Today on Cyber Work, my guest is Marcus Fowler, Senior Vice President of Strategic Engagement and Threats at Darktrace. In today’s episode, we talk about attack vectors currently facing embedded journalists, their need to be available at all times for potential sources, and how that openness makes them, their company, and their confidential sources potential attack vectors for cyber criminals.
Marcus talks about security hardening strategies that don’t compromise journalistic availability, the work of threat research, and why people with a natural interest in cybersecurity will have their career path choose them and not the other way around. That’s all today on Cyber Work.
[00:01:40] CS: Welcome to this week’s episode of the Cyber Work with InfoSec podcast. Each week we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals and offer tips for breaking in or moving up the ladder in the cybersecurity industry.
Our guest today, Marcus Fowler, spent 15 years at the Central Intelligence Agency, developing global cyber operations and technical strategies, until joining Darktrace in 2019. He has led the cyber efforts with various US intelligence community elements and global partners and has extensive experience advising senior leaders on cyber efforts. He’s recognized as a leader in developing and deploying innovative cyber solutions.
Prior to serving at the CIA, Marcus was also an officer in the United States Marine Corps. Marcus has an engineering degree from the United States Naval Academy and a master’s degree in International Security Studies from the Fletcher School. He also completed Harvard Business School’s Executive Education Advanced Management Program.
So, today’s topic, Marcus pitched it to me. We’re going to talk specifically about cyber criminals and using, I believe, media and media sources in other countries as attack vectors. And I’m sure we’ll get into some other stuff as well. But that’s sort of the umbrella today. So Marcus, thank you for joining me today. Welcome to Cyber Work.
[00:02:56] MF: Oh! Chris, it’s fantastic to be here. I really appreciate it. It is an honor.
[00:03:00] CS: Pleasure. The pleasure is all mine. So I always like to reset the room. I mean, we got a nice bio from you here. But what first got you interested in computers and tech? And where did you first get excited about cybersecurity? Was it when you were at the CIA? Was it before that? Were you sort of on the command line since you were a child?
[00:03:18] MF: So I’m probably a late arrival to the cyber world. Engineering degree, but then in the Marine Corps, I was like a combat engineer, which means I either built things or I blew them up. Kind of a C4 or 2 by 4 type of role. And then grad school, I took a really interesting class around technology and national security that started to really get me there. And then it wasn’t until I was at the CIA that I really started to see the impact of emerging and next generation technologies and their application by our adversaries. And specifically, around terrorists using the Internet. Because this was back in 2007, 2008, where we were really seeing that area as one of concern, but also one of what we weren’t, in my opinion, taking the greatest advantage that we could have. And that kind of took me down a path of really learning more about the digital cyber technology space. How we’re leveraging it from data correlation and geolocation, to offensive cyber operations and intelligence collection and those type of things. And I very much gravitated towards wanting to be a person who could take the teams that were developing these amazing technologies, and help translate them to the mission impact of national security leaders that maybe didn’t have that same level of, certainly not expertise, but even comfort in how it translates and how they were thinking about resourcing, prioritizing.
And at the same time, kind of the reverse of that path of talking to those technical teams about what direction we should be thinking about the technology to have the greatest mission impact. Because what you could have is you could have a technical team that creates something amazing, and it’s groundbreaking. But if it doesn’t matter to mission, or doesn’t matter to business, then it’s just a shiny toy that a lot of money was spent on. No matter how innovative it is, right?
And the same impact for the business leader, if they aren’t – They might have all sorts of mission problems that really are perfect for an emerging and next generation technology, AI, machine learning. That if they’re not leveraging, they’re operating in kind of a substandard place.
[00:05:50] CS: Hmm. Okay, so how much of the security that you learned doing this work with the CIA was sort of on the job? And were you just kind of thrown in the deep end and sort of learned as you went? Like, how fast was the ramp up time in this case?
[00:06:05] MF: It was very much on the job and grabbing the time of experts in their fields that I knew I needed to utilize and to leverage. I did have to – I think there was probably a choice at some point where either I could like take a direction where I was going to try and be the expert, or I was going to be the informed voice and champion with the expert beside me in order to do it. And that just gravitated more for me and more for being able to have a quick mission impact. So it really was – And also being a very active kind of question asker and engaging. Like, “Hey, I see that you said we could go this direction? Well, why is that? What’s happening there? Let me understand more about your decision-making.” Because there’s always some conversation in technology that doesn’t require you to be able to know how to write the Python script to understand the value of the effort put in and how it could be leveraged by various elements of an organization.
[00:07:15] CS: Mm-hmm. Yeah, there’s the practical, and there’s the theoretical, and there’s the direct technical. And all of those are needed. And you don’t necessarily need to be the greatest of all time in all three of them to sort of throw your hands into the work.
[00:07:31] MF: Right. That’s exactly right.
