The Perception of Reality

Season Three · Episode 4

In this eye-opening episode of The Segment, we welcome Brett Johnson—once known as the "Original Internet Godfather" and a former U.S. Most Wanted cybercriminal. Now a reformed expert, Brett works to help law enforcement and organizations stay ahead of digital threats.

Transcript

Raghu Nandakumara  00:12

Dear Segment listeners, welcome back to another episode of our dear podcast, The Segment: A Zero Trust Leadership Podcast. Today, I'm so excited to be joined by the legendary Brett Johnson. If you don't know who Brett is, then just Googling him will probably give you a handful of results to give you his background. But let's just say this: he is a legend in the cybercrime community. I'd say now he's a reformed cybercriminal, educating and helping law enforcers catch the criminals. But at one time, he liked to be known as the “Godfather of Cybercrime.” So, with that, I welcome to this show — the first time we've ever featured someone who has been on the U.S. most wanted list, Brett Johnson. Welcome to The Segment!

Brett Johnson  01:11

Thank you so much. I appreciate it. I don't know if I'm legendary, I would say more notorious.

Raghu Nandakumara  01:17

Well, one person's notoriety is another person's legend, so I think it's a bit of both. So, Brett, it's great to have you, and I'm so excited to speak to you. Your back story is really interesting, but you've covered that on a lot of podcasts and sort of TED Talks, etc., that you've done. But one constant theme that I'm going to start with, and you repeat this, and I've got it written down here, you say the perception of reality is more important than reality itself. Let's start there. Explain.

Brett Johnson  01:47

Sure, it doesn't matter what the truth is. It matters what I can convince you of, all right? And the interesting thing is that we see that now more than ever, more than ever. Does it really matter? Does it really matter what team DOGE is doing, or does it matter what they're convincing you that they're doing? And that's the whole point. Now, when I was a criminal, what that actually meant was, hey, it doesn't matter if I actually own that bank account. What really matters is if I can convince customer service of your bank that I'm you and that I own the account. That's what really matters. The truth doesn't matter at all. That's what I was talking about back in the day. These days, that's changed, though, and if you think about it, if you're looking at an online attack, there's only really three motivations for why that happens: it's status, it's cash, or it's ideology. It's status, I'm trying to impress my criminal peers. It's cash, I'm trying to make money. Or you've pissed me off, and I'm trying to get you. If you think about those motivations, and you think about that statement, “The perception of reality is more important than reality itself,” that matters, because now it's not just about cash. Now it's about different ideologies. It's about political agendas. It's about convincing a populace that something is right or wrong, whether it is or not. That statement has, geez, man, from when I started saying that back in the Shadow Crew days to today, that statement, I think, is now more important than it's ever been.

Raghu Nandakumara  03:28

Yeah, absolutely right. And I think you absolutely hit the nail on the head there, with particularly sort of the weaponization of the internet, right, and all kinds of media platforms, the weaponization of AI, particularly in that area, right? To be able to create a perception that is more believable than reality, that is added to the uncertainty of the digital world. That's my perception; what are your thoughts?

Brett Johnson  03:56

I'm glad you brought up AI. So, the perception of AI since its real implementation, over the past couple of years, has been, hey, criminals are using it en masse. And really that's not been the truth. There's been a lot of chatter on the criminal side, but as far as actual use cases, there's not been many. But now that being said, here's the interesting thing. I mentioned just a couple of moments ago the motivations for online attacks: status, cash, ideology. Think about business email compromise. That's a cash-based attack. That's something that I'm looking to profit from. It's me trying to convince that company to send a payment to me instead of the existing payee on their system. Now one of the ways to do that, the most popular way, the most successful way to do that, is using a Unicode domain and convincing them that the new email address is the actual email address. One of the things that's really effective, though, is using deep fakes, whether the deep fake is audio or video. Now, it's very successful, and if you think about it, and I'm sorry to be kind of bouncing around on this, in order for me to defraud you, I have to get to that potential victim, whether at a company or an individual. I have to get that potential victim to trust me. How does trust work in an online environment? Well, it works through tools, through technology, and then finally, social engineering. So, the technology: we inherently trust those cell phones, we trust our laptops, our desktops, we trust the websites we go to, the software we use, the hardware we use. We don't really understand that attackers use a variety of tools to manipulate that technology, so that we don't see the phone number that they're calling from. We see the phone number of a client. We see the phone number of a financial institution. They use spoofed phone calls. They use SOCKS5 proxies so that we don't know that they're coming from Ghana or Nigeria or Alabama, like I am.
We see them coming from Europe or New York or Brazil. So, they use those tools to manipulate the technology, and that tends to open the door of trust. Once that door is open, we see how good of a con man, a liar, or, if you're in tech, how good of a social engineer that attacker is in manipulating you into giving up information, access, data or cash. And this is where deep fakes come in. So, we inherently trust that technology. We inherently trust that Zoom call to be the person that is supposed to be there. And our eyes are tricking us into thinking that, yes, that is the CEO of the company. That establishes that trust, that layers that trust. And that convinces that payroll person to send that payment over to whoever. Now, where AI is actually starting to play a role in this, and AI is being used by criminals to a degree, we're seeing it layer trust and stuff like that. Where it's becoming really effective is in the deep fake creation process. Because deep fakes have historically not been real time. It's been something that had been recorded and then put forth toward that victim. But as deep fakes continue to progress and evolve, we're getting to the point where deep fakes are going to be real time. So, for a cash-based attack, you've got the CEO of your company that's having a real time conversation, no delay whatsoever, having a real time conversation with payroll: “I need you to send this payment to this new bank account. They've changed addresses, and do it now.” Well, that's very effective, and that's going to work like a charm. That's just one motivation for a deep fake, though. Think about that deep fake that, you know, we saw in the United States. We saw the United States blow up during COVID because evidently, law enforcement likes to shoot unarmed black men. So, the country exploded. We had riots. We had looting. What happens when we see a video in the future of law enforcement gunning down an unarmed individual?
The city explodes, then a couple of days later, it comes out, hey, turns out that was a deep fake. Turns out that the assailant did have a gun. The assailant was firing on law enforcement, but artificial intelligence was able to remove and edit that video and create a new video where it appeared that law enforcement was just wantonly murdering this individual. The damage is already done at that point. So, this is what we're going to see as far as deep fakes and AI go. Here's my worry. Right now, we're seeing the creation of deep fakes and the detection of deep fakes. It's kind of cat and mouse. So, you see, the attackers come out with a deep fake; maybe, or maybe not, the security company can recognize it as that. If the company doesn't, they tweak their algorithm where it now identifies the deep fake; attackers go out and tweak theirs, back and forth, back and forth. I really think that we get to the point, potentially, where AI is able to come up with such good deep fakes that the good guys aren't able to detect them in time to prevent the damage being done. And because of that, I really think that we stand a very good chance as a society of reaching that point where we're not able to really trust or believe anything. The perception of reality is more important than reality itself. It doesn't matter anymore. It matters what you can convince someone of.

