Cybersecurity: Amplified And Intensified

Episode 25 - Threat Intelligence with John Wetzel of Recorded Future.

August 16, 2021 Shiva Maharaj/John Wetzel

John Wetzel is currently the Director of Intelligence Solutions at Recorded Future.

John is an experienced security intelligence leader building strategic, global teams. He is a hands-on technical leader passionately merging technical, business and product knowledge to achieve strategic business outcomes, and a strong communicator from boards of directors and the C-suite to practitioners. Previously a DOD counterintelligence and compliance officer (NISPOM, ITAR, EAR) with strong relationships to federal law enforcement.

Writer and speaker on cyber threat intelligence applications and insider threat programs at SANS CTI Summit and Kaspersky SAS 2019; Predict host and trainer 2016-2020. Co-author of The Security Intelligence Handbook (available on Amazon).

John Wetzel
https://www.linkedin.com/in/johnawetzel
https://recordedfuture.com
https://twitter.com/johnwetzel

Eric Taylor
https://www.linkedin.com/in/ransomware/
https://twitter.com/barricadecyber
https://www.barricadecyber.com

Shiva Maharaj
https://www.linkedin.com/in/shivamaharaj
https://twitter.com/kontinuummsp
https://www.kontinuum.com/


BARRICADE CYBER
Ransomware Remediation Services, Incident Response and Penetration Testing.

KONTINUUM
IT support that's actually supportive.

FASTMAIL
Your data is for you, no one else. That includes your email, calendars, contacts, notes, and files!

Shiva Maharaj:

Good morning, welcome to another episode of Cybersecurity: Amplified and Intensified. We have with us today John Wetzel of Recorded Future. Hey, John, how's it going? Hello. So to get started, do you want to give us a little background info on you, as well as what is Recorded Future, and what do you guys do over there?

John Wetzel:

Sure. So I, like he said, I work at Recorded Future. We are an intelligence company; basically, we are experts in data and intelligence, and we're trying to provide these types of services to security teams out there. I think a lot of times, when you're in a security team, you're looking at your attack surface, or you're looking at your internal processes, and you're like, hey, we need this cyber threat intelligence data in here. And I think that does a couple things. One is you have this conception of, how are we going to make ourselves better? We're going to give ourselves all this data. And that's not usually the way to solve almost any problem, because you're going to get very quickly into information overload. So what we try to do is provide a level of what the right data is. We provide real scoring around IPs and context that you can actually see: all right, not just that it's a ransomware C2 somewhere, but what's involved, what's the history, what do we need to know about it, that kind of at-a-glance view. I'm currently the Director of Intelligence Solutions there, which means I do a little bit of stuff like this, a little bit of going out and basically trying to help educate clients and users about how do we actually apply intelligence in ways that make sense in their environment. I think it's been a really interesting journey. I've been there for about five and a half years now, as we've kind of gradually made more inroads as an industry in figuring out, how do we actually use intelligence in the right way to solve the kind of information security crisis we're currently in?

Shiva Maharaj:

Okay, and what's your background? How did you end up at Recorded Future?

John Wetzel:

A long and winding one. If you go back far enough, you'll find out that I actually went to Michigan State for piano performance, and then I shifted out of that into restaurants, then went to work at the world of a story as a certified sommelier, which is just a professional drinker. And then it was 2008, and, you know, their biggest clients were all places that kind of don't exist anymore. So during that time that I paid for school, I'd gone to Iraq a couple times to be a kind of intelligence agent. So I worked in Iraq, went to the country there, had some actually fairly delicious food. Then I came back, went back over again in '09, '10, and then spent five years, actually six years, working with the Department of Defense doing counterintelligence. Then I made a shift over to Recorded Future, which kind of makes sense, right? Like, it's an intelligence company at a startup; it's a different environment. Unlike the massive DoD machine, you can actually have impact, which is great. And then on this wild ride since.

Shiva Maharaj:

So I guess, with that history of yours, what do you think is a real threat that we're seeing these days in terms of security and cybersecurity?

John Wetzel:

I think one of the big threats that we're seeing is this thing that actually started out in a really good place. You have this enablement of individuals to basically do so much that has huge impact on organizations and society. And it sounds like a really, really great thing; like, there is probably no better time than today to get into cybersecurity. I was reading a comment on Twitter about the recent Black Hat and some of the presentations there, and I had the same thought: the quality of researchers that are out there is just so much better than what I grew up with and what I think you've ever seen out there. There's amazing, technically detailed, really thorough research happening. You have people that are mainly just, like, hackers from back in the day that now are learning to dive deeply into it and really understand the data that they have there. I think the counterpoint to that is that adversaries are as well. Now, as a malicious actor, I have more capability to cause real-world impact and damage than I think at any other point in history as well. And you're starting to see this, and it doesn't just have to be people that came up through a nation state or got the training or education there, or are backed by big organizations; as individuals you can have an outsized impact on security teams and on these organizations. And it leads to this really hard-to-map world where we don't just have kind of one attack surface and big adversaries that you can track and, you know, keep everything straight. You have a lot of really qualified adversaries who work with a variety of tools in different ways, and that is probably hard to block, let alone to even try and identify and capture.

