How Cloudforce One thwarted FlyingYeti's campaign targeting Ukraine (and what is Cloudforce One)
Presented by: João Tomé, Blake Darché
Originally aired on June 14 @ 3:00 PM - 3:30 PM EDT
In this week’s episode, we have a segment about how we thwarted a threat campaign targeting Ukraine and explain what our team, Cloudforce One, does.
Host João Tomé is joined by Blake Darché, Head of Cloudforce One. First, we discuss how Cloudforce One employed proactive defense measures to successfully prevent Russia-aligned threat actor FlyingYeti from launching their latest phishing campaign targeting Ukraine.
Then, we dive into how our threat operations and research team, Cloudforce One, operates. This team not only publishes research but primarily focuses on tracking and disrupting threat actors.
We also cover new threats emerging in 2024 and explore Blake Darché’s impressive experience in both the public and private sectors.
Additionally, this week, our Project Galileo is celebrating 10 years. The program supports more than 2,600 independent journalists and nonprofit organizations worldwide, promoting human rights, democracy, and local communities. Check out last week’s episode with Alissa Starzak , where we celebrated our first program of this kind.
Hello everyone and welcome to This Week in Net. It's the June the 15th, 2024 edition and this week we're going to talk about Cloudforce 1.
I'm your host, João Tomé, based in Lisbon, Portugal, and with me I have Blake Darché, head of Cloudforce 1.
Hello Blake, how are you?
Very good, how are you doing? I'm good. Where are you based, for those who don't know?
I'm based in Montana. So Montana to Lisbon, Portugal, but fun fact, I'm not in Lisbon, Portugal today, I'm in our London office because this week we're having our corporate event called Connect in London, so I'm here for that.
So this week actually I'm in our London office. So before we start, there was this blog post that is what we kick off this conversation with about a specific event.
That blog post was published two weeks ago. For those who don't know, what can we say about this specific blog post?
Yeah, so we released a blog post about an operation that we successfully interdicted.
So we detected a Russian-aligned threat group attempting to set up a very targeted attack against the country of Ukraine, specifically the government and military of Ukraine.
And we were able to successfully stop this attack in its formation stage.
So during the kill chain weaponization stage, prior to the attacker actually launching and delivering that attack.
So we were able to stop that early.
And then we had design make up this great flying Yeti graphic. It's amazing. It's really good.
And then actually I've noticed over on the Internet that there are hundreds of other, like there have been many other postings on Twitter and whatnot, or I guess it's x.com now.
And all the different postings, different people have made up other AI generated flying Yetis as well.
And so it seems like there's been a lot of people trying to make a flying Yeti over the last two weeks, which is very interesting.
Fun to take a look at. It is this one. I don't believe it was AI generated.
No, that was human generated. We use humans. But there are a lot of AI generation going on in a flying Yeti.
I'll just say that. For sure. And the blog post explains the investigation that was done.
And this was an investigation also to try to mitigate and block that specific attack, right?
Correct.
Yeah. So we were successful in actually interrupting the attacker as they were bringing different components of their infrastructure online.
And we actually outlined the entire, we give a timeline of all of our different mitigated actions.
And so the attacker was trying to use a WinRAR CDE, so like a known vulnerability.
But if you didn't have the patch version of WinRAR, and you open up this RAR file, basically, it basically executes things automatically in the RAR archive and then install malware on your computer.
It uses PowerShell to drop some malware, which is known as CookBox.
And this threat actor has been using this to target Ukrainian defense entities since about 2023.
So this is a sustained threat. And this just goes to show you the level of sustainment like some of these threat actors have.
So this threat actor will not give up their very intent and focus on gaining access to the set of targets.
And this is kind of a good use case about what a advanced persistent threat, a nation state probable threat would look like against other organizations.
And they'll just keep coming at you over time. And they are patient, right?
They're trying and in the hopes of getting inside. So they have time, they have resources, and they will be keeping at it until they are discovered in a sense, right?
Correct. So like, I think the way that I tend to think about these things is like, it looks like someone's being paid to do this, if that makes sense.
Like if you're being paid to do something, you have, you know, your entire life to dedicate to this.
And that's what it looks like this threat actor is.
