Welcome, Jeremiah Baker

Rachael Lyon:
Hello, everyone. Welcome to this week's episode of To The Point podcast. I'm Rachael Lyon, here with my co-host, Jon Knepher. Jon, hello.

Jonathan Knepher:
Hello, Rachael.

Rachael Lyon:
So, fun fact of the day of the week, I guess. I love Wired. I get their email articles every day. Every day. There's always something fascinating and I have to, I guess sheepishly admit I did not realize that Elon Musk was a co-founder of OpenAI.

Jonathan Knepher:
Going back to the beginning, I think.

Rachael Lyon:
Yeah, like 2011. Right. I mean, back in the day. So I just, I love to learn new things and I just thought that was an interesting little nugget to learn

Jonathan Knepher:
I think there's been some drama since then on some things he's been saying too, since then.

Rachael Lyon:
Yes, yes, I'm steering clear of that conversation. But I, I did, you know, I did. I think that's pretty cool to be at the ground level of something like that and, and see what it's become and all the things that happen in the, in the meantime. But without further ado, let's get to why we're here today. Excited to welcome to the podcast Jeremiah Baker. He is an ethical hacker turned keynote speaker and author with more than 20 years of experience in cybersecurity. He's a proven business growth strategist. He scaled cybersecurity firm into a dominant industry player as an equity partner.

His commitment to security is rooted in his personal experience growing up with 56 foster children, which taught him that a data breach is a fundamental loss of stability for people. Today he leverages those lessons to protect companies and employees from cyber threats. Welcome, Jeremiah.

Jeremiah Baker:
Thank you, Rachael. Thank you, Jon. Thanks for having me.

[02:05] Financially Motivated Attacks: Wire Fraud and Ransomware

Jonathan Knepher:
Absolutely. Thanks, Jeremiah.

So let's kick this off with. Talk to us about what you've seen financially motivated attacks look like. I think we've all had in our minds ideas of what it looks like. But what's the reality?

Jeremiah Baker:
Yeah, that's a good question because it's. Unfortunately we live in an era of what I like to refer to as just modern-day bank robbery, without going to the bank. And this projects over those 20 years that Rachael had brought up is that the most common things with fund transfer fraud, things like wire fraud and ransomware, extortion, things like that remain constant and seem to be getting far more efficient, effective and prolific with the advent of things like AI. Because in our past growing up, we all remember getting those emails where something seemed a little broken in the English or something like that. And you could easily spot the attack, like, ah, this isn't real. This seems like it could be fake. And those days are long gone.

Now, with tools like AI and so forth, the attackers are able to write very efficient email phishing attacks, doing voice, doing video, and make it seem very legitimate. So those attacks are all too common. And I receive the phone calls more frequent than, of course, I would like to. I can't even tell you how many times I'm walking into, even most recently going in to do a keynote. And I'm in the airport getting ready to go on the plane and I receive a panic phone call from a CEO that I know, for example, saying someone called me and it sounded like it was my bank and they had all my details and they asked me for my username and password and I gave it to them and. But they couldn't get in because the line broke or there was static right when I was giving the last character of my password and they didn't get in, what do I do? And I'm getting alerts from my other bank accounts and I'm like, well, first of all, don't give your information to people over the phone. But this happens all the time. And oddly enough, I don't know if the listeners or if you are seeing this as well, but a lot of times these are very large dollar amounts that actually do get taken.

And it's usually an example where someone of authority, their email account gets taken over. They're not aware of it. A bad actor, a cybercriminal, is sitting inside the account watching how wire transfers happen. Average dollar amounts, patterns that they're looking for. And then this is a real-world story, but kind of anonymized to protect the innocent and the guilty per se. But where a CFO was out of office, or a vice president of sales rather in this particular scenario, and the bad guys were sitting in the account, there was no MFA on the account, no multi-factor authentication. They just needed to get the username and password. They sat, they watched as a large almost million-dollar transaction was about to happen.

A few months go by, and when it's about to happen, they said, hey, acting as the VP of sales, send the money here. And the person did. Over $700,000 was sent to the cybercriminal's account and they were never able to, to the best of my knowledge, recover those funds. And like I said, it was a simple attack. It wasn't super complicated. It was just the fact that the attacker only needed to get the username and password into the account, set up some rules to hide their interactions, and they were able to carry out over $700,000 theft at the end of the day. And that is a very common thing. Around half a million dollars or so seems to be what I see.

