Cybersecurity Perspectives from a Principal Threat Hunter

Episode 328

State of Identity Podcast



John Bambenek, Principal Threat Hunter at Netenrich, joins host Cameron D’Ambrosi for a deep dive into the current trends across the cybersecurity landscape, from ChatGPT and deepfake offensive threats to leveraging data analytics across your XDR, SIEM and SOAR technology stacks for improved defenses.


Cameron D'Ambrosi, Senior Principal at Liminal


John Bambenek, Principal Threat Hunter



Cameron D’Ambrosi [00:00:00] Welcome, everyone, to State of Identity. I’m your host, Cameron D’Ambrosi. Joining me this week is John Bambenek, principal threat hunter at Netenrich. John, welcome so much to State of Identity. Really excited to have you here.

John Bambenek [00:00:16] Thank you. Very glad to be here as well.

Cameron D’Ambrosi [00:00:21] So for our audience that maybe is not familiar with Netenrich, maybe you will start there. What’s a quick 15,000-foot overview of the platform and your raison d’être, if you will?

John Bambenek [00:00:35] So essentially, right, the platform is designed to kind of solve my short attention span. We’ve got all these security products creating alerts and telemetry. We put them all in one place, right? That sounds like a SIEM, but what other tools don’t do is highlight what really matters. What do I need to work on? What is interesting that I can research, right, net new stuff? I don’t need to research the same family of malware or yet another phishing attack. You know, what’s a new technique that I can go find by digging through all that normalized telemetry and being able to search fast to say this is the stuff that you have to work from a SOC analyst perspective instead of grinding on level one tickets? Or here is the interesting thing that threat hunters and researchers like me, where automation fails because it’s net new, go dig in, to go find interesting research to go talk about.

Cameron D’Ambrosi [00:01:32] Interesting. And you’re bandying about some inside baseball terms that maybe I’ll pause on and pull back. So, when you say SIEM, you’re referring to security information and event management. You know, where would you say that Netenrich sits? Like you talked about SIEM and then you talked about SOC. Like, where are you sitting alongside these tools? Are you supplementing them, making them more powerful? Like, where would you say overall you fit alongside, you know, the security operations center and the SIEM within a stack?

John Bambenek [00:02:11] I would say, I mean, the SIEM is, we have a data lake that aggregates the information. Colloquially, I just refer to a SIEM as a data dumpster. You throw a bunch of stuff in there and maybe you get insights out. Really, our use cases are designed, you know, to transform the SOC to do higher value work. So if you think of how we train our younger professionals here: go get your bachelor’s degree in computer science, go get a master’s in cybersecurity, then get a GSEC or Security+ or CISSP. And now we’re going to airdrop you into a level one SOC where you’re responding to noise every day and just button mashing. It is a very miserable existence. It is also something that is creativity-destroying, mind-numbing work that takes a lot of the passion, a lot of the elements of why people my age got into the industry two decades ago, and just beats it out of people. And if they manage to survive it with their liver intact, you get to go do potentially more interesting things, but you’re already kind of broken in the whiskey-swilling misanthrope way that a lot of our industry tends to churn out professionals. So the notion is let’s automate away as much of the noise as possible, right? The EDR tools, endpoint detection or antivirus. Lots of false positives, we know that. Right. So you can have a person button mashing open, close, to pass it up to some higher level where human thought is allowed. Or you can get a system to go look at all the data, because once repetition and process take hold, when you’re responding to something that’s slightly new, you’re still going to do it the same way that you’ve done it all the time and you make mistakes.

Cameron D’Ambrosi [00:04:07] So fundamental human nature. Right?

