Are You ready for these 2025 threats?

Are You ready for these 2025 threats?

Show Video

we see things like um adversary in the middle  attacks for instance where a user will be um   redirected to a malicious website and be asked  to put in their credentials to log in and they   they're brought to a web page that looks like  yeah a regular login page for say their bank or   something like that but it's not and the the URL  might have like one uh character that's slightly   different it might be a 1 instead of an L or  something like that and they don't notice it   right and so they they put in their credentials  they hit click and that's it I mean that then   the threat actors got the keys. Some of the stuff  you shared now I didn't know and I'm sure a lot   of people didn't know it seems like crazy that a  pre-shared key can save me from quantum computers   that doesn't seem to make sense but you know  that's just like me saying random things so just   before we continue with the interview I've got  to say that this video is sponsored by Cisco but   they're not forcing me to say certain things this  is a video about making the world a more secure   place because it's cyber security month we're  not going to concentrate on Cisco product we I   just want to get experts sharing with us how we  can do things better and make our companies more   secure and make our selves more secure so back  to the interview. Everyone it's David Bombal   back with two very special guests Kendall, Kirsty  welcome! Thanks David! Thank you to be here! Great   to have you here now Kendall let's start with  you I was looking at your LinkedIn profile some   interesting organizations you've worked for  right? Yeah um I actually started out in the   uh US Intelligence Community uh before making my  way to private sector so um I worked for the NSA   and CIA uh for a period of time mostly doing  counterterrorism actually at that time so my   transition into cyber is sort of a probably a  bit of a unique story. And you currently work   for Talos right I do yeah Cisco Talos yep. What  do you do at Cisco Talos? Yeah so I'm a senior   intelligence analyst and strategic lead um I am  on their strategic analysis team so the work that   we do really focuses on looking at the threat  landscape at a 30,000 foot view so identifying   new trends and patterns trying to figure out what  threat actors are doing the same or differently   and then really trying to like level up um a lot  of the great work that my colleagues do um to   make it understandable for general audiences and  executives and try to pull out those trends that   can really help customers. But I love this I mean  you've worked for CIA NSA but you've also worked   for Visa right? yeah yeah just for a short time um  but that was kind of my pivot from the classified   world into private sector the easiest way was  kind of to take my um intelligence analysis and   strategic thinking skills and sort of parlay that  into the Cyber realm so it's still tracking bad   guys and identifying threats and all that stuff  and a lot of the work that I enjoy now is we do   produce so much in the Intel Community we would  call it Actionable Intelligence yeah but here   it's it's finding things that you know really  make a difference we can make new protections   for Cisco products we um can report on threats  that are emerging and those things really help   people people in in real life so it's it's very  rewarding. I love that we and you've been at at  

Talos about it's like seven years almost. Yep yep  that's right. yeah I love that because I was going   to say it just feels like the sky is falling  sometimes with all the threats out there. It   does it does and I you know there's just so many  parallels to the the counterterrorism world that   I used to work in and that's certainly one of them  um the sky always falling the bad guys are always   reinventing and it's sort of a constant game of  cat and mouse. I want to ask you some questions   about you know top threats thinks companies  are doing wrong how we can protect ourselves   but before we get there. Kirs you've also got an  interesting story you were a math teacher at one   point or math teacher for my American friends  yeah I was and that was incredibly fun 11 to 18   year old kids love learning math and then after  that I left and I went to the pay government of   the NCSC National Cyber Security Center which is  a part of GCHQ for those listeners who may not be   so familiar with it and they're the National  Technical Authority for the UK. So GCHQ just  

for people are not aware is similar to the NSA  is that correct? That's right yeah Government   Communications Headquarters . But you also did  math there right? yeah that's right yeah so this   is what I guess I'm showing it right now it's  more like me. I love it you I mean one of the   at the moment you work for Splunk. That's right  yeah so I'm a field CTO the EMEA region at Splunk   probably here I have a British accent and I'm  based in Switzerland in Geneva to speak a bit of   French as well my job is to go around and talk to  our customers about their big strategic security   problems. I love that I mean I um saw an interview  where you were talking about when you were working   for the UK government you were talking about you  were like looking at AI and Quantum Computing and   IoT and like that is now reality you were looking  into the future but now it's big today sorry go   on. That's right yes my job was to horizon scan  and find things that would affect the security   of the UK in 5 to 10 years time so what was great  about that job is I was doing it well because that   stuff is happening today so the things we see  in AI the developments in IoT security making   sure that we can't form large PNETs and basic  things like admin admin don't exist anymore   that regulation is now in place in the UK so it's  quite cool actually and I'm sure we'll talk about   can't stop. So I'm gonna to ask you some questions  now we I just for the audience I put some tweets  

