[01:32] What’s the Address of Sherlock Holmes
Rachael: Today, we are so excited to have Lance James. He's the CEO of Unit 221B. It's a company that performs investigations and counter-intelligence operations for both the public and private sector. This is going to be an amazing conversation, everybody. So, take a seat, and let's get to the point.
Eric: I'm going to proclaim Lance a genius right now. But I got to tell you, I have no idea what 221B is.
Rachael: It's like, what was that show with Jackee?
Eric: I have no idea, but let's just ask Lance. Welcome to the show, Lance.
Lance: Do you guys know the address of Sherlock Holmes?
Eric: UK something.
Lance: 221B Baker Street. I'm going to tell you a funny story of how the company name came. I was at Deloitte, working as Head of Cyber Intelligence and I was leaving the company. They had given me a severance package that was going to go on for a couple of years.
Lance: I was like, I needed to have a company to put it in and stuff like that. I was at the RSA Conference. Over a few drinks, this is years ago, I don't drink anymore. My buddy who had worked with some secret squirrel stuff back in 2005, 2006.
Lance: He's from the UK. He was like, "You have to name it something that's subtle, but Sherlock Holmes because that's what you do. That’s what you are for us." He’s the equivalent of an inspector. Basically he was a cop, but he was a federal cop.
Eric: But he compared you to Sherlock Holmes.
Who Is Cyber’s Sherlock Holmes
Lance: He's like, "You're a cyber Sherlock Holmes." You have to do it subtly, though. It can't be too obvious. And I said, "I've got it." We were hanging out for a while, a couple hours later just popped in. I'm like, "I got it. Unit, as in both the apartment unit and a team of people, 221B."
Lance: I joked around because I was like, "Also, it will probably get banned by most blacklists of DNS. It looks like a Chinese domain." They always have numbers in their domains for phishing attacks or other things. I was actually right. There was a major company that actually people couldn't get to our website for a little bit.
Lance: So, it becomes Unit 221B. A little bit about the company, it is a collective. I've had a good history of running a few companies or taking companies to acquisition. Vigilant got acquired by Deloitte. I was at Flashpoint the last couple of years ago. Jeez, time's kind of flown, but it's not.
Eric: It goes fast, you have to savor every day.
Lance: I'm either the guy that you want to come in as an executive and get your company acquired. Or I'm the guy who starts a company and goes for that. But the companies I've always owned, I've always wanted it to be organic. I don't really care about acquisition.
Lance: But, over the years that I've worked, it's basically all the best top people I've ever met. Worked with and got along with that are now probably even considered a level of family. Both in business, in cryptography, in law, in everything.
The Best People, the Best Soldiers Rest on Sundays
Lance: We've got Mark Rasch over there. He was the guy who actually came up with the Computer Fraud and Abuse Act, he wrote it. He prosecuted Kevin Mitnick, Kevin Poulsen, Bradley Manning, now Chelsea Manning. I don't know if you're supposed to say it in the past, or I don't know how that goes.
Eric: I think you covered both. So, you're good.
Lance: He's done some big cases, we have the cyber legal side covered. We have Allison Nixon, who's just a fan. I found her at Blackhat and accidentally pushed her in front of her boss back in the day. But she is probably the best hacker hunter on the planet. The Twitter hack that recently came out.
Lance: She was on Hulu actually on New York Times Presents, about tracking the dude down. He's now sitting in a prison and is sentenced to 2.5 years. She's good at attribution. We've got just people that are great at cryptography. Just the best people I've ever met, both with heart and with their technical skills.
Lance: Heart actually comes first in our culture. Then, we also have a secret school going on where I have people that have been wanting to switch it. Because of COVID maybe they had an event business or they have this and that.
Lance: So, we also have every Tuesday and Thursdays. I run a school of people across the world right now. Training them in pen testing or forensics or data science or Python or things like that.
Eric: I love that. We often talk about that on the show. There are so many people out there, artists, musicians, not to say they're different, waiters, you name it.
Soldiers Get Trained in Unit 221B
Eric: People who aren't in tech that could transfer over. You're actually doing it.
Lance: Yes. One guy I met on PokerStars, not the gambling version, but there's a VR. When COVID came around, I'm like, "Let's get VR equipment, because we're going to be sitting in our, you know." So, I like poker, I like that game. He was like the best player there, and a really good person, really good guy, from the UK.
Lance: I decided to write a poker HUD for the VR game so that we could do statistics. He’s so good at that. I bugged him about all the statistics I’d need in a poker HUD. Then I'm like, "You should get into coding." I've been working with him. I hear from these people mostly daily, but there's a signal group we have and everything like that.
Lance: They're working on pen testing this week, learning actual documentation of pen testing. How to organize it, not just the technical things like that. The biggest problem with it also is that people go and say, "Oh, you've done a bootcamp. But we can't hire you, you need a year of experience." Or, "Oh, you've done this." Well, they get to have the Unit 221B name on it for a year plus. That goes on their resume.
Eric: It gives them the experience.
Lance: If we get clients that are on and they're ready, we put them on the bench and they work with us. They get paid. But they get free learning the whole time, which still goes under the Unit 221B logo and it helps a lot. It opens that door of, "Oh, I've got a year as an intern or a year over at this company."
[07:07] It Benefits Both Sides When Soldiers Rest on Sundays
Lance: A lot of the time you get kicked out even if you have a degree. You have to have that experience. I'm like, "Well, how am I supposed to get that experience?" So, I try to provide, this is more of a voluntary thing, but it benefits both sides. I've had people from just, literally one of the guys was our waiter when my wife and I were first dating. That was so awesome that we became friends with him.
Lance: He's doing cybersecurity, working on his degree, and also taking courses here. We're just looking at situations where it's like, "All right, I've been in this situation or COVID screwed my business, or I'm this way." I just wanted to look at ways that we can make it fun, but also not have people stress.
Lance: Some of these people have children and things like that. We wanted to give them a path forward, no matter what your age is. No matter what your walk of life is, so that you can do something that you love. It turns out, all of them love doing this. So, it wasn't like, "Oh, I actually think this is boring or anything." They actually loved doing it and it worked out.
