Grayson Milbourne is the Security Intelligence Director for Webroot, Inc., an OpenText company that focuses on endpoint security and threat intelligence. He joins me at the bar to discuss new and emerging threats, securing our homes during the COVID era, IoT security and cybersecurity trends we should expect to develop in 2021 and beyond.
SYMLINKS
OpenText
WebRoot
Emotet
LOLbinz
Egregor Ransomware
Detecting Deepfakes with mice
DRINK INSTRUCTION
LONG ISLAND IoT
1/2 oz Vodka
1/2 oz Rum
1/2 oz Gin
1/2 oz Tequila
1/2 oz Triple Sec
1 oz Sweet and Sour mix
Cola
Add all components into a shaker. Shake vigorously. Pour into a glass of ice. Top off with cola.
CONNECT WITH US
http://www.barcodesecurity.com
Become a Sponsor
Follow us on LinkedIn
Tweet us at @BarCodeSecurity
Email us at info@barcodesecurity.com
Chris Glanden 01:50
Today I’m here with Grayson Milbourne, Director of Security Intelligence at OpenText. Grayson, welcome to Barcode. What’s going on?
Grayson Milbourne 01:59
Hey, Chris. Not too much. Happy to be here.
Chris Glanden 02:01
So, for those that don’t know, OpenText acquired Carbonite and Webroot about a year ago. Would you mind telling us how long you’ve been with the organization, and also a bit more about your role at OpenText?
Grayson Milbourne 02:13
Yeah, absolutely. So, I work for the SMB and consumer division of OpenText, which includes Carbonite and Webroot. So, Webroot was actually acquired by Carbonite at the end of 2018, and then in 2019, Carbonite and Webroot were acquired by OpenText. But I have a long history with Webroot. I have worked for that company since 2004, and I’ve spent much of my career as a malware analyst, and eventually kind of climbed through the ranks and became the director of our Threat Research team at Webroot, and have since moved on into a product role, where I focus on ensuring our products are capable of providing efficacy against the most recent types of threats that we’re observing in the [inaudible 02:54] threat landscape. I also do a lot of thought leadership, and hence why I’m on this podcast. I like to talk about cybersecurity, I like to educate people, and this is a great vehicle to do such.
Chris Glanden 03:04
Yeah, man, for sure, and I appreciate you bringing that knowledge into the bar. I have to ask you about the impact of COVID on business. How has it affected you and your typical day-to-day workflow?
Grayson Milbourne 03:17
Yeah, so personally, I did a lot of travel before COVID and through that, I also worked from home a lot, and so I was already personally in kind of a 50/50 in-the-office, out-of-the-office split. But so now I’m just 100% out of the office, and I guess I’m somewhat fortunate in that I have a home office, and so working remotely for me hasn’t been that much of a challenge. If anything, I know my wife loves it a lot more, since I’m always around, and our pets as well.
You know, from a company perspective, being in software is actually a pretty great thing for working remotely compared to several other businesses that really require more of that in-person availability to operate. So, it was actually pretty surprising: within about two weeks, OpenText, which has north of 15,000 employees globally, transitioned to work from home to where we had like 97% of our workforce working from home, and of course, with how bad COVID is in the United States right now, we’re still in that. Almost everybody is working from home.
But ultimately, that’s actually been pretty good for business because, well, we did close several offices, and I think I’m sad about that, and I know several of them are not planning to reopen. But also then think about, did we really ultimately need those offices? And certainly, I liked the person-to-person connection, and I think Zoom and Teams and other platforms give you a piece of that. But what I’m really looking forward to is getting beyond the pandemic, and even if offices don’t reopen, I know at least OpenText, and I expect other businesses to do similar, is going to reinvest some of those savings into off-site get-togethers. So, we still have that social connection that is also very important in building and gaining trust and fleshing out ideas that often just don’t happen during the scheduled work meetings.
Chris Glanden 05:10
Yeah, it’s very hard to translate that over a virtual meeting. There’s a human element there that, you know, just can’t be replicated.
Grayson Milbourne 05:18
Right, like the conferences, and hence this podcast. I think, of course, going to the conferences for the content is the primary goal, but I would say very close behind that is the network building and, you know, going to the after parties and just having a social element of things. I mean, come on, we’re human, that’s part of what we really love about life, and when you can blend work and pleasure together like that, I think that’s where real success happens. Yeah, no doubt.
Chris Glanden 05:42
So, for those organizations that plan to continue the work-from-home structure post-COVID, what are some of the risks they should be primarily focused on?
Grayson Milbourne 05:52
Yeah, so I mean, I think one of the things that we’re not going to see once the vaccines are out, and you know, we’re largely over the pandemic, is that we’re just not going to go back to a 90-plus percent in-the-office presence, and I know from an OpenText perspective, they’re aiming somewhere around a 50/50 split, and having offices for the things that we need them for, but you know, not requiring employees who could easily work from anywhere to have to come into the office. And so certainly, with COVID, we saw a rapid shift. I feel we were actually moving this way already, and what COVID did is I think it fast-forwarded us about maybe five or 10 years. But pretty much overnight, most companies had to become software companies to some respect. They had to start supporting, like, a VPN for their employees to connect to their home resources, and so basically the home became the new perimeter, and so for businesses to secure their workforce, they’ve had to scramble quite a bit to provide that, and I think even today, we’re pretty far away from businesses feeling very confident that their work-from-home employees are as secure as those that would be in the office.