Shiva Maharaj:

Do you think that ransomware is the real threat? Or is that just the end result of data exfiltration and other intelligence gathering operations?

John Wetzel:

I think that you still have two kind of basic threats, right? You have one that's monetized, and then you have one where information is the goal. I think that you have to think of both. I think ransomware is just the latest monetization, and it happens to be a very successful one for adversaries, where they're just trying to figure out, like, how do we keep raising revenues? How do we keep identifying it? I think, you know, in almost a perverse way, like we've talked about in a previous podcast about vendor responsibilities, in a perverse way you can almost say that the malicious actors, in an economic sense, and this is in no way justifying their actions, are almost taking advantage of the investment that wasn't made prior in securing software, in securing networks and enterprises. And, you know, essentially, they're forcing payment on the economy, because it's such a huge and dangerous threat there that they're taking advantage of that and being really, really successful at it.

Shiva Maharaj:

You know, speaking of that previous podcast that we did together over at, I think, Rocket MSSP, with a great group of guys, you foresaw or foretold the Conti and LockBit uptick, which I think everyone's living through right now, and most recently Accenture, who's probably number one in the world in what they do just by scale, and probably the depth of their bench. How long have you guys been tracking this potential uptick, if you can discuss something like that, for Conti and LockBit 2.0?

John Wetzel:

So we track those types of actors all the time. And I think it's really critical, not just from a vendor space, just from the security space, to really understand how those markets have evolved and shifted. It is not uncommon to see actors emerge, and then change and shift and grow. And so it's important, if you have the resources, to be able to kind of understand that. So almost as soon as they're advertised, as soon as they're out there, we're watching it, and some of it comes from earlier evolutions. Now, you see a lot of change in, like, access brokers. Some of that came from the Emotet shutdowns earlier on in, like, January, which seems like a lifetime ago. But you saw a lot of change-up and shake-up in that market as well. So we've basically been looking at it. One of our ransomware experts is Allan Liska. He looks at this stuff all the time, probably since, I think, 2016, 2017, and has been really just forecasting how bad this was going to get.

Shiva Maharaj:

What have you guys been seeing in regards to the old guys like DarkSide, REvil, who went on to... I know Recorded Future recently did an interview with some reps from DarkSide. Yeah, I'm sorry, BlackMatter.

John Wetzel:

BlackMatter? Yeah. I think you're still seeing a lot of the pattern repeat. You know, I talked about watching these actors and watching the space evolve; like, you see BlackMatter kind of referring back to DarkSide, which really got its origins as well from, you know, previous scripts. REvil was really just a rehash of, you know, the previous GandCrab. So these groups don't necessarily disappear, and they're a lot more analogous than you might think they are. It's not just, like, one group. There's usually authors, there's affiliates, there's access brokers; all of these are different teams, all these different individuals, and they can shift between kind of the rock stars in their group, right? Like some of the lead actors. Like, REvil was notorious for having a little bit more locked-down kind of affiliate-type base that were there pushing out, kind of, this is our gospel, and you can join our wagon to make money. But I think you're starting to see some interesting shifts happening in the landscape, where people are coming to more recognition that affiliates are kind of free trading; they're really willing to shift between what ransomware and what monetization factor they're using. They're going between actual ransoming to extortion. And then you see kind of the learning curve as they're coming up. Like, I know a lot of it's been around, like, you know, some people are questioning LockBit's credibility, because they're trying to leak stuff and it looks like it took a couple days. And then they have information for Accenture out there, but it's really, really slow and really, really painful. But some of that is by design as well, like extortion sites in particular. Most of them are really bad, most of them are really slow; they don't want to give out a lot of data.
They want to cause the fear and uncertainty of having that data out there. It gives them more time to negotiate with the organization, more time for them to be able to actually get the big payout. Otherwise, they're just giving away information for free, so they don't really staff and serve it up well.

Shiva Maharaj:

Gotcha. One of the articles I've been reading, and I'm trying to get my hands on the report, is one the Insikt Group just put out. Can you go into a little detail about what those guys do?