Lance: On the other side of it, obviously, the business side of 221B, we do investigations. We do some ransomware cracking. We cracked a major ransomware last year. Helped a lot of medium to small businesses and stuff like that with recovery. We do kind of specialized work. Not to brag, but I always think we're the people to call when you can't solve. Everybody else can't solve that problem.
Soldiers Rest on Sundays and Become Phenomenal At What They Do
Lance: Because like I said, these are the best people I've met. I think they're just phenomenal at what they do. So, it's not really a bragging thing. It's more like about them, that they're just so good. If it can't be solved, then nobody's going to solve it. But if it can, I think the people on board will figure it out.
Eric: One of the things that you're famous for, I guess, is the identification of Zeus.
Lance: Yes. A long time ago.
Eric: Like way back. What was that?
Lance: 2006.
Eric: I was going to say 2007. Okay, I was close. Talk about a hard problem, but something that you actually did crack.
Lance: That was my first company. We did that, similar models, I was just younger and more immature.
Eric: Hey, you identified Zeus.
Lance: The guy who helped me actually with the reversing and stuff came from sysadmin and never reversed before. He just turned out to be super awesome at it. So, that was freaking cool. Yes, we identified Zeus. Actually, ironically, if you fast forward to CryptoLocker. We helped take down the peer-to-peer Zeus that took down CryptoLocker, the infrastructure there. Zeus has been going on for a long time, some variants and things like that.
Eric: It's still out there, isn't it?
Eric: I mean, less of it now.
Lance: It is, but it's like less of it now, but it kept going for most, it had at least, I'd say, a 10 year run easily.
Eric: Did it go mobile? I want to say it made it to the Android platform.
Russians Had Owned Everything
Lance: I think the payloads did. I don't know if the actual malware did, but I think like, I've heard of some things, but I can't confirm that. Because I'm not sure about that. Mobile is not my area that I could know enough about. But yes, Zeus, that was back then. You know what was crazy about it? It’s finding how much data they had.
Lance: Even before that, before people really knew about info stealers and all this stuff. In 2002, 2003, we were finding something called, back in the Russians had. They had owned everything, government sites, everything, but no one knew about it. But we had found out. We partnered within the ISPs to say, "I'll do your forensics on that hard drive. You've got something on there, for free. You give me that hard drive."
Eric: So, you got the intelligence out of it.
Lance: Actually, it was one of the first attempts to bridge industry together. I know we have our privacy laws and all this stuff, but we put ourselves under NDAs and all this stuff. It was more like an extension of security work. But it bridged out. It's how I got into understanding phishing and malware very quickly. We got access to their base camps.
Lance: The places where they actually use stuff and were hiding in doing their tools and stuff. So, you got a really good idea of what's going on in the early days. That advantage of not just being technical, but more of communicating out, reaching out to people. Doing all that stuff is more work and more of the effect there.
It’s All About Balance
Lance: I mean, you can be technical all day, but if you can't reach out and get that information. It's one of the reasons why I've taken a business law class and a few other law classes on purpose. So that I could understand privacy and things like that. I could work with how we do this in a cooperative manner without infringing on anybody's rights. It's all that balance.
Eric: And that's almost 20 years ago now.
Lance: Oh my God, you're dating me.
Eric: I don't mean to. But if you're talking about how much information the Russians had 20 years ago. Think about connectivity now, think about the attack surface now. How much do they have and how easy is this game for the adversary?
Lance: Well, here's an analogy one of our guys uses, so I'm borrowing it. It's like we're in the times when, with all the breaches, especially. We're in the time when people had castles and they had arrows and they were fighting the wars. But then suddenly gunpowder and guns got invented and you've got cannons, all these things taking down these castles.
Lance: So, the enemy or the adversaries become very armed and we're staying still. It's a big challenge to catch up. That time in history was probably pretty upsetting for at least 100 years too, to adjust and do that. I think the Edo period in Japan, where there were samurai, and then there were guns suddenly introduced.
Eric: Yes, the samurai didn't do as well.
Lance: A lot of them wanted to stay in tradition and did not want to go to gun weapons. It took a long time.
We Were Losing Battles
Lance: But then they were losing battles, so they kind of were forced to move in that direction. It's the same thing here. Our payloads and everything that's happening now, we're the castles. You've got dynamic attacks coming at us left and right. Remember, in the first days of phishing, we thought it was just going to mainly be like attacking the user at home, but they're doing both now and it's just complicated. They call it advanced persistent threat.
Lance: It's really an organized persistent threat. That advanced part or the organized part is really sometimes nine months of studying and planning and stuff like that. Because these advanced persistent threats are usually military-grade or things like that. So, they treat it more like they've combined their operations of security and military operations together.
Eric: Well, you look at Sunburst and the planning that went into that. It's really illustrative of how the adversary thinks. We did a podcast. I did a talk, I don't know if we did a podcast in the lead-up to it. Actually, we did. Marco Figueroa from SentinelOne was talking about the adversarial mindset leading into the actual attack. But it's interesting. I was reading Malcolm Gladwell's new book, The Bomber Mafia.
Lance: Oh, that's a new one.
Eric: Sunday. Quick read.
Lance: I'm going to read that.
Eric: I read it in less than a day.
Lance: These books are always a quick read. They're great though.
Eric: Oh my God, it's great. I love the way he thinks. It's all about these 12 guys, who in the '30s, figure out how to change war going forward.
[14:16] Soldiers Rest on Sundays and Save Lives
Eric: The idea is if you can drop a bomb from 30,000 feet into a pickle barrel, all of a sudden, you can save lives. You don't have people dying in trenches, trench warfare and everything else. It didn't work out, because the technology didn't keep up. But as I read it, and like I said, I love Gladwell. I kept putting it in the context of cyber. Cyber is almost like the aircraft of our day.