out and some messages out uh on social media  asking for your questions and I've got some   of them here but some of them are my questions  hopefully these are questions that you've got that   you want answered I I get asked this kind of stuff  all the time so for either of you uh Kendall,   Kir just answer who you know either both of  you or whoever feels that you want to take   the question one of the top questions is I I think  it's really important like what are the top cyber   threats like top three or whatever your favorite  number is top cyber threats that we need to be   aware of you know in 2024 going into 2025? Yeah  I can I can start with that one the first one is   ransomware ransomware you know everybody's heard  about ransomware but it just continues to be a top   threat quarter over quarter year over-ear that  is impacting um our customers and I think what   this really shows is that um it's it continues to  work it's effective cyber criminals continue to   see ransomware as an effective way to um steal or  coers victims to to pay them money um there's been   some changes in that space we've seen an influx  of less skilled actors coming onto the scene with   some of the leaked ransomware code um and builders  hitting the internet uh which I can talk about but   ransomware looms large still and I think the other  bucket of threats that we're looking at and that   have been increasing are Identity-Based Attacks so  these are anything that um any way that an actor   can steal your identity co-opt your valid account  etc to do malicious things and this can take um so   many different forms they can steal credentials  from say um a previous data leak they can buy   stolen credentials on the dark web from initial  access Brokers that's a big Market password   spraying attacks Brute Force attacks any way that  they can get access to your legitimate account is   what this refers to and it's it's so effective  David because you know once they have access to   um a legitimate account it's so much easier for  them to hide yeah um their activity right because   Network Defenders seemingly aren't looking at  that account and the activity coming from that   account um with any suspicion um and then of  course once they're in the network they can do   any range of things um like create new accounts  um escalate privileges so they can um get access   to more sensitive information they can conduct  Network reconnaissance they can carry out internal   uh social engineering attacks like business email  compromise I mean it's really just a proliferation   of threats from that point forward so I'd say  pretty consistently this year uh we've seen   ransomware and then identity based attacks and  I think you know we'll likely see those continue   into 2025 as well. I saw in the Talos report  I think was is it 60% or something is identity   theft or is it like a really large number. Yeah I  think uh that might speak to initial access when   we've been able to determine initial access in  incident response engagements something like 60   or 66% is valid accounts so it it it is those  actors going in and compromising legitimate   users accounts um so you know we've got the data  right there to kind of show um that that's kind   of at the root of a lot of compromises today. So  you you mentioned uh BEC or BEC I don't know how  

you pronounce it Business Email Compromise can  you talk about what that is because it seems   to when I interviewed other people at tell us it  seems to be something that's ongoing. Yeah we've   seen we saw a rise in that last quarter um it's  it's not a new threat it's a type of phishing   um where an actor will pose as um a legitimate  person and try to trick the user um into sending   them money or transferring funds in some sort of  way so there's a financial component there but   it's heavily um reliant on social engineering and  sort of tricking the user and so when a user gets   access to a valid account and steals an identity  and they want to carry out a BEC attack it's much   more believable right because it's being sent  from um an actual like Corporate email account   or from someone you think you know um asking you  um you know to move money around or to do any sort   of nefarious activity. What about Vishing or like  you know where they rather than phishing like the   cell phones cuz I'm assuming that's a big thing  as well. Yeah we've seen Vishing so Vishing for   those uh who aren't familiar that is phishing but  over the phone pretty much so your threat actor   is uh making a call to it's usually somebody in  HR and pretending to be someone they're not and   they trick that person into divulging um usually  like user credentials or something like that that   they can then use to access the network and we've  actually seen Vishing quite frequently in MFA uh   bypass attacks that'll be when an actor um will  you know call um an IT help person and pretend to   be um some sort of legitimate actor or perhaps  even the user themselves get that it person to   uh share the MFA log in credentials and then the  actor can then authenticate and then they can add   additional devices and and sort of kick off off  their operations from there so that's that's also   a very real thing uh threat that we're seeing in  terms of identity um as it relates to the MFA side   of the house. The one that comes to mind is like  the Las Vegas casino attacks which I think was  