And so it's kind of an interesting view of, you know, cyber warfare, cyber espionage, and kind of what is going on out there on the front lines in the Ukraine.
Specifically, we in the past, even here at the show, and in our blog, we've mentioned different types of attacks and threats.
But this ones that are state sponsored, in a sense, those are those working as you were explaining, it works like a company, right?
And a company that's doing attacks, but it's organized, people go there, they work to try to find vulnerabilities to try to enter in this case.
And it's part of the war effort in this situation. Yeah, that's correct. And even the vulnerability itself, there was a, there was an article a bit ago from Google's threat analysis group, talking about the WinRAR vulnerability.
So it's actually from October 18, 2023, Google put out an article called government backed actors exploiting WinRAR vulnerability.
And so the vulnerability has been in use in the wild by sophisticated threat actors for some period of time.
And it must be successful enough to this day, that they are continuing to use it.
Otherwise, it doesn't make sense that it would be used if that makes sense.
So like people must still be vulnerable to this version of WinRAR.
One of those things that there's different elements of potential vulnerabilities, and attackers will try to find what they can and what people use.
In this case, Ukraine uses specifically, right?
Correct. Yep. And so we actually put in detections in our platform below there.
So our customers can actually go through with those detection names and search inside of their email environments and locate if they've been targeted by this attack or the CVE.
And then above there, we actually put in detection or we put in logic to query Splunk and Microsoft Sentinel and other tools to let users including PowerShell to actually be able to interrogate a system to determine if there's any activity or any files on disk or available on disk that have done that activity.
So you can determine if you've been targeted, which is helpful for like the average user because you know, some users may just not have Microsoft Sentinel, they may not have Cloudflare email security, and then maybe they can just run this PowerShell script to locate the activity.
So there's ways to look for that activity.
This was also with a potential impact in others other than Ukraine, right?
This was highly targeted on the Ukraine, we don't actually have, we don't think that this was going to go to any other victims aside from the Ukraine.
Oh, that makes sense.
But for example, in these types of attacks, if they find a vulnerability, they use that.
Is there cases where they use it elsewhere, they use the same technique they find that was successful?
In this case, it wasn't successful, but they're learning with the attacks they do in a sense.
I mean, it was in this attack, we they didn't actually launch it.
So we actually stopped it at one of the right prior to launch.
So if you go up the timeline, one of the more kind of novel things we did to this attacker right there is when we detected the attack, we started seeing the attack coming live.
And then we coordinated with the GitHub team, who was super useful and instrumental in stopping this attack against the Ukraine as well by simply just taking down various repositories.
So we saw like, hey, this Cloudflare worker came up, it was bad.
So we actually disabled the worker took that worker offline, and waited a couple days to see what the attacker would do in response.
And then they started migrating their operation more towards GitHub.
So then we notify GitHub, hey, you should take down this RAR file, it's bad, then they did another action.
And so the totality of events, we were actually able to increase the amount of time the attacker spent trying to run this attack for maybe a couple days to weeks.
And it just kept extending every time we did something.
And some of the actions near the bottom on 521 in the 521 timeframe, we actually think the attacker was trying to figure out if someone was monitoring their operation and what components of their operation were known.
So we, we knew about the whole operation, the entire time, but they didn't know we knew.
So we're kind of playing this like really interesting game of cat and mouse. So we're attacking the cat is attacking them, the mouse is going after the cat, and then vice versa.
And so it's a very interesting, like game of warfare almost against this threat actor, trying to disrupt this activity.
And we actually received a lot of positive feedback from this post from a lot of different people.
Because I think online really demonstrates that like, no, no, there is a sustained threat and the actor, threat actors out there, they're literally doing all these different things, which are not always evident, I think, in a typical story that comes out, it's like, hey, we did some analysis of this threat.
And this is what it looks like.
But in this case, we're actually able to give the like the exact date and timestamps in UTC time, by the way, of what they were doing, what we did, and then what, how they responded.
So you can really see kind of the evolution of the campaign and where they were moving, which I don't think is generally evident on a lot of, a lot of analysis pieces.
You don't have that sort of like in-depth inside view.
Does that make sense? Perfect sense. And in a sense, it also shows, it's a good example of how these things work.