Lance: Well, it's called fourth-generation warfare. If you read, Thomas Hammes. So, Thomas Hammes wrote a whole, I think, books and other things about this. Essentially, he invented the term. He wrote the first paper on what's called fourth-generation warfare. So, we're in the fifth domain. Cyber is the fifth domain. Land, air, sea, space, cyber.
Lance: But Thomas Hammes, I think he was a Colonel in the army or in the military somewhere. He did this paper on asymmetrical, what we call asymmetrical here, but really there's even more to it. Where insurgencies are more likely to win, not the big military. Do you know what I mean? That's what we're dealing with now.
Lance: The movement of insurgency, whether it's online, whether it's not, has a higher chance of winning because of the dynamics. The agility to attack movements, guerrilla warfare, things like that. Cyber, it's not that much different. When you see the Syrian Electronic Army back in the day, or this and that, they're all just insurgencies. Anonymous, QAnon, all these things are just forms of insurgencies. The power they have is information or misinformation.
Almost a New Weapon
Eric: It's almost a new weapon, just like the aircraft was in the early part of the 20th century. That's what my mind kept going to when I read the book, it was great and like I said, it's a short read, I think four hours or so. It started as an audio book. He's got a bunch of podcasts, but it did make you think about cyber. So, Lance, you're on Mr. Robot also.
Rachael: This is so cool. My favorite show.
Eric: With Andre McGregor on episode nine. I looked it up before the show, who was a tech advisor to Mr. Robot. But you were on the show and a cameo, I guess, in an episode of your own.
Lance: Well, it was an episode focused on what hackers think of the show. So, it had, I think, what's his name? Mudge from the old days.
Eric: Yes. We were working on getting him on the show also.
Lance: He's at Twitter now, isn't he?
Eric: Boy, that's a great question. I don't know.
Lance: But yes, they had Mudge, a few other folks. Technically, if you go to Amazon, I think it's at the end of season one, last episode. It's like a promo about the show for the season, push for the season two, then get people into season one. Met the writers at CES, the speakers, dinner and stuff.
Lance: We were talking about ideas like, "You should get hackers talking about what they think about the show." I covered a lot of psychology and the character himself, about abandonment issues with his father, things like that. That plays very highly into the issues with hackers.
We Are Insecure
Lance: I had a therapist tell me once, he goes, "We're in security because we're insecure." So, really, it was one of the best sayings. I was like, "You got to love psychologists." It really does play into some of the way the character was, how he had his abandonment issues. There's a sense when you're abandoned or feeling abandoned, it's a sense of power that runs into you.
Lance: That hackers, youth hackers, we do a lot of work also with. This plays into, but we do a lot of work with the FBI. They have kids that get in trouble. They'll come work with us, that is too off the reservation or anything like that. They're really talented. They just, wrong crowd, wrong this and that. We do one-on-one with them as well.
Lance: It's not just work, but actually one-on-ones. How to get through your life now that you've got this against you, but how to keep moving forward. Things like that. We break down like where they want to go. It's the same with this character, where it's like, he's around a crowd, he's got a lot of skill. He's seeking a sense of power in himself in a wrong way. And he's got an ideology or a strong belief about certain things.
Lance: Obviously it represents very much the anonymous type manifesto, type belief system, right or wrong. His actions are illegal, but like right or wrong, it's a belief system. Those axiom beliefs tend to drive a lot of people as we've even seen today in our climate. So, yes, it was a fun experience. Actually, my makeup person was telling me about a few different actors they really liked.
Lance: I'm trying to remember the one, what's his name? What's that one when the frogs start raining down? I think Tom Cruise is in it.
Rachael: Oh, Magnolia.
Lance: Yes, Magnolia. The guy that died from, I think, a drug overdose, what's his name?
Rachael: Philip Seymour Hoffman?
Eric: Rachael on a roll.
Lance: Yes. I felt, you know what? I should just change this to a quiz show.
Eric: It's our podcast. We'll do whatever we want.
Lance: She was telling me that that guy was so intense as an actor. There was a movie he was doing where he's learning the violin and he literally spent a year learning the violin. And it's actually a thing for me. I'm a violinist and I get upset when people who are playing violin in the movies and they're not moving their fingers. They're not on the right string. And I'm like, "They're not even, it's like, at least snapshot a real violinist or something and do it."
Eric: They're not even faking.
Eric: So, Philip Seymour Hoffman was very interesting.
Lance: He seemed really nice, but like a very intense actor in the sense of like, it's similar to Heath Ledger, where they put themselves into the role.
Rachael: Well, I love this idea of psychology though. It's so well-featured throughout every aspect of cyber today.
Lance: P-S-Y-B-E-R? As in P-S-Y, psyber? As in psychology, psyber?
Eric: We can go there.
Rachael: Yes. Eric, you've written a lot about this disinformation. Just the manipulation of how people think and to get them to act in a certain way.
[20:35] Soldiers Rest on Sundays Then Combat in a Meaningful Way
Rachael: The power of that is really fascinating. How do you combat that in a meaningful way? It's everywhere and you don't really have control over the social media channels. How do you curb free speech and all the other things that go into that. Where would you even start to address a problem like that, Lance?
Lance: Venn diagram.
Eric: Give me a moment to recover.
Lance: I think I have eight whiteboards in this house. You can see one of them in the back, in the kitchen right there. A few of them do have Venn diagrams on it. So, in, at least, let's just say, the last 10, 15 years, or like 20 actually, ever since Zeus.
Lance: Since Zeus and before, there's security, cybersecurity, traditional cybersecurity. There's now the intelligence community stuff that's been going on for years. But that door is open, where there's a bridge between the cybersecurity hacker types and then the intel community like we talk about.
Lance: Like the FBI helping on stuff and in things like that, but it's all bridged together now. Then, there's a third piece. Data science is starting to come into play. Now, what's ironic is that all the social media stuff, we're seeing data science go the wrong way sometimes.
Eric: What do you mean by that?
Lance: It's creating echo chambers by accident. Now, there's a really funny joke here. Some moms are talking to their kids saying, "If your friends jumped off of a bridge, would you?" The kid would say, "No," if you ask the ML, it would say yes. So, machine learning. If you ask the AI, it would actually say yes, because it looks for trends and goes towards the trend. The pattern.
