
Stop and think before you click that link.

We've got followup from a listener on cognitive dissonance and behavioral science. Dave shares a listener story about a University Dean's List scam. Joe shares statistics from a government agency phishing test. Our catch of the day involves funds from the FBI, the IMF, and yes, Nigeria. Dave interviews Crane Hassold from Agari with phishing trends they've been tracking, plus his experiences as a former FBI agent.

Links to stories in today's show:

Transcript

Crane Hassold: [00:00:00] When it comes to phishing, those types of behavioral traits are really what phishing attacks exploit. Trust is a big one. Fear and anxiety are some other ones. And those are sort of behavioral characteristics that are ingrained in our human behavior about who we are. And it's very hard to override those.

Dave Bittner: [00:00:17] Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast. This is the show where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from The CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: [00:00:36] Hi, Dave.

Dave Bittner: [00:00:37] We've got some fun stories to share this week. And later in the show, we'll have my interview with Crane Hassold from Agari. He's going to share some trends that they're tracking when it comes to phishing. And he's also going to share his experiences as a former FBI agent. But first, a quick word from our sponsors at KnowBe4.

Dave Bittner: [00:00:53] So how do you train people to recognize and resist social engineering? There are some things people think. Test them. And if they fall for a test scam, fire them. Or other people say if someone flunks the test, shame them. Instead of employee of the month, it's dufus of the day. Or maybe you pass out a gift card to the one who gets the A-plus for skepticism in the face of phishing. So how about it? What do you think? Carrots or sticks? What would you do? Later in the show, we'll hear what the experts at KnowBe4 have to say. They're the sponsors of this show.

Dave Bittner: [00:01:30] And we are back. Joe, before we get into our stories this week, we've got some follow-up.

Joe Carrigan: [00:01:35] Good.

Dave Bittner: [00:01:35] We've got - a listener named Angela (ph) wrote in. And she said, hi, I've become interested in using my psychology background to go into social engineering-related cybersecurity. And I love the "Hacking Humans" podcast - well, thank you, Angela.

Joe Carrigan: [00:01:47] Yes, indeed.

Dave Bittner: [00:01:48] I have a B.A. in psychology and an M.A. in clinical mental health counseling. And I have some criticisms of your January 31 episode - that was "The Excitement Of Tricking Someone Wears Off Quickly." That was our conversation with Jordan Harbinger.

Joe Carrigan: [00:02:01] I was hoping this was going to be a good letter.

(LAUGHTER)

Dave Bittner: [00:02:04] I think it is a good letter.

Joe Carrigan: [00:02:05] Oh, OK.

Dave Bittner: [00:02:06] She says, I want there to be more dialogue between psychology and tech. And I have to tell you the idea that the cognitive dissonance of scamming will weigh on someone too much eventually unfortunately is very untrue. Humans are incredibly good at dealing with cognitive dissonance. We do it constantly. It's always easier to see it when it's someone else. And then she says, I recommend the recent episode of the "Hidden Brain" podcast "A Founding Contradiction," which has a detailed discussion of this. I would concur that "Hidden Brain" is an excellent podcast, worth checking out if you have not already. I'm not just saying that because my friend Tara happens to be the producer of that show.

(LAUGHTER)

Dave Bittner: [00:02:43] But it's a good one.

Joe Carrigan: [00:02:44] Because it's actually a good show.

Dave Bittner: [00:02:45] It is a really good show, yeah. So Angela goes on to say psychology isn't as common sense as you think. I have another gripe with your episode - a bit of a petty gripe, I'll admit. But something I'm very passionate about was dismissed. Something was said about there being no such thing as parenting science. But that isn't true. Developmental psychology is parenting science. Unfortunately evidence-based findings of developmental psychology take a long time to enact changes in how children are treated. For example, sleep experts and developmental psychologists agree that the schedule high schoolers are expected to follow is counter to their sleep needs. But I digress. She says, I know psychology and tech have a lot to learn from each other, and I'm hoping to head things in that direction in my career.

