Hacking Humans 8.6.20
Ep 110 | 8.6.20
Ignore the actor, focus on the behavior.
Transcript

Johnathan Hunt: My philosophy had changed to - we should ignore the person, and we should go after the behavior.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, my conversation with Johnathan Hunt from GitLab. He's going to share his perspective of dealing with bad actors - ignore them. 

Dave Bittner: All right, Joe. We've got some interesting stories to share this week. I am going to kick things off for us. My story comes from The Baltimore Sun, our hometown newspaper (laughter)... 

Joe Carrigan: Yes. 

Dave Bittner: ...Written by Justin Fenton, who does a lot of good work over there at The Sun. I have to say, this is a horrific story. 

Joe Carrigan: Yeah. 

Dave Bittner: (Laughter) It's just awful. So be warned. This story - I'm going to read a lot from the article here because the details are deep and important. So there's a gentleman named Ahmad Kazzelbach, 26-year-old man, and he has been convicted of harassing a former girlfriend of his and also taking advantage of the justice system in order to do so. 

Joe Carrigan: Yeah - in the process. 

Dave Bittner: Yeah. And, in fact, his sentence - the judge in the case gave him a sentence that was longer than the recommended sentencing guidelines because of how just blatant and shameless this gentleman's... 

Joe Carrigan: Gentleman, Dave? 

Dave Bittner: ...Abuse... 

(LAUGHTER) 

Dave Bittner: By gentleman, I mean not a gentleman. 

Joe Carrigan: Right. 

Dave Bittner: ...His abuse of the system was. So this guy, Kazzelbach, who - he's pled guilty to cyberstalking and improper access of a computer. When he and his former girlfriend broke up, he went in and got control of several of her social media accounts. He had her email contact information. He also had - still had access to the apartment that they had shared together. He was still on the lease of that apartment. Evidently, he went in and ransacked it and took some items. He altered her personal health care information. He interfered with her work, which - according to this story - nearly cost her her job. 

Joe Carrigan: That's awful. 

Dave Bittner: It's awful. But at some point back into September of 2016, she received a text from a Florida-based number, and it said, prepare yourself for what's coming. The last three months were just the beginning. I have bigger plans for you. I love how easily manipulated you can be. 

Dave Bittner: And so Kazzelbach, he filed a domestic violence protective order against his former girlfriend... 

Joe Carrigan: Right. 

Dave Bittner: ...Saying that he had received violent threats from her via text message and social media and that she had physically abused him as well, and he had the evidence for that on his device. And a judge granted a temporary protective order. Now, the woman, the ex-girlfriend, she thought, well, I didn't do any of this so they can't prove any of this. I didn't do it. 

Joe Carrigan: Right. 

Dave Bittner: So a hearing was scheduled on the protective order. He filed an application for a statement of charges against her. And I have to say these are the times when I wish we had Ben Yelin on the line so he could just... 

Joe Carrigan: Right (laughter). 

Dave Bittner: He could explain what all these legal terms are. But... 

Joe Carrigan: Yeah. That would be very helpful. 

Dave Bittner: ...We'll follow along (laughter). He claimed that she continued to harass him and threaten him in violation of the temporary order, and so an arrest warrant was issued for her. He called the police over the next couple of days, showed police officers threatening text messages that he said she'd sent him. Two more arrest warrants were issued. He called again a few days after. This resulted in another warrant. 

Joe Carrigan: So now we're up to four warrants. 

Dave Bittner: Right. 

Joe Carrigan: Right. 

Dave Bittner: The hearing on the protective order was scheduled. She showed up. She categorically denied committing any of the conduct, but the judge issued a final protective order requiring her to stay away from him, and she was arrested on these warrants, was served with all of the cases. She spent two nights in jail. Again, he reported more harassing texts from her, but here's where things start to not go his way. He reported more harassing texts, but this woman was in jail. She was in jail when the texts were allegedly sent so she could not have sent them. 

Joe Carrigan: Really. 

Dave Bittner: And the police looked up the cellphone records, and they showed no activity between their phones. He continued to report threats from the woman. The police continued to issue charges. It's worth mentioning, by the way, over this period of time, he had gotten married to another woman. So the assistant U.S. attorney pointed out this is not a crime committed in the heat of passion. This was deliberate. He is planning this out. 

Joe Carrigan: This was long-running, too. 

Dave Bittner: Yes. 

Joe Carrigan: Right? 

Dave Bittner: Yes. 

