Combating phishing, malware and hackers

Atif Mushtaq, founder and CEO of SlashNext, and Cyber Work host Chris Sienko discuss the current and future trends of web-based phishing and malware attacks.

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

  • Transcript
    • Chris Sienko: As you probably know, October is National Cybersecurity Awareness Month. And, to celebrate, Infosec is giving away a free month of its Infosec Skills platform. It is a subscription-based skills-training platform for cybersecurity experts. If you’d like to learn more, please go to infosecinstitute.com/podcast, and don’t forget to claim your free offer before October 31st. Hello and welcome to another episode of the Cyber Work with Infosec Podcast. Each week, I sit down with a different industry thought leader to discuss the latest cybersecurity trends, as well as how those trends are affecting the work of infosec professionals, as well as tips for those trying to break in or move up the ladder in the cybersecurity industry. I’d just like to break out to note for a moment that, because of, in honor of Cybersecurity Awareness Month, Infosec is giving away a month free of its Infosec Skills subscription-based training platform. If you go to infosecinstitute.com/podcast you can find out more about this. Today’s guest, Atif Mushtaq, is the CEO of SlashNext, and has been fighting cyber crime for more than 15 years. His story is a series of dream jobs for people in the cybersecurity industry. He was previously a security scientist and system architect at FireEye, where he was one of the main architects in the company’s core malware detection technology. Atif has worked with law enforcement agencies to take down some of the world’s largest malware networks such as Rustock, Srizbi, Pushdo and Grum botnets. In his research, he found infinite threats originating in the web layer and discovered that cyber-criminals were launching browser-based phishing attacks to numerous sources. This led Atif to launch SlashNext, which combats those advanced, fast-paced threats. He’s worked just about every job you could name, from entry-leveL bug-zapper, to the founding of his own company. So today we are going to ask him about some of the highlights and lowlights along the way, and how to make the big jumps in both the knowledge and the job level. Atif, thank you for joining us today.

      Atif Mushtaq: Thanks, thanks for having me.

      Chris: So since your interest in computers and security likely goes back a long way, let’s start at the beginning. When was the first time you remember being interested in computers and, from there, when did you decide to focus specifically on issues around security?

      Atif: Well, my interest around computers goes back to the ’90s. I mean, my first love was mathematics. And as a matter of fact, one of the main reasons I became interested in computers was the practical application of mathematical concepts. So I got my degree in mathematics in the year 1998 and at that time it was more of a theoretical math and I was looking for a platform that can provide me an opportunity to kind of work some of these mathematical models that I was working on into pure applications. And it was simply not possible without the computers. Even those computers were slow but it was nowhere possible to convert those theories into any type of application. So this is where I thought, okay, you know what? This is the way where I really have to work on anything cutting edge. I need some practical tool and the computer was the thing to go with.

      Chris: Right, so has the cybersecurity landscape changed procedurally or directionally since you first got involved way back when?

      Atif: Of course. I think we are into the fourth generational landscape. When I started, became involved in security, it was the era where people were developing malware, or the viruses for fun purposes. So it was kind of a 1997 to 2004, it was the fun part. People were developing stuff. They did not have any financial motives or any big, I would say, you know what, intellectual property theft and all that. All they wanted to have was some fun, right. So for five years it was for fun, right. And around, and then we came into the second generation and that was about for-profit malware. So we started to see quite a bit of botnets where people thought okay, you know what? There’s no money in developing viruses for fun. Why don’t we embed some kind of data-stealing payload into our malware, and we can make some money out of that. So I would say, second era was from 2004 to 2007 timeframe. And then we enter into the third generation where it became targeted attack, APT attacks, where nation states started to say, well you know what, they can use it as a weapon, right. And the internet is broad, accessible, so why not take advantage of that? An interesting thing is that in the first three phases from the fun, for-profit, to the intellectual property, the most common method used by hackers were malware. All of them were using malware for different purposes, right. And now I believe we are entering into the fourth generation tech landscape and that is centered around for-profit and the intellectual property but the main difference is that instead of using malware the bad guys have started to use phishing instead.