John Wetzel:

Sure. We almost always make, at least eventually, some of those bigger private reports more open, while later on maybe not all of it. But we try to be generous to the community. The Insikt Group is our in-house research group. Insikt is actually a Swedish word for insight. And what they do is essentially what a lot of these other research teams do: we have a lot of data, we have a lot of information that we can't necessarily just pull into the machine, that we've used manual harvesting for. I think there's two ways that set the Insikt Group apart from your traditional research team. Most research teams are gonna go out there, they have a treasure trove of data, whether it's from antivirus software or from some other type of organization; they pull it in, they process it, and they're kind of looking at it for, like, hey, this machine couldn't process this, we need a human to really take a look at it. Insikt does the same. But one of the things that sets them apart is that they will tune it and use it to identify new sources and drive it back into our core product. So they author reports; we obviously have reports that you can purchase if you're a client, and we do public-facing reports. Some of the recent ones came out regarding China's attacks in India. We have reports around, like, Conti ransomware that have come out there. We conduct interviews with actors on more of the media side, that's kind of the Chinese wall over on The Record. But then we also have a lot of really detailed daily reports that come out for our clients about, like, what's happening in the world, what do you really need to be paying attention to, what can you focus on today? And then thinking about that, that shifting in:
how do we actually source the right things in the right ways to get them in the hands of our clients to make their lives a little bit better? Because you don't always just want to have... let's be honest, all of us are kind of done reading, like, incredibly long, incredibly late reports. Sometimes you just need, like, show me the information that I need right now. I got a report, just let me dump the IOCs and go hunting with it. Let me get the YARA rule that you crafted off of it; I can tear it apart, then, you know, build my own for signature detection. And so we try to provide kind of that full-scale service there.

Shiva Maharaj:

So in regard to the Insikt Group, you guys just put out the China digital colonization report. Is that something we can talk about? Sure. That's been a concern of mine over the last 15 years. I grew up in the Caribbean, so I am intimately aware of how China has been coming in with technology to take over everything. So what do you guys see there?

John Wetzel:

So that report was written by a good friend of mine, Charity. She has this wealth of experience of being able to dig up, you know, kind of where China has been carefully and strategically implanting itself globally. And I want to kind of draw this interesting divide there, because, like, I guess, you know, I'm of Asian descent, it's important to me to kind of separate out: when we're talking about China, we're not talking about the people, the history, that stuff. We're really talking about a particular government, the way a particular nation tries to flex influence globally. When you're looking at this idea of digital colonization, really where they've been crafty is thinking about how to apply soft power in a semi-kinetic or more aggressive fashion than we've previously seen. They've done it through technology; they've done it through kind of the technology advantage that they both have had inherent, in that they are far more willing to kind of exploit their environment, you know, almost Industrial Age type of thing, and also willing to leverage the organizations that they have, as far as technology companies especially, to be able to kind of spread and proliferate this, you know, Chinese infrastructure. And we've seen it in countries globally. I think a lot of the geopolitical articles have been written around China's influence in, for example, Sub-Saharan Africa, but you see it in other areas as well. They really try to establish these regional spheres of influence while also having kind of a global telecommunications spread as well. It's scary because you're allowing one very tightly controlled, tightly knit, oligarchical type of organization, which really is what the CCP is, to be able to have a broader influence and flex than we've seen almost ever in the history of humankind, right?
Through the technology companies, through their approaches in academia, through their approaches in being able to, especially with technology infrastructure... You saw the US push back pretty hard against some of these areas there and say, like, look, this is a global threat to a free democracy, when you start having one organization that just has this much free will, that they control.

Shiva Maharaj:

But a lot of their technology companies are also tied to taking loans that are funded by China. And, you know, the US has a lot of sovereign debt loans from China. Are you familiar with Hudson Yards in New York City? Yeah, the infrastructure loan there was, I think, half a billion funded by the Chinese, one of the Chinese national banks. And a lot of these countries, especially in Africa, and I think to a certain degree in Australia, they were taking all the Huawei tech for telecom, undersea cabling, and it was all funded by China. So at a certain point, how do we stop that? How do we get around those kinds of threats, especially when we don't have manufacturing here?