Raghu Nandakumara  09:42

I mean, that sort of progression to that future state that you described is hugely, hugely concerning, because I think trust is so fundamental to everything that we do, to some extent or the other. Yeah. Whether that is in the real world or in the digital world, right? There is a level of implicit trust that we depend on. So, as that dependency, or our ability to depend on that, reduces, how do we combat that, right? So, how could we continue to function with confidence in a world where we're not able to differentiate between reality and fiction?

Brett Johnson  10:29

To me, it boils down to real personal relationships. How do you defeat business email compromise? Well, you defeat it by having a personal relationship with that CEO, not just online, but “Hey, can we talk? Can I pick up the phone and call you back?” Can I have that? Do we have this old school secret phrase that's not been discussed anyplace else except between you and me personally? Do we have that? So, it becomes going back to old school ways of security. It's more than that, though. You have to realize that social media likes to put us in our own little echo chambers. It doesn't like us being objective. It likes us being subjective. It likes us arguing with each other. So, it becomes this idea of you have to strive toward being objective, being open-minded, being accepting, understanding, and admitting when you're wrong. Which is very difficult if you're on Twitter, because once you admit you're wrong, the sharks are going to come in and eat you alive. But you have to understand that is not the real world. You know, we live in a society today that, over the past few generations, we've been trained that, hey, look out for number one. That's you. You know, you have to look out for you, because no one else is going to, but that is not the way a proper, functioning society works. A society is just that: a society. It's not individuals; it's everyone looking out for each other. Because when we look out for each other, everyone becomes better at the end of the day, more successful at the end of the day, and more profitable at the end of the day. That's the thing, and when we're looking out for ourselves, ultimately things fall. That's the thing. When I was a criminal, you know, and I still call myself a criminal, but when I was actively breaking the law, one of the reasons that I went into a life of crime, and I've put a lot of thought into this, one of the reasons I went into a life of crime is I wanted to be able to control my own fate.
I didn't want to have to rely on anyone else at all. And I'll tell you, when you're committing crime and it's successful, that illusion works like a charm. It absolutely does; that's 100% the case. But when everything falls, and it does, when everything falls, you come crashing down to the ground, you find out that real life depends on you working with everyone else and relying on other people. You know, a lot of men, we don't like to ask other people for things. We don't like to rely on other people. But the truth of the matter is, when I was given the opportunity of turning my life around, and I took that opportunity, the way that I was able to do that, yeah, it was my choice. But at the same time, if I didn't have a community, the cybersecurity community, the FBI, my friends, family members, associates, if they weren't there to support me and call me out on my bullshit when I had it, and I still do have some bullshit, if they weren't doing that, I would have never been able to be where I am today. I would be back in prison for 20 years. I'm absolutely convinced of that, and it's something that we as a society have to understand, that it's not just the single person, it's the group that matters, and it's helping each other that matters, because that's what we're supposed to be doing.

Raghu Nandakumara  14:12

So, talk about that concept of society. When you established or were running Shadow Crew, were there a lot of those properties of a civil society that came into how Shadow Crew operated, like that collectively, people were sort of helping each other to, I mean, yes, of course it was to support cybercrime, but was there a lot of that sort of implicit trust within that community?