So I think there’s a lot of challenges there, and I think one of the big ones is just personal devices versus managed devices, and it’s easy to use your managed devices when you’re at the office. You have your desktop PC there, or, you know, I did a lot of traveling, so I had a work laptop, which is great, it was small, but there’s no way that I want to work day in and day out on my little 13-inch laptop, and so at home, I have my personal PC. And we have surveyed lots of our customers to kind of get a gauge on this. It looks like north of 60% of work-from-home employees are using their personal devices to then connect to corporate resources, and this is often done through a VPN and then a Remote Desktop Connection, and again, just kind of what our data shows is, I mean, this shouldn’t come as a surprise to anybody, but consumer devices obviously see considerably more infections than their business counterparts.
We use our personal devices differently; managed devices have all of the security that the IT team wants to protect those devices, and it’s really one of the big things we saw: as work-from-home employees started installing VPN software to connect into their corporate networks, you know, those devices were already infected. You know, they didn’t have that same level of updates and being kept current with important patches, and so they ultimately just really introduced a soft point for access into corporate networks.
Chris Glanden 08:17
Interesting. So, let me ask you, then, do you think BYOD will become more relevant then because of that?
Grayson Milbourne 08:23
Yeah, and so this is kind of where I am expecting industry to pivot and provide solutions to solve this problem, and I think when we first started thinking about BYOD, it was, I think, largely thinking about mobile phones, and how do we kind of bridge this gap of the risk of mobile devices? But now I think really the D is my PC more than it’s… maybe my cell phone, just because I can do so much more on my personal device. And so, I think it’s like, how do we manage personal devices? And I think there’s lots of options. Obviously, Windows provides lots of flexibility here, and you could have several domain accounts on a single PC, and I think it’s just, you know, having a conversation with remote workers and saying that, hey, we want to be flexible. We don’t want to make life working from home worse. But if you have a device you’d prefer to use, let’s just go through creating an account on that device that we can then at least install managed security on and provide some data protection, so that you reduce that risk of compromise through providing the flexibility of using a preferred device.
Chris Glanden 09:25
Right, and depending on the end user, this could be a foreign concept for them. So, you also need to provide that clear communication and deliver the message of that initiative properly?
Grayson Milbourne 09:37
Yeah, and I mean, I think users largely are also concerned about privacy, and the reason that their personal devices see more infections isn’t solely because of the security that’s on those devices. We use our personal devices however we want, and when at work or using a work device, we’re pretty much focused on: this is a work device, so let’s use it for that purpose.
Chris Glanden 09:57
Yep, yep, absolutely. So strictly from a home user perspective, and concern for their own privacy while being connected to their corporate network via VPN, what controls could they implement that their organization may not specifically point them to?
Grayson Milbourne 10:16
Yeah, I think it’s just having the conversation initially and just explaining that, we’re concerned about cybersecurity risk, and I think certainly 2020 has already given us some great reminders of how important cybersecurity is to protecting business IP, protecting business assets. So, I don’t think most employees should be that surprised to be engaged by their IT team to have this conversation. But I think that’s kind of like, the first step is saying, hey, let’s bridge this gap.
Let’s make sure that everybody’s staying secure here, and we want to help with it, and it’s not a privacy thing, it’s a security thing. And then, of course, those things are kind of on opposite ends of the spectrum. But I think with transparency of what you’re protecting, your employees should feel confident, and of course, if the employee doesn’t want to allow you to manage their personal device, then you can say that, hey, well, we have a policy that you need to use a managed device for... for example, for connecting to corporate network resources.
So I think it’s a conversation that is just going to become the new normal, because working from home has so many advantages, and businesses see that employees are happier, they have more free time, they have more flexibility, and ultimately, I think it also opens up the job pool of candidates. And I know a lot of businesses shed some employees in this past year and are really looking forward to regaining some of that headcount and rebounding, and when we think about relocating and some of the complexities that go into finding the right job, working from home, or working from anywhere, as I like to call it, gives us that flexibility to not need to relocate and still be able to be effective.
So, I think overall, I mean, we’re in the very beginning of defining this new procedure for how we connect to our corporate environments, and I think one thing maybe to pivot on here is the home network. I mean, we’ve talked so far a lot about devices. But I think the device challenge in some ways, to me, seems easier to solve with software solutions and account creation that’s specific to the task. But then when we look at the home network, there’s so much more diversity and complexity there, I think.
So, I think that’s kind of where I’m excited to see industry pivot and attempt to solve that home network security challenge, which I think also creates a great opportunity to educate the employee base, and instead of users looking at their home network router as a black box, maybe getting familiar with that piece of hardware and understanding what it does, and what it provides you as far as visibility into what’s going on in your home. Which again, is even more important nowadays, when almost every new device that you buy for your house, whether it’s an appliance, or a TV or a receiver, or anything that pretty much requires electricity,
nowadays comes with an internet connection and the ability to remotely manage it, which is really cool. But most of these things are never built with security in mind. It’s an afterthought sometimes, and you know, because of this, we’ve seen lots of IoT botnets and things that are able to easily propagate, taking advantage of firmware that’s exploitable. And then what ultimately makes me nervous is, so many of these IoT devices are connected to your mobile phone through an app that they have you install, and again, the security and thoughtfulness about that is often not there, and so what we see is very poorly secured IoT-controlling apps. And when you think about that device, it’s on the network. You know, it knows passwords to get on the network. It’s aware of the other devices on the network, and it ultimately just, again, creates a soft spot for exploitation.
Chris Glanden 13:48
Yeah, I agree. IoT is developing at warp speed. What developments do you see happening with IoT in 2021?