Joe Carrigan: [00:03:28] I agree 100 percent that psychology and tech have a lot to learn from each other.

Dave Bittner: [00:03:32] Yeah.

Joe Carrigan: [00:03:32] And I've actually said things on this podcast to that effect. Like, there was something a couple of weeks ago - I can't remember, Dave. We go through so much stuff here.

(LAUGHTER)

Joe Carrigan: [00:03:40] That something could be quantified in the field of psychology, that there's probably some psychological research that could be done on something - some behavioral analysis.

Dave Bittner: [00:03:48] Yeah.

Joe Carrigan: [00:03:48] Thank you for writing in, Angela. I also vehemently agree with you about merging the two and think that the human factor in security is often overlooked - even now. And we need to put an end to that. I would welcome you into the field happily.

Dave Bittner: [00:04:01] (Laughter) All right, terrific. Well, yes, I concur. Thanks, Angela, for writing in - certainly a worthwhile point of view. And we appreciate you giving us your perspective on this. I think it's an important one. So thanks for writing in. All right, Joe, it's time for my story. This comes from a listener named Nathan (ph). He said, I hear examples of phishing messages received by listeners on the "Hacking Humans" podcast, and I think the one I've sent in is illustrative of some trends. So let me get to what he's sent here. This is an email message from Tufts University - or it alleges to be from Tufts University. And we see the Tufts University seal here. And it says, congratulations, Nathan. Tufts University has recognized you for earning a spot on the dean's list during fall 2018. Click on the link below to view your achievement. And then there's a link below that says view my achievement.

(LAUGHTER)

Dave Bittner: [00:04:53] And then there's some other things that help make it look legitimate. There's a logo for the Apple App Store, for the Google Play store. There's some links to some things that have the words Tufts University in them. But turns out, this is not actually from Tufts. And Nathan goes on to write - he says, this would have totally fooled me. He says, I did in fact make the dean's list last semester and received a standard notification about it. And I also was informed when I came here that there were some systems in place for sending meaningless stories about students to news organizations, which looks like this. He says, when I received this message, I thought it was a genuine notification and immediately deleted it because I didn't need to see anything. Only later was it reported that this is a scam, and it was pointed out that the mail address doesn't exist. Might I have checked the authenticity of the link? Maybe. But I was saved from whatever is at the other end not by suspicion but more because I didn't care. The people behind this one are pretty good. I'm a computer science major specializing in security. And yet, I had very little suspicion about this message. Interesting.

Joe Carrigan: [00:05:55] Yeah.

Dave Bittner: [00:05:55] What do you make of this one, Joe?

Joe Carrigan: [00:05:56] This is a good - well crafted. I agree with Nathan on this one. They give you the actual full text of the link, and it starts with https://tufts.meritpages.com. And I don't know what meritpages.com is. And then it has a long URL that says Nathan's name recognized for academic excellence at Tufts University and then has some numbers after it. I almost want to check it out...

Dave Bittner: [00:06:20] (Laughter).

Joe Carrigan: [00:06:20] ...To see what it is.

Dave Bittner: [00:06:20] Not on my network you don't.

Joe Carrigan: [00:06:23] I will not.

(LAUGHTER)

Dave Bittner: [00:06:25] Yeah. Obviously, and, of course, Tufts is a well-respected university.

Joe Carrigan: [00:06:28] Yeah.

Dave Bittner: [00:06:29] I mean, they're no Johns Hopkins, right, Joe? But...

Joe Carrigan: [00:06:36] Well, of course not.

(LAUGHTER)

Joe Carrigan: [00:06:36] Who is?

(LAUGHTER)

Dave Bittner: [00:06:36] But oh, my. Here we - now, please don't write us. Please don't write us. Please don't write us. Yeah, this certainly looks like the real thing. Now, it's interesting. I suppose the dean's list is a list that's made public, do you think? Is that...

