
    Get Cyber Resilient Ep 77 | Digital Forensics and Cybercrime scenes - with Dr Chase Cunningham, CSO at Ericom Software

    Our guest this week is Dr Chase Cunningham, retired Navy Chief Cryptologist and currently the Chief Strategy Officer with Ericom Software.


    He has experience across a range of the three-letter agencies in the US and over 20 years' experience in cyber forensics and analytic operations. He also has a PhD in isolating insider threats through combining technical precursors with human behaviour modelling. His deep technical expertise has also fed into his work as an author, with his 2020 title “Cyber Warfare: Truth, Tactics and Strategies” and more recently his move into fiction with gAbrIel.

    Chase and Gar dive into digital forensics in this episode, along with Chase’s insights into ransomware, the misrepresentation and misunderstanding of AI, deepfakes, machine learning and deepfakes being used for MasterPrints, and influence attacks.


    The Get Cyber Resilient Show Episode #77 Transcript

    Garrett O'Hara: Welcome to the Get Cyber Resilient podcast, I'm Gar O'Hara. Today we're joined by Dr Chase Cunningham, retired Navy Chief Cryptologist and today Chief Strategy Officer with Ericom Software. Chase comes to the conversation via many of the three-letter agencies in the USA, with 20 years' experience in cyber forensics and analytic operations, and also PhD research into isolating insider threats through combining technical precursors with human behaviour modelling, so real Minority Report vibes on that one. His deep technical expertise feeds into his books, which include Cyber Warfare: Truth, Tactics and Strategies, and more recently his move into fiction with gAbrIel.

    In this episode, we cover digital forensics and good practice in that space; when to involve the Government and what it means when you do; ransomware; the misrepresentation, or maybe misunderstanding is a better way to say that, of AI; deepfakes and machine learning being used for MasterPrints; and then also influence attacks. Over to the conversation.

    Welcome to the podcast. Today we're being joined by Dr Chase Cunningham. How are you going today, Chase? Are you doing well?

    Dr Chase Cunningham: Yeah, it's, ah, late afternoon. Well, not late, but afternoon for me, early morning for you. So you're the one needing coffee, not me.

    Garrett O'Hara: I, I'm desperately waiting for it to kick in, if I'm honest. I, I made myself a, believe it or not, quadruple coffee. I've got a big day ahead so I'm hoping, hoping I don't get too jittery in this conversation as we go through. If I do, apologies to the audience [laughing]. It's great to finally connect. This, this kind of came about through actually Gabe Marzano, who's the head of cyber, ah, over at NEXTGEN, who mentioned you when I met her at, ah, [inaudible 00:01:45] back in, whenever that was. I think it was May here in Australia? Yeah, we were actually as humans, face to face, having a conversation. How, how weird is that.

    Dr Chase Cunningham: That's weird, and no one burst into flames?

    Garrett O'Hara: We, we made it through. So yeah, look, we were talking about the pod and, and she, ah, your name came up. She, she was kind of raving about the work that you're doing and the things you're getting up to, and we finally get to, to speak today. So really appreciate you taking the time. The, the first thing, look, we ask everybody, is just a quick kind of run through of, of how they got to where they are today. I have it in front of me here and it's, ah, there's a lot of three-letter organizations in there and then a bunch of other stuff. Be great to, yeah, just hear from you, how you got to, to where you are today and doing what you're doing today.

    Dr Chase Cunningham: Yeah, so I, ah, I started out in the US Navy. Did my career supporting a whole bunch of different three-letter agencies. I retired medically in 2011-ish, 2012-ish. After that, I went to work for the Government as a contractor, did the contracting thing for some three-letter agencies. And then worked my way through being, ah, director of, ah, cyber stuff at a company called Armor, and then after Armor I went over to Forrester for a few years. And at Forrester I created and ran, ah, the zero trust extended framework stuff that Forrester's been putting out. And then most recently I've been, ah, over at Ericom as the Chief Strategy Officer. So, and then in between all that time, ah, doing a doctorate and writing books and taking care of kids and just life in general.

    Garrett O'Hara: And, and is there sleep in there somewhere, or how does that work?

    Dr Chase Cunningham: No there's, I mean there's 24 hours in a day and I find a lot of people kind of, you know, sit around wasting time. I think there's I think a lot of, I mean honestly I get that question a lot. I'm just like, how much of your day do you actually use? I try and use as much as I can.

    Garrett O'Hara: Yeah, no I get that, absolutely. And you know, ah, Joseph Blankenship, right over at Forrester. I, I think you mentioned that last time we spoke.

    Dr Chase Cunningham: He was my boss. He's a, he's a taskmaster. He's a slave driver.

    Garrett O'Hara: And, and also a football fanatic. He was on a couple of months ago. We, we had a good chat, an awesome guy. [inaudible 00:03:50]. Yeah, look, and so the seed of this conversation, you know, originally when Gabe sort of mentioned your name, was around digital forensics. I'd been looking for somebody to have this conversation with based on some, you know, things that I'd sort of read and seen, and I was keen to speak to somebody who lived and breathed that, sort of, world. And we will clearly talk about other things as well but look, I mean, digital forensics is a big, big topic. And it would be great to maybe just frame what that is given, you know, you're a practitioner. What does that involve?