John Bambenek [00:04:10] Right. You know, if we beat people into a bureaucratic regime, their minds close, and the attackers know that. So when you talk about the interesting stuff that really, you know, researchers like digging into, it’s stuff that looks mostly good, but there’s a couple little things over there. If you’re looking at the whole picture that nobody has the time to do all the time, you’re going to miss. And I’ve been at this a while, so some of my anecdotes are dated. I go back to the Target breach. Right? They had a great tool stack, but it was untuned, generated a lot of false positives, and their SOC basically was converted into button mashers, which was right 99.99% of the time until it was wrong, and then 30 million credit cards got stolen and then Target got sued. So we have to accommodate the fact that there’s just an immense volume. Right. And going back to when I was writing best practice guides in the ’90s, you need to do manual analysis of logs. It’s still technically a best practice. The problem is that it was absurd in the nineties, and we’ve only added orders of magnitude to the data. There are just not enough people to do that work, even if they’re investing the mental energy to do it correctly every time. And it just makes no sense. So we need automated systems, not just behavioral analysis, you know, actual true anomaly detection and doing the work of data science. That really can only happen on normalized data.

Cameron D’Ambrosi [00:05:48] So reading between the lines, it really sounds like, you know, you’re almost a force multiplier in some ways. Not necessarily helping generate, you know, more or new alerts. It’s about taking the existing manpower you have and freeing those people away from, you know, proverbially speaking, continuing to press the reset button on the smoke alarm because, you know, you burned some toast, and only really focusing them on paying attention, like, did the smoke alarm go off because my house is actually on fire this time?

John Bambenek [00:06:24] Exactly right. You know, I mean, that’s a great analogy, right? You know, I want to say my son did this a couple weeks ago. The smoke alarm kept going off because the battery was dying. And, you know, you’re 16, you didn’t know that. Oh, just change the battery. So he just kept hitting the reset button. And then eventually I found it in pieces on the floor in the basement. And it’s like, no, really all you needed was a battery. But, you know, there’s a benefit of some experience, you know, even in dealing with smoke detectors, instead of, you know, let’s just hit a button because this annoys me.

Cameron D’Ambrosi [00:06:57] Yup. So, you know, as a threat hunter, I would love to just get a quick level check on, you know, what is out there, what’s the latest and greatest, and maybe to add some extra new flair to it. You know, are we already beginning to see an impact from generative A.I. tools like ChatGPT and how, you know, cybercriminals are cobbling new threats together?

John Bambenek [00:07:26] You know, I’ve been asked this question a lot in the past couple of weeks, right, about ChatGPT or just generative language models. Right. So I mean, the chatbot has guardrails, but the underlying technology is the same. You could just take off the guardrails and just use the same thing to do whatever you want. For phishing, I think it will just increase the scale of attacks because they can automate away their low value work. Writing phishing templates is boring in the general case. Like in sophisticated spear phishing attacks where it has to be highly personalized, probably not a tool for AI because you need the human creativity to really be precise. But the spam, the earth stuff, you can start increasing the scale of your attacks to generate more stuff instead of manually writing phish kits, which is their own kind of niche job in the cybercrime ecosystem. Now you can do some of that low value writing. You know, there’s lots of other threats I don’t think are fantastical. And I kind of go back to the hype around deepfakes of a few years ago. People were like, oh, people are going to impersonate politicians and start wars and whatever, and realize none of that really happened because popular people are hard to impersonate with credibility because they’re in the public eye. Right? If they didn’t say something, it’s easy to figure out because everything they say is public. What we saw from the threat landscape of deepfakes was synthetic revenge porn. Right. You know, of targeting usually young women where, you know what, it’s close enough. It’s believable enough to be a great harassment tool. And I say great relatively, not morally great. Where we get the threat wrong is that a lot of the bulk of attacks are directed to people who don’t really have any protection.
So I think the generative attacks, outside of like really increasing the scale and volume of phish kits, I was thinking about this because there’s a summit coming up on business email compromise, which in part covers romance scams. If you think of just tools like Replika, it’s a smartphone app that you can get on your phone to basically create a virtual assistant language model, but you can train it to develop companionship, which is the key element for romance scams. There needs to be that emotional connection. I think tools like Replika, or something recast, where you could create something that gets trained to create that emotional connection, to do romance scams at scale, I think is more likely. And what you see if you go to like the Reddit forum on Replika is people are creating essentially emotional bonds to their virtual assistant that they’ve trained in terms of how they want somebody to respond to them. And that’s the hook that’s needed, is that emotional hook. And we do have tools that are helping create that, that I think will be recast. I don’t know that we’re going to see some massive evolution of cybercrime. I mean, by volume, the biggest problem with Chat three is students turning in fake papers. You know, it’s like, I don’t really want to write a paper on Act two of Hamlet. Give me something. As a joke, I created a fake APT research report on a threat actor I called Hot Cousin, sponsored by the Nigerian government, and it gave me a great two- to three-page executive summary on it. The only thing missing was indicators. So the tools will be great for synthetic narrative, for aggregating knowledge and summarizing it. Some other ones that are good for that can be crafted and trained for emotional connection. But there’s these kinds of theoretical threats: hey, attackers could write malware with it. We’ve had tools for AI to help assist software engineering, but as far as I know, Google’s really the only one who’s been able to deploy it successfully.
It takes a lot of effort to get correct without detonating. And the fact is the attackers have more tools than they could ever use. Now, they don’t really need to innovate because they’re radically successful today and there’s no real risk of prosecution tomorrow.