John Wetzel:

Yep, I think there's a couple of different things that you can start to approach there. One, I think you have to start looking at global finance as a tool for freedom and democracy and not just as a tool for providing loans and payment. I'm less concerned about organizations in the United States accepting money from China. I know that sounds kind of perverse, but, like, hear me out: I'm less concerned about that than I am about other nations accepting it, because of the differences in scale and freedom. There are debt considerations that you take on when you take money from almost anywhere, and large organizations, especially in construction, have almost always taken international finance money. The US has, though, a lot more kind of structures around it, and as a lender you're taking on a lot more risk when you do that. And so the US is almost more sheltered today. Where I start getting really concerned is when you start seeing whole nations borrowing vast amounts of money, or huge portions of their economy coming under vast influence of one particular nation. I think, you know, one of the historic examples, coming from the Caribbean, has always been Haiti and their debt to France, and that still plagues them today. So for those of you who don't know, Haiti basically was the site of the only successful slave revolt, and they established their own country out of it. But the downside is that France kind of held these financial obligations: you have to pay us back for all of this land and all this thing. And that still hangs over them today and still hangs over their society. I think you worry about that same type of thing.
When you're looking at places like Sub-Saharan Africa, when you have societies that are so heavily indebted to one particular nation, one particular nation that has this control through their financial system, where you can always kind of see the state control direction behind that, to me that gets very concerning. Because now you're not just talking about, like, you know, oh, hey, they could take over this company, they could kind of disrupt this particular little area or city; now you're talking about, hey, they can push national policy and influence decision makers in ways that run counter to freedom, run counter to the best interest of the populace there.

Shiva Maharaj:

But that also ties in to getting access to natural resources.

John Wetzel:

It absolutely does. Sorry, go ahead. No, I think, like, that's gonna be... not just the pure natural resources to kind of keep funding our massive, like, you know, you can go on the consumerism debate there, but I think, really, the one that really scares me is water. And you start seeing access to water, access to oil, because although places like the United States are trying to push green energy (we're not doing super great at it, but we're still trying to have the investment in that), whereas, you see, other nations are still there; in order to really build their economy, they're really going to need fuel, they're still gonna need water. And those kinds of resources, as they become more constrained, are going to be really critical when you're building societies. And it worries me when you start to look at, like, we can either borrow money to do this massive water infrastructure project from, like, China, because that's the only place that's gonna loan it to us, and in exchange they kind of get free wheel to run in that country and do whatever they want and influence policymakers in ways that, you know, kind of give them regional access and control, or we can just not provide water to our people. And you don't really have a choice at that stage.

Shiva Maharaj:

But how do we combat that? You know, that's my question, right? Because now they have access to all the raw materials for chips. Our army is probably more technically advanced than it's ever been in the history of the United States. And how can we be confident that our gear is not compromised? I'm drawing a comparison here, and it's my favorite one: Supermicro is said to have had chips embedded by the MSS.

John Wetzel:

Sure, well, there's a couple facets to that that we should probably dive into. I think the broader question, like, how do you combat some of this stuff, is you need the global policy, and we need to come to some levels of agreement about kind of what the table stakes are when you're setting it up. In the larger scope, it's not that different; I mean, the US and other countries have been flexing influence through soft power in other ways for a long time, but generally a bit more transparent on it. I think, to your particular question, when you're talking about, like, especially when you're talking about warfighters, and how do we build and protect this inherent, you know, trusted ability to do stuff, there's a couple things that I kind of need to set the table on. The first is that the US is probably the only country in the world, or one of the very few countries in the world, that can almost completely build out their national defense infrastructure in just the US. We still have the capability. Yeah, a lot of raw materials, like, for example, rare earth materials, are not that rare; we still have a lot of ability to both re-harvest them through recycling and also to still kind of harvest and purchase from other global supply chains for the raw minerals and raw metals that we need. That being said, you know, when those things start getting constructed, you start having supply chain regulation controls that start happening. For us, those have been loosened over the last about 20 years. There are basically two bodies of law that control it: you have ITAR, and you have EAR. Those are the big ones. And then you also have, like, you know, the whole OFAC don't-do-business-with-these-five-countries kind of thing; we'll leave them out of it for a second.
If I'm going to build, let's say, an aircraft carrier, because that's probably one of the biggest and most complex things that I can build, it used to be almost everything on it was completely controlled. That's bad in a sense that if I'm a manufacturer and I build a particular bolt for that aircraft carrier, I can never sell that bolt ever anywhere else in the world. We still have remnants of that in terms of, say, Trusted Foundry. Trusted Foundry is a program that is essentially saying, listen, there are certain places in the United States where we can manufacture chips, where they can run limited runs of these particular types of chips that we need, whether they're ASICs or FPGAs. For those of you who don't know, an ASIC is like the chip that goes into your iPhone, and an FPGA is kind of the same chip design that you can change around in a few different ways, and you can make it fit a lot of different applications; really useful in manufacturing and other defense applications. Where that comes into play is you still have these manufacturing houses that exist in the United States, but they're mainly slaved towards that defense industry. And the one thing that makes defense unique is lifetime buys. The Department of Defense will buy out everything they need to build a particular ship, and it's not just for a particular ship, it's for, like, the next 30 years. So if you ever look at big shipyards in the United States, one of the things they do is lifetime buys. So they'll contract with a particular chip manufacturer in the US that is part of that Trusted Foundry program, and they'll say, hey, we need enough of these chips to guarantee we can build however many chips we need, plus the, you know, services and repairs that we need for the next 30 years. And then they'll keep that stuff around and running. That's why you see these things go into incredibly long life cycles there. I think that program is pretty sound and works pretty well.
Where you get into concerns is not the direct kind of, how do we guarantee the security of these programs from the physical standpoint, but from the software standpoint, and from that extended logistical infrastructure that you need to support it. So, like, if the ship is fine, what about the software that goes into the ship? And that's where you saw a lot of these organizations that were being breached were not just the big defense contractors but the smaller ones; and you saw big defense contractors, you know, getting hacked as well. When you start looking at not just the capabilities and the weapons capability of that, but what about the national communications infrastructure that's relied on to feed into that ship to tell it where to go? How are we protecting digital communications across the United States, like one of those systems, those routers? And that's really where you start getting into that concern of, like, what are we doing to protect that individual router? One or two of them, you know, if I'm in China, probably not gonna be that concerned. But when you have millions of them across households, now you get a big enough sensor that that becomes really appealing for a government like China to say, hey, is this something that we should be considering targeting? Is it something that we can kind of begin to target to bring enough sensor data that, in the aggregate, it becomes really, really valuable? That, to me, is the biggest threat there. It's like, is my cell phone a threat? Is my router a threat? Maybe not to you. But all of them together, in aggregate, create this really, really powerful signal that can be a threat to the United States.