Brett Johnson  14:42

So, I was in Dubai, and I'm going back to Dubai in a couple of months, but I was keynoting the security part of the GITEX conference in Dubai, and I was on a panel, and I was listening to everyone else on the panel, and I was sitting there going, you know, they're saying a lot of nice stuff. And it finally got to be my turn to talk, and they asked me a question, and I ignored the question completely, and I said, “Hey,” and I looked at the audience, I was like, “Hey, do you want to know why the bad guys are winning and you guys are losing every single day?” And the answer is, and it's still the answer today: we, the bad guys, are better at sharing and collaborating than you guys. We're more of a, as you just mentioned, more of a society than you guys are. You guys are worried about regulations. You're worried about competitive edges, and you're worried about yourself. We understood that with Shadow Crew, and it's not like we sat down and we kind of plotted it out. We didn't. The genesis of modern cybercrime is actually three websites. It's Counterfeit Library, Shadow Crew, and CarderPlanet. I ran Counterfeit and Shadow Crew; a Ukrainian associate of mine, Dmitri Golubov, started CarderPlanet. Those three sites. It wasn't someone sitting down and plotting things out. There were problems that arose as these things grew, and we solved the problems. And that's how this stuff happens. One of the things that we quickly understood with Counterfeit and Shadow Crew is that it's important to share and exchange information. It's important to look out for your fellow criminal. And the reason we understood that is we also quickly understood that, hey, we're committing crime, and if we don't look out for each other, we're going to have a lot of security guys, and more importantly, we're going to have a lot of police officers in here that are going to arrest us and send us to prison forever.
So, it became very important to look out for your fellow human being. Yes, even though we were criminals, we absolutely looked out for each other. We helped each other break the law. We helped educate each other. If we had personal problems, usually we would handle those with each other. It became a real community. And that's one of the interesting things that we're not seeing that much anymore. You know, we live in neighborhoods these days where typically we don't know our next-door neighbor, we don't speak to them. We keep our blinds drawn in the front so that we can't see out and no one else can see in; we continue to isolate ourselves and live more of our lives online, in our own little echo chambers, where we refuse to even entertain the opposite opinion of someone else. If someone else has an opposing view of us, they all of a sudden become our enemy. And that is not the way to grow as people. It's not the way to expand your knowledge or your horizon or your outlook or insight into anything at all. But certainly, even today, if you look at criminal communities, whether it be on Telegram or on the dark web or even on the surface web, if you look at those criminal communities, you see that core of collaborating, of assisting, of looking out for each other, and it's unfortunate that that's more alive in the criminal world than it is in the good guy world.

Raghu Nandakumara  18:15

That's fascinating. It's concerning, because I think what you then touch on is that some of these values that historically we have sort of felt as being important for society, for a productive society, we're actually forgetting in what we call the sort of legal, right, or the non-criminal world. Whereas in the criminal world, some of those key qualities are actually preserved and in fact, sort of very, very rigorously practiced in order to be successful. I think that there is a lesson in that in itself, particularly around the sharing of information and the sharing of knowledge. I think that's so important. That's the only way we develop. So, I want to go back to the motivations that you repeatedly stress around cybercrime, right? Status, ideology, money. And I think we all sort of understand the money piece. We, to an extent, understand the ideology piece. But I'd love to get your perspective on status, or, as I'd say, right, when you, as a cybercriminal, just want to flex your muscles a bit, right? Just sort of show the guns, and just show you've been working out. So, how would you do that?

Brett Johnson  19:28

So, understand what I'm talking about is, and you see this, you know, I see it all the time on LinkedIn or on Twitter: some security or law enforcement guy, he'll post a video of some kid that's on Facebook or on Telegram waving stacks of cash, or some rap artist talking about all the fraud they're committing. And they'll typically say that guy is a freaking idiot. And the response is, yeah, that guy is a freaking idiot, but you're not really understanding or appreciating what's actually going on there. You have to understand that even though those criminal communities are all about making sure that everyone succeeds, those criminal communities are also big dog and little dog; that's exactly what those are. So, it's big dog eats little dog, and if you have a higher status, that means that you're respected more by every single member in that community, and that respect, at the end of the day, does equate to profit. So, think about it and understand that not all criminals are good, and by that I mean skilled. Some of them absolutely don't know anything at all. They're buying everything off the shelf, because these days, it doesn't matter what the crime is. You can buy every component of committing that crime off the shelf, ready-made. You can buy tutorials. You can take live instruction classes. You don't have to understand any dynamics of the crime that you're committing, and you can still succeed. So, if you're one of these guys that doesn't understand the crime that you're committing, but you're able to steal a lot of money, how do you gain the respect of members within that community? Well, the only thing that you have left is to be able to show: I'm able to steal 30 PS5s, I'm able to make $30,000 a week doing unemployment insurance claims, and you wave the cash. And that absolutely does matter at the end of the day. So, when I talk about that, it's: can you do something that no one else within that community can do? Can you build ransomware?
Can you deploy ransomware? Because that's what really matters. Can you launch successful social engineering attacks? Can you launch phishing campaigns? Can you do man-in-the-middle attacks? Can you build and deploy botnets? Can you use stolen credit card details to defraud Amazon or Apple when no one on the planet can do that? If you can, then you gain the respect of everyone within that community, and that respect matters. What that actually means is you will have members coming to you asking for your advice. They will share more information with you. “Hey, I just found out this is working in my area, this specific type of crime, and it's working against this company,” and then you can have them offline, on Signal or whatever, having a conversation with them. “Okay, how's this working? What tools are you using?” But it means you're more profitable, more knowledgeable at the end of the day. So, once that respect starts to build, you get more people coming in, sharing more information with you. You're able to then share that with other people, privately first, and then more publicly after that, and that increases your status overall, until finally, you start to become top of the food chain. Because again, it's big dog versus little dog, and that's what matters. So, status is one of these things that absolutely matters that no one really appreciates or understands on the good guy side, and as we're going forward, if you think about it, if cybercrime were a country today, it would have the third largest economy on the planet. That's huge, that's huge. And to dismiss or not understand the importance of status within those types of groups is really missing the entire point of why a lot of these crimes are committed.

Raghu Nandakumara  23:24

I mean, that's fascinating. And I want to ask you, so if you're able to share, what are some of the key things that you did to achieve that big dog, that Godfather status in the community?

