- Welcome to the Cyber Five, where security experts and leaders answer five burning questions on one hot topic in actual intelligence enterprise. Topics include adversary research and attribution, digital executive protection, supply chain risk, brand reputation and protection, disinformation, and cyber threat intelligence. I'm your host, Landon Winkelvoss, co-founder of Nisos, a managed intelligence company. In this episode, I talk with co-founder and chief technology officer of PiiQ Media, Aaron Barr. We discuss how data breaches are combined with other open source information to paint a more holistic target profile for bad actors. We also discuss the true information anchors and weaponization that can lead to an online attack against someone. Finally, we discuss what executives and individuals can do to protect themselves and how protective intelligence is playing a greater role with physical security. Stay with us. Aaron, welcome to the show. Would you mind sharing a little about your background with our listeners, please?

- Absolutely. Thanks for having me, Landon. Yeah, I'm Aaron Barr. I'm the CTO currently of PiiQ Media. We're a social media open source threat intelligence and risk analytics company. Background is a long time out of the intelligence community, a short time in the entrepreneurial space, but I'm loving it.

- That's fantastic. I appreciate you joining the show today. Personal information exposure that can lead to nightmare scenarios. I think that a lot of the things that are happening in the news today, ransomware events, attacks on enterprise, cyber crime, a lot of times the very starting point of that is some kind of personal information that's leaked, whether it be from some application or some kind of breach that's out there. And certainly there are certain ways to protect one another, protect our executives, and protect even ourselves that I think people are really kind of aware of.
So set the stage on how data breaches are combined with other open source information to paint a holistic target for bad actors. You come from the intelligence community, like a lot of us. Talk through how sources of information come together, and if you're one of the bad guys, how you weaponize that.

- Sure, absolutely. I mean, the data breaches that happen, unfortunately, on a regular basis now, and the information that comes out of that that bad actors take advantage of, that's just one piece of information that they use to put together the puzzle or develop the pathway for social engineering exploitation. Everything that we put on LinkedIn, on our other social media platforms, our CVs, all of this information now that's out there: the tools exist now, the processes exist, to aggregate this information pretty easily. And when you aggregate this information, what we found, and what we're trying to educate others about and provide solutions for, is that this paints a really clear picture of an individual: their role, what their interests are, what their likes are, who their key relationships are, all the information that you need to successfully exploit people with a high degree of consistency.

- So what are the true information anchors that can lead to an online attack? So let's red team this. Say you're the bad guy. You're a DarkSide operator or REvil or one of these hacker groups that's out there. Take us from step one, like what you're looking to ultimately use online to really exploit someone.

- Absolutely. Well, I think the first thing you use to set the stage is, you need to talk about the three different pieces of information that an attacker needs to target an individual specifically. The first piece is, we as individuals may not be terribly interesting unless we're high net worth, high visibility celebrities, something like that, but it's really the job, the position, the company that we're tied to that bad actors are targeting.
So that first thing is the tie to an enterprise, the tie to an organization. The second piece is they need a means to communicate with us, to socially engineer us. So they need an email address, a social media platform, a mobile phone number, so they can send that link. They can send the malicious PDF or whatever it is in order to compromise us. And then the third piece is just context. I mean, if you're gonna do a successful, targeted social engineering campaign, you wanna have that information that's going to ensure your success. So you need that context. So now when you break those three apart, where does that information come from? The first thing, I mean, Facebook gets a bad rap a lot of times for privacy and things like that. But by far the most concerning platform out there is LinkedIn, because that's where we've got our entire CV loaded up for everybody to see: where we work, what position we have. I came from the intelligence community, and most people that work there, especially on the civilian, on the defense contractor side, list that they have TS/SCI clearances, because all of those things are being used to either potentially get the next job, develop a professional relationship, et cetera. So LinkedIn is the primary source, and other platforms like these professional networks, that attackers will use to develop that context. And then once they have that, then they just expand out into the other personal sources of information, such as an Instagram account, a GitHub account, or the variety of other places that we put personal information, in order to build that context.

- I'm just curious from that perspective, what are some war stories that you have around how these things are weaponized? 'Cause I think that's usually what really hits home.
I mean, I think that we see the end result a lot of times in the media around a hack or a ransomware event or a breach or something, but very rarely do we actually see the details of what happens kind of behind the scenes, of what ultimately led to that.

