Risky Business Podcast

On this week’s show we’re chatting with Alex Tilley. He’s with Secureworks in Australia these days, but before that he spent a big chunk of his career with the Australian Federal Police.

He did a presentation a few weeks back at the AusCERT conference all about what fraud crews are up to these days. He’ll be joining us to walk through how much damage West African crime groups are doing with compromised office 365 accounts. We also talk a bit about trends in money muling, because that game has really changed.

This week’s show is brought to you by Cylance, and in this week’s sponsor interview we’ll be chatting with Cylance’s very own Jim Walter about how ransomware hasn’t really gone anywhere, despite most of the tech press getting sick of writing about it.

Adam Boileau, as usual, joins us to talk about the week’s news, including:

• The Vault7 guy is totally screwed
• US Senate scuttles Trump’s plan to save ZTE
• Chinese pwning satellite comms, telcos
• Olympic Destroyer crew is back

Links to everything are below and you can follow Patrick and Adam on Twitter if that’s your thing.

You might have noticed North Korea’s been in the news over the last couple of days. Well, we’re sticking with the theme – we’ve got a great feature interview for you this week with Andrea Berger. She’s a senior research associate at the US-based James Martin Centre for Nonproliferation Studies and the co-host of the Arms Control Wonk podcast. This week she speaks with Risky Business contributor Hilary Louise about a report the centre did into North Korea’s IT industry.

Yep, they have one, and you’ll be surprised by its scope and reach. That’s this week’s feature interview.

This week’s sponsor interview is with Signal Sciences co-founder and CEO Andrew Peterson. Andrew was at a Gartner event in DC last week, and I grabbed some time with him to talk about what’s new in DevSecOps, how people are applying various DevSecOps tools, and what the general awareness of good DevSecOps practices is out there. Andrew’s prior career was in development, not security. He and Zane Lackey worked together at Etsy and Signal Sciences was very much inspired by the work they both did there. Andrew says analysts are starting to understand that web application security isn’t something you drop on to a network in an appliance and things are actually changing.

Mark “Pipes” Piper is this week’s news guest. All the show links are below and you can follow Patrick, Pipes or Hilary, if that floats your boat.

On this week’s show we chat with Peter Wesley. Peter’s well known around the Australian security scene, but a few years back he relocated to China, where security is booming. He did a presentation at the AusCERT conference on the Gold Coast last week all about the Chinese hacker scene and security industry. He joins us in this week’s feature interview to tell us about how the Chinese scene evolved and what its current relationship with the Chinese government looks like.

This week’s sponsor interview is a cracker. We’ll be joined by Ryan Kalember, Senior Vice President of Strategy with Proofpoint, the email filtering company. Ryan is along to talk about a phenomenon the Proofpointers are very interested in – we’ve all heard of VIPs, but he’s here to talk about VAPs – Very Attacked People.

So much attacker behaviour these days is driven by email-based attacks, and the people getting hit the most with this sort of stuff might not be the ones you expect. Ryan joins us later on for that conversation in this week’s sponsor interview, with thanks to Proofpoint.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

On this week’s show we’ll be talking about a whole bunch of stuff – the FBI taking down a botnet in a very FBI way, we go deep on the Trisis malware popping up in the US following America’s withdrawal from the so-called Iran agreement. We look at the latest in the crypto debate, breaches, bugs and more!

We’ll hear from Tom Uren of Australia’s Strategic Policy Institute (ASPI) on the Trisis side of things. Tom worked in an interesting place in Australia’s defence department but these days spends his days think tanking for the Australian Strategic Policy Institute. He shares his thoughts on what it is Iran could be up to with Trisis.

This week’s show is brought to you by: Australia!

AustCYBER is a government-supported industry group here that is trying to get the Australian cybersecurity industry organised. There’s the VC-backed US model, the build a “cyber city” in the desert Israeli model, then there’s the Australia model, which is actually quite different. It’s much more about helping local startups win deals locally, then internationally, to get them on a path to profitability so they don’t have to sign the awful term sheets Australian VCs put in front of them.

Well, there’s more to it than that, but AustCYBER head honcho Michelle Price will be along in this week’s sponsor interview to walk us through what she’s trying to do for the Australian security industry and how foreign multinational companies can also benefit from that.

Soap Box is not our regular weekly show, it’s the monthly podcast here at Risky Biz HQ where vendors pay to come on to the show to talk about what it is they actually do.

Before EclecticIQ sponsored this edition, to be honest, I didn’t really know much about them. All I knew is that their positioning was very much around “threat intelligence,” which, as regular listeners would know, are two words that are usually followed by “derpa derpa” on the regular Risky Business podcast.

BUT! Here’s the thing. EclecticIQ don’t sell a “blinky light” box that receives a creaky feed of 12-month-old IOCs. They sell their solution to either massive organisations or very high risk organisations. They could be national cyber security centres, entire defence departments, very, very big enterprises; basically anyone that has an intelligence team and multiple constituent departments or agencies. They also play in ultra high risk sectors like defence contracting.

