Do you have that in your cyber arsenal?
Raise your hand. Work from home policies.
So the ideal is you've got your work-from-home policy, maybe a password policy.
You have several different cyber policies and that your employees actually know what they are and you don't just say, Hey, they're on the website, or, Hey, when you onboarded five years ago, we made you look at these, right?
Like that.
That just doesn't work.
You need to tell them what the current is.
Okay.
So phishing is still happening.
The AI is ramping it up in ways that we've never seen before.
Types of training that could be covered or should be covered.
Social engineering being job specific.
So if you have an accounting department, and most of you do those accounting people, accounts receivable, accounts payable, the CFO, anybody touching the books, they need to have specific training.
I know here I talked to Gonzaga and they do a lot of recruitment and they do recruitment.
Both of people in the US and people overseas, they have had fake applicants and a huge increase of fake applicants.
What are they trying to get?
They're trying to get accepted to Gonzaga through the vetting process and into financial aid where they get money dumped in their accounts and we're not talking two attacks.
They have hundreds of these attacks, hundreds.
So for Gonzaga, even their recruitment departments need special training.
They need to be able to spot what these flags are.
Current events and trends.
This is where you can take things like MGM breach or if you're in the car industry, right?
We've had major breaches and it's great to bring that in because you might be really interested in it because you're in it, you're in cyber.
But I'll tell you, most employees, they're gonna be like, ah, so make it interesting.
Bring in current events, and if you don't have the bandwidth.
There are platforms and things out there to help you do that.
AI and privacy by a raise of hands, how many of you have specific training on AI and what people can put into platforms and what they cannot?
Who has policies right now on that?
And are you having your employees acknowledge and accept those policies?
Raise your hand.
Okay, so some of you, like I saw, about a third or a quarter of the audience.
The rest of you, that's where we're moving.
That's where you need to be moving.
Okay?
Combination attacks.
These were really popular a couple years ago and they are back with a vengeance.
This is people calling to reset, so help desk calling accounting firms.
It's a personal.
Somebody on the phone.
Vishing meaning voice.
So it's voice and phishing and social engineering together.
It's a combo attack and they're doing it more and more and it's on the rise right now.
And then leadership specific attacks.
Those people that hold the keys to the kingdom, those people who have real access, they need special training.
So you can create a huge plan and automate it so it's not heavy on your team every single week.
So AI is going through personalized, targeted social engineering and phishing cyber attacks in a way you've never seen before. In five years, it will be completely different.
I wanna thank you for listening and I'm gonna open it up for Q&A now.
Okay, go ahead.
Yeah, here.
Speaker 24: So my company, we like, have an AI policy, but like how do we, how do you make actually like effective trainings versus just like sending out, here's the policy and then people read it.
We hope they do and accept it, but like, how do we make sure that like the trainings are actually getting through to people and they know what to look out for?
Heather Stratford: I didn't pay 'em to say that.
That's a perfect lead question.
Here's the thing, making it shorter and more specific to the company and their job makes them pay attention.
If you do a training off the shelf that is long and boring and not part of their job role, they will wanna poke their eyes out and just scream it.
Stop doing this.
Okay.
So more specific, more custom to the company and more custom to their job.
Okay.
Who else has a question?
Okay, over here.
Oh, Chad's.
Gotcha.
Speaker 25: Hi.
I have, I'm curious about that you said there's many AI and people can buy with $20 and do phishing and harm people.
So many countries like government does follow, like even with the VPN, what customers are doing, what users are searching and doing.
So is there any like legal rules or regulation or monitoring, like what AI is out there and what they're doing?
And
Heather Stratford: it's a good question, right?
We expect that our government is going to protect us and help us.
The problem is, as most people in this room know, they're way behind on rules, regulations and how to even keep up with it.
So the attacks and how things are happening way faster than the government can stay up with.
And because of that, as cybersecurity people, we need to not wait for them.
We need to move forward.
The other thing is a lot of attacks originate in the US but a lot of tech originate in places that it's very difficult for law enforcement to go after.
Last year we had a great conversation with Chris Swick from the FBI, who really talked about counter-terrorism and attacks, right?
So it's hard when they're hiding behind a government and you can't go in and get them.
Okay.
Anybody else?
Go ahead.
Chad's gotcha.
Speaker 26: Thank you.
So you said training frequently, so how do you keep those trainings from not getting boring?
You said like two minutes monthly training.
How does that work?
What kind of training are you talking about?
And it's not the phishing, simulated phishing and training, but Yeah.
Heather Stratford: So, how is it different?
It's called micro learning and really it takes, it keeps it top of mind.
We all use social media, right?
If you're scanning through and you're on an Instagram account, a LinkedIn account, we're scanning faster.
So what you're trying to do is have training build upon itself, but be short.
So anywhere between two to four minutes and your mind is someplace else.
Like, you're thinking about something else.
So keeping it short and tied to your job and then you get into a habit.
There are people in this room and I know them 'cause they're customers and they've helped us develop what we've developed and their people do it daily, weekly, and they're in the habit and that's how they become part of your security team.
That's how they are front and center.
So there's a whole methodology behind it and it's catching on because it works.
Yeah.
Other questions?
Speaker 20: Hey Heather?
I have one.
Yes.
What are the top two or three most income-producing? Is it malware or ransomware?
Still number one.
Do we know?
What, who's making the most money doing what?
Heather Stratford: I think that's a hard question because there are some really sophisticated ransomware attacks that hit places like oil and gas companies.
I know that they, because I was involved in some of those circles, they paid out over a seven figure sum on the ransomware.
So you can have a lot of smaller attacks and get your money a thousand dollars at a time, or you can go for the gold and shut down, you know, processing of the backend of car dealerships, which was a big breach that happened, and you shut down 60 or a hundred car dealerships all at once.
That's a big payday.
Right.
So attacks can be very large and coordinated, or you can be small little ones, and so there are different players in the market.
Yeah.
Any other questions?
Alright, so I hope that the one thing that you take away from my talk is that people are still an issue.
Layer eight is a tricky layer and you can put all the dual factor authentication and fortunate firewalls in place, and if your people go around it and give up the credentials.
You're in trouble.
Your network is in trouble, so don't ignore the people and you've gotta up your game.
Happy to talk to anybody after.
Thank you very much.
I think we are headed now into lunch.
So if you wanna go to the back, they've got full lunch already.
And please mingle.
If you're sitting with a table of people that you already know, get outta your comfort zone.
Introduce yourself to somebody and come back here.
We're gonna have a tabletop exercise after lunch.
Also, please go talk to these sponsors.
Even if you know you're not going to be purchasing.
Go have a conversation, talk to them.
They spent their day and their time to be here, so please, please go see them.
Thank you very much.