    Dr Chase Cunningham: Well, I mean really what you're looking at there is kind of the, if you think about all the criminal sort of crime TV shows where people look at crime scenes and, you know, you're looking for blood on the wall and all those, you know, things that they do for the CSI side. Imagine doing that in the cyber space, and basically you're working with digital blood on the wall. And if, if you can kind of wrap your head around how, ah, regimented you have to be, how careful you have to be, the many, many little details you have to put together. Like, you're, you're trying to build a case for something. I mean, you have to be very careful about how you go about it and it's a, ah, a long involved process, to be perfectly honest.

    Garrett O'Hara: So it was an eye opener to me, right? I, I've sort of done a few courses where it's been peripheral, it's not really the core of it but, you know, it gets a kind of surface mention. But we had a, a guy who joined one of the courses I was doing talk through the, the process. He was, yeah, a practitioner. I wouldn't say [inaudible 00:05:18] jumped in to, to find the digital blood on the wall, as you say. And it was an eye opener. Like, what he was describing to me was way more, way, way more intense than I had realized. And, you know, in terms of taking photos of positions of machines and, you know, making sure you don't touch things. What, what do you see as good practice? I'm guessing a lot of people who maybe even live and breathe cyber don't really get that side of it and don't really know when it all goes wrong, like, in the moment, what's good practice for them to do so they don't mess things up later on?

    Dr Chase Cunningham: Well there's kind of two pieces of it. There's the forensic side where you're actually trying to put a case together that you know you're going to have to present, like in court. And if you're gonna do that, that's a, that is a very, very detailed, involved process where you're doing things like taking pictures, camera, ah, you're making sure you don't move anything, that you wear a clean suit, that you, ah, don't hit any buttons with your fingerprints being exposed. Like all those, all those super, super forensic-y things that you have to do because eventually you're going to present that as evidence in court. And in some cases, actually the most famous one that I, I recall is, ah, have you ever heard of the serial killer BTK? He was caught because of digital forensics. And that was a-

    Garrett O'Hara: Okay.

    Dr Chase Cunningham: He, the guy murdered people for 30 years, got away with it. He winds up getting caught because of a disk that he sent the cops. So I mean you can literally, you know, ah, get involved in murder cases in for- digital forensics, so you have to be extremely cautious about how you do that. And you, you've got to remember at all times, you're going to present this to a jury where they may or may not understand what you're talking about. And you have to be able to make sure that your evidence is bulletproof. So that's one side.

    The other side is the kind of, what I would call corporate digital forensics, where something weird happens and you're trying just to figure out what happened and why, and was someone culpable? Or was it just kind of an oopsie, you know, ah, was it an APT malware type of attack? So you can, and that, that's not quite as, ah, I would call it, ah, evidentiary as you would have with a court case.

    Garrett O'Hara: Yeah it's, it's interesting using a, like, as you said, when I think cyber I instantly just think cyber forensics is around, ah, you know, cyber attacks and, yeah, hadn't even thought about the implications as to broader, the broader kind of crime. We, we had a case recently actually and it's, I don't think it's probably hardcore cyber forensics, but a couple of cops here were done for being sort of inappropriate, let's say, off-duty with, ah, someone who turned out to be underage. And it was actually their phone, they sort of thought they had deleted the evidence from their phone and-

    Dr Chase Cunningham: It's never deleted [laughing].

    Garrett O'Hara: Yeah, ah, I can well imagine. I was looking, as part of the research for this conversation, was looking through some of the tools that are available to do forensics. And I'm guessing there's probably some hardcore stuff that people in three-letter agencies have access to that are, that we don't know about. But even some of the stuff that's available through VMs and I think, like, SANS SIFT and there was a, a couple of things there, that look pretty impressive on the, the surface of them.

    Dr Chase Cunningham: Yeah.

    Garrett O'Hara: How accessible is it as a, as a practice? I was also reading that it's an apprenticeship rather than something you can train for. Like, you have to do it to really understand it.

    Dr Chase Cunningham: Yeah, you need to be, ah, keys, you know, fingers on keyboard for a long time. You need to have someone that's, you know, ah, I guess you'd say vetted in the space, kind of teach you how to do it.

    Garrett O'Hara: Yep.

    Dr Chase Cunningham: And honestly, like I said, for, if you're going to get involved in those cases, like you're dealing with cops or, you know, underage kids or something, what seems to be a pretty common forensics issue. You need to be sure that you can, you know, present in court and actually stand up to cross-examination, which is also a, a skill you've got to learn.

    Garrett O'Hara: And I, I can imagine what you're describing, like that presentation part of forensics, when I think about the complexity of some of the things you'd have to do to prove evidence. Like how, I mean this is a huge question, it may not even be answerable on a podcast, but how do you even go about explaining that to laypeople?

    Dr Chase Cunningham: Ah, I call it colouring with crayons. And it's not to be offensive to people that aren't in cyber but, I mean, really, you know, anything that you, ah, that you're going to present to anybody... you know, my wife's a nurse. She talks about cardiologist stuff all the time, whatever else, and I tell her, like she starts talking about how the heart does this and whatever else. I'm like look, here's a piece of paper and a pencil. Like, draw that out for me so that I can understand what's going on there. You, you're, you have to be able to break it down to people where it is kind of colour with crayons and you literally can say, look this thing does this and this is what that means and, I mean, it has to be a very simple but clear picture of what, what occurred.