Joe Carrigan: [00:06:46] I don't know. I don't - maybe it is. It could be made public. It could be that there's somebody on the inside that got the information. It may be something you can buy from the university.

Dave Bittner: [00:06:55] Oh, that's interesting. It seems like something the university would crow about - would...

Joe Carrigan: [00:06:58] Yeah.

Dave Bittner: [00:06:58] ...Put out a press release that says congratulations to these students who made the dean's list...

Joe Carrigan: [00:07:02] Yeah.

Dave Bittner: [00:07:03] ...Last semester and...

Joe Carrigan: [00:07:03] I will bet that it is public.

Dave Bittner: [00:07:04] Yeah, that's interesting. All right. Well, that's my story this week. Nathan, thanks for sending that out. It's an interesting - a little different than anything we've seen before.

Joe Carrigan: [00:07:12] It's really interesting that Nathan actually is on the dean's list and that he got this.

Dave Bittner: [00:07:16] Right.

Joe Carrigan: [00:07:16] So I...

Dave Bittner: [00:07:17] Right. So it's - it is targeted.

Joe Carrigan: [00:07:19] Yeah, it's definitely targeted.

Dave Bittner: [00:07:20] Yeah. All right, well, that's my story. Joe, what do you have this week?

Joe Carrigan: [00:07:23] My story this week comes from Derek Johnson over at fcw.com. There is an agency called FHFA, the Federal Housing Finance Agency.

Dave Bittner: [00:07:32] OK.

Joe Carrigan: [00:07:33] And FHFA oversees Fannie Mae, Freddie Mac and the federal home loan bank system. And they had an external penetration test last year in 2018.

Dave Bittner: [00:07:43] OK.

Joe Carrigan: [00:07:43] Overall, the report was good. They weren't able to exploit anything on the inside, although I don't know how tough this test was. I didn't actually see the test.

Dave Bittner: [00:07:52] Right.

Joe Carrigan: [00:07:52] But there was one key statistic that stood out. They selected 50 employees for a phishing test. That's a small agency. In 2017, according to their annual report, they had 630 employees.

Dave Bittner: [00:08:04] OK.

Joe Carrigan: [00:08:05] So that's a little less than 10 percent. Seventeen - that's 34 percent of the employees - failed the phishing test. What's a little more disconcerting about this is that if you read the redacted report - and it's really redacted, actually.

Dave Bittner: [00:08:23] (Laughter) It's highly redacted.

Joe Carrigan: [00:08:24] It's more highly redacted, I think, than it needs to be.

Dave Bittner: [00:08:26] OK.

Joe Carrigan: [00:08:26] But I don't know. I - that's just me speculating.

Dave Bittner: [00:08:29] Yeah.

Joe Carrigan: [00:08:29] Only three people reported this suspicious email to their spam system.

Dave Bittner: [00:08:36] Oh.

Joe Carrigan: [00:08:36] So you've got something going on here where you have this small agency with a civilian role in the banking industry, right?

Dave Bittner: [00:08:42] Right.

Joe Carrigan: [00:08:43] It's a pretty, I would think, good target for scammers to try to get in there to try to get some information.

Dave Bittner: [00:08:48] Yeah.

Joe Carrigan: [00:08:49] I don't know how they're related to Freddie Mac and Fannie Mae and the other - the home loan banking system. But I would imagine that it's a significant way that might be a foothold to get into those other organizations and - I don't know - get hold of a lot of personal information of people.

Dave Bittner: [00:09:03] Now, it's interesting to me that, as you said, only three people reported the phishing attempt.

Joe Carrigan: [00:09:08] Right.

Dave Bittner: [00:09:08] But those three people would not have been in the same group of people who failed the phishing attempt because to me the people who reported it...

Joe Carrigan: [00:09:15] Right.

Dave Bittner: [00:09:15] ...Would've been people who didn't fall for it.