Shiva Maharaj:

From a cyber warfare perspective, what do you think is the bigger threat China or Russia, or Iran, North Korea?

John Wetzel:

I think that it's challenging when you bring that perspective, because cyber warfare gets into all of these other conceptions, like, what do we actually consider that? Does it have to result in kinetic action? Is it just on the intrusions? How much does espionage play into it? Like, I

Shiva Maharaj:

would say, at this point in time, the espionage and data collection is probably higher on their list. I don't think anyone wants to go kinetic at this point, even though China is gearing up a really strong navy from the looks of it. But it's about data collection right now. And I've always been under the impression that from the beginning of ransomware, with the big groups, it's been a cover for data exfiltration back to one of those four countries, for lack of anything else.

John Wetzel:

So the data exfiltration part worries me. I did a lot of time in counterintelligence, so any time somebody is stealing my knowledge, it's really concerning. But let me put this frame around cyber warfare for you. And I'll say this: I think we're seeing it right now. I think it gets underreported. And I'm going to exclude espionage from it. So let's take out the economic espionage and information stealing from it, and let's take out the purely access type of stuff from it, like breaching a supply chain to get broader access to pull down, you know, email data lists. So SolarWinds, I wouldn't consider that in the realm of cyber warfare. Let's look at, I think, regional threats happening, flexing power because they're relatively resource-light. I'll bring two examples. One is when you look at Russia and the way they're flexing, controlling power inside of the former Soviet republics. Everyone talks about Ukraine; Estonia is another example. You're seeing kind of low-level intrusions that are relatively inexpensive for the country that's pursuing it, but costly in terms of time, energy, effort and focus in the country that's being attacked in this way. Russia has been doing this for a long time. Well before you had the Ukraine blackouts, you had Estonian infrastructure getting taken down. You had these kinds of harassment campaigns, whether it's taking down power and energy companies, whether it's the fear that somebody could take down power and water infrastructure companies, or just the time it takes when your businesses get taken down. I think the other example that you've seen, and that we've reported on from our Insikt Group, is when you look at China versus India. My opinion on this is that you're seeing a lot of Chinese infrastructure attacks against India right now.

And they're targeting things like power and energy companies, they're targeting commercial and government organizations. And I think you look at the overall scope of that, and you have to ask yourself, why? Why are they expending these resources? Why are they trying to attack and do things that don't seem to be just data theft, but seem to be potentially harassing and potentially disruptive to those organizations and to that country as a whole? And I think you start looking at that, and in my mind you're saying, well, China is looking for that same resource gain in the South China Sea right now. They are currently engaging most of their neighbors, and India is a bordering country, in both resource and kind of constrained policy. When you look at India, their naval presence is probably one of the most formidable in the Indian Ocean there. And you start asking yourself questions like: if I'm China, and I need to contain a country that borders me, and I need to think about ways to do it when I can't bomb them, I can't strike them, I don't really want to get into full warfare because it's not going to be productive for anyone, because, you know, we'll come in and a bunch of other places will come in and be like, you can't do warfare now. How do I fight that? How do I be aggressive without being too aggressive? And cyber is that perfect ground for it. So I can harass, I can contain, I can make you spend resources, time, effort, energy just to keep your economy up and functioning. And all of this, by the way, is in a pandemic, which India has been horrifically hit by. And now, where do I focus, if I'm the country of India? I'm trying to protect and build up an economy, but yet somebody is actively harassing and running campaigns against my government that I can't block, I don't have an ability to kind of sustain against, and they seem to be very persistent at it.