Cameron D’Ambrosi [00:11:53] So what’s next in the broader cybersecurity landscape, in your opinion? You know, I think you’re well positioned to call out some of the trends you’re seeing. From our perspective, we have continued to see, right, vertical integration, you might say, right across the IT defense stack, as, you know, to your earlier comments, right, threats become more pernicious and, more critically, defenders are overloaded with information. You know, it’s not necessarily about trying to seal things off more effectively. It’s about trying to parse all of this great information that you already do have. What are your thoughts on what we can expect to see over the next year in the space, more generally speaking?

John Bambenek [00:12:39] I think you mentioned one dynamic, but I think there’s something kind of underpinning it, right? The vertical integration of where you’ve got tools where, hey, you’re all on my stack, it all speaks the same language. So both Google and Microsoft have been making significant cybersecurity plays, different flavors, right? But if you think Microsoft Sentinel, you’ve got all these Microsoft tools, they’re already speaking Microsoft. Now it’s just aggregating all the data into one place and helping you with the analytics. As an example of that vertical integration you’re talking about, that helps CISOs only manage one relationship. I mean, Microsoft has a huge center of gravity of monopoly power, so it makes a very compelling case. Google’s play is a little bit more open where, hey, you can send us any data you want. Here’s our normalized data model, which in effect creates the very same thing, right? The same kind of events are normalized and codified the same way. So how Microsoft talks about a login and a Linux device talks about a login and AWS and Salesforce, whatever, right? If you’re representing the same class of activity the same way, you’re starting to enable rapid analytics. One of the problems with the data dumpster approach is that just even doing data science on non-normalized data is immensely difficult, because you start having to code in all of the edge cases and pretty soon you realize everything is an edge case. There is no consistent case, and it’s a liver-destroying realization that instead of doing the work, you’re doing normalization, which nobody really likes doing, or you’re paying the same engineer several hundred thousand dollars to have unlimited job security because you’re going to have to keep doing that work all the time. So there’s the verticalization, right? It’s just all on one platform.
And CISOs like that because one vendor relationship, one set of all the hassle that goes around with a vendor relationship, you know, or, you know, somebody with a different center of gravity of monopoly power says this is the way we’re going to do it. Here are tools to do it this way. So you have essentially the same kind of effect. So I think these large tech companies getting into it and the economic headwinds that we’re looking to be facing, that may get worse here in the next 12 months, is going to create kind of the perfect storm of the centralization of the security industry, where we’ve been relatively insulated from that. Right. You know, we’ve weathered economic headwinds for a long time. Like 2008 for the technical people in the tech industry was kind of a nonevent unless you were underwater in your house. You know, the pandemic, most of us really didn’t lose jobs. We’re only starting to see bulk layoffs and some of the signs of rapid consolidation that will create that economic dynamic also. So I think you’ve got technical reasons and economic reasons and practical reasons that these kinds of things will happen. And it’s usually towards the center of gravity of large essential monopolies that that centralization goes to.