It might be a subset of that where it's 250 here, 250 there, but it's always the same case. In my experience, and I can only speak from my experience in that, it's usually because the basics were not in place and/or the victim didn't know that this type of attack could happen before it was too late. So it's all of those things from the phishing to the wire fraud. It usually starts with the email account and. Or an impersonation scam. I'm your CEO and they text you, hurry up, send me some gift cards, you know. And it keeps happening year after year after year. Even though we all know we hear these stories, they still happen and it's very common.

But wire fraud is the most common. Second, I would say, in terms of dollar amounts would be the extortion, like the ransomware and things like that, or just pure extortion, like we saw some information and we're going to release it. Unless you give us $500,000 in Bitcoin, we're going to send it to the world and you don't want the world to see this, whatever is that they captured. Those are probably the most common real-world cases that I'm continuing to see starting 20 years ago, all the way through today.

Rachael Lyon:
That's crazy. It's like the tried-and-true, it just keeps working and gets more efficient. And with AI, the language now, you can expand that to what used to be very difficult languages to impersonate. The voice cloning part really freaks me out. I'm a big fan of social media and TikTok in particular. And it's becoming harder and harder to discern what's real and what's not. AI and if they don't have the AI-generated tag, you're like, is this really real? Because I know that's not Keanu Reeves vacuuming his house

Jeremiah Baker:
or calling us right to give us this special investment opportunity.

Rachael Lyon:
How do you get my number? But how do you find trust in this world, Jeremiah? I mean, I've gotten to where if I get a text message from the post office or FedEx saying I owe them money, I just. I'm like, you know what? If it's important, they're gonna mail me.

Jeremiah Baker:
Correct. That's important.

Rachael Lyon:
I'm not even going to touch it. But it's this whole world of skepticism now. I don't trust anything or anybody. And that just seems kind of terrible. But it's where we live today.

Jeremiah Baker:
Yeah, I think honestly, that's something we talk about internally and with our clients. And as you said, I do give quite a few keynotes every year in front of large audiences across multiple industries. Unfortunately, that's where we are today. I think we really have to do real zero trust. This whole concept of trust-but-verify or benefit of the doubt is the worst when it comes to risk mitigation. Simple framing to think about that is not to be overly terrified or super, you know, alert. It's just if I'm not willing to lose it, then I have to not trust and put measures in place to verify the trust before I give it. And that's where most of the time, when someone gets caught up or taken advantage of or becomes a victim of one of these things, it's because they didn't follow that and they were giving benefit of the doubt.

They were not following zero trust protocols and so forth. And then the theme, the talk that I give, I titled it Confessions of a Hacker, one, because it's a little catchy. But also the subheading is important in that you know how to protect yourself before it's too late.

Rachael Lyon:
Right.

Jeremiah Baker:
And that's the problem that I see is most of us are not aware of what can happen to us until the moment it does. But that is a critical point where we don't have a lot of recovery capabilities. So in this case, the old saying that like, an ounce of, you know, preparation or prevention, it goes a long way. It really does in this case. And it's really just a matter of how we think about it and that. And again, from my opinion, from my experience in that it's best to look at it like, if I'm not willing to lose it, then I have to verify, verify, verify. And this benefit of the doubt, trust-but-verify is not a good game to play if you care about mitigating risk.

Rachael Lyon:
And sometimes you just have to not worry. It's, you know, if I hurt your feelings, I'm sorry. But, you know, you have to have that blanket behavior because to your point, just you give an inch and they come right on through.

Jeremiah Baker:
Yeah, and it can be catastrophic. You know, we see it with small businesses specifically. They can't recover from one of these large half-million-dollar, million-dollar attacks or like their systems getting frozen up to where they can't operate because of ransomware. And they're scrambling for a long period of time, for example, their business stops, their reputation gets damaged. It's very, very real. And those are the times when I receive those phone calls. It's really troubling. It literally gives me goosebumps even thinking about it when I received the call saying, what do we do? What do we do? And I realize there's no option for recovery other than completely reset their business.

And that can be catastrophic, as you can imagine.

[10:45] Why Small Businesses are Prime Targets

Jonathan Knepher:
So what do these people need to be doing proactively to protect themselves?

Jeremiah Baker:
Right.

Jonathan Knepher:
Like you mentioned MFA and like just the thought that somebody might not have MFA to me now seems so foreign. But like, are you still seeing that what people need to do?

Rachael Lyon:
It's kind of a hassle.

Jonathan Knepher:
It is a hassle.

Jeremiah Baker:
No, it is, Jon. It's not funny like ha-ha funny, but it's funny in the sense that it's true. Like especially in smaller businesses, like larger corporations tend to be implementing, you know, company-wide identity management, multi-factor authentication, these types of things. But when it comes to smaller businesses, cybersecurity oftentimes what I'm seeing, and this again, it projects out year after year, is that cybersecurity is kind of a secondary part of their business. It's not baked into the DNA of how they do things. And that's why this before it's too late thing is so problematic because generally speaking it becomes important to them once something happens. And I've even seen this in larger orgs. We used to speak at something called the Billion Dollar roundtable every year.