The Challenge With the Approach
Lance: The challenge with the approach is even in your news feeds. I don't know if any of you guys have noticed. It's been more stressful to read the news in the last two years. Not just because of the people, but because of how it works. It kind of knows that you're reading that and then reading it more and reading it more. Then, the data science goes back like, Google's stuff, there Google's news. I can look up something once and it starts thinking that I care about that all day.
Eric: I was going to say, I feel like the news is becoming less unique. Because I'm an Apple News user, the browser brings up the same stuff. I have to really seek out interesting articles or something that's outside of what I've typically looked at. It just starts funneling me down this path. I find after a while, I don't know if you guys are the same way. I'm reading the same stuff over and over again, the same site, the same authors.
Lance: That's data science.
Eric: I'm not expanding my horizons. I've got these blinders on almost. I hate it.
Lance: Well, the beautiful part about that intersection we're talking about, especially data sciences, psychology and security and even news and information is data science. Our brains are kind of like a Bayesian network.
Lance: A Bayesian network, invented by Thomas Bayes in the 1600, is a statistical model system that weights certain things. So, like we see most of our anti-spam stuff. It weighs certain features like, Oh, there's a weird hash thing here, it says Viagra in a weird spelling or this and this and this.
When Things Get Too Much, Soldiers Rest on Sundays
Eric: Or there are numbers in the URL, so we're not going to let that go through or whatever.
Lance: Right. So, it classifies, it makes a weighted balance and says, "Okay, if it hits this threshold then this." Our brains are similar. You get it to go on a certain path, it'll start putting weights on that path and move, move, move. Now, what's happening though is data science is similar to psychology in a basic way. Our brain will neuroplastistically adjust.
Lance: It does calibrate like, okay, we've been in COVID for a year, first six months. We probably all have panic attacks. Now, we're starting to go, "I don't even know if I want to go outside yet." You know what I mean? So, the brain goes into an adjustment. In data science, it's called cross transformation where it can get too much, or it's basically, you're overfitting.
Eric: You're skewing the modeling almost.
Lance: Yes and you keep training it. And that's the thing, these are supervised, trained models by us. We're the ones, by reading it, it tells that it cares about us and that this is our information. What's happening though is it's overfitting the model, our brain's dopamine is responding to that overfit as well. So it's weird, like the feedback loop.
Eric: It's like a cycle, a complementary cycle almost.
Lance: It's a complementary cycle, but it also hurts us, because obviously we only have so much dopamine. Then we become stressed, then we become this and that. So, this, in a weird way, and it's an accidental yet maybe. I don't want to blame any corporations and say it i.
Eric: Why not, let's do it.
Feeding an Echo Chamber
Lance: It's just, it's feeding an echo chamber. It does play into some of the polarization. Besides just the politics, but just polarization of our beliefs and tribalism that's been going on along with the fear of COVID. That's an existential crisis. So, this information that keeps coming at us, it's hard for our brains to take on without like, do you guys ever take a break from the news? I'm sure you have. You've had to.
Rachael: Absolutely. Yes.
Lance: Because you're like, "Okay, I can't do this." Then you go back to it, you catch yourself back into it and things like that. I get it. It's all part of this system. But it's the intersection, that is, it can be problematic, whereas data science can overfit and cause this for our brains. There's also another way of like your main question was how do we counter some of these problems? It's going to be AI versus AI in some ways. But it's AI and people versus AI and kind of auto AI.
Lance: Because I'm not trying to be like a big corp is doing it. It's just, the incidental model of the information era is that we've gone so fast. Moore's law has spiked up and it makes a lot of money. So, it's hard to say no to those things. Those are all incentives that produce reward. When we look at misinformation and information today, those three intersections are interesting.
Lance: So, we have cybersecurity and the very technical people there. Some of the cybersecurity people are starting to get their minds around deep learning, AI, and take an interest. Right now, most of the very effective deep AI that I've seen in the vendor space and stuff.
The Challenge You Have Today
Lance: It’s mostly IPs, domains, categorization, prioritization, things like that. Things that need to be solved for security. But what about information prioritization? The challenge you have today, I mean, Google has something like a Perspective API. They check for violence in the media and in content, they check for semantic and non-semantic. Meaning like neutral, negative, positive, things like that. Now, data sciences are dumb machines.
Lance: They can do multi-classification, but you really train them to do one thing at a time. Then you combine another piece together and another piece together. Then you go, "Okay, can figure this out? That's that weight and it's this and that's that weight and it's this. Okay. Let's make a decision once we have enough things." What data sciences really do is to help you make a decision by processing the information overload.
Eric: I feel like old CTO at McAfee, Steve Grobman. He was an Intel fellow and had multiple patents. He talked a lot about and thought a lot about human-machine teaming. I think, Lance, it's similar to what you're talking about here. You don't rely on the machines.
Eric: You rely on them for what they're good at, but question. Understand what they're doing and then you can evolve the models too once you figure that out, but let them do the grunt work. Machine learning algorithms are great until they're not.
Lance: It's just a bigger calculator.
Eric: It's a faster calculator with a sanity check or some kind of check and balance on the end.
Lance: Correct. And every single time, and just like an intelligence, they have this tradecraft thing. People think they want to push technology into it.
[28:16] Be the Person That Always Validates
Lance: You’ll never get past more than 50% of a human needing to still be involved. It's just never going to hit that curve.
Eric: You think that's the number, 50%?
Lance: I think a human has to always validate. That's why I always feel bad when people think AI is going to take people's jobs. I'm like, "No, just create AI and be the person that has to validate all that stuff." For instance, we wrote, a while back, an antiterrorist AI model. It would identify Jihad and Sunni extremism both in Arabic and English by probability.
Lance: That would say, when this content came in, is this a likely terrorist type threat versus also benign things. Like articles about Jihad and all that other stuff. Also, the Quran is benign and the Bible's benign and you have to feed it. But we had to have analysts sitting at a university that were labeling every single thing. You can't just tell AI, "Go figure this out for me."