Cameron D’Ambrosi [00:16:09] And on the threat side, you know, what’s making waves from new and exciting, you know, threat vectors? Is it a gradual evolution? You know, I know you’re alluding to some of the most pernicious threats being ones that are slight wrinkles that are close enough to maybe some of the existing alerts that are coming in that they slip through the cracks. What’s keeping you up at night from that threat perspective?

John Bambenek [00:16:36] Oh, I think I’m sufficiently numb at this point not to be kept up at night. Right. You know, it’s between, you know, I just know that we’re all, you know, we’re doomed. Right? As I kind of go back to a philosophical construct, people are like, why can’t we fix security? It’s like, if you look at our earliest documented human history, we’ve been killing and thieving. Forever. Right now, we can do at least the thieving part online. The human nature is there. Technology just allows for it to happen at higher scale and greater distances than before. But it’s the same human behavior. We can’t fix the problem. So I’m not really emotionally attached to, hey, this can happen, or there could be ransomware or fraud. It’s, that’s life. There’s no fixing it. I can make it less likely. I can make it easier to detect. And that’s the key that I kind of focus on professionally, is like, I can’t stop theft. I can make it easier to detect and sooner to detect. So ransomware is a threat that’s on everybody’s mind, and there’s lots of tools to detect ransomware as it operates, right? It’s a very clear pattern. Open a fight or do a search. Find all my list of eligible files. Open a file, encrypt a file, close the file, remove the shadow volume copies. Do that thousands of times. I can detect that, sure. But by the time I’ve detected it, the data is destroyed anyway. And really, a detection model after the fact for ransomware is irrelevant because the attacker eventually, usually fairly quickly, lets you know what they did because they want to get paid. You know, it’s in their business model to sit there and say, I got you, now pay up. Hostage takers are not discreet. And that’s essentially what we’re dealing with. What we need to do is detect things earlier on in the attack lifecycle, faster and more obvious. That might be subtle.
One of the things that I go to in a lot of my talks that is used prolifically in sophisticated threats, advanced cybercrime, is PowerShell. Because the attackers know our AV and endpoint tools are very poor at detecting malicious scripting languages. Because it’s very easy to tweak things and evade stuff versus binary signatures. You know, malware detection of an ELF binary or Win32, fairly straightforward. It may be something net new you’ve got to write a signature for, but for a scripting language, it’s pretty hard. There’s some behavioral stuff, maybe. But if you can solve that problem of just PowerShell or privilege escalation, you don’t have to worry about ransomware, because ransomware is going to need to escalate privilege and it’s going to need to use something like PowerShell to deploy everywhere. You find misuse of that stuff and interdict right away early on, everything calms down very quickly. Right. Your CISO can play golf again instead of being on conference calls at 8 a.m. or 8 p.m. because the data center’s on fire. So it’s really about creating the ability to find things that are bad quicker. And unfortunately, like where we are in the tech stack, how do you distinguish between a good or a bad privilege escalation? There’s no signature to be had. It’s all behavioral analytics, right? And there’s ways to do it, of course… It’s something I need lots of data from different products to help me have the data points to make that determination. And if I could do that quickly and interdict it quickly, I’ve greatly reduced the scope of at least the problem in my constituency. Right. It leaves open, to go back kind of full circle, the synthetic revenge porn or romance scams. These are just people, folks out in the wild. Nobody’s really developing products for that because there’s no VC or private equity funding.
So I’m going to guess the good news is, in 6 to 12 months, there might be none of either for anybody, considering where the banking crisis, the banking troubles are going. I don’t know if it’s a crisis, you know, but the broader society isn’t protected to begin with. Right. So if there’s anything that approaches, I wouldn’t say keeping me awake at night, but where my concern is, you know, as a professional, is I can protect an enterprise. They can pay my salary. Who’s protecting my daughter online? Right. And obviously I have a role. But, you know, there’s plenty of other people with plenty of other daughters who have non-tech-savvy parents. Who’s protecting them online? Because the cost of failure there, of like a victim of revenge porn, you know, can be measured in suicide. You know, the worst that happens to me is, you know, ransomware affects the organization. They get an insurance claim and I’m out of a job for four weeks, and then I get another job and start all over again. But I’m not even really in the throat-to-choke phase. Right? It’s the CISO that gets fired. It’s not the people underneath the CISO, usually. So I’m even, you know, even if I miss something, I’m employable forever. You know, the real harm is faced in the broader society, and there’s not enough focus on solving those problems because there’s no big dollars backing it.