Joe Carrigan: So, generally, when you think of a crime committed in the heat of passion, you think of something that's done and then is over with. But this is a long-running campaign of misinformation that this guy ran against his ex-girlfriend. 

Dave Bittner: Right. Right. So a prosecutor for the state's attorney's office for Anne Arundel County, which is where this was all taking place, asked for permission to download data from his iPhone and - connected with the investigation. And he said he would only allow a limited search, and because of that, they dismissed charges against his former girlfriend. 

Joe Carrigan: Good. 

Dave Bittner: He continued to file charges against her, and he switched (laughter) to authorities in Baltimore County, a neighboring county because, evidently, he was not satisfied with the police and justice system in Anne Arundel County. Baltimore County Police investigated the claims. They said that there was very little on his phone. He claimed that he was just - kept his phone tidy, didn't like to keep a lot of things on it. But, you know, in the meantime, it seems as though the police were on the trail here. 

Joe Carrigan: Yeah. But it says here that this woman was arrested for a second time and forced to wear an ankle bracelet. 

Dave Bittner: Right. So... 

Joe Carrigan: That's terrible. 

Dave Bittner: It is absolutely terrible. So eventually, out of frustration, this woman, who, let's remember here, has done nothing wrong. 

Joe Carrigan: Right. 

Dave Bittner: She got some help from her family. They hired a lawyer. And the lawyer contacted the FBI in response to this ongoing harassment. And the FBI got involved. They took up the case. And eventually, they arrested him in January of 2019. He admitted to hacking her accounts. And he has been sentenced to four years in jail for what he did to her. 

Joe Carrigan: Yeah, good. I don't think that's long enough. 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: I really don't think that's long enough. There's a quote from the judge that sentences him in here saying that he "weaponized the justice system." 

Dave Bittner: Yeah. 

Joe Carrigan: That's a terrible act. The last thing anybody needs to be is under the inspection of the justice system for something they didn't do. That can really wreck your life. Just getting into that system is a terrible occurrence in your life. 

Dave Bittner: Right. 

Joe Carrigan: And this guy drug his girlfriend into that deliberately. 

Dave Bittner: Yeah. I also think about how when weighing the evidence here - because, initially, you have kind of a he-said-she-said, right? 

Joe Carrigan: Right. 

Dave Bittner: I say that this woman is harassing me. She says, I'm not. Well, if that's all it was, then it would probably not go any farther than that. But because this guy had the ability to hack her accounts and to create these text messages that appeared to come from her, well, now the police have evidence against her. And so her denials fall on deaf ears because here's the evidence. It's on his phone. Here are the text messages. 

Joe Carrigan: Right. 

Dave Bittner: And I have to say, I mean, that's kind of chilling, don't you think? 

Joe Carrigan: I do. I think it's very chilling. I think this is terrible. And it's not something that's terribly difficult to do. The only thing that's going to stop people from doing this is these harsh sentences. This guy is going to spend four years in a federal prison. There is no parole in the federal prison. That was eliminated back in the '80s, I think. 

Joe Carrigan: I don't know. I think this guy might have gotten off easy considering the magnitude of what he did. I mean, think of the resources he wasted and think of the time he cost this woman and the expenses. This woman had to hire a lawyer. That's not cheap, you know? 

Dave Bittner: Right. 

Joe Carrigan: And fortunately, she was able to do that. If she was not able to do that, what would the outcome have been? That lawyer is the one that got the FBI involved. Who knows what would have happened if she couldn't afford a lawyer? 

Dave Bittner: And I want to just emphasize here that by making these suggestions, I'm not blaming the victim - that I wonder had she had multi-factor authentication on some of these accounts, could that have... 

Joe Carrigan: Could that have made it more difficult? Yeah. 

Dave Bittner: Right. 

Joe Carrigan: That's just another reason for everybody to use multi-factor authentication. 

Dave Bittner: Yeah. 

Joe Carrigan: But he could have set up fake accounts, as well. And it looks like he did that to some extent. And no authentication is going to prevent that. 

Dave Bittner: Right. I guess, ultimately, she trusted him. You know, they had a relationship. They had an intimate relationship. She trusted him. She shared certain information. He took advantage of that trust. He abused that trust and to great effect. And she suffered because of it. But, ultimately, it looks like justice was served here. So... 

Joe Carrigan: Yeah. 

Dave Bittner: ...That's good. 

Joe Carrigan: I agree. 

Dave Bittner: All right. Well, that is my story this week. Joe, what do you have for us? 