Joe Carrigan: [00:09:17] Correct.

Dave Bittner: [00:09:18] Does that...

Joe Carrigan: [00:09:18] Yeah, I would assume that's the case.

Dave Bittner: [00:09:18] ...Follow that line of thinking? Yeah.

Joe Carrigan: [00:09:18] Yeah, that you have 17 people that failed the phishing test, three people that reported the phishing attempt and 30 people that did nothing, which is probably the best course of action. But if you see it, you should probably report it. I don't think you'd get the same results if you ran the same test at, say, the National Security Agency.

Dave Bittner: [00:09:38] (Laughter) Yeah, you think?

Joe Carrigan: [00:09:39] Yeah, or the FBI.

Dave Bittner: [00:09:40] I would hope not.

Joe Carrigan: [00:09:41] I would think you would get different results. I would not be surprised to find similar results in similar organizations like the Social Security Administration or other civilian-leaning agencies or administrations within the government.

Dave Bittner: [00:09:53] So you're saying probably organizations whose missions do not revolve around security and...

Joe Carrigan: [00:10:00] Yeah.

Dave Bittner: [00:10:00] ...Awareness of those sorts of thing...

Joe Carrigan: [00:10:02] Right, they would probably be more susceptible to this. And I'll bet if you tested these other organizations, you'd find similar results.

Dave Bittner: [00:10:08] Interesting. All right. Well, we'll have a link to the write-up on this for folks who want to check it out. But it's time to move on to our Catch of the Day.

(SOUNDBITE OF REELING IN FISHING LINE)

Dave Bittner: [00:10:19] And this week's Catch of the Day comes from a listener named Chris. Chris sent this (laughter) into us. This is a good one. This comes from the Federal Bureau of Investigation, the anti-terrorist and monetary crime division...

Joe Carrigan: [00:10:31] Sure, it does.

Dave Bittner: [00:10:31] ...International Monetary Fund. You know, Joe, that's at the J. Edgar Hoover Building in Washington, D.C.

Joe Carrigan: [00:10:36] I bend down to the IMF.

Dave Bittner: [00:10:38] (Laughter) Well, it goes like this. Dear beneficiary, series of meetings have been held over the past seven months with the secretary general of the United Nations organization. This ended three days ago. It is obvious that you have not received your fund, which is to the tune of $2.3 million, USD, due to past corrupt governmental officials who almost held the fund to themselves for their selfish reason. And some individuals who have taken advantage of your fund all in an attempt to swindle your fund, which has led to so many losses from your end and unnecessary delay in the receipt of your fund.

Joe Carrigan: [00:11:11] Those jerks.

Dave Bittner: [00:11:12] The National Central Bureau of INTERPOL, enhanced by the United Nations and Federal Bureau of Investigation and the International Monetary Funds (ph), have successfully passed a mandate to the current president of Nigeria...

Joe Carrigan: [00:11:25] A-ha.

Dave Bittner: [00:11:26] ...(Laughter) his Excellency, President Muhammadu Buhari, to boost the exercise of clearing all foreign debts owed to you and other individuals and organizations who have found not to have received their contracts, some lottery/gambling inheritance and the likes. Now, how would you like to receive your payment? Because we have two method of payment, which is by check or by ATM card. ATM card - we will be issuing you a custom PIN-based ATM card which you will use to withdraw up to $5,000 per day from any ATM machine that has the Mastercard logo on it. And the card will have to be renewed in four years' time, which is 2022.

Dave Bittner: [00:12:02] Also, with the ATM card, you will be able to transfer your funds to your local bank. The ATM card comes with a handbook or manual to enlighten you about how to use it even if you do not have a bank account - or by check, to be deposited in your bank for it to be cleared within three working days. Your payment would be sent to you via any of your preferred options and would be mailed to you via UPS. Because we have signed a contract with UPS, which should expire in the next three weeks, you will only need to pay $500 instead of $1,200, saving you $700.