last year sometime? Yes, yes I remember um seeing  that in the news and um you know that goes to show   how such a simple attack can affect you know um  a company or or an organization that you think   would probably be immune from that type of low  sophistication attack so that's a great example.   So I mean I've got to ask this Rachel Tobac who I  highly respect um did these uh demonstrations with   CNN where she was able to use a phone just to like  take over a reporter's account or the one I really   like is where she used AI to fake voice and she  phoned I think it was the secretary or personal   assistant of someone um at 60 minutes and was  able to get the passport details of that person   just by mimicking the voice so that seems to be a  big problem Kirsty with your you know background   in maths and you know AI stuff that you've be  looking at I mean this is a major nightmare?   Yeah it's interesting how really there's two  ends of the spectrum here we're still seeing   people get hammered by the most basic attacks  you know not having their basic cyber hygiene   the other end of the spectrum some threat actors  are turning to AI because their stakes are so high   and MFA bypass is quite a sophisticated thing at  this point they're really having to dig in and   find these different CTPs to be able to access  things I think phishing is quite sophisticated   and I would just caution organizations to make  sure that they are fixing the problems they have   so it's quite nice to say we're defending AI  attacks and those exist but they're not the   most common attacks and so you really need to  make sure that your your cyber security hygiene   is good enough that people are actually needing  to turn to AI to attack you in a way it's kind a   good position to be in it's obviously more ideal  it's just a whole new threat landscape now that   people have to work with. I saw Splunk have this  document and I'll link all of these below and I'm   glad you mentioned that because they in this  document about like AI it's you know reality   versus you know the anxiety people have and like  you just hit there like I mentioned there's people   are worried about AI because you see like Tom  Cruz being mimicked online and stuff but it   sounds like that isn't as common place right? I  mean I would still say people are worried about   AI phishing like phishing generated by AI but  in truth how do you how do you defend against   phishing at the moment you should educate your  users you should stop the mail ever getting to   them you should minimize the risks if they do  click the link you should create a reporting   culture so that they're rewarded for saying yeah  I made a mistake and now we're exposed right that   applies whether the phish came from a personal an  AI so there's always something about going back   to basics and of making sure your defenses are  robust at every level and it will help you against   AI for sure but also against this huge swing of attacks that we still see today. So I mean   let's let's talk about mistakes companies are  making so is not not looking after to the basics   right so do you have like top three mistakes or  something along those lines things that companies   are doing wrong and then you know what things  can they do better so either of you you know what   mistakes you seen companies making out there and  like what are the top three things that they can   perhaps do better? I would say like straight off  the back ransomware is still a problem still do   backups check your backups exercise regularly  put them somewhere not on the place we'll get   ransomware word right like just straight up  just do that that's my number one. Yeah and   I I think you know absolutely that's you know  you know you think about going back to security   fundamentals right and the the first thing that  comes to mind is Multi-factor Authentication   MFA like we we see so many cases of companies  and organizations that could have prevented   an attack if they had MFA deployed and some some  organizations will roll out um MFA partially but   it needs to be throughout your organization on  every endpoint on every system especially those   Network facing devices is huge and and secondly  um and this might sound obvious again but patching   patching patching patching we see you know so many  compromises it's still happening where actors are   exploiting known vulnerabilities um we know that  there's challenges to patching for organizations   you know um especially on those Network facing  devices perhaps they don't fall within the normal   patch Management schedule or patching might cause  downtime but as much as organizations can you know   you've got to have a a good patch management  strategy in place and that'll stop like a lot   of the the the attacks off the bat. I totally  agree and it goes to that point that yeah it's   great to say we need to defend against AI and zero  days but actually vulnerabilities that are years   of are still being used against organizations so  patching absolutely an MFA I couldn't agree more   I think we would have be having a very difficult  conversation today every organization needs MFA   throughout the organization. To Kirsty point  too about um user education I think that is  

so huge especially as we look at the data around  identity based attacks and how that's increasing   you know there's there's Security Solutions are  great um but you know to a large degree so much of   this really depends on the user um knowing how to  spot something that looks suspicious knowing what   the current um you know trends are out there in  terms of uh TTPs Tactics Techniques and Procedures   or TTPs um and that'll really help the you know  an average user um be that first line of defense   against a lot of those social engineering attacks  that that were happening. And actually to spin on   that when you have users that are willing and  excited to do security encourage them right so   if you spot something that is malicious towards  that user you reported a phish great you were   the first person to do that we give you a gift  card right how many more reports would you get   if that was the culture in your organization. Yeah  it's interesting in this Splunk report again human   beings are the common denominator right? Yeah I  mean well we said social engineering it preys on   fear, it preys on urgency these are human emotions  and psychologically when you you make a mistake at   work in any profession who sits there and says  yes that was me I I'm the add in the room it's   much more common to try and hunker down to try  to cover your mistake and we say yes you should   recort if you click a link but actually people  are embarrassed they're ashamed they don't think   they're going to be rewarded they think they're  going to be punished they may even think they'll   be fired so how can you encourage users to report  a phish all the time and consistently and quickly   because that will actually reduce your risk the  quicker you know about a problem the better you   can um advance your defenses respond to that  incident and you can contain any damage that's   been done so we need to think about human slide  bit in defense as well. I definitely agree being   able to self-report um is is key but there's so  many social engineering attacks where users don't   even know that they've been compromised we see  things like um adversary in the- Middle attacks   for instance where a user will be um redirected  to a malicious website and be asked to put in   their credentials to log in and they they they're  brought to a web page that looks like a regular   login page for say their bank or something like  that but it's not and the the URL might have like   one uh character that's slightly different it  might be a 1 instead of an L or something like   that and they don't notice it right and so they  they put in their credentials they hit click and   that's it I mean the then the threat actors got  the keys and so um it's one thing to self-report   I think is another thing to just be aware of  like at a very high level at least what threat   actors are doing um to just just be a little bit  more judicious I think in kind of your day-to-day   activities. Yeah so my next question was going  to be okay how do we solve it right you can't   blame the users like you've just said uh is it MFA  what what what are the solutions what do companies   need to do? I think the discussion here is you  know just underscores it's it's both right um   there's we have so much data from our incident  response engagements to back up the the the   problem that is lack of MFA misconfigured MFA um  valid accounts and identity based attacks as the   um initial access vectors and those are all um you  know a lot of that patching um can be on like the   technical and sort of security side of the house  um but but there's also of course this um user   education component that is essential to spotting  at least some of those social engineering attacks   so I do think it's it's um a mix of both. If I was  going to look at really the big picture I might   think in the ecosystem how we fix it right as big  cyber security Community could we demand better   things of our UIs so that when I access something  in a browser it will tell me oh this is a new site   you know this isn't a site you've visited before  something like that right there have to be um   Advanced systemic places where this is easier for  users as well so there's really a lot of places it   could change everything Kendall said of stuff we  can do today and we should be doing today. Yeah I  