That's a hard thing. I'm able to flex, as a country like China, and say I can flex power against that without necessarily having to negotiate with you or trying to, like, you know, give you a bunch of gifts and stuff like that. It's a way to cheaply show you I can have dominance over you.

Shiva Maharaj:

But couldn't the same be said of China and the US at this point?

John Wetzel:

It could be. I think the challenge there is that, on one hand, I think you have a little bit of a nascent fear of the US and US capabilities, and it's residual, and it's pretty strong, because I think most countries and most researchers in the cybersecurity field will just generally throw a statement out there: Equation Group is that sleeping lion, right? Like, we don't know what we don't know, but the things that we've seen are really scary and really interesting. And if you take the US cyber capability versus, say, Russia's cyber capability, they have different approaches to it. The US went out there, was aggressive, was hyper-complex and really interesting, but seemed to be very targeted and narrow as well on that path. Whereas you look at Russia as the opposite example there: Russia seemed to almost advertise their capabilities through these broader-scale attacks. I've seen some go out there and say, if you look at NotPetya or you look at the Bad Rabbit campaigns, those almost appeared like they were meant to be massive but somewhat truncated in scope, because they could have been a lot worse. And it almost seemed as if they were saying, we have these capabilities, you don't want to know what else we have here. Better fall in line.

Shiva Maharaj:

Do you think we slept on Russia and China over the last 20 years while we were focusing on the Middle East?

John Wetzel:

I think that we had to make trade-offs as a country, and with one threat we didn't know how bad it was and what to really do about it and how to approach it. We also thought that we probably had the better capability, which might have been true from an aggressor standpoint, rather than from a defensive standpoint. There's a security expert named Mara Tam; she's spoken a lot at things like TROOPERS and other conferences. She wrote this really interesting paper talking about anti-patterns in the ICT and other United Nations approaches to this idea of cyber norms. And I bring it up because one of the things she brings up is, she cites this other researcher who basically said that, like 20 years ago, the Russian Federation actually brought a proposal to the United Nations saying, hey, let's set a standard that there are some weapons that are just too bad to use in the cyber realm. Can we agree that some stuff is just too bad, we should all agree on this right now? And the US outright rejected it. And the reason they rejected the Russian resolution that was brought to the UN is that at least part of the thinking was, well, why should we limit ourselves when we're probably better? In our estimation we're far more advanced than these other countries, so why not just keep our own advantage? Why would we ever give that up? Has that resulted in where we are today, where now you see nation-state attacks that can then be leveraged, and weighed down by, criminal actors, and the way that market is interacting in ways that we might not have been able to predict? Do we regret that? I don't know, I don't speak for US policymakers right now. But I don't think it's necessarily fair to say that we slept on it so much as it was a novel threat; we didn't have a full understanding of it.

And we felt as if the US had the upper hand, so why not just take it for a while and ride?

Shiva Maharaj:

Gotcha. Where do you think we stand in terms of the cybersecurity posture of the defense industrial base? And the reason I ask this is because three months ago, I went in to do an assessment at a government contractor. And they have been hit ten ways till Sunday, and their product is in every government agency in the US, multiple governments around the world, and hundreds of thousands of businesses. I had a call with them yesterday, and they still haven't begun remediating anything. And I can't imagine they're much different from any of our DIB supply chain.

John Wetzel:

So, I think that it's been a challenge for the US government to try and figure out exactly how do we secure this base. And there's been a lot of push; I mean, the CMMC really started going down that pathway of, let's set some broad standards for where you can go and where you can have access when you're trying to do it. And the other side of that came in on the information control side, where there was this big push, and there still is a big push, around unclassified but sensitive types of information, this controlled unclassified, this CUI type of information. I think it's important to understand that there are kind of tiers when you're looking at the defense industrial base. The top tier are all the biggest names, when you think of the big industrial-complex names. Those have really magnificent teams; I've worked with some of the teams. They are really great. You're talking about your Raytheons, your Lockheeds, your Grummans. Those are really, really good teams, and they have a really good understanding of it. Where you start losing it, where it starts getting a little bit more unwieldy, is once you get down to the widget manufacturers and everybody else who works with those big companies as product manufacturers and suppliers. They can have really broad reach, right, to your point; they can have products that go into a lot of different applications. They're almost like any other mom-and-pop shop in the United States. They do have regulations and controls; they have a little bit more of a relationship that they have to comply with, with the US government, as far as regulation goes. But they're ultimately resource-constrained like any other small business.