      Chris: Hmm, okay, so you think there’s a switch from phishing to malware, is there a particular reason for that?

      Atif: It’s a switch from malware to phishing, and I think it’s very difficult to have a malware undetected with the current technologies. So anti-malware technologies really struggle from 1995 to 2010 or so, and then they finally became reasonably good enough that they made their life quite difficult. So this is the thought to me anyway, it took around 15 years to develop certain technology that can combat malware. So now if we switch to phishing then there is an opportunity for us for the next 15 years.

      Chris: Right, you have this whole sort of social engineering aspect that anti-malware technology can’t help you with.

      Atif: That’s right.

      Chris: Letting them through. So let’s start a little bit, the point of the podcast at Cyber Work is we talk about, sort of, career journeys and how to jump from one career to the next. So based on some of what you told me in the highlights of your bio, you’ve been taking on huge projects for a long time. Whether it was with FireEye, law enforcement, or your own company. But everyone has to start at the beginning, so I’m wondering what your beginning was. What kind of job titles did you have along the way? Where did you, sort of, get the tools that were in your tool-belt to get you where you are now?

      Atif: Well, when I started getting into the security stuff, I don’t think there were event titles around ’99, ’98 timeframe, right. So it was just based on what problem you’re trying to solve, right. I started my career as an R and D engineer and it was a very generic title. I mean, there was nothing like all these fancy titles back in 2000, right. It was, these were the early days, and people were still trying to make sense out of what’s really happening around. So my first two or three title was pretty boring, just like a software engineer, right. But of course I was focused on security. The more formal titles started to appear around 2006, 2007 timeframe. The last job I had was at FireEye and my title there was Senior Staff Scientist. And right there I jumped into Founder and CEO.

      Chris: Right, now, so for someone who wants a career like yours, what are some, sort of, career or experiential milestones that they absolutely need to have on their resume to be considered?

      Atif: So you’re talking specifically about security?

      Chris: Yeah, and just general skills or background or certifications, like what do you need to see in a person to, sort of, continue promoting them. What experiences should they have? They should be good at this or that, or, you know, have a background or have, you know, worked at certain types of organizations, things like that.

      Atif: Well, it really, I think they should start with focus, I mean cybersecurity is huge and there’s nothing like a generic cybersecurity professional. You need to focus on one area. So I think the very first step for you is to pick the area that you want to focus on. And there are dozens and dozens of different, there’s penetration testing, there’s malware, there’s phishing, there’s compliance, right. So first step is to find what you really like doing. And after that, I think the second area where there’s a lot of knowledge bays that exist, for example on the penetration testing compliance, where definitely courses can help. Unfortunately, when it comes to malware and the cutting edge threats that bad guys are launching and rethinking every day, you need to have some hands-on experience. I’ll give you an example, right. I mean, we are seeing phishing attacks that nobody will speak about or talk about in the next one year, and certainly in 2020, someone will write an article, okay, this is the new type of phishing attack that is coming. Well, we observed that about a year ago, right. So if you really want to go into this hand-to-hand combat for phishing, malware and the active combat with hackers, you can’t learn it from any certification. You need to have hands-on experience. Go to dark web, try to learn from hackers themselves, instead of learning from books.

      Chris: Oh, so you recommend jumping in to the dark web and actually see what’s swimming around down there?

      Atif: That’s the only way, learn from the bad guys. Because no professor or scientist is gonna tell you how features are gonna behave in the next six months. You have to go there, get your hands dirty, and find it for yourself.

      Chris: Okay, yeah any other tips in that regard? You know, we get a lot of people who listen to the show who feel kind of stuck in where they’re at now. Like, is there, you know, something that they can do today that will, sort of, you know, help them to start moving their skills or their experiences in this direction?

      Atif: I think, and there’s so much information available. I would say it all starts with hard work. I can’t think of a reason that if I’m interested in one area of security and I can’t find enough people who can help me out, or enough material on the internet that I can learn from, right. So in my opinion, just find one thing that you really like and then stick to it, and there’s plenty of help on the internet, in my opinion.