Grayson Milbourne 13:55
Yeah, I think IoT security has been on the radar for quite a while, and there’s definitely no question that consumers love these devices. I see that only accelerating, and ultimately, just in the ways in which we’re able to add technology to things that maybe didn’t have them before, and so one of the areas that we’re seeing a lot of that is [inaudible 14:16] wearables and smart watches and smart health devices. And, you know, okay, it’s cool to be able to track my light bulbs and turn those off remotely, but all of a sudden, I have all this biometric data that’s being uploaded to a cloud and has a very intimate knowledge and awareness of myself, and so I look at that as something that really absolutely has to be security forward as we move forward with benefiting from these devices. Yes, it’s great to be able to track this information, but security in that space is critical, and so there are several ways in which we can go about this. One of the things I like is having standards, and you know, I’ve been an advocate for a security standard for IoT devices.
So, it’s kind of like something like ENERGY STAR for your refrigerator or your heater, so you know that it takes into account the energy savings. So, you know, if you had something else that was a security standard protocol that ensured that the devices were able to auto-update, that they had proper security practices in place, and it has an entity to validate that, then as a consumer, I would probably maybe shell out a couple extra bucks to buy an IoT device that I knew cared about protecting my data.
Chris Glanden 15:28
Definitely. It could be an IoT security verification check.
Grayson Milbourne 15:32
Right? I mean, especially when we start getting into really sensitive data, like, I’m sorry, but I just wouldn’t trust wearing a biometric device that uploads data to a cloud that, you know... So much of compromise occurs because of our trust of somebody else to do it right, and so, you know, how many times has a password of yours been hacked or leaked because the website that was holding it stored it improperly and got compromised? Right, this is not a rare occurrence, and with biometric data, I think that’s something that... Personally, I love this, I work in this industry, and privacy is very dear to my heart, and I love the benefit of technology. But at the same time, I think you have to be careful about the tradeoffs we make.
Chris Glanden 16:11
Very true, and yes, a verification system is much needed.
Grayson Milbourne 16:16
Yeah, we’ll have to see where it goes. But I think something like that is going to be needed, and it’s also, I think, a lot attractive to the consumer, and that combination typically leads to something happening.
Chris Glanden 16:25
Yeah, absolutely. So, what other challenges do you see us facing within the next year?
Grayson Milbourne 16:30
Yeah. So after 2020, I am really looking forward to 2021, but I think it still introduces a lot of new challenges, and based on what we’ve seen so far in 2020, and the fact that we’re not past this pandemic, there are several things that I expect to see. One is that the skills gap is going to continue to widen, and that’s unfortunate, and I think this is a skills gap that has been widening for several years, actually nearly a decade, and I think that’s challenging, and especially it’s exacerbated by all these companies now having to have an IT department or hiring an MSP to provide that remote connectivity for their workforce.
So, that creates an opportunity. I think whenever you have a skills gap, of course, you want to train and build that back up. But it also creates a great opportunity for industry to create solutions to help solve that gap, and I think Webroot, for example, has been in that business for a long time, and much of our focus is on supporting those SMBs and MSPs with easy-to-use solutions. We primarily play in the endpoint protection game. One of the emerging technologies for the last several years has been EDR solutions, or what I would call maybe XDR, because it doesn’t necessarily just need to be focusing on the endpoint.
Really, for things to be effective, you have to have that cross-platform visibility. So being able to understand endpoint type of MITRE ATT&CK framework [inaudible 17:54] type of data, but not only just looking at the endpoint, but looking at cloud and looking at network, and even mobile, you know, to basically be able to tie the dots together for when something has really slipped through. And unfortunately, I think the challenge with these solutions to date has been the volume of event data, and so I think what we’re really looking at is how do we make sure that when an event takes place that might be suspicious, we don’t overwhelm those who are responsible for monitoring and controlling that software.
So, I mean, if you need a dedicated SOC team to manage your EDR, is that necessarily solving your problem? And maybe for enterprises it is. But I think the SMB space is also heavily under-focused, and so I expect to see improvements in these technologies that really reduce the number of false positives, and then the R side, like response, and I think the R has always been very undersold in these solutions. You know, they’re like, hey, these are the problems.
But how do I respond to it has often been neglected, and I think largely because the solutions are focused at the enterprise level, and they expect you to have an IT team or SOC team that knows how to respond. But I think when we start looking at the lower market, these solution providers, like MSPs, don’t want to have to write the response plan, and I think these solutions are going to continue to mature. So we’ll see better response, like an all-encompassing solution that says, okay, it looks like you may have been compromised. You know, here’s what we can tie together. Here’s likely when it happened, here are the resources that you need to validate it, kind of giving a playbook for how to respond to security incidents.
Chris Glanden 19:31
Yeah, that would be nice. Let me ask you about cybersecurity spend or tool investment. What would be your advice to organizations in terms of what their top priority should be?
Grayson Milbourne 19:42
Yeah. So, I think I have lots of opinions in this answer. You know, one thing that I think is far underserved for our businesses’ employees is just education, and then when I think about... on an annual basis, I have to go through so many different mandated training courses, like for compliance, and it’s silly to me that there’s not a cybersecurity compliance standard, largely because the users are often the target, right?
So, if they get tricked into clicking on something, or take a phone call and get tricked into doing something, that’s how so many attacks begin. So, I think one of the things I’d like to see more of is just educating the workforce about the threats that they face, and keeping it current. Not to pitch our products, but one of the things we invested in several years ago was kind of leading the effort in this. We have a security awareness training platform that allows you to send out phishing attacks against your employee base, and it has lots of templates that we keep very current with examples from the wild.