Joe Carrigan: Well, David, it's a switcheroo because you're doing the dark story, and I'm doing one that's not so dark. 

Dave Bittner: OK (Laughter). 

Joe Carrigan: My story comes from Sudeep Singh and Kaivalya Khursale. I hope I'm saying Kjursale's name correctly. If I'm not, I apologize in advance. They both work at Zscaler. Dave, do you get emails that notify you of a voicemail? 

Dave Bittner: I do, yes. 

Joe Carrigan: I do not. 

Dave Bittner: OK. 

Joe Carrigan: I don't get them. And I probably should get them. Or maybe there's something I haven't set up where - in our system at Hopkins where I haven't - I just haven't set up the system to do that. 

Dave Bittner: Pretty common thing, though. 

Joe Carrigan: Yeah, it is a common thing. Zscaler has identified a phishing campaign that impersonates this type of email. And this is nothing new, but they're saying it's on the rise. And do you know why it's on the rise? Why would you think it's on the rise? 

Dave Bittner: That's a good question. Is it related to folks working from home? 

Joe Carrigan: I would believe that's exactly right because I have to call in and check my voicemail. I don't get the email. I'm not sitting at my desk where that little, red light comes on every day anymore, right? 

Dave Bittner: Right, right. 

Joe Carrigan: I'm sitting at my home. I don't have any idea if that little, red light's on or off. 

Dave Bittner: That's bliss, yeah. 

Joe Carrigan: Right. It is. 

(LAUGHTER) 

Joe Carrigan: One of the many benefits of working from home. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: I can now ignore another form of technology because it's not a big, red light sitting in my face. But if you get these emails and you click on a link, you will be redirected to a credential harvesting page. They are targeting enterprises, which is interesting. Presumably, they're either looking for IP to steal or possibly some ransomware targets. They're using a lot of JavaScript on different hosts and things of that nature that are technical that I'm not going to get into. There's a lot of technical information in the article if you want to look at that. There's going to be a link in the show notes. 

Joe Carrigan: But there are some interesting techniques that they're using to protect themselves. First, these phishers are using a CAPTCHA service from Google to keep web crawlers from going into their site and flagging it as malicious. So one of the things that is always going on is these web browsers will warn you if a site is dangerous. And the way they know that is they've looked at the site and analyzed it beforehand, right? 

Dave Bittner: Right. 

Joe Carrigan: There's a service out there that does that. And if that service can't get in to analyze the website and see that it's malicious, then they can't warn you about it. 

Dave Bittner: Yeah, can't tell you either way. 

Joe Carrigan: Right. The CAPTCHA service is there to provide protection for legitimate web services that don't want to be abused, right? So here's another case of a tool being used for evil. 

Dave Bittner: And then the CAPTCHAs are, you know, click on every part of this image that shows a chimney or... 

Joe Carrigan: Yeah. 

Dave Bittner: ...A traffic light or something like that. 

Joe Carrigan: They're awful. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: I really hate them. I get them frequently because I'm usually on a VPN, and that's one of the... 

Dave Bittner: OK. 

Joe Carrigan: ...Key factors that will make you get a CAPTCHA - if you're coming out of a VPN node. 

Joe Carrigan: They found one page that on the first attempt always gives a password incorrect message. So even if you enter your - well, I mean, it doesn't matter what you enter. You're going to get a password incorrect, which they think makes the user slow down and enter their password more cautiously next time. So these guys are looking to increase the quality of the data they steal, which I think is interesting. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: Another thing they're doing is they've registered a domain called secure.ciscovoicemail.cf. That's a top-level domain for the Central African Republic, and we've seen this before as well, where people have registered the top-level domains from countries that look similar to other top-level domains. They're also abusing the .XYZ top-level domain. Dave, do you remember the good old days when there was only seven top-level domains and the country codes? 

Dave Bittner: (Laughter) I mean, I probably don't have specific memories of that, but, yes, I do remember a simpler time of the internet, for sure. 

Joe Carrigan: Right. You know how many top-level domains there are now? 

Dave Bittner: Oh, my goodness. I can't guess. 

Joe Carrigan: There's over a thousand - over a thousand top-level domains, and every one of those top-level domains - and a top-level domain, for the less technical among us, is the very end of a web address or an email address - the .com, .edu or, in this case, .cf, now .xyz. They have - there are thousands of these. And within that top-level domain, you can register names for just about anything. 

Dave Bittner: Yeah. 

Joe Carrigan: And these guys in the Central African Republic domain have registered ciscovoicemail.cf, which is a great way to spoof the Cisco voicemail client. 