[00:07:33] CS: Yeah. So, as you said, following your time at the CIA, you joined Darktrace as the Director of Strategic Threat, before moving up to SVP of Strategic Engagements and Threat. So, can you talk about what precipitated this move from the federal or military sector into the private sector, and how your skills sort of moved across? If there was a big culture shift or a big – Another sort of having to relearn things from the beginning aspect to it?
[00:08:00] MF: Absolutely, I can share with you how my – I think, each journey for anybody that does that transition is different. And certainly, for me, I love the CIA. There’s amazing men and women that are doing fantastic work there. So it had nothing to do with needing to leave government or leave the CIA. But I had gotten to a point in my career. And I’d never been in the private sector. I mean, at 19, I was at the Naval Academy. And I stayed in the military and/or some version of service up until 2019. And for me, I just really wanted to understand – I came to that fork in the road where either I was going to stay until retirement, right? For the federal service. Or I was going to pivot – I was going to have a next act in the play, right?
[00:08:50] CS: You could feel that this was the moment.
[00:08:52] MF: Right. To evaluate, right? It wasn’t even like a short thing. It was more like, “All right. I’m going to take a very good look at what’s out there.” And I probably spent about a year. I probably talked to 20 plus companies ranging from data science work, cybersecurity work, threat intel, cyber threat intel work, and trying to – And I took any call. Because every call that I had was kind of – There were two pieces of it that were critical to me. One was why did this person choose to take this call with me? And what in my background is resonating with them? And the other is what are they saying that resonates or doesn’t resonate with me? And then starting to kind of form where I wanted to land or where I thought I wanted to land.
Because it’s one thing to be a lawyer in the public sector and go be a lawyer in the private sector, right? That’s fairly direct. It’s another to be like an intelligence officer and another. Or I knew it was going to have to be a fairly dramatic pivot from an experience standpoint. I did have a – For my time during the Harvard, doing HBS’ Executive Education Program, I did have some confidence that my skills were sought after at the C-suite, right? Because that’s the biggest thing, right? Is you got to know that there’s a place out there for you, right? Or at least some interest in having it. And that just was a matter of finding the right fit.
[00:10:22] CS: Yeah. And I’m glad you expanded on that. We have a whole lot of people in the military and veterans who are reskilling, are looking to change, who are taking our classes. And so, there’s an awful lot of public sector. The private sector pivoting. And what do I do next? And how do I take these skills and convert them into that? So I think the importance of those kinds of personal stories is always really, really helpful to us and to our listeners.
So can you talk about some of the common day-to-day tasks, roles, responsibilities you have at Darktrace? And especially how those roles have changed or gotten larger with the title upgrade?
[00:10:58] MF: Sure, yeah. And it really has kind of been an evolving kind of role, I think. So, initially, in December, I said, still, my main focus has been kind of – And kind of always hearing my new title of engagements and threats. So in the threat side, emerging next generation. What’s happening? How are we thinking about the threat state, nation state, non-nation state actors? I had the pleasure of doing a webinar earlier today talking Russia, Ukraine, cyber impact longer term. Those are the type of things that I like to kind of pull on, both my nation state activity kind of experience as well as kind of where we’re seeing some of our own trends through the Darktrace lens, through our own kind of SOC efforts and those types of things. So that was a big area.
And then also, the executive sponsor business engagement role of being able to talk about strategic value, strategic impact, taking that amazing, emerging or next generation technology and talking to the senior leader at that C-suite level, where you’re really talking about business. What matters to business? Business operations? Business need? With that, security is the through line or security decision making and risk being it. So that really was kind of the core, main core areas that I was initially brought on.
Where I have kind of evolved or expanded a bit is, one, I’ve gotten very interested in the strategy aspects behind the scenes of how we’re thinking about using people like me, or how they are being employed to assist the broader Darktrace community, or the industry engagement. And what we can do intentionally around that from a resource efficiency? But also, making sure that we’re out there as the resource when needed.
The other is some of the other bigger programs. Like Darktrace just announced the launch of its federal division just within the last week, week and a half. So, obviously, that’s a massive endeavor in terms of trying to think about how you move into that space, or how you want to kind of – What role you want to play in that space. So I’ve been very active and titled bringing together the right resources for that division to be successful and play a role in assisting more directly in national security.
[00:13:21] CS: Okay. So I think you kind of answered this, but I’ll ask anyway. But whenever I get to talk to a C-suite person, I’m always curious about the time split between the work of dealing with clients working sort of C-suite to C-suite, or at upper level things, versus the time you used to spend kind of getting your hands dirty researching threats or doing this. Are you able to find the balance? Are you fine with sort of leaving some of the sort of like hands-on work behind? Or do you still sort of engage in threat research and so forth as well on an active level?