    'Cause you're right, organizations, audiences, leaders, court people, they don't understand this stuff. And it gives the prosecution or defence, depending on which side you're on, a good avenue to basically throw your testimony out if you're not careful.

    Garrett O'Hara: It, it sounds like a nightmare, like, almost like technicalities but based on understanding, or maybe I'm misunderstanding that actually, is it-

    Dr Chase Cunningham: That's right. I mean-

    Garrett O'Hara: It is, yeah, okay.

    Dr Chase Cunningham: You can have a, a whole court case thrown out on just a, a bad keystroke. I mean, it's that-

    Garrett O'Hara: Yeah, yeah, it sounds like a little bit of pressure there to, to make sure it goes well. I'm guessing then there's times where, you know, people will or organizations will go through incidents that maybe hit a point that they're large enough incidents, or maybe the implications or the vertical that they work in means that there's probably a call that should go into Government agencies. What, like, is there a way to kind of make that judgment call of, like, what's the point where you need to call in those three-letter agencies or whoever the local-

    Dr Chase Cunningham: Well, so the thing that I remind people is you need to understand that when you're gonna call in the three-letter agencies, you've, you've given up control of that situation. And what I mean by that is, number one, the three-letter agencies have got a stack of cases that they have to get through and you're probably way at the bottom of 'em, so they may get to you two years from now, which is way long in the cyber world. But the other thing is, once they show up in their black Suburbans and, ah, you know, suits, whatever they want, they're taking, and you may not ever get it back. So you need to be very aware that once that process, once that, ah, you know, 10-ton boulder starts rolling, and it is, it's not stopping. And whether you like it or not, you're in it.

    So, I advise people all the time 'cause I get, as a matter of fact just yesterday I had a guy email me about some stuff and he needed me to do a little bit of forensic looking around. He's like, do I call the, the feds? And I mean my response to him was, I'm not gonna say yes or no yet 'cause I don't know the totality of what's going on, but number two, ah, I asked him, I was like, "Are you willing to give up everything that touches this system for the federal investigation?" And his response was, "No." Okay, then we probably don't want to call the feds yet.

    Garrett O'Hara: It, it creates an interesting tension. There's, there's a bill that's going through Parliament here at the moment for critical national infrastructure and, you know, I understand that the US is going through some similar changes at a Government level. Where for certain organizations or, or industry types, it's pretty broad actually, you know, the, the idea with this bill is that the, the value of those organizations and the impact is so big if they get [hacked 00:12:30] that the, you know, the Government can basically come in.

    And it's less probably around the forensic side but more, I suppose, you know, the kind of stopping the bad thing from happening, like the energy grid going down et cetera. What are your thoughts there in terms of, like, to, to your point, you were able to give that person a, well, hold off, make a decision, I don't know just yet. But if you get to the point where there's a regulation that says you pretty much have to. Any, any thoughts or opinions on that?

    Dr Chase Cunningham: Well I mean I'm not an expert in the Australian side of things obviously, and the US side changes a bit, too. And I, ah, I mean I haven't done a case in that sector in quite a while. But I mean what the, the question quickly becomes is forensics, or is the investigation, actually going to deal with the threat? And usually the, the problem is, I mean if you think about it in the context of a, a murder scene, if I walk in after somebody's been blasted all over the wall, it doesn't do me much good to say, you know, "Hey let's go investigate this," and think that that's going to stop them from doing another crime or, or hurting another person, 'cause it, it's going to happen.

    So in the cyber space, we move even faster and there's usually not nearly as much grey matter on the ceiling, if you will, as you would have in a murder scene. So you have to be, you know, willing to kind of say, we'll do the forensics later, let's deal with the threat now because this is more, especially for infrastructure, I need to fix this problem. I don't necessarily need to worry about the whole forensic picture, I can get to that eventually. Logs are a great thing. If you're in, if you're a forensic person, logs are your best friend.

    Garrett O'Hara: Yeah, understood. There, there has been some comments around, like, I think you used the 10-ton boulder, you know, the kind of analogy, that there's some concern that that 10-ton boulder may not know the systems that they're going in to protect well enough in Australia. And it certainly seems some of the contributions from local industry, and there, you know, it's often global organizations saying that our worry is that, you know, the 10-ton, the 10-ton boulder comes in to help but actually, because they don't really know the systems, they actually may cause kind of bigger issues.

    Dr Chase Cunningham: Yeah, I mean I, I think that that's a valid point and it's a valid concern, but if you're dealing with critical infrastructure you're, you need the, you need the help of those organizations because they have access and resources that most corporate, or especially small and, like, local localities, don't.

    Garrett O'Hara: Yep.

    Dr Chase Cunningham: And you need that, you need that heft and you need the, the ability. And sometimes it's just about getting a system back online. It's not about the investigation side of it.

    Garrett O'Hara: Yep, no, definitely get that. We had Dmitri Alperovitch on speaking about those smaller organizations that are sort of feeders or suppliers into critical national infrastructure and the comment, well, his comment was that you, if you can't do security well enough then you shouldn't be in that space. But then, you know, maybe what you're talking about there is that you get to offset some of that concern because if you're in there, those agencies can come in and sort of help if things do, do go wrong.