      Chris: Yeah, okay, yeah absolutely. Get on Google and get started. So now that we’ve talked a little bit about career strategies, let’s have a little fun and get to some of your personal history. Can you tell us about your time taking down malware networks like Rustock and others? Were you fighting these networks when law enforcement contacted you, or were you kind of going to war yourself, and what types of strategies and tactics did you use to take ’em out?

      Atif: Sure, my first encounter, direct encounter with bad guys started around 2008, and the first encounter was without law enforcement help, right. So I can touch base on that. So in 2008 the spam botnets were really, really very popular and they were pumping billions of spam messages in your inbox, right. And every day there would be a new headline. Look there’s a sinister botnet, it’s pumping 2.2 billion messages. There’s another one that is pumping 1.7 billion. And everybody had an understanding that okay, all of these are different gangs and different botnets that were trying to compete with each other, right. So I really became interested in that to look at why there are five or six different botnets and what exactly they’re trying to do. And I started to write a series of blogs on these botnets in early 2008, and during my research I found that most of these guys, who look like apparent rival gangs, are using the same infrastructure to host their spam. And I started to wonder if these are rivals then why are they using the same data centers? And it’s amazing is that the data center they were using was located in San Jose, Silicon Valley. And eventually I found that was 90% spam is being controlled from San Jose. There is one tower in San Jose where there’s a data center called McColo that is being leased by a Russian national, and if you take down that data center you’re gonna kill worldwide spam by 90% in one day. And this is exactly what we did at FireEye. I, with the help of my colleague Alex Lanstein, we went after these guys and we just took down one data center and worldwide spam was down 90% in a single day. And in that process there was no law enforcement involved at all.

      Chris: Yeah, they were probably not even aware of the fact that they could get involved in something like that.

      Atif: Yeah, I mean you need to have enough understanding of these botnets, or maybe there was no focus from the law enforcement side, right. So we took it down with the help of some friends, different orgs, Spamhaus and all that. And then the law enforcement got involved when we tried to take down a botnet called Ozdock, it was another big spam botnet. We took it down, and apparently it was just another take-down, we took it down, all the spam was killed, right. Interesting things happened when an FBI report came next year, and they actually told us a very interesting story. And that story was that in 2011, the guys from FireEye, naming me, Atif Mushtaq, was trying to take down the Ozdock botnet, and the FBI was aware of this guy who’s running this botnet, and he was visiting Las Vegas for a car show. And they were about to catch this guy, and on the exact same moment I took down his botnet. And he had to flee the U.S. in a rush, and so FBI had an opportunity to arrest this guy, but they missed due to me. I mean, I didn’t really plan for that, right. And then of course that guy made a mistake again, and he came, visited Las Vegas again in 2012 and at that time the FBI arrested there and they completed their report, right. And then that guy got in prison for five years. So at that time we provided them all the threat intelligence, all the proof, just to show that, okay, this is indeed the guy who owns all the assets in that U.S. data center that was controlling pretty much the worldwide spam. So he got convicted. He served his prison, five years, I think he’s out of jail now and back to Russia.

      Chris: So what, I mean, spam went down for a time, by 90%, I imagine but did other botnets and other organizations kind of fill in the gap fairly quickly? You know, I don’t, I’m trying to think of a time when suddenly there wasn’t a lot of spam in my inbox, but, you know, probably there was.

      Atif: It came back, but it never came back to the historical 2008 level. As a matter of fact, 2008 was the peak time. It never recovered from there, it never, ever. So it went down 90%, then came back, then we kept on taking it down. Then Microsoft actually jumped in and they took a couple of botnets down as well. So historically, the worldwide spam is very low if you compare with 2008.

      Chris: Where it was.

      Atif: Yeah.