think I mean push back from the audience right  um because I'm going to play devil's advocate   here talking about backups is terribly boring and  it's the stuff you've been saying in the cyber   security Community for the last 20 years so is it  just the same old boring stuff we have to get the   basics right? I'm bored of saying it if it helps  if you're bored of hearing it bored of saying it.   We wrote a while ago um a blog or something and  and part of the title was like what's what's old   is new yeah right like the the same things that  work for threat actors they're gonna keep doing   those um those same techniques and so um you know  we're often looking for like new trends to report   out and um sort of interesting findings to flag  but you know the truth is a lot of it is you know   things stay the same because as long as this is  you know continues to be effective for the threat   actor there's really no reason for them to change  it up. So we need to get better at storytelling   I think as a community like you say Kender about  taking something what's the impact of that thing   happening let's put meat on the bones make it much  less dry much more interesting for people. I find  

it like on YouTube just as an analogy get a  lot of push back when I show like hacks but   it's like if you can show people what's possible  and how easy it is to do these hacks it really   hammers at home I think sometimes the community  that shows these kinds of stuff ethically and   teaching educating people through like a cool demo  hopefully drives at home right? Yeah absolutely.   Kendall you mentioned MFA a few times but MFA  fatigue is a big problem I did a video recently   where I was talking about this UK teenager he was  in a hotel just up the road from where I am and he   hacked Rockstar Games um bunch of companies  just through MFA fatigue so that is a problem.   Yeah absolutely we're seeing that in our data  as well um in incident response engagements   that's definitely one of the ways that actors  are you know circumventing MFA um so for folks   that aren't familiar that you know when you you  have your mobile device you go to log to um your   secure network or your your work um email or what  what have you and you get a push notification to   your device so MFA fatigue is when a threat actor  will flood your device with MFA requests in hopes   that eventually you'll be like oh well that that  must be a real one let me just accept it right   so you're fatigued by the number of requests  so that's a tough one that's a tough one to um   defend against I think again the Kirsty's point  that might be a self-reporting uh situation you   know having that awareness to say this is weird  I'm you know I got all these requests I wasn't   even trying to log in you know let me let me level  that up to somebody um but you're absolutely right   David that's that's something we're definitely  seeing um in the data. It's already raising the   bar though for an attacker you know instead of  just having nothing there because there's no MFA   now they have to do another state another stage  in the attack right add something else they have   to fatigue somebody into accepting the MFA request  so that's already raising the bar and that's the   thing none of these solutions of silver bullets  it's not going to fix every attack ever it's   just going to make things harder and why not make  things harder why not make you less of a valuable   target it's I have MFA and Kendall doesn't  who are you going to attack right it's it's   just about raising the bar so that it's harder for  everyone to to get attacked in. Yeah I love that   analogy I mean it's um it's like physical home  security it's horrible to say this but I mean   I think just generally you want to make sure your  security is better than your neighbors right? I I   think the same you know line of thinking goes with  patching it's it's not exciting to talk about it's   kind of boring but you know in if you if you take  Kirsty's example you know a thread actor that sees   unknown vulnerability as patched they're probably  going to pivot to a different organization that   doesn't have that patch because it's easier right  so it's just that sort of first line of defense um   sort of deter them when you can. I'm going to  have to push you on this because I know we're   talking about the basics but I think based on  the questions I received from the audience the   number one question was about AI so I got to  address this AI for hacking, AI for defenders,   in the report from Splunk I saw that you know AI  in the past the attackers had the advantage of AI   like writing emails, perhaps umm the Voice cloning  all that kind of stuff but it seems to people are   feeling that you know AI AI is more balanced now  so it's not just the attackers that are winning   but it still feels that way so you know what's  your take on AI for attackers versus Defenders   how's it going to change things so I'm just going  to open it up like AI changing the landscape,   also AI for jobs you know is it going to  take jobs away that kind of thing because you you've had a lot of you know background in AI  perhaps you can you know take you take this and   you know it's what is what is like hype versus  reality? Yeah there's so so much to answer here   so as you said AI for Defenders AI for hacking,  there's a third stream people forget about which   is securing AI itself so if you are using it  don't forget that's another supply software   supply chain issue that's another vendor you have  to manage potentially it's another attack surface   so don't forget about protecting your models  itself right and to do that a lot of it is good   software development practice just do a lot of  that stuff and you'll be pretty covered as Splunk   surge released some um research on applying OS top  10 to machine learning and AI workload so making   sure you can still protect that stuff itself  um on attackers versus Defenders who's winning   doesn't it feel like the attackers always winning  because they just have to be successful one time   just one time um so I see why people feel that  way I think in truth the winner will be whoever   uses it right so initially a lot of Defenders were  very hesitant to use it they didn't want to have   this kind of data exposure risk there was all this  kind of rumors about not being GDPR complied for   certain providers and um people didn't want to  expose their data think it's very reasonable but   attackers have no such ethics or concerns they can  use the tools as they like and so they did so as   we started um accepting more and more AI into our  workflows into our streams and with our analysts   we're seeing balance tool. You know we see this  in the threat landscape any new technology that  