    Dr Chase Cunningham: Well-

    Garrett O'Hara: Excuse me.

    Dr Chase Cunningham: ... what [inaudible 00:15:33] see with those smaller and legacy organizations is, and I, I'm a big fan of Dmitri's, but I think where that kind of is a little bit myopic is that if we did that, we wouldn't have, I don't know, 70 percent of the organizations out there doing anything that we need.

    Garrett O'Hara: Mm-hmm [affirmative].

    Dr Chase Cunningham: So, you know, the, the sort of ability to catch up on security is, is there, and a lot of times this, you know, to be more secure doesn't mean you have to be awesome at it. You've just got to be better than the next weak link.

    Garrett O'Hara: Yep, yeah, and when we were talking I think I kind of raised it that you end up with a sort of, almost a dual layer. You know, the organizations that can afford to do it and then the ones you can't, and it sort of sets up almost a, you know, reinforcing cycle. So you never, you know, would never be able to grow to service fed.

    Dr Chase Cunningham: I think a lot of times what we miss in this space is the value of deterrence. It's not, we always look for, like, how to be, how to never have a hack or never have a bad thing happen or whatever else. That's not real, like, you're, you know, the odds of you being perfect are pretty minimal. However, like, I like to wrap this around, like, think about your home. Imagine two houses sitting next to each other and one of 'em has got a protected by ADT sign and a Doberman walking around out front and a big Schlage lock on the door. And you're the bad guy, right? You walk by, dog barks at you, ADT sign, hard to get through that Schlage lock. And then you look at the next house and the windows are open, the front door's open, and the owner is passed out drunk in the front yard. Like, who am I gonna rob? You know, you go for the easy target, you don't go for, you know, the house with the Doberman. Deterrence has got massive value here and we don't, we don't focus on that enough.

    Garrett O'Hara: Yep, no, definitely take that point. We m- may pivot a little bit here and talk to your PhD dissertation. Again, you know, I was just kind of reading through your profile. This one kind of rang a bell in my mind 'cause I could see Tom Cruise in a cool glove doing some amazing sci-fi stuff. Your, your PhD basically it, it sounded like Minority Report to me, you know, combining technical precursors, indicators, with human behaviour modelling, with a view to identifying and isolating the insider before they kind of do the bad thing, essentially. Can you talk to us about that? That really does sound, it sounds like Minority Report.

    Dr Chase Cunningham: Yeah, I actually, ah, funny enough I called the project, ah, Pit Viper because it was sniffing out the rats. And basically what, what it was, was I was able to take a whole lot of log data from when people, and I had a bunch of, I had a hundred-something subjects and I said look, you guys be my bad people and here's a file. Go get the file. And basically they were, they were acting as insider threats and they went looking for the file and they grabbed it, and funny enough, you take enough data over time, you see that they do the same things to find the file that they're looking for to steal the information. So what you wind up with is indicators of a progression of compromise, and then you take those indicators and you [boil 00:18:28] them up against an algorithm. And if your algorithm is really good, you can say if this happens, this is the likely outcome. And mine was 90-something percent effective at saying if these things occur, somebody's getting ready to steal your stuff.

    Garrett O'Hara: So do you get to the point where you could build a broader algorithm that can just look at all the behaviours that a human may do on a machine or on a network? Is that the end goal?

    Dr Chase Cunningham: [inaudible 00:18:50] yeah, theoretically you could, and I think a lot of the insider threaty stuff that's evolved, 'cause I mean I published my dissertation back in 2014, so good lord, I'm getting old, it's 2021 now. So I mean in that amount of time there's been a lot of innovation in the space with, smarter people than me have come up with other approaches to the problem. But, you know, theoretically you can continue to apply that to more and more data and ultimately you get a really, really accurate, ah, prediction model.

    Garrett O'Hara: Yeah, we had a guest called, ah, [Sinel Sal 00:19:18] who was on, he's from Minter Ellison, and he talked about using end user behaviour analysis. And I think, like, with good success, and then COVID hit and, ah, all the models broke. You know, people were working from weird places at weird times and yeah, he said that was, that was an interesting time to go through, each sort of, you know, you go back to zero almost in terms of the models.

    Dr Chase Cunningham: Mm-hmm [affirmative], mm-hmm [affirmative].

    Garrett O'Hara: But yeah, kind of is what it is, I suppose. What else did your research uncover? Was there anything else in there?

    Dr Chase Cunningham: Ah, I think one of the things that I came out of that with that was really interesting was I also, as I got through that, I also came up with a, a pre-employment survey. And, you know, everybody wants to, to kind of think that you're super unique and whatever else. I hate to break it to you, but there are sort of personality indicators that you can boil against human modelling and sort of see these, these certain individuals with these behaviours and this past activity do have a higher predilection for doing things that are less than scrupulous. And it's not to say you're bad because you've done bad things in the past, but you could take my algorithm for seeing what they were doing on the network and then take the sort of pre-employment thing and go, something's off here, you should act quickly 'cause things are getting bad fast.

    Garrett O'Hara: So that starts to get really interesting to me. Like, the personality overlays.

    Dr Chase Cunningham: Yeah, it gets a little bit creepy-ish, so yeah.