      Chris: Okay, got you. So I guess you mentioned this a little bit before, but have these types of malware networks persisted, but it sounds like basically, rather than malware now, we’re talking about, sort of, phishing attacks. So how did that, you mentioned that the tech finally sort of squashed malware in certain ways, but when did the switch to phishing as a primary attack vector come?

      Atif: That’s a very good question. So I started to see this switch while I was at FireEye and around 2011 and 2012 timeframe. Around 2014 when I left FireEye it was almost 50/50. But the amazing thing is that nobody was talking about that switch at that time. 2014 was the time where you see a lot of next-gen anti-malware companies started to emerge. So there was something very interesting happening. Obviously being at FireEye, which is a cutting edge anti-malware company, I am seeing that, okay, a lot of attacks are moving to phishing, and at the same time I’m seeing a lot of new anti-malware technology companies who are kind of impressed by FireEye’s success and want to replace it. And I was thinking that, okay, this trend is really changing. This is the fourth, we are entering into the fourth generation tech landscape, right. And so when I left FireEye I thought, you know what? I mean, right now it’s 50/50 and even now people are not talking about that. So what if this problem is going to be this big, almost as big as malware, then there needs to be a purpose-built anti-phishing company. There’s 60-plus dedicated anti-malware companies in the world, right. There must be a purpose-built anti-phishing company. At least 10 of them. And there was none. All were narrowly focused on email-based phishing, just a small subset of the overall phishing. So this is how SlashNext was born, on an assumption that, okay, this problem is gonna go big so everything that we ever did for malware, we have to repeat it for phishing as well. And that’s–

      Chris: Firstly–

      Atif: Yeah?

      Chris: Sorry, go ahead, go ahead.

      Atif: And if you see in 2019, this is exactly what happened right now, based on third-party stats and our stats. 95% of the threats that an online user is facing today is phishing, and the malware is just 5% of it. The trend has completely changed.

      Chris: So what, I guess this is a good opportunity to talk about SlashNext, but also, what does an anti-phishing company look like in the way, like, we know how anti-malware works. We know what you’re getting when you’re getting an anti-malware package. But what are the components of an anti-phishing tactic or campaign, or tool or whatever?

      Atif: Well phishing is the psychological manipulation of an online user, right, and typically hackers exploit three human emotions, right. I mean, fear, trust and reward. Fear is that there might be a page that will say, “Okay, you over there, a virus is on your computer. “You need to call this 1800-number.” Someone is using scare tactics to get you to something stupid, right. Sometimes people use trust, for example someone can send you an email pretending to be your CEO, and because you trust your CEO you’re gonna do something on that guy’s behalf, right. Or you send a phishing link that is a fake replica of Microsoft, and now you trust Microsoft and so you’re gonna do whatever they’re gonna say. And the third emotion is the reward. We’re seeing a lot of phishing attacks that are just exploiting the human greed element, where someone is promising you a free iPhone and asking you for your information. So if you really want to design a good anti-phishing and anti-social-engineering solution, you need to have a completed software that can understand these three human emotions. Unless you have a system that can understand these human emotions, you won’t be able to develop an anti-phishing solution. So again, understanding how hackers are exploiting those fears, how they approach that thing, how they set the bait, and then try to understand that, just like a human would do. For example, if someone asks you to transfer $50,000 to my bank account, there’s no malware in it. There’s no JavaScript in it, right. So now as a human, I’m a pretty smart online user, so I’ll say, okay, I’m not gonna transfer, give you $50,000. But a non-technical user would, right. So now if you want to develop a software then that software must understand what does the script, “Transfer me $50,000” mean? So you need to give that software an ability to read different languages, and understand the context out of that. At the same–

      Chris: So we’re not talking specifically about a security awareness platform. You’re specifically talking about a, sort of, online tool that can sort of read the language of a phishing email and, kind of like the way that on Facebook now if they show you an article they’ll show you a fact-checked version of the article. Like is this something that is basically showing you, this could be spam because of this specific language, or this specific link, something like that?

      Atif: Exactly that. So yeah, if you want to develop an automated system it needs to think like a human. Otherwise it won’t be able to catch phishing.