So we’re in a constant process of discovering these types of email-based threats and phishing attack tactics in the wild, and then very quickly turning them into templates that companies can use. And what’s actually interesting about it is, you know, now that we’ve had this service out for over three years, we can look at our customer data, again, to kind of gauge the efficacy. And so there’s one way to look at the efficacy, in that when we start sending out phishing simulations against a business, initially people are clicking about 30% of the time, and after they’ve done maybe four or five trainings (we would recommend doing it on a monthly basis, just like a little stress test against your employee base),
after like three or four times, the rates drop below 10%, which shows that employees are getting smarter. But how does this really ultimately equate into the bigger picture? When we look at our customer base, for example, those that use our security awareness training and our endpoint solution see 90% fewer infections, 90% fewer infections, than an equal part of our customer base that doesn’t use security awareness training. And for me, it’s like, man, if you could just take a 90% reduction because you invested a little bit in educating your workforce about it. Because the threat landscape moves very quickly. We see within minutes of a news story being broken, you’re going to find sites that are going to index quickly to the top of Google searches that are malicious, and then we also see it seasonally.
So right now, we’re going through open enrollment for health insurance and things like that in the United States, and so we see that every year, like clockwork, email that attempts to take advantage of that, and they know it’s difficult; spam filters struggle to block things that are very, very similar to normal email. So, I guess I would start with education. I think that’s one of the least expensive and most effective ways to improve cybersecurity, and it really also fits along with this working from home, right? Like, let’s reinvest in making sure that we’re all a little bit more cybersecurity-aware. Understand how routers work, understand the importance of clicking Yes, update and restart, and monitoring your browser, making sure your browser is up to date. I mean, it’s not a very hard list of things to do. But I think if you go through it, it really makes a huge difference in security.
Chris Glanden 23:03
Yep, so tooling is important, but it’s not the silver bullet.
Grayson Milbourne 23:06
Yeah. I mean, absolutely. I wouldn’t only rely on education. But I think MITRE’s ATT&CK framework has been out for a couple of years now, and I think it does a great job of showing all of the creativity, and that document continues to grow as we see new evasive tactics used by threat actors, and I think it provides a good framework for understanding some of the critical points to have visibility. So especially with things like RDP, we see RDP as an entry point for compromise so often, and if you phish the right person’s credentials, you can get in, and in this case what we see often is that, you know, they’ll eventually get to a domain admin account, and then they’ll disable all the antivirus, they’ll disable all the backup solutions, they will do the reconnaissance and steal the data, and then they’ll deploy ransomware with a policy update across the entire network all at once, and that could all be prevented with stricter Remote Desktop Protocol access enforcement.
So obviously 2FA is one thing that’s important to do, and I’ll just touch on that one really quick, because one of the things that we’ve seen, again, is it done improperly. 2FA is an effective strengthening tool for authentication, but it needs to be device-separated, and what I mean by that is that, like on my home PC, if I connect to the VPN, I could install the second-factor authentication token generator on my same PC, or I can install it on my phone, and it needs to be on my phone, right? Because if my device were compromised, and somebody can just see my PIN, all of a sudden, if they were able to remote access my machine, they could then make that same connection without needing my personal device to get that PIN.
So, it’s like using 2FA properly and effectively. The other thing with RDP is just setting the access limitations and access restrictions. So that, as we see, RDP was developed without any sort of brute-force mitigations by default, and so you’re setting accounts to lock after two or three missed password attempts, and also just having visibility into where people connect from. And so there should be some patterns that look normal, and then it should stick out if you have somebody connecting, normally from this IP range, and all of a sudden it’s from somewhere else. So there’s lots of little things you can do to improve remote security. But I think that’s a big one that we ask our customers to really try to lock down.
So, cybercrime as a service is expected to rise at an unprecedented rate this year. What are your thoughts on that? Yeah, absolutely. So I mean, one of the biggest things that we see, so there are several big botnets that are out there, but the one that’s been the most resilient to takedown is called Emotet, and it’s been around for five-plus years now. Initially, it started off as a botnet that really just aimed to collect information about the devices that it had infected, and it’s sort of matured through its success and its ability to propagate, so that they now operate as what is exactly cybercrime as a service. And so it’s easy enough to get in touch with these guys and to request the ability to deploy malware, and so typically this is just done through providing remote access to compromised devices, and they certainly work with some groups much more than others, but you’d be surprised how inexpensive some of these credentials can be. And so what will happen is, basically, there are different levels of hacking organizations. You have very well-organized groups all the way down to your script kiddies, and those teenage hackers who are maybe trying just to explore more than really trying to create harm, but you often start with trying to gain access, and so gaining access can sometimes just be as easy as purchasing credentials. Remote Access Protocol will get you right in, and then basically you can kind of go from there, and depending on what you see in that environment, you will see either ransomware, or in many cases, if there’s not a lot of value or expected value, we just see remote access Trojans and things that collect data, or other times we’ll see, you know, financial-based Trojans and things that look to collect or interfere with the browsing experience.
But yeah, I don’t know, it’s one of these things that we see still very effective using social engineering as a tactic to propagate, and so for Emotet as an example, it typically starts as a spam email, has an attachment, and we see a lot of exploiting UPS and FedEx and all these delivery services as their bait, because here we are close to Christmas, and they know that people are, hey, did somebody send me something? Do I got to click on that tracking link? Like, should I open this document? And so they’re pretty effective at getting people to basically install the infection, and then once it’s installed, it gathers information, other email contacts, and basically then sends itself on. It propagates that way. But through that, I mean, they have millions of infected devices, and those can be used, again, for like a DDoS, for example, and this is really more, I think, for the larger organized crime syndicates that have more resources to maybe launch a DDoS attack at somebody. I mean, oftentimes, DDoS attacks are not really done for profit, they’re really more done for disabling something or taking something offline as... there’s several reasons to do that.