May that be from the attacker side, they don't quit easily.
They go and try other techniques and other methods. And also from the ones that are protecting, trying to get, and where is the attacker going?
What is he doing, he or she doing?
So there's a lot here that also shows how some of these things work.
And it's, that's not always the case. I was a journalist for a number of years and sometimes these are the things that we want, like an explanation from what happened with the timeline.
These are really helpful to get a sense of how these things work and how attackers are really around.
100%. And I think, you know, like this threat actor was focused on this like Ukrainian payment service.
And that was one of the most interesting things about the attack, right?
So they found something that was like in the general consensus, kind of like COVID-19 was, and they used this payment processor to basically like, that was throughout Ukraine, people are worried about this, like having to make debt payments, whatnot.
And they found something that would be like, oh, everyone will check this out.
Because it's very interesting, because it's impacting my life.
And so I think we see threat actors doing that a lot, right? So they create really effective content to lure people.
And they do that by choosing something that's generally available in the public context, that's widely in the news, that everyone's talking about, that people are worried about.
And that's why COVID-19 actually was a really good theme back in, you know, early, early 2020.
It was super effective to get people to engage content, especially initially for like the first year even, you know, that was highly effective.
And so this threat actor took advantage of another issue.
And that is an effective strategy attackers do. And it really gets people to engage.
Makes sense. And in this case, the war in Ukraine was the same thing.
People were really scared. Actually, I wrote a blog post when the Ukraine did one year of the traffic shift, the Internet traffic shift.
So people were more scared, moving, they had to move, they had to understand what's going on, they use the Internet for that too.
So it's much more easier for a threat actor to use that insecurity and people don't know what is happening, try to get a sense of how can they move, how can they do specific things that they weren't doing before.
And then they can put services in front of people just to try to deceive them, right?
That's 100% correct. And, you know, when you look at the picture, I don't know if you can bring the picture up, it's down here, maybe.
So, you know, the picture, you know, like looks like the legitimate version of this website.
And they almost made it look like, do you see how, do you see like the Microsoft word, like icon over there on the left side there, the blue.
And so if you see that, you know, that looks totally legitimate and people are like, oh my gosh, like I got to look at this.
They click it, they open it, they get infected, right? And then they've been a victim of this attack, unfortunately.
Exactly. And there's a few steps here indicated in terms of, for the download to successfully occur, right?
Yeah, so the download worked by contacting a Cloudflare worker.
And so basically Cloudflare was kind of like in the center of the attack.
So they'd click the worker on the GitHub page, they'd click the GitHub page link, and then that would go to a Cloudflare worker, and the worker would push the content to the user, right?
So we had a really great vantage point to know that yes, no one did successfully click this attack who was not the threat actor.
And that allowed us to write our analysis in that way, because we could actually see what had happened.
Exactly. There's this mention here on how it was identified specifically.
And then they changed their own malware delivery method to trying to be more successful in a sense, right?
Correct. So like once we started basically engaging the threat actor, they start altering their operation.
So there's kind of two schools of thought in like threat actor engagement.
There's kind of what we did here, which is dynamic, and, hey, we did something, they did this, they did something, we did this, we did something, they did this, and vice versa, right?
And that was interesting.
That worked out really well for this. And then there's also sometimes where people when they're trying to take down content, try to build a more coordinated effort amongst different community members, try to get like five, 10 different organizations to simultaneously just shut down this campaign.
Now, because this campaign kind of only involves us, Cloudflare and GitHub, it was kind of it was not that difficult to coordinate kind of amongst the two of us.
But sometimes you have like 10 or 15 different parties, and those operations can be more time consuming.
But they also may impact far more users. So this is highly targeted, right?
If you're looking at like a bot that's targeting like 20,000 computers, it's on 20,000 computers, obviously, the mitigation there is much different than the mitigation that occurred here, if that makes sense.
Of course, it makes sense.
For those who don't know, and we already give some highlights on what Cloudforce One is.
But for those who don't know, how could we explain what Cloudforce One is?
And why does Cloudflare has this task force, this security task force?
Sure. So our team is focused on detecting and disrupting cyber operations on Cloudflare, or that has some sort of Cloudflare component to them.