Joe Carrigan: [00:12:34] Fortunately. How about that?

Dave Bittner: [00:12:36] So if you pay before the three weeks, you save $700. Take note that anyone asking you for some kind of money above the usual fee is definitely a fraudsters.

Joe Carrigan: [00:12:46] (Laughter).

Dave Bittner: [00:12:46] And you will have to stop any communication with every other person if you have been in contact with any. Also, remember that all you will ever have to spend is $500, nothing more, nothing less. And we guarantee the receipt of your fund to be successfully delivered to you within the next 24 hours after the receipt of payment has been confirmed. Note, everything has been taken care of by the federal government of Nigeria...

Joe Carrigan: [00:13:09] (Laughter).

Dave Bittner: [00:13:09] ...The International Monetary Funds, the United Nations and also the FBI and including taxes, custom paper and clearance duty so all you will ever need to pay is $500. Whew (ph).

Joe Carrigan: [00:13:23] (Laughter).

Dave Bittner: [00:13:23] (Laughter) Do not send money to anyone until you read this. The actual fees for shipping your ATM card is $700. But because UPS have temporarily discontinued the COD, which gives you the chance to pay when package is delivered for international shipping, we had to sign contract with them for bulk shipping, which makes the fees reduced from the actual fee of $1,200 to $500, nothing more and no hidden fees of any sort. To effect the release of your fund, valued at U.S. $2.3 million, you are advised to contact your correspondent in Africa, a delivery officer, Mr. Stephen Munchin (ph). Wow.

Joe Carrigan: [00:13:55] (Laughter) That is awesome.

Dave Bittner: [00:13:56] Yeah. A lot here.

Joe Carrigan: [00:13:57] I'm so glad that we can get such a great bargain...

Dave Bittner: [00:14:00] (Laughter).

Joe Carrigan: [00:14:00] ...On shipping our ATM card or our check to us, Dave.

Dave Bittner: [00:14:04] Well, when you're sending millions of dollars around the world, you can probably strike a good deal with UPS for a discount on the shipping to only pay $500.

Joe Carrigan: [00:14:13] Yeah. I like how it does have this artificial time constraint, that, you know, if you don't send us the $500 within three weeks, you're going to have to send us $1,200.

Dave Bittner: [00:14:21] Right. Yeah. So there's a call to action there, the time pressure.

Joe Carrigan: [00:14:25] Right.

Dave Bittner: [00:14:26] I like the convenience of being able to have an ATM card. I wonder what the scam side of that is. Being able to withdraw five grand a day from the card, I suspect you'll have to provide them with some banking information.

Joe Carrigan: [00:14:36] I think it's just you send them the 500 bucks, and that's it. And that's the end of the scam.

Dave Bittner: [00:14:41] Oh, you think?

Joe Carrigan: [00:14:41] Yeah.

Dave Bittner: [00:14:42] Yeah.

Joe Carrigan: [00:14:43] I think they're...

Dave Bittner: [00:14:43] Although I can't help but wondering, though, if they get you for the 500 bucks, if they're going to try to string you along for more than that.

Joe Carrigan: [00:14:49] Oh, sure.

Dave Bittner: [00:14:49] They could. They got a hot one, you know?

Joe Carrigan: [00:14:50] Yeah. That's exactly what they do. They - (laughter) like I said last week, they're going to - they've struck oil. They're going to pump till the well's dry (laughter).

Dave Bittner: [00:14:56] Yeah, yeah. That's true. All right. Well, that's a fun one. Thanks, Chris (ph), for sending that in. That is our catch of the day. Coming up next, we've got my interview with Crane Hassold from Agari. He's going to share what they are seeing when it comes to phishing. And he's going to share his experiences as a former FBI agent.