Chris Glanden 28:26
Exactly. It could just be someone out for vengeance?
Grayson Milbourne 28:29
Yeah.
Chris Glanden 28:30
So, what’s your take on ransomware at the moment? You see these extremely advanced ransomware variants, you know, now you have one that will send the ransom note to your printer?
Grayson Milbourne 28:39
Yeah. So, I think I’ve been following ransomware for a very long time. I mean, I remember, you know, the early CryptoLockers, and even before that really, what we always saw was fake AV, where they would try to tell you you’re infected, and just through this evolution, we’ve seen a lot of tactical changes, and certainly over the past five years since the dawn of CryptoLocker, and all the evolution since then, we’ve seen so many different things like the free file share that it works, tech support. Most recently, I even saw cold calling, and so I forget the particular ransomware variant, but they would start calling people or organizations that they had infected to, over the phone, try to convince them to pay the ransom, and so every year, what we see often is a rebranding.
So, there’s probably north of 200 different named variants of ransomware, it’s probably a bit higher than that by this point, and so, you know, rebranding is just a tactic to make yourself look new and different, but often through that process, we see some improvements in the overall functionality of how the ransomware operates. And so ransomware is obviously a very devastating type of attack to suffer, and so lots of technology has come out to try to identify that, to try to prevent that, and so what we’ve seen is ransomware shifting their tactics to use what we call living-off-the-land binaries. We’ve seen ransomware attacks that are entirely script-encapsulated, that use only Windows components to generate the key pair for encryption, to index the files, to do the encryption, to generate the note. All of that was done really without introducing any application to the environment.
So, we’re starting to see those types of tactics within the application itself, or within how ransomware is achieving its goal. But we’ve also seen shifts in who ransomware actors are targeting, and so for the last several years, and I think we’ll continue to see this, they’re focusing on the soft targets, things like government agencies, schools, hospitals. But oftentimes those are not very high-paying targets, right? Schools don’t have deep pockets; local government agencies don’t have deep pockets. Certainly, hospitals do not. So if they really want to haul in a bigger payload, what we started to see are pivots towards manufacturing, and so getting into the middle of a manufacturing supply chain. If you can interrupt the right thing, you then affect people downstream from you, and all of a sudden you have maybe more motivation to pay quickly. So, we see that with ransomware, specifically in the past year, definitely.
Chris Glanden 31:16
How about looking at the recent COVID vaccine cold chain attack? Do you see ransomware emerging there?
Grayson Milbourne 31:22
Yeah, you know, that’s interesting, and certainly, I mean, can you imagine if, like, Pfizer or, like, Moderna got infected, they would probably pay, and you know, it’s interesting. We saw some really big ransomware payouts in this past year. You know, Garmin got hit in June, I believe, and they paid out 10 million, and then we saw Foxconn get hit just a couple weeks ago and they paid out 34 million, and I was like, man, that’s a lot of money.
But I didn’t realize actually how big of a company Foxconn is, and they reportedly made $170 billion in revenue last year, and of course, revenue, not profit. But then we started doing some math, and I’m like, wait a second, $34 million is, like, really small change to them. If you really wanted, why didn’t you ask for, like, 100 million? Like, even 100 million for a company that makes 170 billion annually is, again, it’s like… I don’t know.
So, I honestly predict in 2021, we’re going to see 100 million or better ransom paid. I mean, I certainly expect, like, phishing campaigns and these things to continue to use COVID, especially with the vaccine, and unfortunately, we’re just not out of this mess yet, and cybercriminals definitely love newsworthy events, and we’re just kind of living in this perpetual newsworthy event that they’re going to continue to exploit.
Chris Glanden 32:37
Yeah, speaking of newsworthy events, SolarWinds has just completely taken over my Twitter feed.
Grayson Milbourne 32:43
I know, I tell you what my last week has been. It’s been interesting, and honestly, it’s almost like, how did 2020 not end without this? Right. So there had to be some sort of cybersecurity nightmare that is on par with everything else in 2020, and man, if SolarWinds isn’t that, then I don’t know what is, and it’s been interesting, as we’ve looked into it, there’s a lot to learn, and a lot of companies who have certainly been impacted that haven’t come clean about it. But to me, I think what’s scary about this is, again, it’s the trust of somebody else, right, and SolarWinds had a lot of very big clients and those clients trusted that SolarWinds was protecting themselves against this type of an attack, and like all too often in the past, that trust broke down and caused a lot of people to become compromised.
So, what I find really interesting about this is how it went unnoticed by SolarWinds, because we’ve had a little over a week now to analyze the samples that are related, in some ways. What’s nice about this is SolarWinds’ Orion network monitoring software is written in .NET, and that’s great for analyzing the code, because it’s very easy to take .NET binaries and look at the source code, and so, when we go and, I mean, SolarWinds is a big company, right? Like, their Orion software has been out for a long time, and so when we started going back and looking at all the variants of the specific DLL that got compromised, you can kind of see the timeline for when the malicious classes entered into the DLL.
So that actually happened in November of last year, and then it wasn’t until March of this year that… The class basically was introduced, the namespace was introduced but laid dormant and empty for five months, and threat actors then introduced the malicious code, and so to me, it’s like, okay, well, there was already, like, why did that happen? Like, where’s the QA process in here to review these things?