The EclecticIQ platform isn’t for small organisations. It really is for orgs that have dedicated, externally-focussed intelligence teams. Their play isn’t “we feed you threat intelligence,” it’s use our tooling to go get your own threat intelligence, develop a strategy for dealing with the resulting product then distributing the strategy that flows from that process out to the relevant people in your organisation. I like to think of this approach as “killing your own meat”. That’s what EclecticIQ is all about. They give you the shotgun and a map, the last known locations of the deer, a cool room and a bunch of cleavers. Delicious. Apologies to any vegetarians listening for that metaphor.

Joep Gommers is our guest. He is the founder and CEO of EclecticIQ. Prior to founding EclecticIQ, Joep served as Head of Global Collection and Global Intelligence Operations at iSIGHT Partners, which was, of course, acquired by FireEye. Joep joined me to talk about what it is that EclecticIQ actually does and the resulting conversation, I hope, will be interesting to anyone who wants to understand how Threat intelligence is developed and disseminated at scale.

There’s a link to EclecticIQ’s website below, and you can follow Joep Gommers on Twitter here.

In this week’s feature interview we’ll be chatting with Shubham Shah and his friend Lord Tuskington about continuous asset discovery’s impact on testing methodologies. Shubs has worked as both a pentester and as a very successful bug bounty hunter. In fact he’s built an entire asset discovery platform that he and his buddies have been using to rip crazy amounts of cash out of bounty programs over the last few years and he’s turning that platform into a product. So I wanted to talk to him about that, but I also wanted to get a pentester’s perspective on how this type of continuous asset discovery tech could change the testing industry.

This week’s show is brought to you by Exabeam, a next generation SIEM company! And it’s amazing how nicely this week’s feature and sponsor interviews dovetail actually, because Exabeam’s Steve Gailey will be along in this week’s sponsor interview to have a chat about how SIEM technology has changed much faster than SOC operations methodologies. Because basically everyone has structured their operations around three levels of response and the workflows are so ingrained, nobody seems to know know what to do with a next generation SIEM.

Adam Boileau is also along, like always, to talk about the week’s security news.

The show notes/news items are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Here it is – this week’s feature interview with Marisa Emerson! Marisa is a security researcher who did a great talk at BSides Canberra in March all about game cheating.

She was specifically talking about the cheating techniques PUBG gamers are using and just how advanced they are. The crazy thing is the cheaters here are rolling some pretty decent techniques. It’s reminiscent of the iPhone jailbreaking scene – a lot of good hackers who don’t know they’re good hackers.

Marisa is running a binary exploitation bootcamp in Brisbane that will have another session next semester. Details are here.

In this week’s weekly show we’re just going to drill in to the week’s extra long security news section with Adam Boileau then go straight to the sponsor interview. I’ve got a fantastic feature interview for you this week, but I’m going to publish it outside of the news show. It was either that or run stupidly long or cut too much from everything to make it all fit.

This week’s sponsor interview is a good one though. We’re chatting with the team behind DarkTrace. They make a machine learning-backed network monitor. A key different with this kit is it actually gets involved on the network. If it sees something it’s confident is attacker behaviour it will start spraying TCP resets to boot them off the network.

This is something the IPS systems of old used to do but it’s an approach that fell out of favour. We’ll find out why that approach was discarded and why it’s coming back, as well as generally discuss the role of machine learning in security with a company that has invested in it heavily. This isn’t a “for or against” interview segment. This is a discussion with one company that is getting value out of the approach, so stick around for that.

The show notes/news items are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

On this week’s show we’re taking a look at some recent data out of Microsoft trumpeting its Defender antivirus install figures on Windows. They’ve got 18% market share on windows 7/9 and 50% on Win10.

For the AV and endpoint security industry Microsoft has always been the existential threat, but has the plane flown into the mountain already? We’ll speak with Securosis analyst and DisruptOps founder Rich Mogull about that in this week’s feature interview.

In this week’s sponsor interview we’re joined by the always entertaining Haroon Meer of Thinkst Canary. When we spoke Haroon had just wrapped up his first ever booth at the RSA conference. He’ll join us this week to tell us, surprisingly, that it was a really worthwhile exercise for Thinkst, but as you’ll hear he also thinks the broader industry can be a pack of dumbasses when it comes to actually marketing tech at events like RSA. If he becomes global ruler RSA booths will be gimmick-free and just show people product demos.

The show notes/news items are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

In this edition of Soap Box we’re chatting with Root9b. They’ve just launched an updated version of their ORION platform. And I guess the way you’d describe Root9b is as a threat hunt product maker and managed threat hunt provider. And their approach is a bit different – their software is agentless. They basically authenticate to a machine, inject various payloads into memory, and use that to pull back all sorts of telemetry from machines.

They say this means it’s much less likely that attackers will see them and they offer this as a product, ORION, or they offer it as a service. They say their managed services customers come to them because pretty unhappy with their MDR and MSSP providers and want better signalling.

So I was joined by John Harbaugh, COO of Root9b, and Mike Morris, CTO. Both of these guys were US Air Force cyberdudes before jumping out to the private sector. The company actually started off doing training before developing their platform ORION.

John and Mike joined me by Skype for this podcast. Enjoy!