Cameron D’Ambrosi [00:22:20] So what role do you see identity as playing? You know, this is ostensibly an identity-focused podcast. I like to bring in outside perspectives, especially from cyber, around identity-related questions. You know, you talked about privilege escalation. You know, how would you say identity and things like, you know, is this just a privileged access management challenge in terms of stopping that escalation? Or what role does identity have to play in thwarting these kinds of privilege escalation threats?

John Bambenek [00:22:53] Well, I think identity is the core problem. You know, I mean, there’s two fundamental cybersecurity problems, right? And they can all be reduced to one of these two. One is how to safely process data that’s from untrusted inputs. So like buffer overflow, SQL injection, go through it, like how to safely process data, right, that. And then how to authenticate that the person at the keyboard is who they say they are. And we’re really nowhere on solving those problems. We’ve made them marginally better, you know. But buffer overflows and SQL injection are still a thing decades after the fact. Authentication has always been a problem. You know, now there’s things we can do with multifactor, and, you know, there’s a lot of advanced attacks that, you know, I’ve seen in EMEA that really involve victims that don’t have good MFA in place. And I mean MFA. I don’t mean text-based, you know, here’s your six-digit code, right? You know, that works for low-rent stuff, sure. But not for enterprises. But it’s also kind of a pain, you know. You know, I’ve got this phone right here. I’ve got an 1890 iPhone 14 Pro Max sitting behind me. I’ve had it for a month. I need to migrate my phone. But what’s going to break and cause me to lose a day of productivity is moving all of my MFA tokens from phone one to phone two for upgrading. You know, and that’s just an example. It’s like, I’m tech savvy, I can do this. I just don’t want to invest the time in it. And I’ve got a $1,300 smartphone behind me that’s a paperweight because I keep putting that task off, which shows that while we have the answers, good answers, not complete, but good starts to answers, there’s also real usability problems, right? I mean, the same is true for like email encryption. We know that email’s insecure, we tell people forever don’t do significant business on it, but it’s the tool we have. We can’t make it secure, and all the tools around email encryption suck. Like PGP or GPG hasn’t evolved in 20 years, and nobody really knows how to make, like, anybody but the most geeky people in our industry use it. Even security professionals don’t want to use it. If somebody said, hey, come to a key signing party, I’d be like, I’ve got some other things to do. I’m 45. I got to schedule a colonoscopy, right?

Cameron D’Ambrosi [00:25:28] That’s amazing. No, look, I mean, it’s always great to hear, you know, folks share the perspective that, you know, identity more than anything else is really the linchpin of all of this. But obviously, it’s a truism to some degree, right? Like, if you understand who is behind every device within your network, then you’re not going to have a fundamental cybersecurity problem. Obviously, then insider threats is a whole different ball of wax. What’s next? Let’s bring this to a close. Last question here. You know, where do you see Netenrich going from here? What is the next frontier in this broader cybersecurity space? And where do you see there being kind of these blue ocean opportunities for continuing to help organizations enhance their cybersecurity postures?