So that might be working with other third parties, trying to stop a threat or trying to figure out how to detect the threat actor on our platform, and understand what they're doing from kind of a threat intel perspective.
By so doing, we help make the Internet a better place for all users, we help mitigate activity, stop threat actor operations that are causing rampant issues to users on the Internet.
Sometimes users that are being detected, or being, sorry, being attacked, or spied on are just, you know, not sophisticated computer users, a journalist, like people running free speech, things of that nature.
And so those organizations sometimes just do not have the same level of resources as like a fortune 500 company.
And so it's really important, we are able to help people across the Internet, you know, we've, the Galileo project helps all sorts of people.
And then there's another project, the Athenian project that also helps people.
And so a combination of those projects, and our ability to, you know, shut down content and operations that are running on Cloudflare, and with other partners of Cloudflare, is what we can do to stop activities.
So that's kind of like the general view of what CloudForce One is. And then on the commercial commercialized side, we do have threat intel, and data available for customers.
We have an RFI product available for customers. So customers can ask us questions about things that are affecting them.
And then we also have a future events platform coming that allow people to kind of see in more real time, some of the more interesting events affecting their world.
So there's a kind of several different components of it, as well as reporting.
And so that's on like the commercialized aspect.
Makes sense. And you mentioned a few things there, a Project Galileo that is celebrating this month, 10 years, there's a blog post that we had just launched this week, today, actually, the day that we were recording about the 10 years of Project Galileo.
And projects like these are putting our services for free to organizations such as Ukrainian organizations, we were discussing Ukraine, news organizations from Ukraine.
And when the war in Ukraine started, and you know this, as well as I do, there was a lot of attacks, including on news organizations in Ukraine, trying to put those sites down.
So some organizations joined, for example, Project Galileo to be protected there.
So there's a lot there that this is an ecosystem of sorts, right? This is a more upscale, more dedicated analysis on threats team, right?
Yes, absolutely. So our goal is looking at, generally speaking, things that are causing someone pain, or things that are highly targeted, maybe against a specific set of users, maybe against a specific set of organizations, maybe against an industry, things like that, to understand like, hey, what's going on here?
And like, why is this occurring?
And, you know, who might be behind it, like, at least at the geographic level?
Like, and where are the, you know, where's the victimology? And what's the pattern of life of the attacker and try to understand these facets of it help us better protect our organization from future cyber, future attacks, right?
Exactly.
And it's a learning curve that all of the other teams will use the work that is done.
And you mentioned there, the fact that we also published like this blog post, the research that is done, because this company sharing and researchers and folks in the security area, sharing information is really important, right?
To try to block vulnerabilities.
Yeah, absolutely. So I think, you know, when we look at like some of the, some of our Galileo or Athenian customers, we see like some of those organizations, there's some really determined threat actors trying to get in there.
And we've seen the past where some threat actor will first try to launch an attack against them.
Then over time, they might try to launch the same attack against government.
So we've seen some really like that some of those customers have become kind of leading indicators of future cyber threats and future cyber activity against other organizations, which is kind of an interesting aspect of that program, minus helping them.
It does, to your point, help us understand what's going to happen in the future, somewhat at least.
And same thing with this attack, right?
Like understanding, okay, well, this threat actor is doing this, will someone else try to mimic some of the things they're doing?
I'm curious also regarding the other threats that we've seen, at least since the past two years, that show us also the new patterns, the new vectors of attacks, the new types of attackers.
What is some use cases that we can say, even if not specific ones, more general ones that also shows us where is it going really?
So I think things are going to kind of multiple different delivery mechanisms.
So it used to be, phishing attacks were on email, but now we're starting to see cases where the attacks are moving out of email, we're seeing the attacks move on to, you know, iMessage, LinkedIn, Facebook, places like that as well.
WhatsApp, Signal, all of these. Telegram. Telegram, right. So all these sort of different mechanisms and from like a risk controls perspective, you're a CISO, how do you protect yourself from these different risk mechanisms, these people, your users are on maybe BYOD devices, they've got all these different apps, they could get vectorized, any of these things could be targeted, right?