[00:13:57] MF: So, prioritization of what I do in my day is key, because, no, I can’t do everything. And one of the things certainly that I don’t get to do as much as I like is some of that research. I do leverage, like, I certainly have the people that I know are doing it day-to-day. And so we’ll have a team chat going. We’ll throw some threads around of, “Why do you – How interesting that the Conti ransomware group aligned with Russia? Or what do we think about their implosion?” And we’ll all kind of kick around ideas, do some research, think about that. So that is very much something that you’re always kind of trying to get a little bit more.
But also, the other aspects of life, I’m a father and husband. You can’t do it all the time. But yeah, I think it is – I do enjoy that resource aspect. I also like kind of being out there trying to get these projects moving forward in internal communication, but also external. I mean, some of my favorite things are moderating executive roundtables or fireside chats with a Darktrace customer. They get to kind of hear [inaudible 00:15:01]. Those are always some of my kind of favorite engagements. I actually have the honor of being the co-chair of our CXO council. So I get to have these great deep dive sessions with senior security leaders from across industries, across the kind of Darktrace landscape, and just love to hear kind of what they’re dealing with. And how their crosstalk happens, right? How they’re sharing and getting stronger from best practices and strategies.
Because I think security is one area where almost everybody wants to share and discuss and get better, right? Very few see it as a true competitive advantage of my security is better than your security. I mean, less so maybe for some of us that are vendors in the security space. But across the industries, there’s really that checking brand at the door of it, because they all know they’re in the same fight. And so it is a place where you want to share.
[00:15:58] CS: Yeah, it makes sense. Yeah, I mean, do you have a lot of sort of cross-company collaboration then in that regard with what would otherwise be competitors?
[00:16:08] MF: Wherever we can. I think wherever makes sense. I think, as you think about the security ecosystem environment, those that are value enablers, value collaborators, are going to be the best in breed, right? You’re not going to force a security team to throw everything they have in the trash and assimilate to the borg of Darktrace or another platform, right? You need to be brought on as something that is a positive gain. It is a collaborator with things you’re already doing in your workflow.
Now, I think over time, you might say, “Okay, this level of overlap is very positive and good. And I like it. This level of overlap, there’s probably redundancy here. Let me reevaluate where I’m using what.” Right? But I think coming from an open integration, an open API standpoint, I mean, a perfect example is we have Darktrace for the endpoint. But I also integrate with CrowdStrike, right? Because they are a more robust EDR. We’re doing some other – There’s some augmenting niche differences, but enough that I also don’t want – If you have CrowdStrike, yeah, I need to be able to see that telemetry. Like, Darktrace overall is going to be stronger for the availability of that intel for the AI and machine learning to be positioned wherever it can to have that defensive superiority.
So I think that’s the approach you really – I mean, niche, one-off solutions that don’t talk with anything, if you have to go to another pane of glass, they really are more cumbersome very often than they’re worth for a lot of security teams.
[00:17:47] CS: Yeah, yeah, I believe that. So I want to get into our main story today here. The frame story for today’s episode is going to be based around advanced persistent threats, or specifically nation state attacks that use media sources as one of their attack vectors. So we’ve talked about APTs before with David Balcar of Carbon Black, and Alissa Knight Ink. And had Eric Milam with Blackberry talking about his report on the cybercrime group, BAHAMUT. So there’s always an area of interest in the show. But tell me about the News Corp hack by Chinese cyber criminals and the way that attacks like these can be used not only to target media outlets, and even not just journalists, but their in-country sources? I believe, am I getting that right?
[00:18:25] MF: You are, yeah. And I think the kind of inherent in that is the need for journalists and encode resources to communicate, right? To communicate however they can to get messages out. And when you have things like the Great Firewall, and others, like be very creative, or maybe more vulnerable in order to get things out.
So it also happens in email. I think, increasingly, you’re seeing these. And your signal and some of your more secure apps, right? You got to get out of some of this movement to that, specifically in an effort to combat the growing aggression cyber and other to journalists globally, right? Because they do want sources. They do want new intel. So they’re very open to a cold call, potentially, right? Because this could be an amazing source. And in that openness, where a lot of I think email teams, or email security teams, get to be like very – They could have a very high threshold for vetting or validating who’s reaching out. Journalists, almost by design, want to get – Because this could be the next –
[00:19:29] CS: The door has to be wide open, yeah.
[00:19:31] MF: I mean, and in fact, it aligns quite well with my old life, where we’re looking for intelligence sources, right? We’re looking for assets. Some asset writes into what have you and says, “I may have intel around a terrorist threat, or this leader, or this thing.” It would be foolhardy not to follow up on it. But you also are posing your own security resources access in building that bridge, right? And that is you could have a really heavy social engineering element to that, right? To what is a kind of dangle of a source, right? That then turns into rapport building. That then turns into sharing of information. And then exposing and then leveraging for the attacker. I mean, it can be a very – Even though the approach seems almost dated, and that it’s a grift on the street or something like that –
[00:20:35] CS: That’s still what works the best. Yeah.