Brett Johnson  23:37

All right, so, geez, man, where to start? So, when cybercrime as you know it today first started, I really was on the ground floor of that. The site was Counterfeit Library, and it was already an existing site. They had a forum on there that was defunct. Really, no one was using it. I was one of the first members of that forum. And the reason I was a member of that forum is I had been ripped off. I didn't know anything at all. I mean, I knew how to do eBay fraud and PayPal fraud. I didn't really understand the dynamics of a lot of cybercrime at the time. And I was looking for a fake ID, and a guy ripped me off. Big surprise. I got pissed off. Still needed a fake ID, and found this Counterfeit Library; what they were dealing with was counterfeit degrees and certificates, and that was the closest thing that I could find to a cybercrime channel at that point. So, I got on their forum. No one was using it, and literally the only thing I did was bitch, moan, and complain every single day about being ripped off. And about the same time I was on there, these other two individuals were there too. One went by the screen name of Mr. X; he was out of Los Angeles. The other one went by the screen name of Beelzebub; he was out of Moose Jaw, Saskatchewan, of all places. So, we became this kind of, you know, buddy group. We used to use ICQ to message each other. And one day, Beelzebub gets me on ICQ, sends me a message. I went by the screen name of Gollum. He was like, “Gollum!” I was like, “Yeah, man.” He was like, “I can make you a fake driver's license.” And I was like, “Well, dude, do it.” And he was like, “No, I'm gonna charge you for it.” Well, by that point in time, I had bitched, moaned, and complained so much that the real owners of Counterfeit Library, they liked me, and I knew him, and we got along really well.
He's like, “I would have charged it.” I was like, “Yeah, like hell you are.” He's like, “No, I'm going to charge you, man.” He said, “The reason I want to charge is, if you're going to be in this business, you have to be able to trust someone at some point.” Well, I was like, okay, so I told him, I was like, “Dude, I'm gonna send you $200, and when you rip me off, I'm gonna have your ass banned from this site, and I don't have to worry about you anymore.” He's like, “Bet.” I was like, “Okay,” so I sent him $200, I sent him my picture. A couple weeks later, I get a fake driver's license in the name of Stephen Schwake. Real guy, works to this day at ADP payroll, and I didn't know what I was looking at. To me, it was the best fake driver's license on the planet. Turns out it wasn't. It was passable, but you only need passable to commit fraud, and I used that driver's license to open up bank accounts, to cash out checks, all this other stuff. The deal became: Mr. X made a very good, or passable, social security card. Beelzebub made a passable Ohio driver's license. I didn't know anything at all at that point. I knew how to do eBay and PayPal fraud. So, the deal was, Beelzebub wanted to sell driver's licenses. Mr. X wanted to sell social security cards. I didn't have any skill, so Beelzebub proposed that I become the reviewer, and they would sell the products. I would be this outside, independent reviewer. Anybody that wanted to sell anything at all, they would have to send me a copy of it. I would learn how to use it, learn what was good and what was not. And that would build this community. And that's exactly what happened. It became this, almost a field of dreams, if you build it, they will come, for criminal activity. I became this reviewer. Every single product and service went through me, and at one point, that's exactly what happened. Every single business deal went through Johnson. So, I became this god: if I gave an approval, people made money.
If I didn't, people went bankrupt. So, I'm the guy that built the initial trust mechanism that criminals use: that process of review, of vouching for people, and what that means of escrow channels. I'm the guy that initially built that. I'm the first guy that sold stolen bank accounts, or not stolen, but created dump bank accounts online. I began to create tax return identity theft. So, the reason everyone's tax return is delayed every single year is this SOB that's talking to you right now. There's a host. I'm the guy who brought all the Ukrainians stateside. That associate that I mentioned from CarderPlanet, Dmitri Golubov, he saw the success that we were having with Counterfeit Library. He was a spammer. He was getting all these credit card details. And he was like, I wonder if people would buy stolen credit card details. Turns out they will. So, he picks up the phone. He calls his buddies. They call theirs. They have a physical conference in Odessa. 150 of these criminals show up, and they launch CarderPlanet, which is the genesis of modern credit card theft, as we call it. The problem with them: they had done so much fraud on the eastern side of Europe that all the cards were shut down. So, Dmitri comes to me, and he was like, “Hey, we need to be able to cash out.” So, I'm the guy that was responsible for bridging that Ukrainian, English-speaking relationship between cyber criminals that lasted, well, it lasted several years. It's still there to a point, but the number of criminal firsts that I'm responsible for is, Jesus, man, it's a lot. I mean, I could spend a lot of time on that. There's a reason that the Secret Service called me the original Internet Godfather, and it's not a good term. And there's a reason that I was on the United States' most wanted list. I'll tell you, boys and girls, anyone that's on the United States most wanted list, you're not a good guy at that point.
I mean, you're a dangerous dude. It's nothing to be proud of at all.

Raghu Nandakumara  29:30

They're not there to give you a medal, that's for sure.

Brett Johnson  29:33

No, oh well, they're there to put you in metal.

Raghu Nandakumara  29:38

So, let's switch over, because you've provided so much perspective there on essentially the cybercriminal and, to some extent, the attacker's mindset, right? And I think, going back, something that you said is, right, cybercrime is just going, like, it's increasing in volume, it's increasing in value. Like, what is it? If you now put yourself on the defender's side, right, what are the mistakes defenders are making such that it feels that we're not actually getting any better at preventing cybercrime?