    Garrett O'Hara: Yeah, like is, is it sort of, so in my mind, you know, the, when I think of, like, HR functions using Myers-Briggs or the Big 5 or, you know, any of those kind of psychometric testing to see suitability for a role. Is it, is it that vibe, except for cyber?

    Dr Chase Cunningham: I [inaudible 00:20:59], I mean yeah, I asked a lot of questions about, like, ah, honestly, like, ah, sort of feelings of ownership of material and it's fun- it's kind of funny, you see people that, like, "I created this, so it's mine." It's like, well, you work for that company and they pay you for that, and they still say, "Well it's mine." Well, no it's not. You, it's, you, you've, you did that 'cause you were getting paid for it. And in the digital space, because you're not physically picking something up and carrying it with you when you leave, people just go, "Well it's my file. I'm going to take my file." And that file might be the formula for Coca-Cola, you know.

    So, I mean, there's this other interesting side of this whole thing. If I was more of a humanities person, I think it'd be a rabbit-hole to go down of, like, why do, why do humans, sort of, not, like, theft in the digital space is not nearly as, ah, I guess you'd say, potentially traumatic as it is in the physical space.

    Garrett O'Hara: Yeah, I totally get what you're saying there. Like, there's the emotion or energy is not the same when you're taking a digital copy of something as it would be, you know, if I, I mean I'm certainly not going to do this, just so everybody knows, but, you know, my work laptop. You know, if I'm stealing that I can see it, it's a very visceral human thing 'cause it's a physical object. But if it's a digital copy, well, the company still has it, I'm just taking a copy. Maybe it's the same with music. You know, I think people, I'd never have stolen a, you know, a CD from HMV back in the day or, or vinyl.

    Dr Chase Cunningham: But Napster was fine, right?

    Garrett O'Hara: I'm not saying I did or I didn't, but there might have been Limewire in my past or, or Napster and, ah, maybe-

    Dr Chase Cunningham: [inaudible 00:22:29]

    Garrett O'Hara: And it just felt different. Now I still bought music, don't get me wrong. I probably spent more than most people did on, on music. But yeah, that's, that's a hundred percent. But not to go too far down this, but would you see a time where, based on what you figured out in terms of those personality indicators, that you would change something like acceptable use policies or, like, how, screening employees. Do you think you could get to that point where you could, you could, or limit, you know, people's access controls?

    Dr Chase Cunningham: That was the ultimate goal, was to get to a space where you could say look, here's, you know, here's an individual who has personality indicators that are X and then here's their activity, which is Y. But as those things start to intersect, you go, well, I'm going to apply another control. You know, like I'm going to now, because of X, Y and Z, now I'm going to remove administrative rights. Okay, well, administrative rights wasn't enough, now I'm going to put, you know, screen sharing on your machine. Like you, you continue to kind of just step it up a bit until finally either their machine and their access are so locked down they're no longer a threat, or they kind of go, like, someone's, someone's aware, right? And they, they stop the behaviour.

    Garrett O'Hara: Yeah, well, it's back to deterrent, they know that you're kind of watching. That's enough to, to stop them. You, a lot of this stuff is going to use machine learning approaches, I'm assuming, to build those patterns and, you know, the dreaded two letters of AI which, in our industry, definitely gets a lot of raised or rolled, rolled eyes when it's kind of mentioned. And, you know, as part of the prep for this, you've written a book called Cyber Warfare: Truth, Tactics and Strategies. Cracking read, by the way. So anyone who's listening, definitely recommend it. It's accessible, well-written, so solid, solid stuff. But you talk about AI in that book and some of the, you know, maybe misunderstandings is the word. Can you kind of walk us through your perspective of that?

    Dr Chase Cunningham: Yeah, well actually, funnily enough, I actually just published another book specifically on AI, gAbrIel, which is a, it's a novel but it's all based in real technology. So, and that's all about artificial intelligence. But, like you said, I think, I think where we get lost is people get stuck in the marketing side of AI and we don't [inaudible 00:24:43], we don't want AI. I think Elon Musk has said that, you know, and everybody seems to listen to him. We don't want AI, like, that's a bad thing. The last thing we want is some entity that's non-human making decisions based on its, sort of, thoughts. That's, that's not cool. What we have is we have machine learning powered by really good process and compute, and really good mathematics. And all you're getting out of that is input, output sort of decision matrix. And that's fine. Like, that, that's where there is some value. You get some up-level capabilities, ah, and you can do things quicker, better, faster.

    Garrett O'Hara: Yeah, and so when you talk about quicker, better, faster, what's the utility in cyber for AI from your perspective?

    Dr Chase Cunningham: Ah, really it's in, in augmenting the human sort of capacity that we have. Ah, you know, if you think about a lot of what we, sort of, say. Ah, the US I know especially, we say there's a, a lack of human capital in cyber, and I fundamentally disagree with that. I think what we have is, ah, lack of technology optimization to make humans better. And that's what ML really gets you is, I can have one person do the work of five or 10, and then I get the capability that I'm looking for from that one person. And as you, as you do that, you're upscaling and you're offsetting costs, and that's where there starts to be some real wins.