comes out it's a race between threat actors and  Defenders um as to who's going to harness it sort   of first and best and we're seeing this with AI um  and and yeah it is a lot of the time this Doom and   Gloom reporting right about threat actors use AI  to do this or that and the the stories that aren't   reported out are what sort of how Defenders are  leveraging AI um you know and and there's a whole   range of ways that that we can and are doing  that um we can use AI to help with threat um   intelligence when you talk about you know um  extracting uh lists of IOC's from a report or   miter uh techniques from a report that can you  can then use to prioritize uh certain defenses   in your organization you know you can use AI to  help understand if a certain vulnerability has   been exploited, if so how frequently? if so in  what industries right and that can sort of help   your security organization prioritize where to  put their security resources I challenge folks   to kind think about how we can harness AI in the  security world and I think there's probably jobs   in that field that we don't even know about yet  right because we're still figuring out figuring   it out as we go um but I think you know that  that's certainly a trend we see um in this space   I mean you look at one of the things that came to  mind was QR codes yeah you know there's been this   rise in actors using um phishing campaigns with QR  codes that require users to like scan the QR code   and then it redirects them to a malicious page  that was a new technology right yeah well now   we have um uh email detections that can catch QR  code phishing emails right and using um the same   technology to kind of bolster our defenses so when  any sort of new technology comes on to the market   um it's going to be this case of you know good  guys and bad guys trying to leverage it um but   I think there's definitely opportunities as as  Kirsty laid out for Defenders to take advantage   of it as well. Because I mean this this was a  thread in the questions um and I'll just like   kind of summarize know where where do you see  network security shifting in the next 5 to 10   years with regards to AI capabilities and machine  learning but also like the big one is am I going   to be obsolete right so is it worth a question I  often get on YouTube is is it worth getting into   cyber security if I you know if I'm younger or  just want to get into this industry because in   5 to 10 years I won't have a job? oh you'll have  a job you'll always in my view it's it's one of   those things you'll always have something to do  what you do will change I think you know maybe   today maybe we'll look back in 10 years time and  go how funny people were still being ransomwared we thank goodness we've got past that now you  know may maybe the job will change but I would   say what that means is instead of learning a  particular coding language or a particular set   of um techniques or something the best thing you  can do is prioritize adaptability because the job   today is not the same job it was 10 years ago  and it will not be the same job in 10 year of   time so yes you could learn prompt engineering  but people who are working in the stock today   and and joined 10 years ago they didn't know  prompt engineering they've had to learn it and   they can because they're adaptable they're curious  they're open and they're humble so those are the   things you should be prioritizing in terms of  soft skills and that will make you successful   in cyber security. Yeah I I agree and I you know I  this might sound sort of you know um idealistic or   or you know uh fantastical or whatever but I just  feel like the the job that you know uh if somebody   listening who's a teenager or in their um you  know about to start college or something like   that I just feel like the job that you are going  to have in 10 years is a job you don't even   know exists right now or that you're not even  tracking it's not even on your radar somebody   said hey what do you want to be when you grow  up like that probably isn't even entering your   consciousness because you don't know that it's  even a possibility and so you know I think that   plays to Kirsty's point around being adaptable and  I think too if you can lean into the things that   you're good at like yes um infosec uh fundamentals  are important you know coding programming that'll   definitely give you a leg up but think about  you know what you're passionate about and what   your skills are maybe that's communication maybe  that's strategic thinking maybe that's I don't   know like taking things apart and putting them  back together whatever that is that can probably   be translated into the security world and that's  certainly what I did I didn't have a technical   background um but I found this thing that I was  good at which was you know um sort of looking   at seemingly desperate pieces of information and  trying to make um you know more strategic meaning   out of it and and thinking in an analytical way  and um now I'm I'm a bit of a unicorn um honestly   on my team everybody's highly Technical and and  and I'm kind of um looking at things through a   different lens and so that's not something that I  you know anticipated doing uh when I was younger   right but yeah um you know through sort of finding  my passion I was able to sort of relate that to   the field and so I think as we as we look at what  what's happening in the field year-over-year you   know get get get those um infosec fundamentals  down sure you know do your trainings but you   know if if there's other soft skills that you're  good at or that that you like you know there's   probably a way to leverage those as well in  the field. I love this I mean we've already   got into this conversation but I I'll I'll ask the  question anyway if you spoke to your younger self   what would you advise? I guess for me I like I I  would probably say Kendall take some programming   and coding classes because I entered the you know  cyber security world I guess proba I mean there   are a lot of former Intel folks I work with but  a lot of them did do technical work um in their   previous careers I did not um and so you know  I but but I like threat hunting I like hunting   the bad guys I like um looking at trends I like um  you know leveling up um things that are important   for executives and and companies and just really  taking that high level strategic vantage point so   I've had to kind of like hone my technical skills  um you know on the run as I've been here over the   last seven years and I've done that so I I mean  for me if I had known I was going into cyber 100%   like beefed up my my technical skills a bit  more um but that's probably opposite than a   lot of folks that may be watching. I mean I think  it's a good point but I probably would say you're   technical enough like to everyone right like  I think if I could tell my younger self I'd   be like you know you're technical enough like yes  you don't know every programming language in the   world no one does right yes you can code someone  else doesn't mean anything actually like you're   technical enough to do the job right and and I  think anything you don't know you can learn it's   really not about knowledge it's much more about  skills so I think probably that would be the   message I would take that you only have to really  study something it could be an attack it could be   a TTP it could be one actor if you really went  for it and you did nothing but that for a month   you would probably be one of the global experts  at it right because there's so much there just   so much that it's very rare for somebody to have  the time to specialize in that thing so really it   doesn't take long for you to become a true expert  in something if you're dedicated and if you're   looking at it so pick what that thing is what  you would like like to do and hone in on that   but really it's about skills not knowledge because  knowledge ages off and skills are ever green so   try to prioritize the kind of things you want  to do rather than the things you want to know.  