Brett Johnson  30:13

A friend of mine, he posted on LinkedIn yesterday, and what he said, it's really kind of eye opening. And I've been alluding to this for a couple of years now. One of the reasons that cyber criminals are extremely successful is that when we act, when we do something, we do it because that's how we eat. If you're not successful, you don't eat that day. So, those social engineering attacks that are out there, there's a difference between how a bad guy does a social engineering attack and how a good guy does it. You know, a good guy, if you go to DEFCON or Black Hat, you've got the social engineering farm there, and everyone's stealing everyone's laptops and all this other bullshit. That's not how social engineering really works. As a social engineer, if you're really doing it to profit or to whatever the attack motivation is, you're trying to do something in the smallest way possible that causes that potential victim to think that they are just choosing to do that, and you don't want them to ever find out. Because when they find out, the gig's up. So, you've only got that space to act in. So, you want that space of them being unaware to be as long as possible. So, the way the good guys do something, I make the joke as well that, hey, DEFCON exists so that people can go and talk about exploits and attack methods that no real criminal will ever do. All right, that's a joke, but there's a lot of truth to that too. And I see this all the time, that people assume that they understand how criminals think, that “I can think like a criminal.” Well, no, you can't. If you could, you would be a criminal. That's one of the things I think people really miss out on. That doesn't mean that you can't anticipate what I may do. You can, but you have to be open minded. You have to be objective and not think that you know everything. And one of the problems, I also think, is that a lot of these companies have extremely large budgets for security.
I don't think that you have to have a really large budget. I think a really large budget means that we have to find something to do with all that money. And sometimes it works and sometimes it doesn't, but let's spend a lot of money anyway. I think, all that together, I think that proper cybersecurity and protection is not really public facing. It's not really romantic; it's just the nuts and bolts of doing the things that you need to do. We've got 8500+ security companies out there. We've got a lot of mass media out there that paints attackers as hackers, as computer geniuses able to break into any type of computer system they want to. That's not really the case. Attacks happen because 90% plus of all attacks use known exploits. Yeah, it's not computer geniuses. It's stuff that we've been told about for years, that we're not doing anything about. That causes the threat landscape that's out there. 90% plus of breaches start with phishing attacks. So, it's compromising the human. It's looking for known vulnerabilities. It's understanding these things. It's understanding an attacker. Most attacks are cash-based, and most attacks are opportunistic attacks. I'm looking for the easiest access that gives me the largest return on that criminal investment. If you understand that, and just put a modicum of security in, you're gonna be okay. But you have to do that. You can't just have a billion dollars. Some of these banks have a billion-dollar security budget, and I won't tell you which bank, but I was talking to their VP of threats. And I asked her, I was like, “Hey, why haven't you guys been hit with ransomware yet?” And she was like, “I don't know. I'll ask.” So, about three weeks later, she comes back and she says, “Well, I got with my boss.
He finally answers me, and he says, “Well, we have a billion-dollar security budget.” And I was like, “hell, that's a lot.” And she's like, “Yeah”, and then she said, “Then he paused, and he looked at me, and he said, and we're very lucky.” And I was like, Holy hell, luck is a strategy.

Brett Johnson  34:38

You know, if on the one hand you're saying you're spending a billion dollars on security, and in the next instant you're saying, “and we're lucky,” something is probably not right.

Raghu Nandakumara  34:50

That's brilliant, and I'm pretty sure that if they'd saved that billion dollars and just depended on luck, the outcome would probably still be fairly similar, probably similar.  

Brett Johnson  35:02

That's what's interesting. So, it's, you know, it's, it really is one of those things of just buckling down and not, you know, not thinking that you're a superstar, yeah, not thinking that it's a really romantic job. It's really about the nuts and bolts of things. You know, I saw a guy the other day. When I started speaking, there were two. There were actually just two real criminals out there that were speaking, me and Frank Abagnale. Now there's several more, and some of them know what they're talking about. Some of them don't. This one guy posted about fraud awareness and security awareness training, and he gave the figures of, you know, “companies that do security awareness training find a 63% decrease in attacks, and they save 50% of money.” And he didn't know what he was talking about, because security awareness, fraud awareness training, it works as long as the training is ongoing. It's not something that you do for a couple of weeks, and it's effective. For those two weeks, it's effective, and then the numbers go right back to what they were. So, it's understanding that you have to do things in the right way. It's not just a dog and pony show. When I was in prison, we had dog and pony shows all the time. It's something that you have to continue on and make sure you're doing things properly at the same time.

Raghu Nandakumara  36:20

I think just all of that is so on point, and coming from your background, I think it reinforces a lot of what continues to be said, but I feel isn't taken sufficient notice of, right? Because what you said was, this is not like cyber attackers, cybercriminals are like living off the land, right? It's the same set of exploits that they use, because all the toolkits exist for known exploits. So, why would you go and have to create a new toolkit for a potential new exploit when you can just repurpose what's out there, right? It costs less, it’s less of your effort. And again, right, with just enough luck, you're gonna get that outcome, you're gonna cash out, and you're gonna be able to move on. So, when you said, right, it's, it's not doing necessarily the sexy new things, right, but being able to be brilliant in the most basic, the fundamentals of cybersecurity, right? That's essentially where the biggest opportunity lies for defenders. Is that lesson being heard?

Brett Johnson  37:32

You know, it is some places. It is some places. I think it's being heard more and more, the more public a lot of these breaches become. You take, for example, Colonial Pipeline. Colonial Pipeline. Why did that happen? Well, it happened because Colonial Pipeline knew that one of their VPN passwords was available on a dark web channel. They knew it, and they didn't do anything about it. They didn't change the password. That's why it happens. It happens because you know your password is solarwinds123, or that's one of the reasons it happens.

Brett Johnson  38:07

So, it it's if, you know, as that, as that stuff becomes more public facing, and as we understand that, you know, Colonial Pipeline tried to and Experian tried to put it off on an intern. You know, evidently, the same intern continues to be hired at all these companies that experience breaches, to hear them tell it. I think as more of that information becomes public, and as we see how these attacks are, not usually sophisticated attacks, but just opportunistic attacks. I think that the understanding that, and as we continue to have conversations like this, I think the understanding the awareness gets out there of, hey, it's not these sexy things, it's not these computer geniuses that operate in the shadows that no one can catch. It's not. It's these guys that are scanning these things. They're reading white papers. They're being diligent about looking for access. They're understanding that if they're in one vertical and they're able to compromise a company in that vertical with this attack that hey, probably this same attack will work in these other companies in the same vertical. So, it's understanding these things. It's understanding, it's sharing and collaborating. If I'm a company in a specific vertical, like infrastructure, financial, or whatever, and I'm seeing my company hit with this specific attack. If I'm sharing and collaborating with other companies in that same vertical, then that means those other companies can protect themselves before that attack happens. If I'm not doing that, then that means that I'm trying to work a competitive edge that I'll, you know, I'll implement security here and let my other competitors be eaten alive. It's, it's under, it's being open minded. It's being objective. It's understanding as we started out with that we need to look out for each other. It's, it's more than just looking out for ourselves.  