Dave Bittner: [00:15:16] Let's return to our sponsor KnowBe4's question, carrots or sticks? Stu Sjouwerman, KnowBe4's CEO, is definitely a carrot man. You train people, he argues, in order to build a healthy security culture, and sticks don't do that. Approach your people like the grown-ups they are, and they'll respond. Learning how to see through social engineering can be as much fun as learning how a conjuring trick works. Hear more of Stu's perspectives at KnowBe4's weekly "Cyberheist News." We read it, and we think you'll find it valuable too. Sign up for "Cyberheist News" at knowbe4.com/news. That's knowbe4.com/news.

Dave Bittner: [00:16:04] Joe, I recently had the pleasure of speaking with Crane Hassold. He is from Agari. And at Agari, they do a lot of tracking when it comes to social engineering, phishing and those sorts of things. So he's going to share some of the things they've seen there. But Crane was also - before he was at Agari, he was an FBI agent, so he's got some interesting stories to share from that part of his life as well. Here's my interview with Crane Hassold.

Crane Hassold: [00:16:26] One of the things that I think that we're seeing is a big shift just in a general threat landscape for phishing from individual consumers to enterprises. And really, I think part of that has to come - what we've seen in the past couple of years, starting with ransomware that we saw in 2016. That's where the shift really began. But, really, what third actors are seeing is that they can use the information and the accounts that they obtain from businesses in a more diverse fashion as well as they can be more financially lucrative.

Dave Bittner: [00:16:55] So are the tactics different?

Crane Hassold: [00:16:58] A little bit. Really, when we're looking at enterprise phishing threats, you know, we are conditioned to see cyber threats as technical. But really, when it comes to enterprise-focused phishing threats, a lot of those are very non-technical in nature. So BEC, the CEO fraud types of attacks, and general credential phishing attacks are really the more common types of attacks targeting businesses.

Dave Bittner: [00:17:22] And what are your recommendations for folks to best protect themselves? How much of it is a technical solution? How much of it is training and awareness?

Crane Hassold: [00:17:29] So a lot of it has to do with awareness and not just, you know, having security awareness training but getting people to stop and think and pause for a second about what they're doing when they receive an email. You know, so as technology has sort of ingrained our lives, we see emails every single day. And we just react to them every single day, every single time we get one of these things. And we never really think about it. And so I think having people and employees stop and think about clicking on a link or - is this coming from the right place? - really makes up a lot of the protection that we see.

Dave Bittner: [00:18:09] Now, before joining Agari, you had some time you spent with the FBI. And you helped spin up the FBI's Cyber Behavioral Analysis Center. Can you take us through - what was the origin of that project?

Crane Hassold: [00:18:21] So behavioral analysis or profiling has been around in the FBI for decades now. And, you know, when it first started, it started as looking at violent criminal offenders, like serial killers and things like that. And it's evolved over time. And there was a team that looked at counterterrorism. There was a team that looked at counterintelligence. And in 2012, we saw the need to create a team that looked at cyber-based threats. And so myself and two other individuals sort of built that team back in 2012 as a way to sort of take the traditional concepts that have been used for decades in the violent crime world for behavioral analysis and apply those to cyber adversaries.

Dave Bittner: [00:19:02] Can you describe to us - what were some of the concepts that came from the violent crime world?

Crane Hassold: [00:19:08] So a lot of the concepts are the same, just looking at it in a different perspective. So I'll give you an example. So one of the things that we did in CBAC was what we called malware author profiling. So that is, essentially, looking at the code in malware and understanding the sort of behavioral characteristics of the offender who wrote that malware. So when we're looking at this, what's really interesting is that malware and malware author profiling is very similar to, in sort of the violent crime world, when you're looking at bomb-making and - because both of those types of activities are relatively personal to the person who's either building a bomb or writing a piece of malware. There's a lot of little, personal niches that are in each type of activity.

Crane Hassold: [00:19:54] And so we've used some of the same concepts in bomber profiling that we did in malware author profiling as a way to get a better understanding of who the person is who is writing the malware, writing the code.