These are like manufacturing firms that are just a single building in the middle of, you know, the Northeast, or this can be a small place that just does some type of small computer component or customized chips in the Pacific Northwest. I think it's important to understand they have the same problems as any other print shop or retail place that you have throughout the United States. And so, as far as their security, I think there are layers there. I think there's been an attempt by the government to try and set policy, to try and come in there; that's where the CMMC has come in. There's been a long dialogue between government and industry regarding whether there should be contractual requirements that those companies provide uncompromised products, but, like, you know, how are you going to judge that?

Shiva Maharaj:

But are those already in place, those kinds of contractual obligations? Or isn't part of, you know, the FedRAMP side of the government trying to audit these people to make sure there's a certain amount of competency behind their infrastructure to produce? So there's,

John Wetzel:

there's a couple of challenges there. Yes, there are audits that happen on the security side, but a lot of that auditing process still has to be held to an accountability framework. And so you still have a lot of that old conformance type of security, rather than having proactive type of security, as far as how we approach it. I think we were talking about it on the Rocket MSP show, and you talked about, hey, I just want to get people to stop self-accrediting; they shouldn't be able to do that, you should have to force them to do it. You see that all over the place, though, because you have a lot of these shops that, listen, if you're going to hire a security professional to work in your organization, and that's all they do, and you're going to give them a bunch of work, at a minimum you're talking a $100,000-a-year outlay. That's for the person, for whatever program they bring in, for everything else that you're going to do just for baseline compliance. And that's usually just for the national security side. That's the classified work, that's making sure you're meeting your contractual obligations. Everything else there, now talk about information security, and it becomes a lot more complex. Like, how do you secure an environment where you're looking at a lot of old practices, you're looking at companies that operate like any mom-and-pop? Maybe the owner has the manufacturing place, but they also have an ice hockey rink that their nephew plays at, and they really, really want their IT guy to go over there and fix the Wi-Fi. I think then, you know, you start getting into that way of, alright, how do we actually mature this? I think part of it comes from regulatory controls of more than just checklists. Like, you can't just go in there and check the paperwork for that particular thing and say, okay, it's been cleared.

You can't just go in there with this checkbox type of security approach and say that these systems are inherently secure. You have to go in there with it: how are we meeting up with, you know, the 20 CSC controls? I think that's one of the big things that they're trying to push with the CMMC. Can we go in there and be a little bit more thoughtful as to how we're approaching and how we're applying that proactive stance, and what are all the components of a really good security program for the scale that we're at?

Shiva Maharaj:

Is Recorded Future tracking the threats into the ICS world, specifically CNC machines and such, that do work for the DIB?

John Wetzel:

So, we do track threats into the OT and ICS space. They are more challenging because, by their very nature, those attacks are going to be a lot more targeted. It's hard to, like, you haven't really seen an OT worm happen yet, knock on wood. And part of it is because almost every one of those environments is unique. They require a lot of thought, they require a lot of planning as you're going into them if you're going to be an attacker. And so it's a lot harder to necessarily go in there, identify, and then kind of broad-scale track what those actors are doing, which is why you don't really see a lot of it, right? Like, with Colonial Pipeline, we've only heard that they shut down their OT network out of hesitancy and, you know, an abundance of safety, not because they actually saw that the ransomware made that jump over there. I think for me, you're seeing a lot more in the energy spaces, probably in infrastructure; not so much into mom-and-pop CNC machines. I think that's probably for a couple of different reasons. The big one for me, though, is, I mean, I don't know, as an actor, what I'm going to get if I pop a CNC machine. But the Windows 95 test machine that's running right over there, maybe that's a little bit more interesting. But is that really OT, since it's a testbed? It's isolated, standalone, they've never patched it, but it's what they need to keep that one old whatever running, whether it's a CNC or a cutter or anything out there. And we've all seen it. If you've ever been in any company, any manufacturing environment, they all have that type of thing, like the ultra-standalone testbed: we isolated it from the network, but, you know, we don't even bother updating it, we just need to keep the thing running.

Shiva Maharaj:

So what would you read as the top threats? Just in general?