John Bambenek [00:26:19] I think one of the kind of biggest areas that’s new, I mean, just for enterprise self-protection, but even the broader society, is the amount of computing that is put in other things, right? We’ve talked about IoT for a while, but there’s lots of niche IoT devices, and the only real threat manifested in Mirai. But if you’re thinking about, we’ve had some customers who are doing medical device telemetry, for instance. Right. And all of these things are running on embedded versions of Windows, which means the same underlying risks and vulnerabilities of normal devices. I mean, I’m on a MacBook, but actually behind me is a Windows box, except you can’t patch it. You don’t have a console, you can’t put EDR on it. Now I’ve got to protect it, because if a medical device goes down that’s life sustaining, that’s a life ending event. Right. You know, if your ventilator is running on Windows XP and somebody drops an SMBv1 exploit on it, knocks it offline, somebody ain’t breathing. And we’re adopting more and more technologies where there’s those kinds of risks to attend to. We didn’t talk much about it in my PhD. I’m getting a Ph.D., but it’s in data science. I mean cybersecurity data science, but data science nonetheless. We’re creating image recognition systems that power self-driving cars. If somebody could trick those systems to recognize a pedestrian as a crosswalk, you’ve got cars running over people. And ultimately, it’s a technology problem. But now you’re creating physical risk, which is a new world of problems. Right. Is that, for the most part, all I’ve dealt with for most of my career is either lost money or lost secrets. And I’m not going to underplay those at all. But that’s different than lost lives. I can get an insurance policy to make you whole for lost money. Well, kind of. I guess cyber insurance is pulling back and creating more problems, right?
You know, lost data is a problem, but any company should be creating more trade secrets over time, not just resting on its laurels, or you’ve got monopoly power and you’ve just got the center of gravity that comes with monopoly power, and it doesn’t matter what you do. And we could name names, but I’ll probably get in trouble if I do. You know, but when you start dealing with lost lives, I mean, yeah, there’s life insurance, but that doesn’t solve that trauma. That doesn’t deal with the missing person. Or some of the technologies that are doing the facial recognition now, deploying in law enforcement, and that’s creating human rights issues. So these tools and technologies that exist in the context we’re used to operating them in, on prem or even in a cloud, deploying them everywhere else and creating lost lives or lost human rights, which is an entirely different world, that I think even the psychological impacts that has on protection professionals protecting those systems, like if you miss something and somebody dies, that is an entirely new level of trauma that a working professional has to deal with that I don’t even think as an industry we’re prepared for.

Cameron D’Ambrosi [00:29:38] All right, final hit here. I call it the shameless plug opportunity. If folks want to learn more about Netenrich, get in touch with you to harvest some of your insights for their gain and to protect their organizations further, what is the best place for them to go to learn more or to reach out to you?

John Bambenek [00:29:59] Sure. We’ve got a website, Netenrich dot com, NRDC dot com. So lots of good information there about our product, Resolution Intelligence Cloud, and some of the other offerings we have around it. I’m on LinkedIn as John Bambenek, on Twitter it’s just at BAM, and always happy to communicate and just share war stories or give people advice or, you know, whatever questions they have. So feel free to reach out. I’m pretty prolific on social media and easy to find.

Cameron D’Ambrosi [00:30:30] Fantastic. Thank you so much again for your time. Greatly appreciate it. And we’ll talk to you soon.

John Bambenek [00:30:35] Thank you very much.

Cameron D’Ambrosi [00:30:43] That’s it for today’s State of Identity podcast. If you’re looking for more insights, Liminal membership offers access to our team of experts, providing you with exclusive insights and strategic guidance unavailable anywhere else, from quarterly reports to daily briefings. Our repository of research and insights keeps you ahead of the curve. Experience industry-leading events and unparalleled networking opportunities with like-minded professionals, all while pushing the boundaries of possibility and capability within the digital identity industry. Visit us at liminal.co to learn more and become a member today.