Raghu Nandakumara  39:56

To that extent, do you think, with a lot of what is, like, regulations, etc., that are evolving over time, and there's a huge amount of importance being placed on reporting, a reporting of incidents, a reporting of impact, and so on. Do you think that is driving a much more transparent culture? Do you think organizations are more comfortable in reporting cyberattacks?

Brett Johnson  40:19

I'm not sure if they're more comfortable. The issue, take regulations, we tend to have people putting regulations in that have no understanding of the industry they're trying to regulate. You take some of those cryptocurrency hearings that were going on, you could see the glassy eyes of the senators and representatives that were like, and they're going to regulate things? Oh my god! So, that's one of the problems. Another problem is that the reporting, while I'm all for it being made public, I'm also for giving an opportunity to those other potential victims to secure themselves before it's made public. Because why was Equifax hit? Equifax was hit because Apache announced a patch. Equifax doesn't put it in; within 24 hours, they're eaten alive. I think that time needs to be given before it's made public for these other companies to put security in place, because an update is just a broadcast to every single criminal on the planet telling them which door to knock on. Yeah, I think there needs to be some sort of regulation in there that a company that's breached needs to first be able to share that with other companies in their vertical, those other companies need to immediately act on that, implement proper security. And at that point, it could then be made public so that those other companies aren't victimized by that announcement of a breach.

Raghu Nandakumara  41:51

I think that's a really good point because, and you kind of spoke about it earlier, right, as well, is that when an organization in one particular vertical is a victim of a particular cyberattack that is exploiting a particular vulnerability or so, more often than not, that same sort of set of technologies is being used by the vast majority of the peer group. So, you're right. So, like in the case of information sharing, it should be sort of like prioritizing sharing within your peer group, but also it's almost like Chatham House rules, right? That is, share it, but don't make it public till we've had enough time to do our own due diligence and ensure that we're at least protected, right? Because next time, one of us will be here and we're going to share it with you guys, and you're also going to benefit in the same way. So, just before we move on to the next thing, right? So, we see a lot of focus at the moment, and actually the last few years, since, sort of, MITRE codified the ATT&CK framework, and we see a lot of focus on, like, tactics, techniques and procedures. And my perspective on this is that attacker tactics really don't change, right? It's the same set of tactics that are repeatedly executed; the techniques and procedures may alter based on the technology, based on the maturity of the organization that they are trying to sort of attack. Like, I think sort of that understanding of TTPs is important. Do you think that we are overly focused on the TTPs versus, like, going back to what you said, addressing the root cause of why those TTPs are accessible, which is a lack of the basics? What's your perspective?

Brett Johnson  43:27

I think that first and foremost, you need to address those root causes, absolutely. At the same time, you know, like, like the AI chatter, you know, we've got, every company wants to have some sort of AI component, and every company wants to say that criminals are using AI. You may make a very good point, and this is what I say, I say that a criminal or an attacker is not going to change the way they're attacking unless something forces them to change that. Yeah, you know, why would I? Why would I start using AI if I'm already wild, wildly successful with what I'm doing? I wouldn't, I wouldn't. There has to be something that forces me to change. You know, to answer your question, I think that you absolutely, by all means, need to continue on with the TTPs. I don't think that's a bad thing at all. But understand that there's a lot of extraneous chatter out there that's trying to sell a security product. You know, that's, why would I need to use AI? I actually have a use case for that before you start making that argument. As I said, it is being used to a degree by criminals. There's a lot more chatter than use, though. Understand the idea of what is forcing an attacker to change, and then play with the TTPs from there, but at all costs do the nuts and bolts of proper security. You know, you can't overstate that 90% plus of attacks use known exploits. That's NotPetya in a nutshell. You know, plug that and you're going to be more secure than not.

Raghu Nandakumara  45:06

Yeah, totally. And I think that that's such a, it can't be repeated enough. And I think actually combining those two points that you made, if you address that 90%, you're automatically going to force a change in the attackers' behavior, because those things that live off the land, you've kind of not used these words here, but you have in previous conversations, is, there's not significant technical sophistication in the majority of attacks, right? They're living off the land. But if we limit or minimize how much of the land they can live off, right? That is going to force increased technical sophistication, which is then going to either make it harder or give us more ways to detect and respond.

Brett Johnson  45:54

You're right. I've not really specifically addressed that. We are not computer geniuses. All right, some of us are very good. Some of us even are. But you don't have to be a hacker, you don't have to be a computer whiz kid in order to victimize a company or an individual, in order to succeed, you don't have to do that. What I do have to do is share, exchange, and collaborate with each other. That's the only thing I need to do to be wildly successful. Understand that, if you can get it out of your head that these attackers are sophisticated and computer geniuses, that point pretty much levels the playing field, that allows you to be open-minded enough to say, hey, these guys aren't geniuses. They're not, they're not really bright. I mean, some of them are, some of them are not. But once you open your mind to that, that allows your mind to start being able to say, “Hey, I can fix these problems.” I can. It is just the nuts and bolts. It's, it's scanning the landscape and saying, hey, turns out I've got these ports open that they've been bitching about for years, that I need to close, stuff like that. It turns out I'm, I'm, I'm allowing remote access. Yeah, yeah, it's stuff like that. So, you fix that and you're going to be okay. Honestly, it's not, it's not really complicated. It's not.