Lance: There are some things that people say that they did, but, the AI can't exist without the people creating it. So, maybe someday we will have Skynet, just kidding. But like I said, they're kind of dumb. They are dumb, but they're smart. They're crunching numbers, it's all based on coefficiencies, all this crazy modeling and stuff.
Lance: But the math is there. The math is explained. But to counter the problems that we're seeing, we almost have to go reverse. Start looking at like, "Okay, we have all of this information out." Some of it's now over biased because it's also being, data science is sending it out as an over bias.
Lance: So, what do we do to counter all the information? We have to have unbiased feeds. We need to have all this information, like Apple News will only send you what they think you care about. That's not a good way to train a model.
Eric: Well, that's my problem.
Lance: Misinformation today is trouble. Also the motives of the media today are very different. When it was paper, it's very, very different. Subscription, you just got your paper, you read it, this and that. Journalistic integrity was a thing, which some people still really like to have. Unfortunately, to get paid, they got to have clicks.
Lance: So, it's all about that headline. Most people don't actually read past like probably two paragraphs of the headline. I don't. Half the time when I do, I find it's like, "Oh man, it was an ad."
Eric: See, I do. I actually do.
Lance: I do if it's the Atlantic, The New Yorker, the Vanity Fairs, I like those articles. Because they actually have journalistic integrity. But a lot of the time it's almost like briefing. So, there's briefings and then there's a good article. That's why you're seeing so many articles the same, because multiple authors are writing it.
Lance: You were suddenly interested in it, data science pushes it forward to you and overfitting. There's not someone sitting there trying to make sure, I mean, there's probably a quality control team. It's going to take a while to get that quality control every single time. So, it's missing a balance. But then there's also just the internet.
The Speed Is so Much Faster When Soldiers Rest on Sundays
Lance: I guess there could be a fourth quadrant. The internet has so much information. So, I don't know if we're still in the information age, but we're in a pendulum of dealing with the information age. We all are connected, it's not like in the '80s where there's an Iran-Contra affair. I'm sitting in a room watching Dan Rather's, there's no middleman anymore for news information.
Eric: Or misinformation.
Lance: Or misinformation, a blog could be what people consider news. I mean, OAN and all these things. They just started up and suddenly they're accredited news sources. I'm not saying they don't have moments.
Eric: It drives me crazy.
Eric: And the speed, the speed is so much faster.
Lance: Correct. So, it's like an information worm when you think about it. So, 2016, we talk about the elections, the Russians, and the intangibilities. And this is why people don't want to believe it because you can't really tangibilize PSYOPs or tradecraft.
Lance: Psychological operations would actually work and how does that actually work? Now, the only people that can tangibilize it are the people. The people who've actually confirmed that it was these memes came from Russia or this and that.
Eric: And the conspiracy theorists, who dream up all kinds of stuff. Know exactly how it works, not to pick on any one group.
Lance: I'm pretty sure some of those conspiracy theorists come from foreign uniformed parties.
Eric: Or even in the US, but yes.
Lance: Well, that's what I found funny. Politically speaking, WikiLeaks used to be a very liberal left-libertarian thing. Then, when it benefited a certain political party, it was suddenly now.
The Biggest Problem with Misinformation
Lance: The shifts have gone because of the benefits and the incentives. That's the biggest problem with misinformation. The brain is always looking for a reward. When we get something, for instance, the QAnon. Let's discuss QAnon and what happened here, I'm not going to get into the details.
Eric: You're making Rachael very uncomfortable. She hates political talk. Let's do it.
Lance: Oh, no. I want to talk more about how it works, not the actual politics of it.
Eric: She'll be less uncomfortable, but let's go, Lance.
Lance: All right. So, COVID, you got people sitting around dealing with an existential crisis of, "Am I going to die?" That's a psychological crisis that's going on. "Is my family going to be safe? Am I going to be living in my house for more than two months?"
Eric: "What do I do?"
Lance: "What do I do?" Because of the news being all over the place at that time, it's scary. It plays into the amygdala acting up a little bit more than the prefrontal cortex. Prefrontal cortex is your strategy room. Your amygdala is your fear. Then, you also have boredom. You're at home with your kids, it's way harder for a lot of people. "They're driving me crazy," which is normal, like they're supposed to.
Lance: They're going crazy because they're not getting out, all this stuff. This is politics aside, this is just the reality that's occurred. Something like QAnon, people want to feel they have purpose. It's easy to cultivate something that gives someone a feeling that they're fighting for something. Especially during a fight-or-flight moment of life, which is what's going on. If they are going to die, I want to go out knowing I did something.
Something to Cling Onto
Eric: I believe in something. Especially when they're searching for that, because they don't know that uncertainty.
Lance: Right. So, the brain's going to be searching for whether it's stable or not. They're going to be searching for something to give them to cling onto so that they can have a little. In a metaphorical way, a blanket.
Lance: Yes, and a control. The problem with anxiety is searching for control. That's how this actually occurs is that you're like, "So many people got into this and this and that?" Whether the information is all this and that, but there's so many believers at a cult-like level. You're just wondering, "How did that occur?" You have this complete mix of problems here, which has nothing to do with computer science.
Lance: I don't know if you could actually solve that, because the middleman is gone. The information's there and no one has really sourced or put together 8chan's good and this is bad. This is good, and this is bad. I've never been on 8chan, because it just doesn't seem like the type of things I want to even look at.
Eric: 8chan being a news group, it's not news, what would you call it?
Lance: 8chan or 8kun or whatever. It's a forum, but it's some of the worst crap on there that you'll probably ever see. It's uncensored.
Eric: Kind of Reddit-like but not.
Lance: Yes, you can see the worst of everybody in some aspects. Then they get into groups and then they start talking and things like that. The challenge is with this bag of mix, the COVID, the way that everything's been going, the chaos, all that stuff.