Dave Bittner: [00:20:05] And is there a difference between, say, someone who's doing it for criminal reasons and someone who's doing it for, say, a nation state purpose?

Crane Hassold: [00:20:12] Absolutely. So motivation certainly goes into understanding the threat actor behind the scenes. One of the really interesting aspects that we saw was that when we're looking at cybercrime and online crime, each online crime, really, has a real-world correlate. So you take something like vandalism in the real world can be something - is similar in nature to web defacement in the virtual world. A bank robbery in the real world is similar in nature to a financial exfiltration in the online world. And what we saw was that when we're looking at the actors who commit both types of crimes in both worlds, the motivations and behavioral characteristics are, actually, quite similar. The big difference is why the actors choose to use a computer as a mechanism to commit the crime.

Dave Bittner: [00:21:02] Can you take us through it? What are some of the top motivations?

Crane Hassold: [00:21:05] So financial is, by far, the most common motivation that you'll see that's out there. Sort of thrill is a big one, especially in the cybercrime world. Some of the crimes that we see as more nuisance crimes in the real world are more present and more visible in the online world but have the same motivations there. And then you have the - sort of the more sophisticated actors, the nation states that are doing cyber-espionage or intellectual property theft that are up there as well.

Dave Bittner: [00:21:33] Can you take us through sort of the mindset that goes behind the folks who are doing this? I'm thinking - my sense is that people have a - maybe a false sense of security because they're sitting behind the keyboard doing something, perhaps something they know they're up to no good, which, I guess, is different than walking into a bank and holding somebody up.

Crane Hassold: [00:21:51] Yeah, I think that's true. I think anonymity helps breed certain types of cybercriminals. And I think that is what causes a lot of people who wouldn't commit a crime in the real world to commit crimes in the cyber world. And that's really what we see as the difference between the two populations of individuals is the people who commit a crime in the cyber world, they do it for different reasons. And one of those reasons is they don't have the physical or social ability to do it in the real world, even though if they had those capabilities, they probably would.

Dave Bittner: [00:22:24] That's interesting. Were there any things that you found in your FBI work that was particularly surprising that was unexpected?

Crane Hassold: [00:22:30] I think one of the things that I saw from my time at the FBI is that some of the nation states that we see as - that we assume are very sophisticated and we hear on the news a lot, really, make the same types of mistakes that everyday, unsophisticated cybercriminals make. We put some of those actors on a pedestal, I think, to a certain degree. And - but when you look at it, they are human beings just like the rest of us. And they make very common operational security mistakes. They have - also have sort of behavioral characteristics that can be exploited for certain purposes.

Dave Bittner: [00:23:10] You know, getting back to the work you do with Agari, can you describe for us - how do you all actively engage when it comes to protecting folks against things like business email compromise?

Crane Hassold: [00:23:21] One of the things that my team and I do to understand the threats and the threat actors that are targeting businesses is engage with them. So we will sort of - we'll get a - an email that's been sent to us by either a customer or one of our internal employees. And it may be a BEC email. And what we'll do is we'll start engaging with the threat actor to try to elicit additional information about the accounts that they're using as well as to get more information about sort of them so we can get some artifacts about them that we can then sort of pivot to open-source analysis to gather some additional intelligence on them. We also use some proprietary tools as a way to get additional visibility into different aspects of the group, which really gives us really good insight into some functionality and some mechanisms that we don't really see on an everyday basis about these groups.

Dave Bittner: [00:24:13] So a lot of connecting the dots there, combining the - that human capability but also some automation there as well.

Crane Hassold: [00:24:20] Absolutely.

Dave Bittner: [00:24:21] Yeah. So what are your recommendations for folks to help protect themselves? When it comes to things like phishing threats to things like business email compromise, what do you suggest for folks to do a better job with it?