And one of the roundtables was a Chief Legal Officer roundtable. And as you can imagine, they're the first ones or very close to the first ones that get called in the middle of the night or whenever something really bad happens. And that's when they said, hey, we've kind of been doing what everybody else is doing, like across our industry peers. But we keep seeing that not working. What should we do? From their perspective, they were able to implement these things across the board, inside their companies because they're well-funded, they're well-staffed and so forth. But in the smaller organizations, I've even spoken in small groups where I described all of the attacks. Confessions of a Hacker, for example, walks through all of the common attacks, how they're happening, what you can do to prevent them, and what to do if something does happen. And I would get calls years later from some of the attendees saying, hey, somebody just sent an email that looked like it was our client asking us to wire $35,000.

We had just paid them, so we thought maybe we owed them some more money. And it turns out that it was someone in our email system had done an email account takeover, and it was not the client sending us that. It was a bad attacker. What do we do? And I said, well, did you end up after our last meeting? Did you put multi-factor? Did you do this? Did you? And they said, unfortunately, we didn't. So a lot of times it's really on us just not doing the basic things that we should. And then maybe equally as important is staying very up to date on security awareness and really thinking like a hacker or a cybercriminal to beat a hacker, and staying very up to date on exactly how they're attacking. Because it's constantly evolving, especially with the automated attacks that come out of things like AI and so forth. We really can't look at cybersecurity as a secondary component.

I think it has to be right in there, just like sales and marketing and growth. It's just as important. And part of the business is that,

Rachael Lyon:
Do you find small businesses, you know, kind of historically, it's. Why would they target me, right? You know, I'm just a mom-and-pop shop. You know, what value do I have? And, you know, but it's. There's an example of a plastic surgeon in LA, right? And access to those client records would be gold, potentially. So do you see, A, is that still kind of the prevalent thinking, or is that starting to change? And then B, kind of. On the other point you made, you hear a lot too, about ransomware. They'll attack through a vector, and then that vector's not secured so they can come back for a second round. And are you seeing that as well? And I imagine for a small business that would just be catastrophic.

But I'd be interested in what you're seeing out there today.

Jeremiah Baker:
Yeah, it's a good question, Rachael. Yes, the answer is yes, yes, yes. So what? So with the small, small businesses, and this is across the board, this is one of the big problems that we see is that a lot of folks say things like, well, we don't accept credit cards, we don't take payments, we don't do this. And I'm like, well, I call that kind of. I refer to that anyway as reverse paranoia where it's kind of like instead of being paranoid to go after like oh my gosh, I got to be protected. It's, well, I can't deal with this mentally. So what I'm going to do is say I'm not a target. That is absolutely not true.

As we all know, those days are over and they've been over from the beginning. But a lot of folks start thinking, oh my gosh, I'm going to have to spend money, I have to hire people, I don't know how to do this, what should I do? And it's not just about people that accept credit cards and payments. And for example, worked with an ultra-high-net-worth wealth manager and I'll keep it kind of anonymized. But they had a similar attack where someone had committed an account takeover on their email and were emailing out their list, a bitcoin investment opportunity for $15,000. They got very fortunate that one of their contacts said, hey, I know you, this is not like you. And they sent a screenshot. I was just landing in LaGuardia to go to a board meeting in New York and as I land, I turn on my phone, I'm seeing all these missed phone calls. So I from my seat took, opened up the call once we had landed and got, you know, got to the gate.

And the person said, hey, what do I do? What do I do? I don't know how to turn this off. What's going on? So I quickly got off the plane, found a spot to sit down. We went through the account to see what was happening and sure enough, as always, attacker got in. There was no MFA on the account, no multi-factor authentication. And they had set up a bunch of rules to hide these exchanges between the person's email list, their contact list. And we got really super lucky because I checked to see if the username and password had been changed and it had not. And unfortunately that's usually one of the first things they do so that you immediately lose control. So we went in and we changed the username and password.

We went in and put in MFA. We went in and got all the rules out of there and all that kind of stuff. Then, of course, reputational management have to reach out to your listing, something happened. If you receive this from me, don't act on it. Especially like if you're a wealth manager or accountant or something like this. And it wasn't really where they're trying to immediately take credit card payments or do wires. It was sending a scam investment opportunity out to the email list and that could have. For businesses where trust is everything like this, like, well, if I can't trust you to manage your own email account, how can I trust you to manage my wealth? Right.