[00:20:39] MF: Some of my best friends are humans, other ones are dogs. Increasingly, they’re dogs. But we are fallible. And very often, we’re very social creatures, right? We are open to having a conversation. And those in a line of work where you’re talking about, a journalist, this, that, it just is a natural thing for them. So what they really need to be thinking about is how can I have that level of exposure and engagement with the levels of protection and security I need in place to make sure that it’s not taken advantage of, right?
And the biggest ones being multi-factor authentication, validation, of being able to – And thankfully, journalists are outstanding researchers. How can I vet and validate the individual? What questions can I ask that might make their social engineering more complicated, right? And you shouldn’t take things at face value. And usually, very often, that social engineering goes only so far until they start to have to fabricate, and their story starts to unravel. Now, the more sophisticated actor, the more deep that fabrication can go.
But I would say going to your lying journalist, it’s probably more of a standard playbook rather than a truly targeted, truly deep, and what we would call backstops approach where they have a Facebook that wasn’t created a week ago. They have Twitter that actually follows and retweets, right? They actually have some level. I mean, you could start to dig into the level of –
[00:22:19] CS: The depth of complexity.
[00:22:20] MF: Right. And reality. But again, they have to take the time. So if it’s something fast moving, and that’s where they’ll get you, right? If it’s just something that is quick turnaround, immediate, urgent –
[00:22:30] CS: Yeah. It’s also the sort of – It’s the job where you’re most closely connected to you need to open this now, or it could go away. I mean, we always talk about the fact that social engineering sort of relies on you to make the decision before you’ve thought about it. And I suppose if you’re looking for – And especially if you’ve been like hitting your head against a brick wall, right? When someone finally says, “I have this information that you need.” Like, you’re just going – Unless you stop yourself, you’re just going to go, “Great. Thank goodness. No one else has.”
[00:23:01] MF: That’s right. You can already see the Pulitzer Award. You could already – Like, you’re going to get a headline. Because there’s that – They could be like, “Oh, I’ll just send this to – Sorry, Washington Post. If you’re not going to respond to me, the Wall Street Journal is dying to post this.” I mean, you don’t know that, right? But if I can weave that web, you’re like, “No, no, no, no, no. No. I trust you. Send me that link. And I’ll go right to the page. Or we can engage that way.” Because, again, you’re chasing a deadline to some extent.
[00:23:30] CS: Yeah. Now, I mean, you’ve mentioned it pretty well here. But could you sort of walk me through some of these attack vectors? I mean, are people – Are journalists mostly getting these on their phones? Through their Facebook? Through their laptops? Like, is it a combination? Is there any particular pattern that you can see?
[00:23:47] MF: I think it is fairly mixed. I mean, email being the most common, right? Email, which you could get anywhere, right? Email I think is the most common. Anytime you’re – But I would say, increasingly, any of your SaaS applications or communications are going to be looked at, right? Are going to be attempted in the password. I mean, the most common and the consistent, and this is true with so many of the cybersecurity, is going to be email. It’s an easy route. Your email address is being put out there almost at the bottom of your byline or at your website, contact me. I mean, there’s an open invitation. But that one – I almost want the journalists to make sure that they’re viewing that almost as a spam folder, right? And not as their trusted asset.
And it also has phases, right? Okay. You emailed into this. I’m now going to move you into something that is more secure. Or I’m going to move you into something that has more security for me over time. But it usually involves clicking on a link or taking into a website that then might look very much like, “Oh, I just need to log back into my Microsoft Outlook account.” Right?
I mean, the number of times we’ve seen the pristine looking website. I mean, I think people almost have a dated thought of like, “Well, it’s going to be a website fill?” But spelling errors, or conduct sites. Like –
[00:25:03] CS: HTML 1.0. Yeah, right. Right.
[00:25:06] MF: Right. Right. If you have that, then you have a bottom feeder. But you also have some that are going to be check that URL, reroute, go to the actual website. Type in the URL that is correct to get to it, right? Because they’re really doing a dual thing, right? One, they’re account harvesting to use them and then use that password against all your other accounts. They’re brute forcing, right? They’re just throwing tons of accounts, tons of email passwords at your account. So using the classic personal cyber hygiene of complex and long passwords.
I think using a password vault where you have those complex and you’re not trying to remember anything. I think that is a growing best practice. And certainly, multifactor authentication, right? You should have that on everything. If you don’t, or if you have somebody that you’re interacting with that doesn’t, then you need to heighten your security, because you’re interacting with someone that isn’t as high as you would like it.
[00:26:14] CS: Yeah. Now, is there kind of a steep learning curve with journalists that you’re finding? Obviously, a couple are getting burned and facing terrible consequences. But do you think that the sort of journalistic community as a whole is sort of understanding the scope of this and hardening their defenses? Or is this something that we’re still trying to get the message out on?