Dave Bittner: Yeah. So many of these voicemail systems are run on Cisco hardware. 

Joe Carrigan: Right. So, really, the only protection here is vigilance. If you have one of these systems where you can remotely access your voicemail, bookmark that and use the bookmark. Don't click on the link in the email that's sent to you. And then you can access your voicemail directly. 

Dave Bittner: Most of the systems I'm familiar with these days, they include the voicemail in the email. You get a little audio file. 

Joe Carrigan: Right. 

Dave Bittner: Right? They're in the email, so you don't even have to leave your email client to listen to the message. 

Joe Carrigan: Right. Now that's a great solution. 

Dave Bittner: If you get one of these and it doesn't include the audio file, that could be a tipoff that... 

Joe Carrigan: OK. 

Dave Bittner: ...It's not legit. 

Joe Carrigan: Yeah. That's... 

Dave Bittner: Because most do these days, yeah. 

Joe Carrigan: So people should just be aware that people are actually increasing the targeting of credential harvesting using these voicemail impersonation phishing attacks. 

Dave Bittner: Yeah. All right, well, that's an interesting one, as well. It is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Dave Bittner: Joe, you found our Catch of the Day this week. Why don't you describe it to us? 

Joe Carrigan: I did. It comes from a Reddit user, OkamiLife (ph), and it's an exchange on some messaging client. I'm not sure what it is, but it's obviously starting off as a scam. And OkamiLife realizes this immediately and starts having a good time with the scammer. Dave, why don't you be the scammer, and I will play the part of the intended scamee. 

Dave Bittner: All right. Very good. Here we go. 

Dave Bittner: (Reading) Good day. I hope you're doing great. I'm Braxton Gilbert (ph), and I'm the director of human resources of CGI Global Inc. I'm contacting you in the regard of your resume posted. Let me know if you're interested. 

Joe Carrigan: (Reading) Totally. Tell me more, Brandon (ph). 

Dave Bittner: (Reading) Opening positions - data entry, administrative assistant, IT manager, accounting manager, receptionist, customer service, project manager, front desk, et cetera. Which do you best fit in? Pays $50.65 per hour and $25 during training hours. 

Joe Carrigan: (Reading) I think a phone interview would be more appropriate, Bernard (ph). I qualify for all those positions and think they all fit me to some extent. 

Dave Bittner: (Reading) Sound good. Your resume was reviewed by the human resources department, and you were selected for an online interview. The interview will be conducted via online. That way, it's faster. I believe your Gmail account is still intact. 

Joe Carrigan: (Reading) I'm happy to hear it, Bridget (ph). Tell them to call my phone number, and we can chat it up. 

Dave Bittner: (Reading) Good. I need you to get online now and download a Google Hangout (ph) app using your email and add up the hiring manager, Mr. Martin Bruce (ph). He will be online waiting on you to tell you more about the job offer. Wish you the best of luck in your interview. 

Joe Carrigan: (Reading) I don't have Google Handouts (ph). I want to speak on the phone. I'm missing eight fingers and talking is easier. 

Dave Bittner: (Reading) Online interview is an online research method in which participants are asked a question about a position aided by the use of computer-mediated communication tools such as instant messaging, email or video chat technology. But what are we doing now? 

Joe Carrigan: (Reading) I see what you're saying, Bolton (ph), but will it be a video chat? I just got my face did, and I need to see if it's employer-approved. You've got to work with me. 

Dave Bittner: (Reading) Good. I need you to get online now and download a Google Hangout (ph) app using your email and add up the hiring manager, Mr. Martin Bruce. He will be online waiting on you to tell you more about the job offer. Wish you best of luck in your interview. 

Joe Carrigan: (Reading) You sound hella cute, B-Pop (ph). How about we forget the job interview and I interview you for the position of being the new guy I keep in my basement? The one I have now is getting old. 

Dave Bittner: (Reading) What? 

Joe Carrigan: And that's where the conversation ended. 

(LAUGHTER) 

Joe Carrigan: Surprise, surprise. 

Dave Bittner: Yeah. Too much fun. All right. Well, pretty clear what's going on here, right, Joe? 

Joe Carrigan: Yeah it's probably the prelude to a check-floating scam, where these guys are going to say, hey, great. You got the job. And then they're going to say, we're going to send you a check. And as soon as you get the check, you're to spend money at this website on this thing. And then, of course, the check will bounce. And the person's going to be out the money that they spent. 