Raghu Nandakumara  47:17

I really like how you phrase that, because it's think like an attacker, but actually remember that the attacker is trying to do the simplest possible thing. So, think about what the simple things are that you need to address, and that's going to give you much more bang for your buck. I think that's what you're saying.  

Brett Johnson  47:36

Yeah, you start there. You start there. I'm not I'm not looking if most attacks are cash based, and they are, I'm looking for the easiest access, and that's why, that's why you come with that layered approach to security. Understanding that if I'm attacking you because of an ideological reason, I don't care how much security you've got, I'm looking to get through every single thing that you've got. And that's a problem, because every single security component that you've got that's in place, I can bypass if I put enough effort into it. But ideological attacks are a different type of attack. Most attacks are cash-based or status-based. So, that means that layered approach to security, you're trying to put so many layers in there that it's not worth my time or effort to go through them. I'm going to find another victim. Yep, and that's what matters.  

Raghu Nandakumara  48:27

Yeah, absolutely. So, let's kind of change track a bit, not massively. When organizations ask you for your advice about how they should improve their cybersecurity strategy, right? What is it that you typically offer them as those pearls of wisdom as a former cybercriminal?  

Brett Johnson  48:47

Well, we're talking about that right now. It is sharing, exchanging information, and that's one of the reasons I'm big on conferences. At least at conferences, you are able to meet other people that are in the same vertical that you're in, that work in the same type of positions that you work in, that even though rules may be there that you're not supposed to share and collaborate, you can pick up the phone and say, “Hey, Bill, this is what we're seeing over here. Maybe, maybe you want to do something about that.” So, you at least have that ability to make those connections and that network there that matters at the end of the day. The other thing is understanding, like I said just a moment ago, I don't care what the security service or product is that you've got in place. There is, there is no silver bullet. There's not. You'll have security companies that are out there that will say, “You only need my product. It's going to cure everything.” That is what we call cybersecurity pillow talk. That's the same thing as saying, I'll still respect you in the morning. No, they won't. So, understand, understand that it takes that layered approach, but also understand that if you know why you're being attacked, status, cash, ideology, if you know who's attacking you, and there's only seven different types of attackers, you've got criminals, you've got hacktivists, you've got terrorists, you've got nation states, you've got insiders, you've got hackers for hire, you've got script kiddies. Those are the seven. You know who's attacking you. You can figure out why they're attacking you. From that, what are they looking for? Well, they're only looking for information, access, data, or cash. So, if you can understand those things, who they are, why they're attacking, what they're looking for, and design security around that, what is that individual looking for?
It's, it's, you're not going to try to design security for something that no one's ever going to attack you with, absolutely so. So, concentrate on what they're looking for, who they are, why they're attacking, design security. It's understanding your place in that cybercrime spectrum, because you've got one. And the way that I'll attack you, it absolutely depends on who you are and what you do. Figure that out. Design security, do the nuts and bolts. You know, I'm not the guy... I talked to a guy, geez, it's been, it's probably been five years ago. He worked at a financial institution, and he's like, “Hey, we got Splunk.” I was like, “Yeah.” He's like, “I don't know how to use Splunk.” I was like, “Yeah, it's its own language, isn't it?” He's like, “Yeah, it's really difficult.” I was like, “So, what are you doing with it?” “Well, we've got it hooked up to a computer, and it's not connected to anything.” That’s the guy who has got more of a budget than you need, you know, and the federal government's bad about that, of giving budgets, and whatever the agency doesn't use has to go back, so that agency tries to find things to spend that money on. A lot of companies are like that. You know, it's, if we don't use the budget, they're going to cut our budget next year. That's the wrong way to think. You need to get past that mindset and understand that your function is securing the environment for you and your customers or your clients. And we're not there yet. We're absolutely not there. But that's what I talk about, is that, you know, I talk about, if the types of components, you know, if you're in, if you're in financial, do you have that ID verification component, do you understand how attackers can get past that? So, then you need these other components in there as well to make sure you're looking at things, it's, it's looking at the data overall. Like I, I worked for a company a couple years ago, and they made, they made me their Chief Criminal Officer.
It was a gimmick. It was absolutely a gimmick. They deny it to this day: “Oh, no, we're serious. You were.” No, it was a gimmick. So, while I was working there, we started to see this man-in-the-middle attack, and it's because attackers read white papers. And they've been reading white papers for years as well, and they've understood that, hey, there's this push to get rid of passwords, so you're seeing a lot of session tokens being stolen now, a lot of cookie injection attacks. It was that attack, and still to this day, that attack, that is very successful against a lot of financial institutions. And the reason it works is because that financial institution is simply relying on that cookie. If you've got the cookie, you've got to be the right person. But if they took the time to look at all of the data that's available for that account, then they would see a change in device, or they would see a change in IP, or they would see these different anomalies pop up. So, what I also talk about is looking at the data, because that matters. The data will tell you the truth of the environment and the transaction that's happening. If you're not looking at the data, or you're just looking at small parts of the overall data, you're doing yourself a disservice and your customers a disservice. So, it's looking at the data as well.

Raghu Nandakumara  53:45

So, do you offer any advice on, like, key strategies that organizations should adopt, like, sort of the top, top of the conversation we were discussing, sort of trust, and what trust means. And over the last sort of 10-15, years, the whole Zero Trust strategy has become sort of front and center, like, what are your perspectives on the right strategy for organizations to take Zero Trust, etc.?  