[00:26:35] MF: So I think some have some of the best practices that I’m confident I could learn something from, right. So I think those seasoned – Those that have been in those types of situations before. But again, you’re always going to have the person who’s new to that beat, or you have this kind of turnover, right? And you don’t have a sense for the level of mentoring of, “Hey, let’s talk about your specific security –”
[00:26:59] CS: Specifically, security issues. Yeah. Right. Or whether your journalistic source even has a sort of policy on that sort of thing.
[00:27:06] MF: Right. I do know some companies that certainly are putting a premium on bringing on a head of security or a chief of security. It isn’t just about the security for their company, for themselves. But also, how do you extend that and train up and get smart those journalists that are on the front line, right? And I think we’ve seen this really mature, I would have said over the last six years. I think, certainly, many journalists felt during – And parking all politics here. But over, say, the Trump presidency where you might have more left-wing journalists are more considered to fight. I mean, the way that the media has been framed as a potential adversary to certain elements. Even from a kind of Continental US type of level of awareness and security has been heightened. I think that only translates that many more or that much more when you’re talking about international actors.
[00:28:08] CS: Can you sort of – I mean, you said all these sort of pieces separately. But can you help me visualize what a truly secure journalistic source looks like? I’d say like a malicious thing comes in through your email or through your phone, like what is it having to swim through before you get caught if you’re securing it well? Like you said, two-factor. You said proper identification and stuff. But what are some of the other sort of buffers that you can use to keep it up?
[00:28:37] MF: Yeah. I mean, for the individual, I think that – Unfortunately, it comes into the email. And again, you’re a journalist. You want that. You want that email. You want that outreach. Let’s assume it’s not hard to fabricate that. I don’t think that’s hard to generate interest. I’d say I’m checking for like trying to move me to links. Like, there’s a link in there. Why is it there? What’s it associated with?
Before I would click on it, absolutely, I would research the site. I mean, you could see the URL there. You could start to do some general research around that link. I mean, there really wouldn’t be too much of a need outside of maybe I’m passing you, “Hey, I had the stack of documents. Go to this FTP site. And just log in there.” If you need to log in to a place you’ve never logged into before, definitely create that new password for it. Do not use a password you always use to remember it. Because they’re going to harvest that password you use. Even though this is the first time you put it in that website, if I get that, I’m going to use that atop – Yeah. Atop of my brute force. I’m going to surf in there. I’m going to do iterations on that, right? The AI and the capability for the computer to now brute force around some good indicators is only speeding up and increasing. So I’d be careful of that.
I would vet the individual, whether that’s asking them specific questions of where they claim to be. And I mean, they can be guarded, right? They can, “Hey, I can’t tell you exactly where I am, because this.” But you could ask easy questions. You’re reporting to me from Russia. What time is it there? How’s the weather? Or what’s going on? I mean, you can weave in some of your own type of probing indicators, right? Kind of almost reverse social engineering, if you will, where you’re kind of trying to catch them in there. Because if they had to take five minutes to tell you the weather, they probably went and searched the weather. I mean, I can look outside and tell you in DC it is chillier today than it was yesterday. I got a sweater. I mean, it is all those things.
I think, also – Yeah, I’m sorry to –
[00:30:44] CS: Oh, no. Go ahead. Go ahead. Go ahead. I’m sorry. No.
[00:30:46] MF: I think the other is getting them on FaceTime if you’re comfortable with that, right? Because that very much is like, “Oh, wait a minute, what’s going on?” You could get aspects of their personality, of their location, just in the surroundings, right? All of a sudden, they come up with a lot of, “My camera doesn’t work. I don’t have a camera. I can’t get that.” I mean, obviously, they can fabricate. And again, they may be genuine. But if they have a lot of excuses for why they can’t do things like that, again, be ever heightening that sense of security awareness.
[00:31:20] CS: Oh, yeah. Yeah, well, what I was going to say was that I feel like for folks who are listening who might have clicked on the free pizza coupon in their email and feel bad about it later, like, these are the exact same techniques that are happening at all levels. I mean, the complexity may have increased a little bit. But at the heart of it, you still have either that invoice, or that link, or that desperate phone call to give me your information as quickly as possible and stuff like that. It’s still all the sort of the same point of entry.
[00:31:55] MF: Yep. I mean, I think the worst thing we could do is underestimate how sophisticated they can be, right? And I think you do really need to trust your gut a bit. If something just seems weird, just a little extra scrutiny, a little extra investigation. It’s not ever a bad thing to do anyways. So if it just feels wrong, to make sure – Get your level of confidence.
[00:32:14] CS: Take a breath.