So, I guess, in some ways, to me it feels almost like an inside job to some degree. I’m not surprised if attribution ends up being another nation state, but I scratch my head when I look at our internal build process; I just don’t see how something like this could have happened, and I think it’s causing a lot of security software companies to look internally and make sure that they haven’t fallen victim to something similar, and really that’s what we’re kind of looking at. Again, we have to see what happens and what’s released, but it’s looking like VMware may have also been compromised, and if you think about what could be worse than a SolarWinds compromise, it would be a VMware, like, sandbox escape vulnerability, and to me, that would be, you know, that’s probably like, what could be worse than that? You know, if you can imagine how reliant we are on VMware.
Chris Glanden 35:36
Yeah, Cisco was affected as well, I don’t know if you saw that?
Grayson Milbourne 35:39
I did. I did. I mean, I saw this morning the list of people that they’ve now identified; they basically brute-forced the DGA for the C2 server, so they can see the various… It’s part of the URL string that they communicate back and forth with that contains the identifier for the company.
Chris Glanden 35:57
It’ll be interesting to see how this investigation plays out, and if we’ll get to see any indictments.
Grayson Milbourne 36:01
Being under cyber espionage is not new, right. Like, I think from a federal agency perspective, the government’s done a really poor job, you know, going all the way back into the 2000s till now, in providing proper punishment for these types of attacks. Because at this point, I mean, this was very much like cyber espionage, right? Like, all these people wanted to do was learn and take and listen, you know, ransomware is deployed. Right? I mean, this was just a big listening operation. But I don’t think there’s a way to even put a dollar amount on the intellectual property loss that these companies have suffered. So, you know, supply chain is certainly something that… I think we’re all going to look very closely at as we move forward into 2021, and beyond.
Chris Glanden 36:47
I’ve taken notice of an increase in attackers abusing LOLBins. Could you explain what a LOLBin is? And how attackers can leverage LOLBins in fileless attacks?
Grayson Milbourne 36:57
Yeah, exactly. So, like, these are called living off the land binaries, and so living off the land is a technique that’s been popular for several years now. But, you know, so much technology is focused on how something new is introduced. But sometimes nothing new is introduced, and really all you’re using is the embedded functionality within Windows. So, there’s actually a very long list of what we call LOLBins that can be used as part of an attack to achieve, you know, the goal of the attacker, and probably the most notorious would be PowerShell, and we always advocate that if you don’t need PowerShell, then disable it for your users, because that application itself has so much capability.
So, others are, like, script interpreters. So some of the scripting languages that are supported natively by Windows, you have, like, [inaudible 37:37], so the Windows Management Interface, or Instrumentation, and this again gives you just lots of flexibility into setting policies, and basically, I mean, through these tools, and there’s several others, you can build an entire executable on the device, without ever having to, say, extract it from a website or get it in there some other way, and I think what’s challenging about this is that these are all good processes, they’re digitally signed by Microsoft, they are for all intents and purposes a good application that then can be used for malicious purposes, and so what we’re starting to see is, you know, I talked a little bit about this with how ransomware is taking advantage of these too, right, to fly under the radar, and so I think industry has been faced with the challenge of how do we have the proper visibility into these applications?
How do we properly secure them for the proper use and detect the malicious use? And so, we’ve seen a lot of innovation in that space, particularly around, like, script detection and improper… It’s almost like heuristics, it’s like, you know, should Java write an application to an AppData temp directory, or should Winword be allowed to open up PowerShell and download a file? And so there’s lots of ways that we see commonality in how these things are used, but a lot of technology still doesn’t have the visibility into them. So, without that you’re kind of at risk to attacks that take advantage of LOLBins.
Chris Glanden 39:14
I see. It sounds as if detection could certainly be a challenge there.
Grayson Milbourne 39:19
It can be absolutely.
Chris Glanden 39:21
Would ML or UBA-based tools help with detection?
Grayson Milbourne 39:24
Yeah, I think, like, ML can help to some degree. I mean, so part of what we’ve been looking at is just a variety of command data that comes through these types of applications, and so, we have things that we look for that we say, like, PowerShell shouldn’t be allowed to do this or wscript shouldn’t be allowed to do this, and so for us, we’ve been really looking at…
There’s a lot of commonalities to take in, and so I guess in some cases, or in a lot of cases in cybercrime, code reuse is a pretty common thing, and so somebody figured out a way to do it, and then copy and paste types of attacks, and so, even though, you know, things could be easily obfuscated or changed, we see a lot of that, but I also think, like, yeah, UBA is understanding, like, what should something be doing? And when is it outside of its expected behavior? And how do you then ultimately provide protection? So, okay, something is… Now done something wrong? Is it too late? Do I have to have a reaction plan, or was this something I was able to stop preventively?
So, I think that we look at more of the definition side of an approach to, okay, like, this type of command shouldn’t be executed. That’s easy to do. But when you look at behavior and analytics, sometimes that’s after the fact, and it’s like, okay, this thing was outside of its bounds. Oh, something has happened, right, as opposed to, no, you’re not allowed to do this. So I think it’s somewhere in the middle, and I absolutely think ML is going to play a big role in this. Again, the challenge here is, like, sifting through the big data, and I think that’s really where ML shines. So, I expect that type of technology to refine and strengthen these solutions.
Chris Glanden 40:52
Got it. Well, staying on the topic of AI, I’ve always been fascinated with deepfake technology, although you don’t typically see it being used by attackers. Why do you think that is? And when do you think we will start seeing deepfake attacks?