John Wetzel:

I think it's really hard to think of one that's more prolific right now than ransomware. And it's not so much that, when you're scaling threats, you have to think about real-world impact. I think ransomware right now is that threat because it's so unwieldy. It's not targeted. You don't see due care and diligence by a lot of these actors. You've seen some kind of lip service by some of them saying, hey, we're not going to go after hospitals or something like that. Okay, if that were really the case, then why has the number of ransomware attacks on schools and hospitals been so high? I think you have a lot of actors who have realized they can get into the ransomware game for relatively cheap and start making money relatively quickly. And so they're testing out their abilities in places like, you know, schools and hospitals and other health care environments. And to me, if I'm a parent of two small kids, you start affecting my kids' school, you start affecting their ability to get health care, those are real-world impacts. And I think that's really, ultimately, where we're most concerned, is that merger of the physical and logical.

Shiva Maharaj:

We're coming up on time here, so I just want to be mindful of what you have going on. How do we get involved with Recorded Future if we wanted to? Not just me, but anyone, including me. But, you know, well,

John Wetzel:

Like a lot of other threat intel companies out there, I think, on one hand, we do have a plethora of materials that we put out there, both in technical reporting from our Insikt Group, where we try to genuinely contribute to the community through the research that we can provide. Obviously, we're still in the business of selling things, so we do have marketing stuff on there as well. But we provide PDF reports, we have our own GitHub page where we provide IOCs for any of the research that comes out from Insikt Group. We also have some technical tools that we provide to the community at large. We have a browser extension which allows you to go over a page and quickly pick out the IOCs from that page and understand what we assess their risk to be. So if you're looking at a page that has a dump of a bunch of IP addresses, we can quickly tell you, hey, why are these particular IP addresses on this list, and which of them we view as particularly concerning. We're not going to show you your environment, because that's what you would have to know, at least in the browser extension, but we can show you a kind of broad prioritization of, hey, based on what we're seeing here, this IP is a C2, or a lot of these are tools for a particular malware. And that's available free for download for anybody; you just get it from the Chrome store, or from Firefox if you're using Firefox or anything like that. And then, you know, we present at a lot of conferences, a lot of places, shows like this, kind of providing commentary to the community, and we're all kind of just open and available to chat. If you're looking to go down the more commercial route and say, hey, we want a solution here, we need this thing to come in there, my first inclination is, well, I'm not a salesperson.

But I would always tell people, listen, think about where you are, and think really carefully about what data you need in your environment. I think it's easy for, you know, I work for the company and I want to put a message out there. But we've had organizations come in, they bought threat intelligence because they felt they needed it to fulfill some checklist requirement, and never got in there. And they're like, we want you to tell us what we should do with threat intelligence. Well, how do we approach this? And we're more than willing to do that. But I think there's an approach where you need to look at your own organization and say, what exactly do we want to get out of it? How do we benchmark our success with taking this external data, taking this systemic perspective, and where are we going to apply it? Do we need context in our SIEM? Do we need to help tune automation so that our automation and our SOAR product can actually work the way that we want it to? Do we need prioritization on vulnerabilities? We want a better way than just looking at CVSS scores and thinking about, alright, what's going on with this vulnerability; maybe we want to bring in external data that says, hey, this is being discussed on what markets, this is, there are patches, this is being openly exploited. So I think just being thoughtful as you look at your entire security environment, thinking, hey, where do we want to bring in, where do we want to invite in a partner here to help us with this, before you make that jump to say, alright, let's buy solutions, buy another product. I think we really want to be impactful when we're trying to come into an environment and help organizations.

Shiva Maharaj:

No, I completely agree. I mean, it's like some of these people who buy a SIEM just have a really fancy place to put some logs.

John Wetzel:

Yep. There's an old joke, kind of an analogy amongst people that run SIEMs. It's like, you see people that just bought one off the shelf, and sometimes they're harder to work with because they don't inherently understand the technology that's underneath it. You talk about people that have just cut out a homegrown one, or built one out of an ELK stack: they all know exactly what's going into their SIEM. They all know exactly how it's tuned, because they don't have a choice. They're in that thing every day and they're making it work.

Shiva Maharaj:

Right. Alright, so how can people reach out to you? I know you're very active on Twitter, or at least I see you're very active on Twitter.

John Wetzel:

On Twitter, it's @johnwetzel. You can reach out via email; I'm always happy to help and respond. That's just john at recorded future, one of the perks of being around the company that long. I am available on LinkedIn. And then if you have just general inquiries, you can actually just reach out to us via our website or anything else. Like every other vendor out there, we have a chatbot. I swear to God, though, it's not intrusive, and we're not going to make you go through it to read any of our reports.

Shiva Maharaj:

Sounds good. Thanks for joining us.

John Wetzel:

Cool. Hey, thanks for having me.