    Garrett O'Hara: Yeah, and I, I noticed you used the word "augment" there, which I think is, is probably really, really important because, to your point, you know, the marketing brochures would have you believe sometimes that, you know, you roll out a sort of technology solution and then everyone can go and, you know, have a cup of tea or a beer and, you know, come back when the work is done. But clearly that is not the case. We're not even in, in most cases it seems like we're not even close to that. Is that fair to say?

    Dr Chase Cunningham: Yeah, I mean, ah, it's a lot like, ah, autopilot on Tesla. You know, people, I've got autopilot on Tesla, I can just sit back and drink a Coke as the car drives down the road, and there's been quite a few people that have died doing that. It's not, you can't abandon control and you can't abandon the mechanical requirements of operating the vehicle safely. However, you know, if you're going down the road and if things are relatively, ah, safe and straight, you can let the machine take over and you can kind of not be totally engaged. So, it's one of those things where there's a reality side of it and then there's the marketing side of, like, it's autopilot, you don't have to drive the car.

    Garrett O'Hara: Yeah, absolutely. And then the elimination of noise I think is such a big thing that we talk about, you know, the amount of signal versus noise and the ratio that is just so off, so, so much of the time. You know, where people are working in security operation centres and spend the vast majority of their time chasing things that turn out to be false positives and, and nothing that needs attention.

    Dr Chase Cunningham: [inaudible 00:27:25] it's kind of like bo-bo tasking, you know, is what I used to call it.

    Garrett O'Hara: What, what's that?

    Dr Chase Cunningham: Where, like, why should I have an L3 engineer go off and reset someone's password that they forgot?

    Garrett O'Hara: Yeah.

    Dr Chase Cunningham: And that, that somehow or another funnels its way into the [inaudible 00:27:38] ticketing system, and you're like why are we doing this? AI, like, AI, "ML" systems can handle that. You know, so there's a way to take a lot of those kind of bo-bo tasks and put 'em up and say, look machine, you know, if this happens, do this.

    Garrett O'Hara: I'm going to have to ask for an explanation of bo-bo task. I've not, not heard that one before.

    Dr Chase Cunningham: I don't know where I got it, I just remember in the military, like, when we had people, we had tasks that were just kind of like, my god I have to do this again? We'd call them bo-bo tasks and it was like, any bo-bo could do this.

    Garrett O'Hara: Okay, there you go. I've got a picture in my head of, of Bobo, ah, and so the, the picture works. The, I've seen some of the stuff you've, you've been posting lately on LinkedIn. It's, it's kind of entertaining. It's the, the deepfake stuff with, with Braveheart.

    Dr Chase Cunningham: I don't know why I keep saying that when I do podcasts, I'm like, I'm slowly ruining my career but it's fun.

    Garrett O'Hara: Ah, it's awesome. It's very convincing. How did it feel to be [laughing], how did it feel to be Braveheart?

    Dr Chase Cunningham: Yeah, it was fun. I, ah, I've done, ah, gosh I've done Braveheart, I've done 300, I've done, ah, Ace Ventura, ah, Leslie Nielsen. I mean, it's just, it's kind of cool just to mess around and, you know, everybody's always wanted to be in a movie so why not just put yourself in one.

    Garrett O'Hara: It, a hundred percent, and you know, we're kind of laughing here but it actually, it's a pretty serious concern when you think about what you're able to do and the level of how convincing it is. I mean, there's little parts of it where you can sort of see there's something going on, but for the most part it's actually, it's, it's solid. You know, it's really, really convincing. Where does that leave us? You know, when you get to the point where when that gets really convincing and, you know, this is a leading question 'cause we're going to talk about influence attacks and, you know, a bunch of other stuff. But when you get to the point where I can see somebody who I clearly know isn't Braveheart, for various obvious reasons apart from the fact that we're not in Scotland and hundreds of years ago-

    Dr Chase Cunningham: Right.

    Garrett O'Hara: But, you know, for that moment it, it's convincing. I can easily see situations where you're my CEO or you're the leader of this country or, you know, fill in the blank.

    Dr Chase Cunningham: Yeah, I mean imagine a world where, like, I di- I go off and I target, I don't know, ah, someone that has 10 or 15 million followers on Twitter and those 10 or 15 million followers are really into a particular product. And then I go and get their Twitter account and I put a fake video up that says, "I'm no longer supporting this product, it's total bunk." And then you watch the stock price tank and you go off and buy the stock, and when it finally comes out that it's not them and it bounces back, you sell and make a profit. I mean, and that is stock market manipulation at its greatest. And today, like, that's a very real thing. Or imagine you do it for someone, like, I don't know, the Chairman of the [inaudible 00:30:21] Chief of Staff of the United States and you go off and post a video that says, I don't know, "Hey, China, we're invading you tomorrow." By the time it's, you know, it's figured out that it's not realistic, it could be too late, honestly.

    Garrett O'Hara: Yeah it's, it's deeply frightening stuff. Yeah, it, it really worries me. One of the things I think, I'm scanning my brain here, I think it was Equinix when that happened, there was commentary at that time that there were some transactions that maybe indicated, ah, there was a short contract on the stock at a very weird time given that it sort of plummeted very shortly afterwards. Anyway, yeah, like, the, the stock market manipulation is one that kind of has interested me for, for a while.

    I, I wanted to also, actually before we move on, in your book it's worth mentioning there's a, you have a picture of humans that don't exist.