Yeah and I would say I would say two other things  that aren't specific to any particular fields that   come to mind first one is internships I think  internships can really set somebody apart in   the interview process not only does it give you a  chance to sort of test the waters and see what you   like you know it's it's one thing to have a list  of skills on your resume on paper but to actually   have an experience where you put those skills  into practice and then you can talk about that   in an interview I think um is just like incredibly  valuable and the second thing and I learned this   a little bit later in my career but the value of  networking yeah and I think I think that that's   something that a lot of folks in this field shy  away from because a lot of us are introverts   myself included and it wasn't until like later  in my career that I really understood the value   of you know um how relationships can help you in  your career um and so I would encourage folks to   as much as you can you know push yourself outside  your social comfort zone to make those connections   um you know in college professionally with your  colleagues because you never know down the road   where you might want to call on them to you  know refer you to a job or um they might have   you in mind when something comes up um you just  never know know so I think I think that that's   definitely something I'd pass along too. I totally  agree on both those I think as well sometimes I've   heard people say I can't get an internship so I'm  stuck you know I'm stuck I applied for things I   can't get there so don't let that hold you back  you know the question I always used to ask in   interviews this what's the most complex technical  project you've ever done and it doesn't matter if   that's in an internship in your University degree  just at home right if you get a raspberry pie   and you decide you're going to ping some API and  you're going to line up an LED screen in a certain   way depending on the temperature that day cool  right tell me how you did that what you really   if you're enthusiastic you can do quite a lot as  a hobbyist you don't need to wait for a job to   do that we have a lot of resources that are openly  available and of course it takes time you know but   if you've got time and really are passionate about  getting in the field make your rail projects do   something you want to do what what is annoying you  I had a friend who um every day used to leave the   house and he would be checking on his phone when  the train was if it was delayed and he check the   weather so he knew if he had to take an umbrella  or if he if he was overdrafted and going to be   really sweating on the train whatever it was and  he was like you know what this is insane I'm going   to start projecting that on a screen so not only  can I see it my partner can see it and halfway   through the day it flips so that they knew when  he was going to be coming home if the train was   going to be delayed etc etc what a cool project  and no one told him to do it he just thought you   know what I could do this I'll just poke around  I'll learn some stuff the way fantastic what a   great project done. I'm not sure if it's possible  to answer this but I'm assuming both of you have   have have hired people or interviewed people so  I'd like to get your like input you know from the   other side what do you what what makes a candidate  stand out like um cause you mentioned like the   Raspberry Pi example I mean stuff like that I  you know make someone look different to say all   the other candidates but there any sort of tips  and tricks you can give to someone to you know   get ahead? So what I'm actually really looking  for is curiosity and passion and those are the   two things so if you have 10 coding languages or  you have zero I don't really mind I'm looking for   this kind of aptitude this curiosity to learn more  and a passion for doing so so there's obviously a   natural bit of aptitude how coding works logical  flows things like that but I don't really usually   care if you've got this language or that language  so I would say try to think more about why you're   interested in the subject you know a great  question led to ask on interviews is how does   internet work everyone has some understanding of  how the internet works right even even someone   incredibly in technical go I connect to the Wi-Fi  and then I to a browser and the internet is there   and and you can just Pro like how much further  can you go what what happens when you connect to   the Wi-Fi where does that go and sometimes people  say it's just the internet's just in the Wi-Fi box   you're like but where does it go and they're  like no just back to your phone yeah so they   really think the entire internet is on the Wi-Fi  router and that tolds me a lot right they don't   have this kind of attitude they've never been  curious about learning more it's questions like   that that are very open-ended I think make the  best interview questions because I'm not looking   for a laundry list have you done this yes no it  that's kind of boring to me what I want to know   is are you interested are you passionate are you  curious do you have an attitude even if you don't   know exactly how the internet's working can you  figure it out it's the worldwide where there's a   clue you know so that that's the kind of thing I  would always ask in an interview. yeah I I love   that I I certainly ask like a lot of um sort of  problem solving type questions right like but but   I think I think one of the things I'm looking for  when I interview people is um how can they tell a   narrative about like regardless of what question  they're answering can they can they uh form an   argument can they have evidence that backs that  up and are they are they communicating to me in   a way where I can easily identify like what their  main takeaway is yeah what is the what is the key   part of their answer that they're trying to tell  me um and does their supporting evidence um make   a case for that and that tells me a lot about  not only how they can communicate but probably   how how they can write but most importantly how  do they perceive the information in front of them   what what skills do they have to identify what  the most important things are um what is kind of   minutia and then are they able to tell me kind  of what the impact of that is and you know we   talked earlier about how communicating in that way  can be so important today because so much of the   security guidance is um often the same right yeah  and I think a a very important part of our work   is being able to communicate and I think a lot of  that gets lost and I think you know you look at a   lot of the security trainings that are available  today there's not a whole lot um that's available   in the realm of like strategic thinking and  intelligence analysis and you know communicating   to non-technical audiences and I think to the  extent that somebody can come off you know really   polished um in an interview that just goes so far  in this field you know so just practice get get in   front of a mirror or you know as you're driving  in the car just just practice practice practice   talking through those answers but I'll tell you I  mean you can come across really sharp if you can   if you can just you know get your point across  couple ticks of evidence um and I think that   really goes a long way. Kirsty you've got the  math background and you've done a lot of work  