So I think things like Zero Trust become like incredibly interesting, where you could try to intercept traffic and do filtering on that traffic, right?
So the Zero Trust product, Warp, Gateway, all these things that we offer, have become even more interesting as users are more mobile than ever.
I know during COVID, people stopped being mobile for a while, but in general, the mobility trend will only increase and continues to increase today.
There's more people on iPads or iPhones remotely, where they might not want to bring their laptop.
I don't like bringing my laptop sometimes, so I just bring my iPad.
I'm going to be out and I might need to respond to something for work for an hour or two.
I don't really want to carry a heavy laptop, so then I just use my iPad.
But then all of a sudden, could you be targeted on your iPad, where you have this inbound attack come across signal?
And a threat actor related to this threat actor, we know is targeting signal databases.
So when they get on your computer, we've actually seen them copying signal messages, which is interesting.
So I tell people all the time, I'm like, I hope you have disappearing messages on your signal.
And, you know, it doesn't default to disappearing messages, it feels like, where they don't disappear fast enough, because, you know, if a threat actor is on your host, and they're copying your messages, that could be really problematic.
And so you need to, if you're going to use secure comm tools, like signal or any sort of disappearing message, you better be sure they're actually gone.
And they're not like in there for your chat history.
I, I personally don't like chat histories at all.
So it annoys me when people turn them on. And they're like, oh, I need a history.
I'm like, this is such a bad idea. I can tell that you work in security.
Yeah, it's just like such a bad idea. Because like over time, like it's chat history, sometimes become more of a liability than they're worth.
You know what I mean?
True. That's one of the things that working at Falter sometimes for me that I'm a hoarder.
So I like to go and check like a message from 15 years ago and things like that.
And it's not as clear cut like this. I do tell people that chat is not a database.
You need to store something for a period of time. You should copy it and paste it and post it somewhere where we could actually track it.
Because, you know, like just searching chat is not an effective strategy.
And I think, you know, chat in general is just kind of not super effective.
It's, it's really hard to find things in there anyway.
True. It's immediate, right? I tell people that chat just made more email more important.
So like, if I get an email, this must be important.
Otherwise, it would send me a chat message. Because anything important, I'm like, it send me an email more easily.
Chat, it doesn't feel you could send it on as easy and stuff, if you know what I mean.
True. In terms of general purpose advices, for someone like you that works in security for so many years, what is the current thing that you usually advise folks to be aware you spoke about?
Zero Trust, the architecture, Zero Trust, making things protected in that way, instead of using VPNs.
Is there any other advice that we can give folks?
I think like running email security solutions is important in front of your email.
That's effective. Two-factor authentication is great.
That helps prevent attacks as well, right? Especially with the hardware keys, right?
Because with your mobile phone, that could be also the same cards could be.
For sure. I think that two-factor is better than nothing though. So it's like, if you're posting content that's like critical of a totalitarian regime, your threat vector might be different than like someone who's not.
And so like you might be here, the average person might be here.
If you're this person, like turn on your iPhone, extra iPhone controls, Apple's released, you know, use pass keys on everything.
Do you know what I mean? Like you have a different... Sure, sure. And if you're at that threat level, you still might want to look at hardware keys in addition to using like pass keys.
You might want multi-multi-factor authentication.
And so you have to understand your risk level. And I think too many times people are trying to generally assess overall risk from like every user in the world.
And that's just not the case. And each organization has different risk levels.
If your company's about to do some sort of merger in a certain geographic area, and that government's not exactly friendly, they're going to target you and hack you, steal all your data about the merger before they approve it.
And we've seen it time and time again. That's what goes on. So, you know, these things are all kind of predictable, I would say.
Like this happened, then a hacker did this to you.
You know what I mean? So they're somewhat predictable.
So it's like, Hey, like you could do a little bit of preemptive planning.
Like, Hey, I'm going to be posting this like article. And I think I'm a journalist and it's critical of, you know, like some guy named Bob.
Well, that guy named Bob's going to be really upset with you.
You know what I mean? So if you look at it from that perspective, you can kind of gauge risk.
I think a little bit more.
And I think historically people have not done that well. If it belongs to a totalitarian government, it will be, the risk will be higher for sure because it will have more powers to do harm in a sense, right?