Dave Bittner: Right. All right. Well, that was a lot of fun. Thanks to that Reddit user UkamiLife (ph) for posting that and sharing it. It was our pleasure to read it. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Johnathan Hunt from GitLab. And he shared some of his perspective of dealing with bad actors. He thinks it's not so much who they are. It's what they're up to that needs to attract your attention. Here's my conversation with Johnathan Hunt. 

Johnathan Hunt: For probably several years in my career, I noticed that the operational team that would lead would attack the bad actors, whether it was through trying to block IP addresses, whether it was just trying to block the specific activity that they were trying to do or exploit, the scans they were running. And then we would continue to see the same behavior over and over - and whether it came from different IP addresses, whether it seemed to come from different types of profiles, whether it came from different areas within the service itself or the application itself. And we quickly realized that that's a losing battle. Like, you're not going to win playing defense. 

Johnathan Hunt: And so it was at that time my philosophy had changed to, we should ignore the person, and we should go after the behavior. We should go after the activity. We should be looking at what it is that they're trying to do, what - the control they're trying to circumvent, the types of attacks that they're using, the areas of the application that they're looking to expose. And how can we address the problem? How can we get to the root of the problem and address that behavior within the product or service that we're offering? 

Dave Bittner: Well, can you give me some specific examples of how this would play out? 

Johnathan Hunt: A good example is we - especially here at GitLab, we run a complete DevOps lifecycle tool. Part of that is source code repositories. Within the source code repositories, we have had actors that have exploited the platform itself or service itself for cryptomining practices. So, of course, we could go after and start kicking off each individual person that's doing cryptomining within our service. And initially, that's what we were doing. And then we had to spin up a team to do that because it ended up - the problem got worse. (Laughter) When - you know, after a while, you realize, we're not fixing the problem. We just keep hiring more people to try or mitigate this problem quicker. 

Johnathan Hunt: So then what we did was we hired a couple experts in machine learning and devised a tool, if you will, or a sort of, like, automate - you know, security automation or scripted automation to detect and block this behavior in the short term. So what we did in the short term to mitigate the cryptomining activity. And in the long term, then, we simply fixed the service itself, prevented that type of activity from occurring on the service itself. And so that's how we attacked the behavior versus constantly trying to mitigate and kick off bad actors off the platform. 

Dave Bittner: I mean, it's an interesting approach. I mean, what it reminds me of - and I suppose this is an imperfect analogy - but suppose if you have an issue with mice in your break room. You can set out mouse traps, but perhaps the real issue is that your employees aren't cleaning up after themselves. You know, they're leaving crumbs and food. And until you tackle that, you can put out all the mouse traps in the world. You're still going to have trouble with mice. 

Johnathan Hunt: I think it's a great analogy. That is exactly what we're trying to do. And I also want to point out that it doesn't have to be malicious activity from the outside, although that's probably what you would think of first, right? Mice are nuisances, right? So yes, we did have nuisances within our service. We did have a nuisance from external forces interacting with our service, trying to exploit our platform, trying to compromise our services or customers. But it could also be internal behaviors that we're looking at, right? It could be - it doesn't always have to be malicious. It could be unintentional bad behavior that originates from employees, from the way we build services to the way that we code the platform or the application itself. 

Dave Bittner: Can you understand the impulse from the security team to want to go after these things, to want to, you know, put a name on it and block those bad actors specifically. 

Johnathan Hunt: Absolutely. And even to some degree, we still do a little bit of both. I don't - I wouldn't say that we absolutely just - you know, some person is attacking our service, and we then spin up a three-month project on how to combat that behavior. I wouldn't say that that is the only thing that we do. We, of course, attempt to mitigate the activity from - you know, initially to prevent further compromise, further damage, further whatever, right? - whatever the situation is. 

Johnathan Hunt: But then, of course, what we're looking at is the behavior itself. So then we have grown an internal SIRT team, if you will - or a security instant response team. That team has almost doubled in size. And they now have a reactive arm and a proactive arm. 

Johnathan Hunt: So the reactive arm is the arm that is 24 by 7, gives us real-time coverage across the globe and can respond to these incidents immediately. And then now we have this proactive team that's involved with analysis like threat analytics, data analysis, trying to identify abnormal behavior, trying to get to the root causes of the events that we've uncovered or we've investigated. They're doing research. They're doing learning. They're doing security automation. And we're doing a lot of different things on the platform to then prevent the behavior from being repeated because, as you know, these types of tactics are learned by many, not just few. 