Brett Johnson  54:10

I think that I'm absolutely having it for Zero Trust. I think that, and I talk about this to a degree, it's, it's, I mentioned that earlier, in order for me to victimize you, I have to establish a degree of trust. And I really believe this, every new engagement between the customer and the organization should be from a Zero Trust standpoint. You know, it's not something that, “Hey, we've trusted you before. We know that this login or this cookie was valid from the last session. So, it's coming in again. You're good to go.” No, it shouldn't be like that. It's understanding that as an attacker, it's very easy for me to steal a cookie. It's very easy for me to steal an identity or a credit card number or fake a browser fingerprint, and come in like that. So, it's making sure that each new interaction is verified. And that goes back to Reagan, right? Trust, but verify. You know, yeah, I'll trust you, but I'm going to verify every single thing you're saying. That's, that's what matters. At the same time, and this is, this is, this is one of the things that continues to be hard for me to appreciate, you don't want to cause so much friction in that environment that the customer goes somewhere else. Yeah, that becomes a huge issue. And, yeah, you can stop all the fraud in the world. The only thing you have to do is shut down the website, it’ll stop it. You don't want to, you want to have that balance between security and friction, but that balance absolutely has to weigh more toward the security side. It has to. So, in the background, it's about putting things in place so that you're able to anticipate how much verification needs to be thrown into each interaction that's coming in there. You know, is it coming from a different IP than usual? Does it look like it's coming from a potential proxy or rerouting from someplace? What's going on? Is it a new device? Is it an old device that's coming in? Has that same device or same IP range accessed other accounts?
How many times did they miss the password? Is it an old password that's being used? Is it a password change request? I mean, all these things can be done in the background before the customer is hit with anything that would cause additional friction on their end. So, those are the things you need to be doing. Do everything that you can in the background to anticipate the potential for fraud and then act at that point. That's what becomes important. You know, there was a study done the other day on CAPTCHAs, basically that, I mean, they hammered the CAPTCHAs hard. And let's be honest, a lot of CAPTCHAs that are out there, they're nothing but friction for the good guys. And that's, that's, that's something that you have to be careful of, all right. So, it's doing things in the background so that you don't have to delay that customer.

Raghu Nandakumara  57:14

Which of these pictures has a cycle in it? Yeah, you end up, we were just talking about it, then you end up selecting everything, because suddenly everything looks like it's got some part of a cycle in it, and then it says wrong, try again, right? And then you're 40 minutes later. Yeah, yeah, exactly, exactly. All right. You've given us so much of your time today, and we could go on forever. Brett, before we wrap, why don't you leave us with an amusing anecdote that we could all learn from?

Brett Johnson  57:45

An amusing anecdote? Okay, yeah, yeah. You know, I talked about trust and the first real online crime that I committed. And people may have heard me talk about this before, but it's kind of a microcosm for the way most scams work. I was, I was in Lexington, Kentucky. I wasn't doing really well with street scams. Found eBay, liked the hell out of eBay. Didn't know how to make money. And one night, I was watching Bill O’Reilly as the host of Inside Edition. They were profiling Beanie Babies, and the Beanie Baby they were talking about was Peanut, the royal blue elephant, selling for $1,500. So, I started looking for Peanut. Can't find him. I ended up buying a gray Beanie Baby elephant for $8, stopped by and bought some blue dye, went home, tried to dye the little guy. Turns out he was made out of polyester. Wouldn't hold dye very well. Get him out and he looks like he's got the mange. But I ripped the lady off of $1,500. I found a picture of a real one online. Posted it. She thought I had the real thing. She wins the bid. I ripped her off of $1,500, and that's when I learned the first lesson of cybercrime. She knew who I was, but if you delay a victim long enough, you just keep putting them off. A lot of them, they get exasperated, they throw their hands in the air, they walk away, and they don't report the crime. So, that's really the first lesson. Most people don't report the crime. Most people give up. All right, so that's the first lesson. But also, it's understanding that that one thing is also a microcosm of most of these scams. You've got a victim there, a potential victim that has a desire for something. They're wanting something. Well, that desire allows me, as a criminal, to more easily gain that victim's trust, to make sure that they're reacting emotionally, not rationally or logically. So, she trusted the eBay platform. She trusted the technology.
She didn't understand that I was using a tool, a picture of a real one, to gain trust, to open that door of trust. Once that door was open, how good of a social engineer, how good of a liar am I in manipulating her to give me cash? Which is what I did. So, the desire of the victim, the technology, tools, social engineering to establish trust online, and then finally, that person giving up, walking away and never reporting the crime to law enforcement. All that's kind of a microcosm for the way most of these scams, whether it be in crypto or eBay or PlayStation 5 or what have you, all these scams work online. Understand that. Understand that it's a desire. You're wanting something, and that desire means that you're going to react more emotionally than logically or rationally. It's understanding that while the platform is there, there's no reason you should inherently trust it. Same thing for the technology: Zero Trust. You know, why should I trust it? There are attackers and there are predators everywhere. That's the anecdote I would use. Understand these things: in the real world, we tend to have a situational awareness that's pretty good. We know when we're in a bad neighborhood, when things are about to pop off or what have you. That does not translate very well to an online environment, but we need to understand that predators are everywhere. And if we understand that, that's not to lead your life paranoid, but that's to appreciate that, hey, attackers are everywhere. And if we understand that, our level of awareness will rise and we'll automatically be more secure because of that.

Raghu Nandakumara  1:01:19

Fantastic, I mean, I think that's a perfect place to wrap this particular conversation. Brett, it's been such a privilege and a joy to speak to you. So, thank you so much for your time and your honesty.

Brett Johnson  1:01:35

I appreciate it. Thank you so much, and I've loved talking to you, truly. Thank you so much.  

Raghu Nandakumara  1:01:39

Thanks for tuning in to this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at illumio.com. You can also connect with us on LinkedIn and Twitter at Illumio, and if you liked today's conversation, you can find our other episodes wherever you get your podcasts. I'm your host, Raghu Nandakumara, and we'll be back soon.