Grayson Milbourne 41:06
Yeah, so I couldn’t agree more. I think deepfakes are fascinating. They’re also frightening. Humans are obviously wired to see and hear and trust, and when that can be manipulated so easily to have people say things that they didn’t really say… So far, we’ve largely seen this for misinformation, or for comedy, and unfortunately, I think it’s going to start making its way into compromises, and really where I see this is not necessarily with video deepfakes, but with audio deepfakes, and one of the biggest threats that we’ll be continuing to see, and I talk a lot about this for what I expect in 2021, but this is certainly one of the big ones, is… Business email compromise is a really costly type of attack, and it’s largely a social engineering attack, and it cost US businesses north of $2 billion in 2020, and I have no doubt that that’s going to grow in 2021.
But to combat that, what businesses are doing is they’re increasing verification processes, they’re having a second set of eyes, there might be, hey, get on the phone with the CFO and make sure that you have authorization and everything is right. So, it’s almost in that space that I see deepfakes being used, and I forget the name of the site that does this, but you can upload a small amount of audio recording, and it can generate an audio model that you can then type into, and it will speak.
Chris Glanden 42:33
Yeah, I think it’s called Lyrebird, and it used to be open source, if I’m not mistaken.
Grayson Milbourne 42:38
Yeah, it doesn’t take much, right. So, like, I mean, if you imagine, like, okay, CFOs and these types of people might not be too hard; if they’re, like, a public company, you can listen to their quarterly investor briefing, and there alone, you’re going to have the audio that you probably need to get any of the C-levels that you might target. So, I look at that as being a way that we might see deepfake technology used to facilitate a business email compromise type of attack. But what I also think is cool is, like, there’s a lot of great technology that helps you identify, is it a deepfake? Tech can very easily spot deepfakes.
But I think it’s like, how do we get the tech in the right spot? So, for example, it’s easy to tell if it’s doctored audio, but how do you get that audio stream through something that detects it and alerts the CFO or that person in finance that they’re actually not talking to…, or that there’s something fishy about this? And of course, then there’s false positives and these things as well, and it’s not going to be a perfect thing. But I do think technology has a role to play in protecting against misinformation, disinformation, and deepfakes.
Chris Glanden 43:39
So personally, I’m not aware of any specific technology that can detect deepfakes. Do you happen to know the name of one?
Grayson Milbourne 43:46
So I actually saw a couple of presentations at Black Hat last year that looked at this, and I don’t remember off the top of my head, but they actually looked at using… they trained mice to detect deepfake audio.
Chris Glanden 43:59
Oh, wow.
Grayson Milbourne 43:59
It was really interesting how they went about this, but there were some neuroscientists from, I think, Stanford University, and they showed lots of different things. So one of the things that they showed was that when they broke down language into small pieces, the mice would react differently to the doctored versus the normal, and it was really interesting. I mean, it was some very smart people. But that was one approach to it. But also, I mean, just looking at the stream of data, when something has been doctored by AI, there are markers of that, and the consistency of how certain things are done that are just not completely natural to how humans speak.
Chris Glanden 44:44
Yeah, it’s becoming so good.
Grayson Milbourne 44:46
I’m very nervous about how this is going to unfold, just because I think misinformation is a huge threat to society. I think technology has a role to play to at least identify things like deepfakes, but I just wanted to say, going through this selection [not clear 45:02] season, and how, like… Your social media gets thrown under the bus and has to tag misinformation. But then mainstream media spreads a lot of misinformation as well, but nobody has to, like, tag any story on their sites, and it’s like, okay, well, at some point, we’re going to have to have a reconciliation here, and you have to figure out, how do we validate information so that we can inform ourselves without being misled? And I think it’s going to be a big challenge to solve.
Chris Glanden 45:31
100%. So, I want to ask you about iOS and Android. What does your prediction look like for mobile threats in the coming year?
Grayson Milbourne 45:39
Yeah, so I think iOS certainly had sort of a 2020 moment this year, and I guess, maybe just rewind a bit from that is… I guess we’re entering what, year 13, of the smartphone era, and with iOS and Android, obviously our lives are very different today than they were before smartphones. But unfortunately, the security track record of both Android and iOS is not great, and I remember, going back all the way to, like, 2010, you know, every year at Black Hat there would be some new, just devastating exploit for Android, and it would just blow away any of the security protocols that were there; you know, you could very easily root the device or install an app that could root the device, and it was very easy to own the devices, and here we are today, all these years later, and we continue to see security be a very big challenge on these devices, and iOS, or Apple, will probably tell you that they’re extremely secure, but the reality is, like, we just continue to see some very dangerous exploits, and one that was discovered and disclosed by Google’s Project Zero was a radio proximity exploit for iOS that took advantage of the iOS mesh network protocol, which is something that’s, like, proprietary for Apple devices, but it helps them communicate with one another, and it’s on by default, and so one researcher, over the course of six months, basically built an exploit that, if you were next to his device, would own your device without any user interaction. Like, on the Google Project Zero blog, it’s a fantastic blog, by the way, at the very top is a video that just basically shows it, and he’s got, I think, 30 different iPhones, I think 2015 to current day, and he runs the thing, and you just watch them all; within 10 seconds, they all reboot.
Chris Glanden 47:29
Wow, that’s crazy.
Grayson Milbourne 47:32
And through that, he can install remote… So, this is one researcher, right? So, you can imagine nation states, they look at mobile devices as the goal to… if they could infect one thing, it’s going to be the mobile device of their target, because obviously, you know, you don’t have to explain to your users what mobile devices do, but it’s obvious if you can compromise that, you have spies happy to stream.