[00:32:16] MF: That’s right. That’s right. Because, I mean, the amount of social engineering or the amount of social media scraping and harvesting, that can scale. I think, truly targeted, tailored social engineering attacks years ago was cumbersome, was harder to do all the research and the work. Today, a lot of it can be automated. A lot of it with more NLP where you’re – Showing me they can scale better, which means they can just kind of go after many – Where maybe, historically, you’d be too small a fish or too corner of the Internet. Today, the opportunity and the resource costs are such that they’ve kind of flipped.
[00:32:58] CS: Yeah. Now, can you – I don’t want to play a worst-case scenario here. But can you sort of explain, say, a reporter where their source gets compromised? Like, how far up can that escalate in terms of damage? Can it go straight into the news source and to government sources? Like, at what point is the limit reached, if any?
[00:33:22] MF: Yeah. I mean – And certainly, journalists can have a very sensitive set of asset networks that are placed in various – And on top of that, if they’re government individuals that are sharing information, that information could then be used to blackmail that individual, right? Because they’re probably not supposed to be talking to a journalist. But because they are, right?
So, I think what journalists certainly can do is do the best they can to separate certain communication lines and channels to different areas, right? Like, don’t have every single contact in one email mailing list in which, if someone got access to that, they can see every contact you have, right? I think wherever they can transition off of true name, that true location, for someone that has been vetted and is kind of proven to be a core asset. I think that’s certainly true.
And then how they could use it to leverage your account. I mean, also be very mindful of what emails seem to be going out. Now again, a good practitioner will use your password to get into your email, harvest what information they can. Maybe then use an impersonation, a hijacking of your account to send an email, right? So now I’m doing that with a link to the target. And then I’m deleting the email in the outbox, right?
So the way we certainly approach email security is all about some of that really awkward behavior in identifying in highly social engineering and impersonation attacks, because never sent this email. This email has never looked like this. This is an odd time for the individual. But all that context easily is lost when it’s human-to-human interaction. So I do think they can escalate privileges. They can escalate their activity. They can just sit and watch. I think there’s a number of different ways that they could – And stages, practically, right? Once they’re there, they can just watch and see the information that’s coming in, evaluate it. Maybe from an espionage standpoint, just use it. They could then choose – If there’s not much value there, see if your account could be used to piggyback into another account, right? And kind of daisy chain from what was a communications supply chain attack, rather than – Because why not use you as a trusted contact of Chris? Well, if I’m having trouble getting Chris, if I can have the email comes from Marcus, I’m already three steps into the kind of trust circle.
[00:36:00] CS: Sphere. Yeah. Okay. So, if you take off your security awareness hat and put on your sort of threat research hat, can you talk about some of the main security threats? Some threat actors that you’re currently researching or dealing with? Are there particular trends, malware types, or threat actors that kind of keep you awake at night?
[00:36:17] MF: Sure. I mean, the things that keep me up tonight are less non-state cyber actors and more the what’s going to happen next in terms of Russia and Ukraine. Again, it’s hard to talk about cyber when we sure kind of know what’s happening on the ground and the crisis and everything. But I think it is important for us to recognize that I don’t think the cyber chapter in this conflict has yet been written. And that does keep me up, the hacktivism, the non-state actors that are in there. Also, concerning in terms of they’re in the mix of when Russia chooses to reciprocate economic disruption and economic pressure on the US and its allies. Critical infrastructure, obviously, of concern.
I mean, one of my kind of – And I’m still wrapping my head around it. But one of my biggest concerns is actually an event, like Colonial Pipeline, but conducted against the Russians. So if a hacktivist group, or a non-state actor takes a vigilante, not USG, takes it upon themselves to see if they could do something to a Russian company that impacts Russian infrastructure. And all of a sudden, you have Putin, who has maybe the justification to escalate. So a miscalculation that escalates the conflict, right?
I think when you’re thinking about for those that are sitting at the computer and thinking about vigilante going at it, I mean, like, be the defensive vigilante. Like, help your local, small and medium business, right?
[00:38:03] CS: There’s plenty of work to be done that doesn’t need to be.
[00:38:06] MF: Right, right.
[00:38:07] CS: Yeah. [inaudible 00:38:07]. Yeah.
[00:38:08] MF: It’s not like we don’t have A team of people that can. And there’ll be factoring in all the pieces of Intel and potential implications of an offensive action. So that is probably one of the things I worry most about, because it’s really chaotic out there right now. And the number of people that are in the mix is really high.
[00:38:32] CS: And unaccountable. Yeah, right.
[00:38:33] MF: Right.
[00:38:35] CS: So, I want to kind of move from the headlines to the sort of more career cyber work oriented part of the discussions. We discussed previously, there’s a lot of gradations and careers and jobs relating to things like threat research, or threat intelligence, incident response, and so forth. So for folks who are interested in what you do and sort of from a threat research standpoint, can you talk about the types of skills, knowledge, experience, certifications, study, whatever, that they should be looking into to make them desirable to people hiring this type of work?