      Chris: Okay, oh, very interesting. So, wow, that’s really cool. I don’t think I was aware of that particular angle on social engineering. We do security awareness training here, and get people to stop instinctively clicking on the free pizza coupon and stuff, but it’s good to know that there’s also this sort of electronic component that’s also sort of reading incoming messages and looking at incoming fake invoices and what-not, and keeping you abreast of that. So speaking again about career work, what you do now, what are some of the downsides to the types of work you do. Since your job looks like kind of a dream job to many security folks, what are some of the, you know, it’s 2:00 a.m. and I’m still dealing with these nonsense aspects of the work that they should know about as well before they jump in?

      Atif: So security as a professional and as a business is a tricky one, right. Because it’s driven by what bad guys are doing. For example, I have a great anti-phishing system, right, and suddenly one day I find that the bad guys are changing their tactics. Market is exactly the same thing, demand is there, everything is there. The bad guys, that’s the hidden element, is changing their tactics. Now I must act upon that, right. So as a security professional you need to be switching pretty quickly, because unlike many other fields, that is driven by markets, how consumers are reacting to it, security is driven by bad guys. One day they’re gonna say, okay, we’re gonna attack users like this, and you should be ready for that. I think that’s one of the biggest challenges for a security professional, right. You’re dealing with very fast-moving hackers who are making millions of dollars, and who can do everything possible in order to makes those millions of dollars. So you have one assumption today, in one month I have to change maybe everything in order to catch those bad guys. So the element of of surprise, just like a a normal work but it’s really theater, and that I think is the biggest challenge to run a security company, and at the same time becoming a security professional, or a software developer who’s coding software solutions that requirements can change any time. You’re not taking requirements from customers. You’re taking requirements from bad guys, and they don’t care about you, right.

      Chris: Yeah, I mean, we’re seeing similar things like that just in general with, training and what they’re calling the half-life of cybersecurity knowledge, that after something like two years 50% of the knowledge you had is already becoming obsolete, just ’cause of the fast pace of technology and what-have-you. So were there any particularly surprising attack types that you saw out in the wild, in your years as either a malware-zapper or as a phishing person. Is there any particular attack vector or malware strategy that made you kind of shake your head and say, “Wow, that’s pretty impressive.”

      Atif: A lot of them, right, I think. People speak about changing tech landscape and people think that it’s the process of years. We are seeing that landscape changing every month. I’ve seen some phishing attacks that I never even thought are possible, and I’ve started seeing them a couple of months ago, right. I’ll give you an example, right. I started to see phishing attacks, when you click on a phishing email they ask for a CAPTCHA, right. So what happens that, what they’re trying to do, is to fool the automated system, right. So they know that a normal user would solve that CAPTCHA and you’ll eventually land onto the phishing page, right. But how about an email-scanning engine, right? How are they gonna break the CAPTCHA to see the phishing page, right? So it was a very clever attempt to fool the automated engines, by scanning the URLs, because you have to break the CAPTCHA before you can even visit that website. And they were using Google CAPTCHA, the picture-based stuff, which is almost impossible to break, right. So that was a pretty surprising attack for us, and it was pretty clear that the bad guys are watching security companies very, very closely, and they exactly know how they’re trying to catch them and they’re coming up with a range of techniques. So that was kind of a bad moment. I also recently saw a multi-stage attack where you get a phishing email, you click on a link, and they ask you a series of benign-looking questions, so you have to move your mouse, you have to enter something through your keyboard, and then eventually you see the phishing page. So now they’re assuming that a normal user would be able to answer all these benign-looking questions and the gestures, but an automated system will never be able to solve the roadblocks in order to reach this thing. So it was completely shock for me to at least see that kind of stuff is happening, where you need to be exactly like a human to reach to that phishing page, so that you can detect it.

      Chris: So, I mean, that almost sounds like, they’re sort of playing up our inherent desire for gamified things, where you get two or three steps where you say, “Oh, that’s fun.” You know, “I can answer these easy questions.” And the next thing you know, you’re just kind of in that mode of, “Okay, what’s next?” And then next thing it gives you is a phishing page.