[35:50] Soldiers Rest on Sundays and Get Closer to Their Faith
Lance: It's an easy thing to get into a faith, whether it's QAnon or some other kind of religion. Or your own, clean, closer to your faith or whatever. Anytime you're dealing with death at your door, this is why, psychologically, this plays. Now, the question is, how does this affect, for instance, I'm going to lead this one. How do we deal with this now that we're going back into life slowly? Insiders at work, QAnon believes, not saying they're all the enemies.
Lance: Some people are not doing illegal stuff, they just might believe it or whatever. But things that are our concern, even on the left side, there's a lot of extremism too. Let me be fair, and not just to pick on QAnon, but there's extremism on both sides. But now we're finally seeing that. We're seeing more weird attacks. Whether it's racial or whether it's insurrection-type stuff or just something on a belief or just irrational behavior right now.
Eric: It's certainly increasing.
Lance: It’s the norm when everybody feels like the world is ending, but it's increasing. Hopefully the idea is to calm it down, but what happens is then the craziness goes inward and pent-up again. It's not like it's not there anymore. It doesn't just go away. It's going to be pent-up. That's where insider threats and dealing with information become very difficult.
Lance: This is where we go back to that Venn diagram of treating it with data science. Auditing, monitoring, protecting the need to know sensitive data. In a way that has more than one to two people that may be like, "I need to look at this document.
The World We Have to Get to
Lance: Okay, you're checking this document out. I know you have it for six hours." That might be the world we have to get to when you think about that, while still maintaining privacy. We're not going to go out and start monitoring everybody's Slack and stuff. But Slack has a feature that if you had to call back stuff, you have discovery. No different than the firewall, if you keep the logs on, they're there.
Lance: It's such a balance, because you can't be a Minority Report about insider threat. You can't be like, "I'm going to precog this and think that they're going to do something." But I actually do think the defense isn't as technical as we'd like, I think it's more cultural. It's an adjustment. Some companies, I think, saw a company that decided, "Don't talk politics at work blah blah blah." And then some people left. I think it was Basecamp.
Lance: Some people are adapting to the Black Lives Matter diversity stuff, obviously within reason. Not the extreme stuff, but more the middle of the road like how can we better be at diversity? Which is a great question to ask whether this was going on or not. Then, maybe companies are going to start to have to deal with what is white extremism? The right-wing supremacy stuff.
Lance: Because it's an equal problem to deal with, you can't just go, "Oh, Black Lives Matter." And then not deal, figure out what that data looks like. Today's data science can help with that. The neat thing about that is all of these areas, whether it's politics or whether it's views.
Lance: Beliefs or just fraud or whatever you're worried about, any kind of information. They all have code words with their language. Just like our technology stuff has a pen test for cybersecurity. We have code words. So, topic modeling or getting the topics out of those are the easiest part. Then, it's just looking at how we find motive, intent-based on it. Once you have the topic, I'm going to go into a chat channel that's got white supremacy.
Lance: Or I'm going to go into chat that has Jihadist stuff or this and that. It's then labeling, figuring out, but there's a lot of work to do. Even child pornography. If you're a citizen and not part of the government, you can't make it a tool that would do that. You can't look at the stuff that no one would want to. But can you build technologies that would look like there's a child in this picture, whether it's benign or not.
Lance: Then combine it with, this is not suitable for work here and that kind of stuff? The potential is there to build technologies. To protect your inside information, whether it's whatever belief it is, whatever it is. The problem today though is with all these beliefs. That they're going to soon kind of close down and get pent-up again is similar to Mr. Robot.
Lance: We have anti-corporation. But what happens if you have an anti-corporation or you work at a Procter & Gamble or something. And there's some political belief that comes in or there's anti-vaccine. Whatever belief it is that suddenly you work at Pfizer and you get behind the anti-vaccine thing? What if you get too far with that? What if it goes too far?
Lance: It motivates or it plays into something you might do, sabotage this or that. There was a case of a medical person, personnel that sabotaged a bunch of vaccines or whatever. This is politics aside on the beliefs of vaccines or not. It's just more of like, these are going to pose future threats, because everybody's going black and white right now.
Lance: Because of the fear that's going on, the amygdalas run like, "I got to make one choice or another." So, when things calm down, there's going to be those few percenters that are going to be inside companies. They could pose a valid threat, a valid concern. There's been movements to bomb 5G cell towers. You have to deal with external intelligence, chats, things like that.
Lance: Inside companies need to start looking at what's the actual information out there. What's that look like? Then there's also like, is there anybody inside that we're concerned with or connecting into those things? A lot of companies now do things like DLP. Things that will say, "Alert me if someone went on the dark web from our company." Things like that and what IP address. Now, it doesn't necessarily mean they get the details on this and that.
Lance: But there's the balance between privacy and there's also, most of the time, waivers. Let's come to the assumption of privacy waiver inside of when you work for a company that all of the elements are theirs. So, anything you do within that company is their property. The we concept, the collective we concept comes in. Meaning, that company is responsible for going on the dark web.
[42:16] How Do You Protect the Workforce
Eric: But there are a lot of general counsels who are really against looking at what their personnel are doing. Especially with work from home, you're using your corporate laptop and you go to pay your kid's medical bill or something. The companies don't want anything to do with that. They don't want to collect anything and I fully understand that.
Eric: But then how do you protect the workforce? At the same time with that work device that may have malware on it, that's in the house and your liability? It's really tough. I'm reminded about the conversation we had months ago on disinformation. You were asking me to write a little bit about what a government employer does, or employee.
Eric: How does the government better protect its employees from misinformation, disinformation? I didn't have a lot of good answers. What do you do without spying on them and without telling them what to believe?
Lance: Transparency and training.
Eric: That's most of what I came up with.
Lance: So, what do they say? Disinfectant is the best cleanser for deception. And misinformation, whether it's good intent or just bad information on the internet. It's a form of deception and it's untrue. We wrestle with not only privacy, but freedom of speech and all that stuff. But we wrestle at the deep corporate level of privacy.