[00:39:10] MF: Sure. And I think anybody – I mean, the first thing you need is just a general interest, right? I don’t want to say passion, because that can get a little crazy where people are like, “You have to be obsessed with cybersecurity. Or you don’t earn it on if you don’t wear like a sleeve and a brand.”
[00:39:26] CS: Right. You just have to know that you can’t just get away with just hitting the button and letting the machine. You got to know why you’re doing it, right?
[00:39:32] MF: That’s right. And I think there are a number of different areas. I mean, honestly, I get a lot from the InfoSec and cybersecurity discussions and threads that happen in your Twitter or your LinkedIn. Though, there’s great conversations. Yes, they take their natural Twitter on right turn, and then you just got to move on.
But I think some of the most interesting and fastest breaking research and analysis that’s happening is there that you can then kind of learn more from. I think a well-curated, kind of who you like. And you also, I think, are going to get a much better exposure to the diversity of backgrounds and diversity of people that are doing this through that space, right? I think no one wants to be in an echo chamber where you look and sound like everyone else around you, right?
[00:40:31] CS: And all the solutions are exactly coming from the same angle. And, yeah –
[00:40:35] MF: That’s right. That’s exactly right. And I mean – And this is a little biased. I think I know, we do a lot of our own blogs, and we have great subject matter experts. And we try and put that stuff out there as best. Yeah, I mean, we have great pen testers, former NCSC in the UK stuff, CIA folks, NSA folks, putting blogs out on threats we’re seeing, trends we’re seeing. We are trying to, I think, do more of that. I think every company looks at it and goes, “Can we give more to the industry?” Right?
So, I think for us, we’re putting out a little bit more around our AI research and some of the machine learning stuff, and maybe some more academic and putting more papers out there through our research center that are abstracts and academic or research approach in nature. I think that’s very powerful. I mean, I think we are not – No shortage of smart people doing really interesting things. So I think it’s just start somewhere, and then it’s going to take you kind of now in different paths.
[00:41:38] CS: Yeah. Again, the natural curiosity is going to take you where you want to go anyway.
[00:41:42] MF: It’s exactly right. And then for those that want to get deep technical, you can go that route and find those people. Those that want to stay strategic or some mix therein, you can do that. And I recommend trying to kind of almost gravitate between both. Because I love to go – Because every time I try and go technical, I can go a little further than I did before, right? Because, tech, “Oh, that? I learned about that now.” Yeah, stretch yourself, and be open to all the good voices that are out there sharing what they know.
I think my sense of the InfoSec community is a lot of it is putting stuff out there, right? And then sometimes it’s negative, which is always never a good thing for a conversation. And sometimes you do have those fakes that are out there that aren’t writing – But you’ll sniff them out. The InfoSec is a very good community to call out those that maybe are passing –
[00:42:41] CS: Not communicating in good faith. Yeah, yeah.
[00:42:43] MF: Right, right, right. Or honestly. So it is a mixed bag. So you got to take it like that. But I find there’s a lot of good conversation that does happen out there.
[00:42:52] CS: So I asked this of a past guest, and this was specifically, as I said, someone who did the report on the BAHAMUT threat group. And I know that you’re not necessarily as closely identified with any particular cyber criminal or threat group. But I know maybe a lot of people would like to contribute to this industry, but who might reflexively be sort of wary about being so directly in the crosshairs of actual cyber criminals? I mean, can you talk about sort of safety measures or sort of adjacent lines of work in this area that don’t make you sort of public enemy number one? Whether it’s threat modeling, or incident response, or other types of things?
[00:43:30] MF: Sure. And I think there are some that, especially when you’re talking about those that are some of the first to do attacker attribution, right? That, I think, gets interests, right? Because they want to – Those APTs want to sit in the shadows. So if someone’s done the good research to kind of call them out and be able to point to the reasons why, and then an FBI notice comes out, or an action is taken to bring out that botnet. I think it is a real change in risk that you should be aware of. And not too different from what we mentioned around the journalists need to be worried about, right? I mean, as you get out there and talk about things and what you know, or what you don’t know, or what you’re doing, just be mindful of it that the word gets out, right?
I mean, I’m not on the frontlines of kind of the research. And so I talk about some of the strategies that I see and kind of speak to it from an analysis and facts as known type of approach. When those that are doing real kind of groundbreaking research or things that people haven’t – I mean, that is – And using those people, if they’re able to do that research, they have that same sense of understanding how to protect themselves. Like, they’re savvy enough on both sides of that coin.
[00:44:54] CS: And they also sort of know what they’re getting into. Yeah, yeah.
[00:44:56] MF: Yeah. And they’re often very, very sensitive to their own security, like they tend to be those people that are in that basement without – That everything goes through a P.O. Box. But there’s reason for that. So I think one is to like not – Don’t fear monger or don’t go to like, “Oh, I’ve said the one in Russia. And now they’re coming at me.” But the other is recognize that as you get into that discourse, your risk profile in the company. I work for a very good cybersecurity company. So I feel very good about what I have on my laptop and what I use and the distance I have between what I use here and what I use personally. And that is intentional.