So, I think from a platform perspective, there’s a lot of vulnerabilities still, but then we also look at the app space, and maybe I’ll pick on Android here instead of iOS. But there’s what we called the Joker malware on Android, that’s been pretty prevalent over the past couple of years; there have been several hundred thousand plus installs removed from Google Play, and often, I mean, these are just malicious apps that… the app space is really cluttered, and so there’s, you know, 1000 different flashlight apps. But what they try to do is they go after what’s popular, and they create a bare bones kind of app that kind of does, yeah, it’s a little flashlight or some other app like this.
But then it contains an advertising platform that contains Joker, and then slowly over the next several weeks of installation, components of Joker are then downloaded through that app, and ultimately, what it does is it spies on the device, and then it monetizes through signing you up for premium services, and so it will either [inaudible 49:01] by other apps that are part of their network that cost money, or it will sign you up for recurring services. So that’s just one example. I mean, we see, I think, maybe the other thing I’m most concerned with on the mobile front is just the prevalence of what I call spy phone apps, and these are often things like, track your kids, or remote monitoring software for the phones, and oftentimes, it’s installed covertly, it’s difficult to remove, and then it can report everything that you do with your device.
So, we see a lot of that. Like, Webroot also has a mobile solution, and when we look at what do we see? What do we detect the most in the wild? It’s definitely those types of apps.
Chris Glanden 49:45
Nice. Yeah, I didn’t know Webroot had a mobile solution.
Grayson Milbourne 49:48
Yeah, actually, what’s kind of cool about it is; so, when you think about the mobile device, like, Google continues to really lock down, they’re trying to fix security. But really, the internet browser is really one of the areas that we still see as prime for exploitation, and that could be landing on a phishing site or being misled some way, and so in our latest release, actually, we pivot away from being an app itself, and we’re basically built on the Chromium stack.
So, the benefit of that is, like, you can use the Google Chrome browser, and we can still then protect that browsing experience, and then of course, you know, it protects as far as malicious apps, but the amount of malicious apps we see on mobile devices, compared to malware on PCs, is still a tiny fraction, but we really look at the browsing component as what we want to secure. So it provides both.
Chris Glanden 50:38
Gotcha. Yeah, I’m always getting asked, is Apple more secure than Android devices?
Grayson Milbourne 50:43
Apple is more secure. But I don’t think it’s by, like, a large amount, and I think, I mean, if you look at Apple’s patch notes for all of their recent releases, there’s a lot of security that they’re constantly fixing. I think the application space for Apple is better, because it’s so controlled, right? Like, it has to be an Apple-certified signed app to run, and on Android it’s very easy to install apps from anywhere. So I think it’s kind of like the flexibility of what you get. I think the app landscape for Android is more diverse than for iOS. But maybe iOS is a bit more secure, just from the app space.
Chris Glanden 51:23
Understood. So, Grayson, you’re located in the Denver area, right?
Grayson Milbourne 51:27
Yeah, its headquarters is actually in Broomfield, which is about 15 miles northwest of Denver.
Chris Glanden 51:33
Nice, nice. So, let’s talk about the bar landscape. What’s the best bar to go to out there?
Grayson Milbourne 51:39
Oh, man. So, Colorado, we’re really big into craft brews, or beers, and so there’s actually a lot of great restaurant bars that you can go in and have… Let’s see, like the Boulder Beer Company. There’s Avery Brewery; they’re great. You go in and you can try lots of different beers, and then they have tours that will take you through the brewery house. That’s kind of fun to do.
Chris Glanden 52:00
Oh, nice. So, a lot of breweries. I know Coors is out there. Who else is out there?
Grayson Milbourne 52:04
We have, like, lots of really small brews. So, it’s lots of microbrews, I mean, there’s so many. But if you want me to be more of, like, a traditional bar, there’s a place called the Burns Pub and Restaurant that’s really famous in Broomfield, and it’s right up by the Rocky Mountain Metropolitan Airport, and it is a fantastic scotch bar, and they have some of the greatest old whiskies and a menu of drinks that’s several pages long, and fantastic food as well. So typically, when we have people out to the office, it’s right next to our office. So that’s often a really great place to go as well.
Chris Glanden 52:42
Sweet. So, when you go out to a bar, what is your drink of choice?
Grayson Milbourne 52:46
I like beer. You know, there’s so many great micro-breweries out here that we have several different tap houses that… it’s just nice to try a variety. So I’m kind of a beer guy.
Chris Glanden 52:58
So, it’s last call here at Barcode. So, I have one final question for you. If you opened a cybersecurity-themed bar, what would the name be? And what would your signature drink be called?
Grayson Milbourne 53:10
Oh, my goodness. That’s a hard question. I would… I’d call my bar, I’d call it… Oh, man. Okay, maybe it could be, like, the Malicious Mixer. Okay, so that could be the bar name, and then we’d have, like, a variety of different, like, malware-themed drinks. So, we could have, like, the Trojan Horse, the Ransomware, the Spyware; these could be, like, different cocktails of some sort.
Chris Glanden 53:42
Nice, as long as you don’t get infected?
Grayson Milbourne 53:44
Well, you get infected but just with the warm, fuzzy feeling of alcohol.
Chris Glanden 53:50
It evades all defensive controls.
Grayson Milbourne 53:53
Indeed, indeed.
Chris Glanden 53:55
All right. Well, Grayson, I appreciate your time. Thank you so much for speaking with me and discussing your approach and mindset to infosec.
Grayson Milbourne 54:02
Chris, thanks for reaching out, and this was a lot of fun. I love talking about cybersecurity, and perhaps I’ll get to do one of these again in the future.
Chris Glanden 54:11
Definitely. Next time, let’s catch up at a real bar.
Grayson Milbourne 54:14
Hey, you got it.