Lance: But let me ask you this, for instance, if we had training and awareness. Just like we're supposed to have with security breaches and all these other things. We have regular training and awareness practice on what is misinformation, how it can get you.
Almost Like Phishing Tests
Lance: Maybe even someone coming in there showing them how exactly it got how many people, almost like phishing tests. Where it's like, "Oh, it got you. It got you. It got you." And it could be as easy as that. Once people actually go and see that, their prefrontal cortex goes, "Whoa!" Because right now they're fighting that like, "I can't be prone to that."
Lance: But once they see that, they can kind of relate and go, "Whoa." And that little, I guess, wake-up call with the training can be powerful. It's similar to when someone says, "Okay, phish test or hack into the CEO's thing while doing the training. Prove that it's not that hard to break into the company while you're in the meeting or something."
Lance: The special moments that they have, where they permit it. But you show that, similar to addressing firewalls IPs and all this stuff, we don't stare at the logs all day. Some SIEM systems do and everything like that. But there's no chance that everybody's just staring at innocuous, basically benign information all day.
Lance: So, data science can still maintain the privacy where you just send it. Like, there was an alert on this at this time, you can even anonymize it for the lawyers. And say, "This user on this alert," but like, this is the only concern. And you could say a topic, it doesn't actually have to be a thing. It's something like that.
Eric: Doesn't have to name the user until they open an investigation or do something. Agreed.
Lance: Unless they open an investigation.
A Balance Is Achieved When Soldiers Rest on Sundays
Eric: But I still find a lot of organizations are uncomfortable even going there.
Lance: But it's weird. Technically corporations are liable for that in the long run. They have to think strategically, they don't need to get overboard with it. It's a balance.
Eric: My experience is the general counsel deals with issues when they come up. They deal with risk avoidance until something comes up. And the risk of privacy seems right now to be outweighing the risk of damage.
Lance: That's a discussion that needs to start happening more, almost like a tabletop exercise. Almost like business continuity plans in a weird way is part of that. It all falls under your business continuity plan of the tabletop exercise. What to do if section, subsection, insider threat. I've worked at companies where they didn’t know how to do any legal action against the person that actually did something.
Lance: So, they just sit there and go, "Well, I guess that's just happened." And it's like, you guys would know how to do that if you were prepared at that tabletop level. Spend the money on the lawyers in the first part of things, the more expensive parts, so that the reaction isn't so costly. Because the counter goes higher when the reaction's costly.
Eric: I haven't found that, I mean, I've sold email archiving. I've sold insider risk, insider threat capabilities, and rather than getting ahead of it and rather than spending money, there are a lot of organizations that are just, they'll deal with it when an issue comes up. But until an issue does, they don't want to go preventative in that way.
Getting Rid of Data
Eric: In fact, they love getting rid of data, because it takes some liability off the table when something happens. It's almost like the credit card companies who build in a certain percentage of their cost on the risk side. Like, "We're going to have stolen credit cards. We're going to have fraud and abuse." It's almost like they think in that way.
Eric: I'll tell you, my experience, and I'm on the government side, the government is the worst. You go into any DOD or intelligence computer, when you log in. The first thing you see, splash screen is this US Government property, blah, blah, blah. We have the right to see and observe everything you're doing, blah, blah, blah. You can be prosecuted in accordance with all the laws. They're the worst at willing to actually look at what their people are doing.
Lance: We've heard of this. There was a whistleblower Titan Rain I think was a famous one, Shawn Carpenter. No one wanted to look at the problem, when there was an APT or this and that and all that stuff. I don't mean to make fun of the government, but I kind of laugh at that. Because a lot of times you go into intelligence thinking you're going to actually do some action.
Lance: Then know most of the time, you're just letting it go by. Like, "Here's some intelligence, there we go." It takes us back to what actions are available and things like that. But I think we're all pipe-dreaming that people would think strategically. Like there's realism and then there's philosophy here. Because we only get pen tests now. There's SB-1386 and a few other different laws out here.
A Compliance Requirement
Eric: There's a compliance requirement that tells you to do something so you can check it off.
Lance: GDPR, lose 5%. So, if there's not money taken away from you, there's no incentive to do it.
Eric: You don't do it.
Lance: I was doing a whole year of GDPR at my previous company. And it was only because it was threatening their livelihoods as a company that literally made them respond to it. It was literally, "Okay, we got to be strategic. It's a pain in the butt, but we've got to be strategic for a whole year." It's why finance and accounting and stuff like that. They are always like that because there are all these SEC laws and all these other laws that motivate them.
Eric: They know exactly what you do and how to do it because they're told.
Lance: Right. They're told to. So, we don't have that kind of board or body that's really doing it unless it's some Congress thing. And of course, that would require some major incident to occur. It's like, "So, what can we do now? Let's try to be realistic."
Lance: So, culture, right. I always joke around and say, if you want to fix an insider threat, give your employees a hug. Well, obviously, culturally speaking and literally speaking don't really give them a hug unless they're comfortable.
Eric: That's my boss, he's like, "We need to hug our employees. It's a rough time right now, you need to pair hug your employees."
Lance: I literally had that in my Deloitte office. I put free hugs on my Deloitte office. And it said, "One per employee per day."
Soldiers Rest on Sundays All Within Limits
Eric: Oh my God, I love employees, I hate hugging. I don't care who it is other than my kids and wife. I hate hugging.
Lance: Again, it was their option, but I actually had people come in and go, "Hey, can I get a hug." You're like, "Cool."
Lance: All right, handshake, whatever. My point is, metaphorically speaking, the challenge is we go back to both technology and psychology. We have to find this balance. People expect privacy, they don't want to be monitored all day. That never works as a good environment unless you're Bridgewater. Sorry. But extreme, radical transparency, and it might work for some people. But not everybody works there, if you know what I mean.
Lance: But I think the balance is culture transparency, training. When I say culture, addressing the issues that are coming up. People are people. You've got the Basecamp situation on one side, but allowing people to have a space where they can talk through that. Whether it's outside of work, but still like a work function or this and that. Allowing them to have that, all within limits, things like that.