- Three really good examples come to mind. The first one isn't necessarily an overly nefarious one, but it really paints a good picture as to the information that can be exposed. So at one of the companies I used to work with, a large defense contractor, I was working a red team role on a proposal we were going after for a large federal contract. It was a classified contract, so the only thing that we knew, from a red teaming standpoint, trying to pick apart the existing incumbent's capabilities and find what their vulnerabilities were and ghost them in the proposal, et cetera, the only thing we knew was who the prime was, which is another large defense contractor integrator. We didn't know who all the subcontractors were that were providing the real capability. But I took a few days and picked apart relationships on LinkedIn and some of the other job boards and professional networks. And within a couple of days, I was able to piece together who all of the subcontractors were on a classified government program. That's just one person, putting in a little bit of sweat equity and a little bit of know-how, who was able to put that information together, just doing some relationship analysis using some of these platforms. Another really good example is an unfortunate engineer that worked for Apple back in 2010, a really popular case. His name was Gray Powell, and he unfortunately lost one of the prototype iPhones just outside of San Francisco in a bar. And when you piece together some of the pieces of information, we say he lost it, but when you looked at his LinkedIn profile, he listed as a job title "field tester for iPhone" working at Apple. He wasn't the only one. I remember going back and doing the research.
At the time, there were 32 other employees at Apple that listed that they were field testers for iPhone. So that gives you a very small group of people to easily target. And again, as I mentioned before, we cross-referenced that to personal platforms. Back in 2010, Foursquare was a really popular social media platform that probably a lot of people remember; you could check in and become the mayor, the virtual mayor, at all these different places. Well, there was one bar that Gray Powell frequented very regularly. He had multiple check-ins over a very small period of time. Well, that's where he, quote unquote, lost the iPhone. We don't know for sure whether he was targeted or whether he truly lost it, but if you go back and do the investigation, all of those pieces were clearly available for somebody to target him individually. And the last example I'll give you is one that unfortunately is painful, and it's hit a lot of companies. We participated in an investigation for an insurance company that was filling out a claim. And this individual that worked at the company was going on a ski trip. Posted all kinds of pictures on LinkedIn, getting ready, going on the trip. Well, it just so happened that his company was a victim of a business email compromise. His account was compromised. And then somebody, the adversary, inserted themselves into the communications chain to fill out a particular claim. In this case, it was about $10 million. Changed the routing, the bank routing information, we've all heard these types of unfortunate stories, and there was $10 million gone. All of this information, and him becoming a target, because of the information that he was posting on his Instagram account.

- How do you think that information on his Instagram account was weaponized in that business email compromise specifically?
- Well, the attackers knew, this came out later in the investigation, the attackers were able to figure out that this individual was going to be incommunicado for long periods of time during the day, because he was on a remote ski trip. And so the attackers, based off the information, the frequency of posting this information on Instagram, were able to take advantage of these gaps and the fact that he was going on a trip, sending emails to other employees inside the organization, impersonating him, talking about the fact that he needed to get some of this stuff done during certain periods of time, that he wasn't gonna be available. They were able to take advantage of those gaps in communications, as well as the time sensitive nature of getting this done, in order to successfully execute the attack.

- Did that come out as an assumption in the investigation, or did that come out from actually arresting the perpetrators and they actually kind of said this?

- Yeah, that came out. It took obviously a long period of time for the investigation. We actually never caught the attackers. It came from somewhere in China; the attackers were never apprehended. So this came up as an assumption based off the investigation.

- That gets into the next point, you know, how VIPs are. They wanna be able to live their life, and a lot of times they're very private and consider personal privacy very, very important. And I mean, I'm just trying to, like, think out loud, right? If you went to a VIP and said, you can't post your ski trip on Instagram because we're afraid that you're gonna get hit with a business email compromise, they're gonna say, I'm gonna take that risk, have a nice day. So I guess, understanding that from that aspect, from the VIP perspective, what can the enterprises do? What can individuals do?

- Sure, the first thing, just like with so many of the things in life, is just be smart.
In this case, this particular executive, you don't necessarily have to tell them, well, because of the position you have within the company, you should not post on social media, restricting them. But be smart. Is there any reason why that information needs to be public? I mean, his Instagram account was completely wide open. It's not like he is trying to be a social media influencer. He's already a senior executive in an enterprise. Make that stuff private, be careful about the things that you post that are public. It doesn't necessarily even have to be an executive in a company, but even just the regular, if you will, employees inside organizations. Take LinkedIn again as an example: unless you are searching for a new position, actively searching for new employment or the next position or specific professional relationships, is it necessary to have your entire employment history on your LinkedIn profile? Do you need to list your universities? Can you be generic? I mean, if you look at my individual LinkedIn profile, I've tried to pick a balance. And I've done that for a couple of different reasons. One is because I wanna demonstrate to other individuals some of the steps that you can take that still show some type of an employment history, if that's what you wanna use it for, but that doesn't just give away all the keys, doesn't provide all of the context that an adversary might need to exploit you. We just ask people to be a little bit smarter about that. We've developed a more detailed social media use policy that we provide for free for organizations to use. It has a checklist at the bottom of it that individuals can use to, again, not delete their profiles, but just make sure that their information is protected in the way that they wanna protect it.

- What about removing information online? And from a proactive perspective, what are ways that they can even reduce their online profile?

- As far as removing information?