      Atif: Exactly, exactly.

      Chris: Wow. So in your bio you noted that in your research you found quote, “Infinite threats originating in the web layer “and that cyber-criminals were launching “browser-based phishing attacks,” which sounds a lot like we were talking about here, “through numerous sources noting “that growing problems of HTML attacks presented “by web-based phishing and malicious browser extensions.” So does that connect to this, or is that a parallel track?

      Atif: Actually, that’s a very interesting trend, and I think, I hate to say it, but I think that Google is responsible for that. So what happened that about six, seven years ago Google thought that if they can turn their browser into a platform, so instead of people downloading applications on Microsoft Windows, they can download these extensions, and these are the web apps on the browser then, so that they don’t have to go to the operating system. And they wanted to make, Chrome OS is the proper platform instead of the Microsoft Windows or OS X, right. So they put a huge R and D app for it and the marketing app for it on convincing developers, instead of writing the desktop applications start writing the browser extensions. And these are the unconventional applications that run, but then browsing only, and they offer quite a bit of functionality, right. And now you see there are more than 200,000 browser extensions on the Chrome store, right. So this is where the bad guys saw an opportunity. They knew that there are a lot of antivirus technologies running at the operating system level, looking for EXEs, binaries, and they say you know what? All the confidential stuff is happening within browser anyway, right. So what if we start releasing malware in the form of browser extensions? And one thing is that, first of all, we have a great vantage point. We can see exactly what the user is doing with browser by developing an extension. And at the same time, the antivirus are looking for bad binaries on the operating system. They are not looking for web apps that are running within the browser. So this is what we found, that people have started using phishing attacks to spread these browser extensions. People simply download and install an online radio, right, and that online radio is actually offering you streaming services, but at the same time, they are scraping your screen. So again, there’s legitimate functionality in those extensions, but there’s a hidden business going in the background. And so far it looks the anti-malware technology that we developed over the years to combat conventional malware running on the operating system, they are completely ineffective against these attacks. And this all started happening about a couple of years ago. So it’s gonna take a while for the anti-malware technologies to even develop a technology that can even, ability to see the behavior of these web apps so that they can stop it.

      Chris: Okay, so that sort of answered my next question. So it’s still down the road. There’s not really a step-by-step process right now of identifying and shutting down these types of browser-based attacks.

      Atif: We actually, SlashNext offers a solution. The way we offer it, we started at the very, very beginning, at the time, well, they are setting the bait to install these exchange. And so we track all these malicious advertisements, and by the time they set the bait to download this browser extension we stopped that attack. So again, we are stopping it before it gets installed on your browser. And it’s a completely preemptive approach, as compared to the antivirus guys who let that thing install in the system before they can stop it. We are stopping it at the stage number one. I think that is, in my opinion, is the best way to stop these attacks.

      Chris: Okay, so I mean we’ve been talking a lot about sort of technical solutions to phishing attacks and browser extensions and so forth. You know, but there’s, as we’ve also mentioned, that by its nature that social engineering plays a part in phishing attacks. So if you could put your social security awareness hat on for a moment, are there any up-to-the-minute strategies? I mean, we all know don’t put your password where, if something looks wrong, if the text looks garbled or the URL looks weird. But are there any new, you know these things are happening faster and changing constantly. Are there any new security awareness things that people should be involved with or think about, or be watching out for?

      Atif: Well to be really frank, it’s tough. Over the years people have developed enough training modules for email-based phishing, but nowadays you are seeing phishing coming from your LinkedIn, from your WhatsApp, from Facebook. So I don’t even think that, when it comes to security awareness, people are aware of phishing hitting them from other communication mediums as much as they know about email. So in my opinion, even if you have a fully-trained email phishing trained user, he’s gonna struggle to find a phishing ad out of thousands of ads that person sees in a single day, right. So there’s a limit to the security awareness, and how much you can give. I mean, okay, so now you have a training module for email-based phishing that everyone is offering, right. Okay, now you need to have social media. And there’s so much information on the web right now to be really fake news, legitimate information. So our attention span is so, I would say less, that it’s very hard to make a very, I would say, informed decision every time you click on a thing.