Lance: One of the things also, for instance, I was at my last job, they started including mindfulness things. They started including, as things got more stressful, for instance, the people that work on jihadist stuff. They would see beheadings all day. So, they started providing monthly therapy as a perk, things like that, to discuss what they're seeing.
Lance: They do this, technically, at the FBI, if you work in the illicit images program as well to make sure you're okay. I don't know if they do it for the benefit of the employee.
[52:03] Soldiers Rest on Sundays Because They’re Humans
Lance: The company I was looking at, they're doing it for the benefit.
Eric: I'm bringing some of that in for my people and they just think I'm lacking. Sometimes they just look at me like, "What? We are talking work-life balance here? We're talking about how I should be spending more time with my family and what do I value?" And they look at me like I'm crazy.
Lance: But misinformation is actually countered at the individual level. It is with mindfulness. It's not special tradecraft techniques. It is non-reactivity training. It's like keeping your cool in situations, not reacting to every headline. Reflexive control theory, which is a tradecraft that was dubbed by the Russians. It's been everywhere. Headlines are the concept of it, where it impacts your decision making. It's there to disrupt it, but it's designed by reflex. Headlines are a reflexive thing and it controls you.
Lance: So, when you think about that, instilling non-reactivity, and instilling, whether it's subtle or just by choice. They can go to it or not, having the option is more of a thing there. At our company, we try not to work past 5:00 PM. We have a little different boundaries, because they're my friends. But I'm like, "Hey, are you getting sleep?", things like that.
Eric: No, I do the same.
Lance: But it's just called leadership. Leadership, you can't take out the EQ, you can't take out the person out of the work job. There's not an assembly line here, we're all working.
Eric: Because we're machines, we are humans.
Lance: We are humans. I've had, years ago, I would spot the person secretly crying in the back of the room in their job.
Soldiers Rest on Sundays and Go for Walks
Lance: I’d be like, "Hey, you want to go for a walk?" When maybe their boss hasn't walked in that room for a week or two, because they're in a SIEM operation. Like in the SIEM systems and they're just whatever, I would purposely realize that that was going on. I wouldn't criticize the boss.
Lance: I’d just go in there every day and make them laugh and go for walks with a couple of them and this and that. That can change the difference between someone staying there, staying happy. Then, I started adding a training session to bridge our groups and stuff together. They started learning new things. It's operant conditioning.
Lance: If you have too much negative on one balance of it, you're going to start looking for something outward. It could be misinformation, could be something else like this. But if you're happy at work through things and projects, it doesn't have to be like sitting there mindfully. I just meant like the mindful concept of each other. The consideration, looking out for each other, building a culture to look out for each other.
Lance: So, that also, if you had to report like, "Hey, someone's having a bad day, kind of little concerned with them." That's not an uncomfortable feeling and both sides won't feel like that. It's just more like, "Hey, your work is here for you just as much as your home life is. We borrow the majority of your time over your family anyways." As much as we want to come with a technological solution, which obviously we've discussed, it's also, you can't.
The Human Aspect of Data Science
Lance: Just like the human aspect of data science, we can't overfit it, we have to balance it. And that balancing is producing good content, good belief in systems and things like that. People having a way to express. I mean, you get a little personal, but last job I had, I guess, they call people ops now. But my son passed away and I was able to just cry in a room when I needed to.
Lance: When I came back to work with the person at people ops as I needed, as I was going through things. Or I could go meditate or sit by myself for a little bit, even if it took a little bit of time. I mean, I've even had a panic attack in front of my team because of that situation. The support I got, a product manager just sitting with me for like two hours. Do you know what I mean?
Lance: That's the thing, we need to breed decent human behavior. That way it's just low-hanging fruit. We'll always get crazy at the office once in a while, you do. They're usually easy to spot if you have a culture of decent behavior though. Because even the silent types that we all worry about and say, "Oh, he's so quiet and dah, dah, dah."
Lance: You start inviting them, they change, you know what I mean? Things like that. As much as I want to be like, "This is a tech talk." It's also very much, you gotta put the work in on the other side of it so that you can do that.
More Standards in the Work Environment
Lance: I wish there were a little more standards in the work environment. Then it would just be like, "Hey, we're all aligned. Nothing has to be too left or right. It doesn't have to go all the crazies," just standard human decency while supporting them.
Lance: That way, if they feel like, "Hey, we do monitor stuff, but we don't watch it, things like that." They're not going to feel just as much at ease. They don't feel like they're going to have to hide anything because it's a transparent culturally effective company. If that makes sense.
Eric: I think that is the answer I was searching for or a huge part of it. In my mind, once again, the algorithms were sending me technical. It's like, "What does a government manager do?" But on that, I think we do have to wrap. I know we're on time.
Eric: Well, thank you for joining us. Rachael, what do we do if we love the podcast?
Rachael: Well, that we say to subscribe, smash that subscription button. Get a fresh episode delivered to your inbox every single week on Tuesday.
Eric: Awesome. With that Rachael, Lance, thank you so much, until next week. Take care.
About Our Guest
Lance James is an internationally renowned information security specialist. He has more than 20 years of experience in programming, network security, digital forensics, malware research, cryptography design, cryptanalysis, counterintelligence, protocol exploitation, and executive leadership. He provides advisory services to a wide range of government agencies and Fortune 500 organizations including North America’s top financial services institutions.
Credited with the identification of Zeus and other malware, James is an active contributor to the evolution of security practices and counterintelligence tactics and strategies. Over the years, he has championed several FBI-led takedown operations of criminal organizations through his strategic alliances with industry, academia, and law enforcement.
James has contributed to a number of industry publications including Phishing Exposed (Syngress, 2005), Emerging Threat Analysis (Syngress, 2006), and Reverse Deception (McGraw Hill Professional, 2012). He is regularly sought out as a keynote speaker worldwide, has been a frequent commentator on MSNBC, was featured on an episode of USA Network's hit television series “Mr. Robot,” and recently delivered a powerful TED Talk on “How Attackers Can Use Your Brain Against You in Psy-Ops.”