    Dr Chase Cunningham: Yeah.

    Garrett O'Hara: Which, freaky, like so, so freaky. Definitely worth, ah, worth checking that out as well. But I wanted to ask specifically-

    Dr Chase Cunningham: We even created their fingerprints. Those fingerprints were realistic enough that it passed muster, so.

    Garrett O'Hara: That was literally what I was gonna ask, 'cause that was fascinating to me. You talk about the MasterPrint hacking, ah, fingerprints. I would love if you could just kind of walk us through that one.

    Dr Chase Cunningham: Yeah, so it was basically a, a research project, I believe it was Stanford or Berkeley, one of the two, and they said could we create fingerprints that would pass, ah, a forensic analysis as being realistic fingerprints and do it with absolutely not even, not even an image, just let, like, let the computer create the fingerprint. And sure enough it did it, and sure enough it was good enough to pass as a, a realistic human being's fingerprint. 'Cause there's things in your fingerprint that people don't realize that you can't fake. Like there's, there's certain ways that the skin does what it does and whatever else that you can't fake that.

    So, yeah, I mean they were able to do this and then on the far end of that it was like, well can we manipulate this and say, let's take someone's fingerprint and create a realistic copy, and then see if that passes forensic analysis, and it did as well.

    Garrett O'Hara: Which is a worry, given biometrics. Yeah, I mean there's a lot of, yeah, you know, the, the level of false positive, false negative balancing. Like, there, it's, [inaudible 00:32:29] binary. Like, and I know where, there's a [inaudible 00:32:33] password-less strategy. Any thoughts on that?

    Dr Chase Cunningham: I'm a huge fan of password-less. I think-

    Garrett O'Hara: Okay.

    Dr Chase Cunningham: I think we need more of the self-sovereign identity piece of that equation and I think we need more sort of multi-factor biometrics to make it really viable. But we're starting to get there a little bit. A little bit more day by day.

    Garrett O'Hara: And, and [inaudible 00:32:54], just given that you've highlighted, you know, with master prints the potential for [inaudible 00:32:58] a biometric and, and deepfakes for, you know, for faces and whatnot.

    Dr Chase Cunningham: The one thing in any, in any of those scenarios is always an, an additional out-of-band authentication. So some other way of saying, you know, ah, you know, what's the old triad. Something you have, something you are, and something you own. Making sure that, you know, there is a realistic human on the other end of that whole thing, like-

    Garrett O'Hara: [inaudible 00:33:21] Yep, no definitely get that. And it, and it maybe points to the complexity of the world we're operating in and, and your book, you know, Cyber Warfare: Truth, Tactics and Strategies, that, that, you know, covers cyber warfare and, I suppose, sort of lends to how an organization should think about that and some of the things that they could do to prepare.

    Be- when, when we spoke prior to recording, you said, and I'm going to get this wrong, but it was something along the lines of look, if you're firing rounds then you're, you've already kind of lost the battle or you're behind where you should be. Can you kind of talk us through your perspective of the, the landscape and, you know, we talked about the cyber threat landscape blah, blah, blah. But, like, you know, thinking more in terms of the cyber warfare, nation state type stuff, and what your, what your perspective of that is?

    Dr Chase Cunningham: Yeah, I think, I think the misconception a lot of people have, businesses and persons just in general, is it's cyberspace and the internet is kind of this thing you use to talk to grandma and look at movies and whatever else. When in reality, you're engaged in the first time in history that this is the first-level battlefield for every, every entity on planet Earth. And what I mean by that is-

    Garrett O'Hara: Yeah.

    Dr Chase Cunningham: ... North Korea can take on the United States and potentially cause, ah, a cataclysmic event. They can't, they can't, North Korea can't muster up the navy and sail across the Pacific and do anything to the US, but they can log in and shut something down and cause that type of attack. So the, it's a dangerous place. It is a real battlefield environment and you're engaged in it the moment you start sending electrons. So people need to wrap their head around it, and it's not, it's not meant to scare anyone, but it is meant to be honest about things and that's what I remind people in my workshops, is like, like you have to think about this realistically and not in kind of the, you know, oh it won't happen to me type of thing.

    It's a, this is a battlefield environment and if you're running around on the battlefield long enough, sooner or later a round is gonna get you.

    Garrett O'Hara: Yeah, that's true, a stray bullet.

    Dr Chase Cunningham: Yeah, that's exactly it. It may not be targeted at you, but you may just be in the wrong place at the wrong time.

    Garrett O'Hara: Yep. And, and you know, this is probably just based on time maybe the last question, but, you know, you talk about those stray bullets and ransomware might be one of those examples where, you know, you can see the kind of fall-out of spray and pray attacks where I think we're starting to see the, the penny drop moments, with many of the Governments, ah, around the world, where they realize oh, you know, it, it could be that, ah, a water dam or a, an energy grid or a healthcare provider or whatever, gets caught by ransomware. And, you know, and then we're talking about the potential impact to human life. It feels like we can't have a, a sort of podcast or street conversation these days without talking about ransomware. It would be great to get your thoughts on, like, where we're at today, where you see that evolving.