Crane Hassold: [00:24:32] So part of it is, you know, these same types of recommendations that, I think, we've heard for years. And a lot of it is stopping and thinking about what you're receiving, what you're looking at. Is it contextually appropriate? Is it something that I'm expecting to receive? Does it look right? Does it feel right? And then also from a BEC perspective, you know, verifying the request that you're receiving. Don't just trust what you're seeing. Sort of verify it with the person.

Crane Hassold: [00:24:58] And really, when it comes to phishing, those types of behavioral traits are really what phishing attacks exploit. Trust is a big one. Fear and anxiety are some other ones. And those are sort of behavioral characteristics that are ingrained in our human behavior about who we are. And it's very hard to override those. But as best as we can, we need to stop and think about what we see before we take any action on an email that we receive.

Dave Bittner: [00:25:24] Joe, what'd you think?

Joe Carrigan: [00:25:25] It was an interesting interview, Dave. I find his comparison of, like, say, bomb-makers and malware authors being the similar kind of people. Interesting - strikes me as an interesting parallel that he draws - as well as, you know, web defacers and vandals and bank robbers...

Dave Bittner: [00:25:41] Yeah.

Joe Carrigan: [00:25:41] ...And people who exfiltrate cash from - electronically.

Dave Bittner: [00:25:45] I can see there being a methodical nature to the type of work.

Joe Carrigan: [00:25:49] Right.

Dave Bittner: [00:25:50] You know, being kind of goal-oriented...

Joe Carrigan: [00:25:52] And taking pride in your work and...

Dave Bittner: [00:25:54] ...But also having to separate yourself from the effects that your actions are going to have on other people...

Joe Carrigan: [00:26:01] Right.

Dave Bittner: [00:26:01] ...That sort of thing. Obviously, a bomb-builder - you're talking about loss of life...

Joe Carrigan: [00:26:05] Right.

Dave Bittner: [00:26:05] ...Versus loss of money.

Joe Carrigan: [00:26:07] Right, exactly.

Dave Bittner: [00:26:08] You know, you suppose someone who's messing with some kind of industrial control system or something like that could lead to...

Joe Carrigan: [00:26:12] Could very well lead to the same thing.

Dave Bittner: [00:26:14] Yeah, it could lead to loss of life. So it's interesting.

Joe Carrigan: [00:26:17] Also, one of his final statements towards the end of the interview - trust and fear are tough to override. You know, we as humans do have this innate trust that we use to trust people in our tribe, so to speak.

Dave Bittner: [00:26:28] Yeah.

Joe Carrigan: [00:26:28] And fear is one of those things - if you can scare somebody, you can short-circuit a lot of their thinking.

Dave Bittner: [00:26:34] Right. He said a couple of times that you need to pause.

Joe Carrigan: [00:26:37] Right.

Dave Bittner: [00:26:38] And we say that over and over again.

Joe Carrigan: [00:26:39] Right.

Dave Bittner: [00:26:40] Step away. Pause. Talk to somebody.

Joe Carrigan: [00:26:42] Make a cup of tea. You know, that's...

Dave Bittner: [00:26:44] Give yourself some time to think about it to let those emotions...

Joe Carrigan: [00:26:48] Subside.

Dave Bittner: [00:26:48] ...Simmer down.

Joe Carrigan: [00:26:49] Right.

Dave Bittner: [00:26:49] Right.

Joe Carrigan: [00:26:50] Good advice.

Dave Bittner: [00:26:50] Yeah. All right. Well, thanks to Crane Hassold from Agari for joining us, for taking the time to speak with us this week. That is our podcast.

Dave Bittner: [00:26:58] We want to thank our sponsors KnowBe4, whose new-school security awareness training will help you keep your people on their toes with security at the top of their mind. Stay current about the state of social engineering by subscribing to their CyberheistNews at knowbe4.com/news. Think of KnowBe4 for your security training.

Dave Bittner: [00:27:16] Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: [00:27:40] And I'm Joe Carrigan.

Dave Bittner: [00:27:41] Thanks for listening.

Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