      Chris: Yeah, you get worn down after a while.

      Atif: You won’t know, so I think it’s tough and especially with the fact that the way the bad guys are coming, I think it’s tough. I mean, I won’t say that I’m against security awareness, but I think it has clear limitations. And on top of that, we humans are not rational all the time. I mean, look, I’m talking to you right now. I’m pretty fresh this morning, right. How about you send me a phishing link, it’s two the morning when I’m almost half-dead. And I have all the training in the world, but I’m not even thinking straight like now, right. So humans, we are not in a stable mind condition all the time, right. So this is how the bad guys get in, right.

      Chris: Yeah, so I guess adding to that, as we wrap up today, since you’re on the front lines of phishing attacks and tactics, what are some other malicious tactics that you see on the horizon, beyond what’s here now? What are some of the things you think you’re gonna be fighting in 2020 and beyond in this regard?

      Atif: In terms of end-user security and the online threats, I think this phishing is gonna grow more, in my opinion, and the malware trend is gonna be downwards. I believe that I’m gonna see more rise in the non-email-based phishing, especially on the advertisements and the social media side. People are spending quite a lot of time on these social media sites, and I think the unconventional infection vectors like advertisements, search engines, WhatsApp, Skype, on the mobile devices, I think that’s gonna be an upward trend, and at the same time I think the phishing attacks will be much, much harder to detect in coming years. Bad guys have actually, they know that they’re focused on phishing, for a couple of years nobody was talking about that. Now everybody is talking about phishing. Hence all these security companies are jumping to develop some kind of technology, and this is where the race condition has begun now. So it’ll be much harder to catch phish and it’ll be much harder for an end user to spot phish.

      Chris: And so what are some of the tactics and so forth that SlashNext is working on in this regard? But not revealing any trade secrets, of course.

      Atif: Yes, I think again, the focus of the company has been, since the very beginning, that okay, if you have to stop phish we have to think like a well-trained end user. A well-trained end user has been historically successful in catching phishing attacks, just like you are, right. So all we keep on thinking that, okay, how a well-educated human user would detect it, and a lot of it has to do with by seeing things and reading things, right. So this is where we’re gonna focus on. We’re adding new new natural language processing modules. We are making our algorithm ability to see things much better, right. So that they can start analyzing or they see the email and the webpage exactly like a human user would do. And they can do it in a faster fashion, and that in my opinion is the way to go. Just try to catch phish just like a human do, right.

      Chris: Right, okay, so if people want to know more about Atif Mushtaq or SlashNext, where can they go online?

      Atif: Well the obvious thing is slashnext.com, you can go visit our website and you can learn about the system and at the same time quite a bit about the tech landscape. Our blog is pretty good. I mean, we keep on talking about some latest trends, and you should be a regular visitor of our blogs if you really want to learn about new phishing trends. And at any given stage you have info@slashnext.com, just send us an email or just give us a call.

      Chris: Sounds great, Atif, thank you for joining us today.

      Atif: Thank you so much.

      Chris: And thank you all for listening and watching. If you enjoyed today’s video you can find many more on our YouTube page. Just go to YouTube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews, and past webinars. If you’d rather have us in your ears during your work day, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in our favorite podcast catcher of choice. And to receive a free month of our Infosec Skills subscription-based platform in honor of National Cybersecurity Awareness Month, go to infosecinstitute.com/podcast or click the link in the description. Thank you once again to Atif Mushtaq and SlashNext, and thank you all for watching and listening. Speak to you next week.

Free cybersecurity training resources!

Infosec recently developed 12 role-guided training plans — all backed by research into skills requested by employers and a panel of cybersecurity subject matter experts. Cyber Work listeners can get all 12 for free — plus free training courses and other resources.

Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.

Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.