    Dr Chase Cunningham: Yeah, I mean ransomware's become the kind of tool of choice of, of cyber criminals and the underground as well as nation states, 'cause it works and people will do whatever they can to get back to that data that they've lost. But in reality when you look at the, the, I like to always think about the physics of the problem, ransomware works because of a few very basic things, such as excessive privileges, lateral movement, a couple of other things on the operating system. And anti-virus does not stop this type of thing from occurring, 'cause it's native to the OS. Like, if you want to think about it another way, like, ransomware is very much like, is much like cancer within a human body. Cancer is, is your cells going rogue and doing things, but they're still native to your operating system, which is you. And that's why cancer grows.

    Same sort of thing in ransomware. You can't think of some sort of, ah, thing that doesn't deal with the physics of the issue as, as far as limiting ransomware. Like, you want to stop ransomware? I'll tell you how to do it in two steps, to begin with. Number one, don't allow USBs to connect to your computers that you don't know what's going on there. Number two, get rid of PowerShell. Shut PowerShell down, limit it, kind of deal. You solve 85% of ransomware right there.

    Garrett O'Hara: Yeah. Yeah, it's an interesting one. It feels like a boomerang in terms of the, the things that you can do to eliminate a lot of the problems that are out there that are often, to your point, you know, it's, in Australia we have the ASD Essential Eight, which is kind of like a top eight of go do these things and you're in a really good position as far as security goes. And these are not, like, shiny new, brand new technologies. They're really, for the most part, things we've talked about for a really long time. But yeah, for, for whatever reason don't get implemented.

    I said the ransomware question was the last one but maybe one more, which is around the recent announcement of the kind of collaboration between the US, the UK and Australia. And, you know, clearly the, the nuclear subs have been headline news. But Joe Biden kind of mentions in his portion of the, the sort of holy trinity, when they got up and did the announcement, ah, that cyber was part of this. And given your background, yeah, look, any thoughts on that? Is, is there, is there a mountain somewhere with people in the US that have, you know, people in Australia on speed dial where they weren't on speed dial before? Like what has-

    Dr Chase Cunningham: They were there before.

    Garrett O'Hara: They were, yeah right.

    Dr Chase Cunningham: Now it's just been a little more, a little more press put on it. But, ah, I mean the good thing is, is, you know, and I mean I worked in the intelligence community. Like, we've been collaborating for a long time so, like, that, that's been well established and there's lots of good things going on there. I think what's the real value proposition in this is, is that we actually realize collectively that we have kind of a, a dedicated effort needed to combat threats, and that's because we're connected.

    Garrett O'Hara: Yeah.

    Dr Chase Cunningham: The more connection we have, the more defensive space we also have, so we have to collaborate to do that better. And, you know, Australia, you guys have got one of the biggest cyber warfare operations on the planet in your backyard. You've got China and North Korea right there, so, and the UK is not that far from Russia geographically. The US, we're lucky, we're kind of a big island in the middle. So I mean, you know, we need to have those, ah, those assets on either side of the planet.

    Garrett O'Hara: Yep, yeah it's definitely interesting times. It does feel like we're, I mean, it's funny, to your point we're geographically isolated but, you know, proximity matters less, to your earlier point, when it comes to cyber. But it, it's funny how those two overlay or interact because of, you know, proximity. We're doing trade and there's relationships there that then become, that play into the reason why [inaudible 00:39:36] becomes more important to us as a region. But yeah, interesting to see how that one plays out going forward.

    Ah, Chase, thank you so much for joining us. Fascinating conversation. We'll put links to your, to both books actually, Cyber Warfare: Truth, Tactics and Strategies in the show notes, and then Gabriel as well, which by the way, in reading it, it did sound a little bit like Skynet. You know, AIs going to, it's, it sounded pretty intimidating based on what you'd said earlier about AI. But definitely looks like a good read. So we'll put links to that in there as well.

    Dr Chase Cunningham: Yeah, thanks. I, I, it's my first foray into fiction sort of stuff so I'm super, I'm like waiting with bated breath [laughing].

    Garrett O'Hara: Good times. Yeah. It, it sort of looks like a really interesting, ah, concept. I haven't s- you know, not that I'm that well across all the fiction world, but it looks like an interesting angle on a story and I don't know that I've seen it before. Sort of like, it feels maybe a little bit like, is it like a Jack Reacher series and are you going to be the new, the new, I can't remember the author's name now.

    Dr Chase Cunningham: Tom Clancy? Yeah.

    Garrett O'Hara: Yeah, like, do that after cyber?

    Dr Chase Cunningham: Yeah, that'd be fun, ah, provided somebody reads the book other than me and my mother, yeah.

    Garrett O'Hara: Well, well based on the enthusiasm I saw when you posted online about it I'm sure it's going to do really well. But thank you so much for, ah, for joining us. It's been an absolute pleasure to, ah, speak to you. And yeah, hopefully look forward to doing it again in the future sometime if you're keen.

    Dr Chase Cunningham: Any time. I appreciate it, thanks for your time and, ah, thanks for spreading the, the word on the far side of the pond.

    Garrett O'Hara: Thanks so much to Chase for joining us for that episode and to Gabe Marzano for the recommendation and intro. Thanks so much, Gabe. As always, thank you for listening to the Get Cyber Resilient podcast. Jump into our back catalogue of episodes and like, subscribe and leave us a review. For now, stay safe and I look forward to catching you on the next episode.