That's correct. And so I think just understanding that helps people understand how to protect themselves at the personal level, right?
And then, you know, at the corporate level, you know, like you have to have all the defense in depth layers, right?
So Zero Trust. Remote browser isolation is great.
You can isolate links. Email security is important, right?
And so you just start in an EDR and you start like layering these layers as a corporate security entity or organizational entity.
And you can be effective at detecting, right?
Because you're never going to stop all cyber attack, all cyber threats, cyber attacks, espionage campaigns.
The key is containment, early detection and containment are the solution.
It makes sense.
The, for those who are thinking of the next steps, what is coming in terms of future, what can we say in terms of 2024, 2025, what is it coming in the security area that worries you?
That worries me. I think AI attacks are way overblown. So that worries me because I think there's too many people that are like, hey, we're working on the security because we're worried about like this AI threat vector.
It's like, hey, that's great.
But you don't have two-factor authentication or multi-factor authentication enabled and the attacker's already in your network.
And so there's a lot of, I'll call it security hysteria about like, just like the unknown, unknown and people haven't done the basics.
Um, and it's really important to have those basics locked down first before spending time worrying about esoteric topics.
And people on email are always like, well, what's the threat we're going to do?
Well, they can generate AI -based content. And I was like, well, they could, but if they're trying to get your Microsoft username and password and the content they generate doesn't say Microsoft on it, you're probably not going to click it and use it, put in your password and username.
So yes, they could use AI to generate the content.
At the end of the day, though, it will still have to say Microsoft or they're going to have a 0 % effectiveness rate on that topic.
Right. So we're on that, on that lore.
And so I think people have to look at that as a fact, which is understanding that hysteria and security, just because it's like some cool topic is not necessarily the number one thing to focus on.
And a lot of the problems that need to be addressed are more simple than that and can be addressed, but aren't.
And we see that all the time in the news where this happened and that happened and that happened.
And it wasn't because of an AI attack. It was because some basic security practices weren't followed.
Sure. And there's always that situation where if it looks too good to be true, it's probably too good to be true.
So be a little bit suspicious, especially if it's a hot topic. Right. Everyone is talking about a specific topic.
Then attackers will know that everyone is talking about that topic.
So they will use that against you. Like if it's near the end of the year and you want to get people's attention, you send them an email that's called like a bonus payout and you send it to like hundreds of people.
They'll all open it because they want to know what this is about because it involves their own personal wealth and money.
And so they'll all pay attention to these sort of content, pieces of content.
And, you know, there's a lot of content like that.
Right. Like, and so you got to pay attention. Like if you don't recognize the center, don't click the links from the center.
Right. Absolutely. You have, before we go, I want to pick your brain a bit because you have like this amazing experience with Area 1 that was acquired by Koffler with CrowdStrike, with NSA, with different experiences over the years.
What is the main thing about security that you've learned that you think most people don't realize that, but they should?
Security is hard.
Just deploying products and hoping for the best without people is not an answer ever.
And if you want to do that sort of security, then you need to buy MDR products that operationalize your security aperture.
It is just not effective to just deploy a product.
I one time did an incident response investigation at a client.
They had bought like $200 million in security products. The client didn't know how to log into the products at all.
And by the way, the client bought the training and education modules for those products too, but they couldn't log into the software.
They didn't have the passwords. So imagine you have these security people that work for you that don't have the password to log in to the security tooling that you paid $200 million for.
Just think about that as like a fact.
But someone was like, yeah, check, check, check. We bought, we're secure. We bought all this stuff.
If it can't be used and no one knows how to use it, then it's ineffective, right?
And we see that, I see that a lot actually. And so it's a little concerning because seeing that is over and over and over again.
But, you know, I would just say security is hard.
You need people. It's not just all products. You need people to look at what's going on and you need to use like common sense and make common sense controls.
And there's a lot of that that still doesn't go on where it's like, hey, like anyone can jam a USB drive into the computer and like, just like codes running.
Do you know what I mean? I had a, I had a, a nonprofit I worked with in the past and they were like, yeah, like sometimes some guy just runs into this office in the middle of the night in this one country and he just jams in a USB drive into our server.