Dave Bittner: From a team point of view, the folks who are on your security team, is this approach more gratifying for them? Do they have a more complete picture of what they're up against? 

Johnathan Hunt: It's worked out really well. It's helped with team morale. It's helped with team satisfaction. It gives them a challenge. It gives them opportunities for growth and even - or behavior characteristics aside, right? 

Johnathan Hunt: Let's just put that aside for just a second, and the team itself is finding that they're not seeing the same incidents over and over again. And I've been parts of organizations and, initially, here - the teams and incident response engineers, they do get exhausted, right? It is a trying experience seeing the same thing over and over and over again and combating the same problems over and over again and then making requests for these issues to be fixed. And the product teams or the engineering teams are, you know, deprioritizing that. Or we'll get to that in Q4 of next year, right? You know, nine months away - and it's really challenging. 

Johnathan Hunt: Not only have these teams that - they can immediately work to mitigate incidents and kind of get the thrill and the adrenaline rush of working on, you know, current events, but then they also have the opportunity to research different parts of what you might call, like, the security domain, right? The security realm - they can look at the application security. They can look at infrastructure security. They can look at containers. They can start challenging themselves and growing not only in their space and in their profession but also helping the organization combat these problems over the long haul. 

Dave Bittner: What sort of advice do you have for other organizations who might be looking at following in your footsteps here, based on the things that you've learned evolving your own approach to this? Any tips for people who may want to adopt a similar approach? 

Johnathan Hunt: I do. So a lot of organizations run - tend to run lean, and that's certainly understandable, even at times like now, where hiring might be frozen, or maybe even some teams have been reduced in size. And what I can say is I know it's a daunting task. I know it can be a little frightening at first, but you do need to dedicate and allocate some time to being proactive versus reactive. And if that means that taking care of immediate events might take a little bit longer or it might be a little more - you may seem like you're losing ground in the beginning, dedicating that time is going to win the battle in the long term, right? 

Johnathan Hunt: Spending that time to proactively address the behaviors, the risks, the threats, looking into threat analytics, looking into, you know, the abnormal behavior that you've identified through a seam or through a data analytics team or something like that - doing that is going to reduce these events over time. It's going to allow you to run a leaner team more efficiently and more effectively and get ahead of this game. 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: Dave, great interview - blocking IP addresses and stopping up specific activity is a never-ending game of whack-a-mole, to use a phrase that you like to use a lot. 

Dave Bittner: (Laughter). 

Joe Carrigan: I like that. That's a great analogy. So looking at behavior may be a better way to automate the process, right? 

Dave Bittner: Right. 

Joe Carrigan: And hiring more people to control a growing problem is just not scalable. For example, the example that Johnathan cites in the cryptomining problem they were having at GitLab, that's kind of a problem of threat modeling. They didn't consider the threat when they built the service. However, somebody found out that you could mine cryptocurrency, and they did it. Then they told other people, and the problem grew. 

Joe Carrigan: The reason this happens is because threat modeling is hard, right? You have to - you really have to think of everything that a bad actor can do and mitigate it beforehand. And no matter how good you do it, if you do it, you've missed something. I guarantee you've missed something. Malicious actors are very creative, and they're going to see something different than what you saw. 

Dave Bittner: And there's just so many more of them. 

Joe Carrigan: Right. Exactly. So they built this DevOps and DevSecOps tools - that they just didn't consider cryptomining as a threat, but it was. 

Joe Carrigan: So back to behavior, it looks like they're having success by analyzing behavior as opposed to trying to stop individuals at the firewall or at a user account level. And the impact has been really positive on their team. So instead of going after these recurring problems over and over again, they're addressing new and interesting problems. And they're going out and learning more about the security realm, as Johnathan calls it, and that's why they got into security in the first place, right? They hope that they're going to be doing interesting stuff fighting the bad guys, and they get to do the new stuff on a more frequent basis than - they don't just have to sit there clicking the same button over and over again, which will drive you mad. 

Dave Bittner: Right. So this approach, even beyond the benefits of increasing - of being more effective against the security issues that you're facing, it's better for your team. 

Joe Carrigan: Yeah. 

Dave Bittner: People have more job satisfaction. And, yeah, they're more fulfilled by the work they're doing. 

Joe Carrigan: Absolutely. 

Dave Bittner: Yeah. All right. Well, our thanks to Johnathan Hunt from GitLab for joining us. 

Dave Bittner: That is our show. We want to thank all of you for listening. And, of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.