So, yeah, but I do think you’re right. I mean, that it shouldn’t prevent them from being out there kind of especially when it’s bringing light to actions of malicious or nefarious or can benefit the broader community, because we all get smarter from that research. But the other is when you do that, recognize that you might have moved up to a different tier within a target tech that you need to be equally security mindful as well.
[00:46:17] CS: Yeah, yeah. And yeah, and like I say, there’s still so many things that you can do even if you’re a little bit worried about that kind of thing. There’s so many adjacent career moves around this field that we’re where no one ever asked about. You’re never going to be in the crosshairs if you’re working help desk, or a SOC analyst, or whatever, or a security analyst.
[00:46:39] MF: That’s exactly right. I mean, if it’s –
[00:46:41] CS: So, I mean, it’s certainly well-known that there’s a lot more jobs looking for people than there are people to do them in certain areas of cybersecurity. So if that’s a worry, then don’t worry about that. I’m not in the crosshairs. Yeah, right. And so aren’t other people who do this kind of work.
[00:47:02] MF: Right.
[00:47:03] CS: Yeah. So as we wrap up today, Marcus, thank you for your time. By the way, this has been really fascinating. But can you tell our listeners about Darktrace and some of the services you provide and what products or projects or activities you’re excited to reveal in 2022?
[00:47:18] MF: Yeah, absolutely. So the big draw for me to come to Darktrace, and then we talked about novel emerging next generation technologies. But for me, it’s actually how they’re – Not only that it is an outstanding kind of using unsupervised learning and supervised learning in a way to really think about how one is approaching security. But it is a one that moves away the optic from the attacker to the actual business, right? I look at and understand business normal to then defend business normal. So I could be threat-agnostic. I could be – Right? And for me, that – And again, it’s all kind of digital ecosystem, whether it’s in SaaS. We talked about email. Certainly network. Even industrial. The idea of understanding normal to not only alert against abnormal, but also autonomously defend at the same time is so critical. So that to me was the big kind of draw and pull in for Darktrace. Some of the things that we’ve done on top of that that really kind of are just a sweet spot for me is, one, augmenting the human security team. How we’re using AI to do autonomous investigation, autonomous triage, to let the human get further, faster and do more.
The area where I’m really excited that we’re headed in the next year is better thinking through attack path modeling, attack surface understanding. Can you have a proactive approach and understanding threat paths? So you can now actually harden your environment before the attacker identifies? So can you make it so hard on the attacker because you’ve really thought about the different ways that they might want to move within your environment and harden those areas that becomes very difficult for the attacker. So that’s really exciting to me as another chapter to kind of where Darktrace is looking.
[00:49:06] CS: That’s fascinating. So, one last question. For all the marbles here, if our listeners want to learn more about Marcus Fowler or Darktrace, where should they go online?
[00:49:13] MF: Sure. You can find me on LinkedIn. I’m pretty active out there of things that I like, or things that I point to, or that I that I’m taking stuff from professionally as well as I put up things when things are out there. The other would be going to darktrace.com. The website is fantastic. You can go to the blogs. You could see a lot of the really cool research, and also how we’re defending, right? You can get into the positioning and kind of the differentiators, but as well as like, really, that concept of moving from it’s about breach, or everything needs to be left and breached. To actually being – And it can be right a breach. But it needs to be left to business disruption, right? Which is a really interesting space, right? Because it’s – Then when you past if-when, you get into active self-defense, active protection, business resilience. And that’s really the problem we’re all struggling with. Not how to harden or deepen the perimeter wall.
[00:50:12] CS: Okay, yeah, that makes perfect sense. All right, well, listeners go check that out. See what’s happening on the frontlines of perimeter and interior work. Marcus, thank you so much for joining me today. This has been a great chat.
[00:50:26] MF: Thanks, Chris. Yeah, it’s really fantastic. Appreciate the conversation.
[00:50:29] CS: And as always, I’d like to thank everyone that’s listening to and supporting Cyber Work, the podcast. New episodes of Cyber Work are available every Monday at 1pm Central both on video at our YouTube page and on audio wherever you download your podcasts. And I wanted to make sure you all know that we have a lot more than weekly interviews and cybersecurity careers. You can also learn cybersecurity for free on the special section of our InfoSec Skills Platform. Go to infosecinstitute.com/free to create your account. We have classes on cybersecurity foundations, cybersecurity leadership, digital forensics incident response, DevSecOps, Python for cybersecurity. And that’s just a fraction of it. So just go to infosecinstitute.com/free and start learning today.
Thank you very much once again to Marcus Fowler and Darktrace, and thank you all for watching and listening. And we will speak to you next week.