in this field I need to ask you there's this  fear again that all encryption is going to be   broken very soon like AES is going to die all the  rest of it you know because of quantum computer   so perhaps you can talk to that you know is it is  it true you know do we have to worry about Quantum   Computing how's the world going to change when is  it going to change again open-ended question. Yeah   fantastic so I actually wrote three blogs about  this um which I'm sure we can share around why   Quantum Computing is like fairy tales so first  question is you know is it the emperor's new   clothes does it really exist this threat and as  far as I remember the quantum Computing threat has   always been about 15 years away and it's been like  that for the last 30 years so a nice healthy dose   of realism here it's not going to happen tomorrow  we're going to have quite a bit of lead time up   to when it does happen but that's not to say  you shouldn't prepare for the possibility of an   eventual threat so the advice I always give is in  the case that quantum computer exists it will not   break um as is not the thing to worry about RSA  and Diffie-Hellman public key exchanges those are   things to worry about first then signatures why in  that order because signatures I care about at the   point of verification I don't actually care about  that um at Point side so we need to make sure that   the exchange that's happening key exchange that is  protected so that's the first thing people should   prioritize then signatures and then other kind  of block ciphers like AES um C so it's not the   case even that all encryption has gone it's  just a very few parts it um and so yeah when   you're making your plan make sure that you are  creating an asset inventory so you know what you   have to migrate and the order you should migrate  in as well think about the data because you need   that data to stay secret for a certain amount time  lots of data it doesn't matter today that it's not   encrypted in a postquantum way in a Quantum safe  cryptography it doesn't actually matter because   by the time a quantum computer arrives that data  is obsolete it's no I'll get de readed them so a   data teering strategy is very important um making  sure you know your assets is very important and   all of this is in the blog but um you know in  a hilarious way it's about The Boy Who Cried   Quantum Wolf you know the story kept saying it's  coming it's coming and then when it did come no   one believed him so I think as an industry we have  to be quite careful that we're not overhyping with   threats either we're not under hyping it either  and then the final blog that I wrote was about   Goldilocks and how you know her porridge was too  hot too cold and there was just right and a just   right time to migrate to Quantum cryptography so  you don't want to be too fast because you'll be   uh you won't be interoperable and possibly you'll  be moving to something with a poor implementation   something has been robustly tested nor do you  want to be too late so that you're vulnerable   to the threat you want to make just right um and  so the just right time is not yet I think you it   still be too soon um and for the large majority  of organizations that would be the case there are   some very particular use cases where you should  be thinking about um moving quite soon um but in   any case you should be making an asset inventry  it's good security practice anyway if you don't   know the assets you have in your organization  how can you protect them so that just helps you   and additionally help you the quantum to track  as well. When you say that we need to prepare   for this let's say I want to start now what do I  what does that actually mean? So you have to look   at all data you've got and decide for how long  you want it to remain secret and if the answer   is um you know 100 years then okay you should  be thinking about it if the answer is you know   after a week I delete that data that's probably  not your priority for migrating to the quantum   threat right if um if an adversary attacks your  data that is encrypted with classical cryptography   there's this store decrypt there's this store  and decrypt system where they have to save off   all of your data for a later date to decrypt  at a later date when a Quantum is available   so it's not an a minor adversary it's quite a  sophisticated adversary with lots of resources   that would be doing this so think about if you are  in that target group if you would be targeted by a   large um sophisticated adversary think about the  data you have if you need it to remain secret for   many many years or if actually you're deleting  that data anyway after a week don't migrate that   system first right so look at all the data you  have think about things that will age off you   know if you're replacing that legacy system in  the next year don't prioritize that for a Quantum   migration so that's what it means it means look  at all the things you have the system the data   and make an ordered list a priority of migration  make sure you know who those data owners are make   sure you know who's responsible and once you've  got that then start thinking about the types of   cryptography you're going to need to move to all  of the algorithms that have been standardized have   different properties they're larger or smaller  key sizes for example and think about what's most   appropriate for your use case but today I mean  there aren't robust implementations that exist all   of these it takes time for the ecosystem to build  up we have now the standards from NIST that's   quite recent and quite new but we still don't  have implementations in protocols for example   that's still being developed so we have to think  about um what's an appropriate time to migrate   and it's not yet you can certainly get yourself  prepared and ready. If let's I've got this hard   disk that I want to keep uh secret for 20 years  cuz it's my um my photo of my cat or whatever but   I need to keep it secret do I encrypt that with  like like RSA what do what do what do I need to   do today is it like for the quantum like change  or is it like still like just know what I need to   encrypt and then wait? Yeah so if you think um a  sophisticated adversary would store your data to   then decrypt it at a later date you should now be  thinking about the quantum cryptography you would   use to protect the key exchange and and make sure  whether you're using RSA or Diffie-Hellman that   you can change the cryptography being used for  that the cryptographic algorithm and use the new   postquantum standard. Kirsty do you think Quantum  Protocols are coming anytime soon um it it sounds  