And I'm like, well, just think about the threat factor, right?
Like I jam in a drive into a server in an office. You don't know who he is.
You don't know how he got in, but you have him on CCTV. So you see this guy jamming a device in.
Right. That's something. You know, like that's, that's a threat, right?
A big threat, vulnerability there. Yeah, there's a vulnerability there.
And so it's like, well, you know, you don't really want that to happen, probably.
Sure. I'm curious, you worked in, in public sector, in private sector, what lessons and main things did you learn in one and the other?
Jeez, that's a broad question.
I would say I learned, I don't know if in the private sector, you know, government likes to do a lot of attribution behind a cyber attacks, which is super effective because they're trying to understand like what happened in private sector.
There's sometimes a lot of attribution work goes on. It's unknown what the risk for war is of that work.
So, or maybe the cost benefit analysis is a better way to say it of that work.
So it's, is it helpful to understand generally, like maybe where, who's attacking you and why?
Sure. But most entities in the private sector can't just go out and deploy like a special ops team to go apprehend threat actors.
And we even see this in the case of government where, you know, the US government has spent in with allied governments has spent countless hours doing attribution and indicting threat actors.
And those threat actors, they are not in jail.
They are in a foreign country. They've not been apprehended.
But I think DOJ's success rate in indicting, in getting people that are indicted for hacking in foreign countries apprehended is probably like 1%.
Because these people just aren't coming to locations where they can be apprehended.
And so it kind of calls, and there's, and there's no deals between the countries, right?
Those are countries that they're not going to send their, I mean, these are like, sometimes they're government people, like they're not going to send their government people.
I heard someone was telling me a story that like in one country, if you get caught hacking, they give you like a, you get a house, they give you a permanent stipend, like a new car, you're a national hero.
So it's unclear to me sometimes that these indictments that are ongoing, if they're effective at all, or they're just making more heroes for like some other country.
Like, I just don't, it's just unclear the value of some of the indictments.
So, but before we go, any stories that you can tell from all of these years that surprised you the most?
Surprise me the most? I guess there's a few you cannot tell, but those that you can tell, is there something that surprised you over the years in different areas and companies and public sectors?
I would say the surprise sometimes is how easy it is to bypass security controls, right?
So like you're a building and you're trying to secure your building.
You have key card readers set up everywhere, but someone left the door open up the fire escape, and now anyone can just go out.
That is real. It happens all the time. And things like that that occur, and it causes us a lot of issues with, there's, you know, just these, like, how do you have a control for that, right?
Like someone propped the door open.
That's a real threat and it happens. And so I think from kind of my experience, I've seen a lot of that, where it's just like this one thing.
The other thing I'll say is like people would, they always have these backup or archive servers.
It's like some old server somewhere that's like just for emergencies.
Every single time that I talked to someone, they're like, well, that was an emergency server and it's been hacked.
You know why it's been hacked? Because it was an emergency server. No one's updating it.
No one's tracking it. And so it's those sorts of things that are like kind of the backdoor, backdoor no one knows about.
And I don't mean backdoor in the malware sense, but like the backdoor into the network, no one knew existed.
I had a story one time where I was talking about someone doing some incident response and the customer had a DMZ between their public and private networks, but they had firewall rules that allowed traffic to go any, any and all directions.
That's DMZ. Those are just firewalls around pushing traffic back and forth, but they considered a DMZ because from an architectural perspective, the devices existed.
They just were not configured properly. And so, you know, configuration, these sort of things, there's a whole bunch of a laundry list of issues.
They're really hard to get your head around and really get them right, but they're what matters.
And once again, it's not AI attacks that matter most of the time. It's hey, there's misconfiguration here.
This guy didn't update the backup server. You know what I mean?
Things of that nature. Sure. And I guess that your mind in security, if you see some of these things, you go and you also have the perspective of the attacker.
Oh, the attacker can use this. The attacker can use that, right? You can have the perspective of the vulnerabilities that most folks won't see that are there, but they are in a sense, right?
Exactly. Okay. This was great. Learned a lot.
Thank you, Blake. Hope you liked it. No problem. Have a good one. Have a good one.
And that's a wrap.