- Correct.
- Yeah, that old adage that once it's on the internet, it's on the internet forever, but you and I both know that that's not true. There are some things that obviously do remain and that are persistent, but there's a lot of information that you can change, and you can help protect yourself in a more dynamic nature. So again, doing an assessment, an external assessment of what's publicly available and making it private. To get into some details, take profile images. Everybody changes their profile images on their social media profiles from time to time. A lot of people do. Well, those are public by nature. So even if you have all of your other settings set to private, your profile picture is public. Any relationships that you have that interact with that public image then become part of the public domain and are collectible by adversaries. So go clean that up periodically. Or if there's somebody inside the security organization that can help do that for you. But it's important to go through, just like we've gotten in the mindset of doing password changes, whether it's quarterly or what have you, going through and doing these privacy checks should be part and parcel, with the same consistency as doing those types of checks, changing your passwords. The other thing we recommend is, people need to start treating their email addresses with a little bit more care. We recommend as a default that every individual should at least have three personal email addresses. You shouldn't be using the same email address that you use to log into your bank account as you use to sign up for some giveaway somewhere, or to buy this one item from a company that you've never bought goods from before.
If you create email addresses and put them in silos, it not only protects kind of the jewels, which is those email accounts that you use to communicate with close family and friends and maybe your financial institutions, but it also allows us to more quickly discern fake and malicious emails from legitimate ones. So, for example, on my most private email address, if I get a spear phishing or phishing scam from, say, Instagram or LinkedIn, I know automatically it's bogus, because that account's never been tied to a social media profile. Know what I mean?

- I do, and dovetailing onto that, understanding the enterprise has historically placed emphasis on protective strategies, a lot of the technologies and products within protecting the enterprise and protecting the individuals, are you seeing a greater appetite to proactively go gather information, gather intelligence, to fold into these protective strategies? And I guess, what's a strategy to think about how to do this?

- Obviously, because this is the space I'm in, I wish it was more. Organizations, I think, have a greater appetite to take preventative strategies related to information exposure, but we're finding that it's still an educational process. Even an editor at a large news organization we were recently helping out with a piece, this just popped into my head, was unsure. It's like, well, why is this important? Whether or not I'm protecting information that exists on my social media account, why is that important? It wasn't until I explained how all of these pieces can be tied together that she was like, oh yeah, okay, we definitely wanna write this piece. I ended up doing an interview with one of the journalists, who wrote what I thought was a very good piece on information exposure and the importance of protecting information that's publicly accessible. And so we're still finding that in the enterprise too, is that making that connection. It's like, well, this is my personal Instagram and...
What does it matter? I mean, I don't post anything that's inflammatory about whatever. I was like, no, that's not the point. The point is that this information, put in context with all of these other pieces, makes you easily exploitable, makes any individual easily exploitable. I mean, the common statistic that comes out of a lot of the security and awareness training market space, and companies in that space, is that they're seeing anywhere between 25 to 30% success rates in clicks on phishing emails. Now, take that and put it at scale and make it contextualized: make it come from the football team that you like, or the restaurant that you frequent, or the alumni association of the school that you went to, or you name it. I mean, all of this information. One example I use because it's so simple is that almost all of our locations are publicly available on one or multiple social media platforms. I mean, even me. On my LinkedIn profile, you can see that I currently live in Seattle, or just south of Seattle, Washington. I live in the area, and there's one energy company that supplies energy to this particular region. Just knowing location, I can craft a spear phishing email that looks like an upcoming power outage, or maybe an exorbitantly high electricity bill that comes from the company. I mean, the success rates of spear phishing, as this becomes more automated, as this data is aggregated, are just pretty frightening. But more back to your question about organizations. It is still an educational process. We're finding the need to educate organizations still exists. The appetite is greater; organizations understand more that the human layer is as important as the IT layer from an exploitation and from a protection standpoint. But there's only so much you can protect if you're leaving the doors unlocked.
If you're putting the sign on the outside of your house that says, I've got a 50 inch television that's in the house and I'm gonna be gone from this day to this day, the locks on the door probably aren't gonna matter. So it is an educational process. We are finding greater appetite, but it needs to be more; it's still a bit of a slow climb. I could always plug PiiQ Media: we focus on executive protection, on corporate third-party risk, providing some of these solutions. The security and awareness training we have, where we automate the reconnaissance process of employees and executives for the purpose of identifying where the biggest vulnerabilities are. We have a spear phishing simulation capability where we contextualize that information to do spear phishing simulations. We're trying to do our part related specifically to human layer exploitation, and how to protect it, how to secure it. And if anybody is interested, go to PiiQmedia.com, and I'd love to talk to you.

- Aaron, love what you guys are doing at PiiQ Media. And thank you for joining the show. For the latest subject matter expertise around managed intelligence, please visit us at www.nisos.com. There we feature all the latest content from Nisos experts on solutions ranging from supply chain risk, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection and disinformation, as well as cyber threat intelligence. A special thank you to all Nisos teammates who engage with our clients to tackle some of the world's most challenging security problems on the digital plane and conduct high-stakes security investigations. Without the value the team provides day in, day out, this podcast would not be possible. Thank you for listening.