like you said the 15-year thing? They're already  here so technically if you've got a pre-shared key   in your um so Iike version one is quantum safe  actually so adding a pre-shared key makes you   Quantum safe um work has been done in the ITF to  prepare protocols for these larger cryptographic   um artifacts so bigger key sizes bigger  certificates so it's already being worked on   in Iike for example they've already published RSA's  to deal with message fragmentation and handling   larger cryptographic artifacts that come from post  post quantum cryptography but um work is ongoing still   say in TS group to work out how you can create  hybrid in a reliable consistent and secure way   and once those structures have been created then  the um cryptographic algorithms can be dropped in   combined as as needed as a slightly different  process on the side but the work is ongoing in   the ITF. I'm glad you said that because I mean I  think the that you know there's this concern that   Quantum is going to break everything that we have  today so you're saying that that's not true right   some of the stuff's already uh going to be safe  against Quantum? Yeah it's being worked on right   now anything that or used as a pre-shared key  that's actually quality and safe um ironically an   Ike version one but now it's been added to other  protocols as well is taken out of tabs in exactly   this reason so we have um some protections if people are  very concerned that they can put in today using   a pre-shared key so it's interesting that's not it  is postquantum cryptography but it's not using the   algorithm and standardized. Some of the stuff you shared  now I didn't know and I'm sure a lot of people   didn't know um do you have a like a place where we  can go to like see like the updates like the IKE   thing and you know how it seems like crazy that a  pre-shared key can save me from quantum computers   that doesn't seem to make sense but you know  that's just like me saying random things is there   a place we can go where you can actually see you  know what's happening? Yeah absolutely so the ITF um has   many protocols many groups working on different  things so they created one Central Group which is   called pquip. The pquip and that's a working group  that collates together all of the updates that  

are happening across the ITF so there's work  ongoing in the co protocol in TLS in IKE where   Engineers are working to integrate Quantum  structures and make sure that these protocols can   support the carrying of quantum artifacts  the keys are much larger certificates may   much larger so making sure that their protocols  can support that and all of those updates they're   on and a page we can link GitHub you will see each  of the drafts each of the um finished RFC's as   well and they're all cataloged there um so it's  a really good resource. Yeah I mean that's great   because I mean I think the concern is Diffie-Hellman is out the window RSA is out of the window all our   pre-shared keys sorry all our public and private keys  are out of the window IKE's out of the window but   it sounds like that's not that fear is is maybe  greater than people you know it's it's maybe just   fud really it's it it's already been worked  on? Yes yeah it's already been worked on and I   mean the next competition or process I can't remember  when it started but it was a long time ago and for   a long time cryptographers have been thinking  about this they've been doing lots of research   lots of testing lots of implementation and in the  ITF as early as 2019 there was a proposition in   the ITF to combine um classical and Quantum  cryptography into a sort of hybrid structure   so that even if the classical cryptography  is broken you are protected by the quantum   and vice versa so that was really helpful during  this period of transition while the algorithms   being tested there's a lot of rigor gone into  the process and some uh Quantum algorithms were   very famously broken quite publicly quite late  in the process but that's the beauty of having   this kind of transitional period where people can  feel that their data is still secured in either   case um and then as we come closer to the kind  of now it's been standardized now the protocol   work has been done there's a lot still ongoing  lots of discussion and a lot of bright people   working on it but once the standards exist in the  ITF we'll start to see um software libraries um   open cell and different open source libraries  browsers starting to adopt those new protocols   so I think don't panic and definitely don't roll  your own don't Implement your own code use these   big well understood libraries um and make sure  that you are keeping up to date with these um   updates and watching the IRTF RFC stream because  that's really the place to go from the most   up to-date um developments in protocols and content  cryptography. So Kirsty does is this like are there   real algorithms that exist and can you mention  some of them or you know tell us you know because   I know RSA I know AES but you know what are these  Quantum algorithms what are they called? I know I   was just gonna say there they're all named after  Star Wars and I only found this out quite late   because I'm not a Star Wars fan but originally  the there was New Hope back in 2015 If You're a   Star Wars fan can you're just not encouraging me  so I know that I'm on the right track um and then   we have crystals dilithium and crystals kyber  so they're the names of two of the algorithms   they're now called fits 205 you know it's not  not as exciting but when they were going through   development um there Sphincs blasts and Falcon  and so so far we've had one key encapsulation   mechanism standardized and three digital signature  algorithms standardized um and they use different   underlying um cryptography so RSA is based on  large primes and the difficulty of factorizing   um when two primes are multiplied together it's  very easy but it's very hard to factorize a very   large modulus when there two large primes are  the only factors that's the underlying hard   problem the underlying hard problem um involves  a different type of mathematics that is resistant   to attack or um it is based cryptography that's what  um the key encapsulation mechanism is based on   so these different underlying hard problems are  incredibly difficult for a Quantum user um and   a classical user whereas factorizing a large  modulus is takes seconds for a theoretical quantum   computer so that's the the difference between  the algorithms and the underlying hard problems   that they're based on. So Kirsty I've heard quite a  bit about Quantum from different experts I'm glad   that you've you you've made the point that like  don't cry wolf because you know that seems to   happen a lot with technologies so just start  getting prepared for it so I suppose the the   first thing is where can people goes is your  blog articles are a great place to start right?   Yeah definitely so the three blogs are available on  Splunk and they cover if the threat is real if you   know that the threat applies to you and how you  can decide the right times

2024-10-29 17:47

Show Video

Other news