So things like that can happen and it's getting a little bit better. But it's still more of our thinking, how we think about cybersecurity. I think it's still an afterthought for too many small businesses because the reverse paranoia kicks in and they say, I can't afford this, I'll deal with it later. And then sometimes, and oftentimes as we see we can all Google it, it can be very catastrophic and it is. A large portion of businesses go out of business after suffering from a successful breach and/or fund transfer fraud situation like this.

[17:52] Incident Response: What to Do When a Breach Hits

Jonathan Knepher:
So for all of us that don't have your cell phone number, what's the first 24, 48 hours after becoming aware of a breach? Like, what should people do? What's that look like? And do you see that people have made mistakes in that?

Jeremiah Baker:
Yeah. So just to clarify the question, like what did they do after they identified a breach?

Jonathan Knepher:
Yeah, exactly.

Jeremiah Baker:
Yeah. So that's usually when, as you know, immediately incident response team comes in with forensics trying to reverse engineer, diagnose what exactly happened and then quickly start plugging all the holes and locking everything up. And that's the problem is again, oftentimes it can be too late because a lot of damage has been done. And honestly, as we see in the. You can Google this as well in most of the news, like when a breach happens, I think IBM's latest report said that it's somewhere still around six months before a breach is detected. So like we know all the major breaches that happened in the news of major retailers and credit bureaus, bad guys got in, the company wasn't aware they were exfiltrating data, credit card information, PII, all that kind of stuff. And then eventually someone said, oh, something's happened, you know, but this has been months that went by. So the idea is unfortunately once something does happen, you have to get incident response in there with your forensics teams and so forth to quickly try to mitigate your risk and stop any kind of bleed and put yourself into more of a defensive, protective way.

But the real leverage comes from doing the right things on the front end, which is having all the identity management, zero trust, very good backups and recovery exercises if you get hit with ransomware. Because I can't tell you how many times I receive a phone call that says, we've been hit with ransomware. They're asking for five hundred thousand dollars in bitcoin. What do we do? And I asked, do you have backups? Have you practiced restoration exercises? And most of the time they say no. And then they say, do you have some bitcoin you could sell us? I said I don't. And then I hang up the phone. So it's, you know, again, it's, it's so imperative and not to be driving fear, but.

Rachael Lyon:
Right.

Jeremiah Baker:
The magic comes from doing things before the bad thing happens if you really want to mitigate damages and your risks.

Rachael Lyon:
So kind of using as a jumping-off point and again reading who knows what. And I don't want to fear-monger, but when it comes to the long game, I know there's kind of two points in view. There's AI gets in, gets out. But then you hear a lot, particularly around geopolitical conflicts and offensive cyber strategies, let's say. And someone could dwell in your system for a few years, just kind of like a sleeper cell, just waiting, waiting to proliferate. And then you hear that in the context of water systems or electrical grids and things like that. But what are you seeing out there? Is that prevalent or those more kind of exceptions?

Jeremiah Baker:
I would say it's quite prevalent. And not just from my opinion. Right. Again, we can Google the news if we look at most of the major breaches again with the retailers, the credit bureaus, those folks that were hitting exactly what you just said is what happened. And then recently the feds, the FBI released that it was a foreign nation-state attacker that conducted this. And they basically, like for example, in one scenario a third-party HVAC vendor had been compromised. There wasn't proper, what's called segmentation, separation between the account and what hackers do when they get in. And I know this from the team that we have, is that they'll get in and their goal is to move what's called laterally and escalate their privileges to where they can get to be pretty catastrophic level of access to things.

Right. And that's exactly what they did. They had a third-party vendor that worked with the larger retailer, for example. There was not proper segmentation. They got all the way through to the credit card machine at the counter and then they had installed malware that was basically just pulling out the credit card data and then storing it and then slowly exfiltrating it, getting it out to themselves. And this went on for months before the victim had realized that happened. And the same thing with the credit bureau and the same thing with the next folks and the next folks and the next folks. So that's why it's so important to have your data loss prevention, your monitoring, your alerting.

We have to be on top of it and we have to think as if we are the malicious hacker. But on a good sense from the protective side. It can't be like just being so scared that we put our head in the sand. And unfortunately, that happens. And then the strangest thing, too, we've seen it across with hotel chains and it's endless, right? And the tough part is that I don't know what it is culturally inside of a company, but some of the employees seem terrified that they're always on the chopping block if something happens on their watch. And I think we need to flip that to where our employees and our co-workers and the people that we work with, we kind of become the superheroes inside of our company where we're defending against the bad guys and they're not worried, like, I gotta hide. I gotta hide because if something happens, I'm gonna get fired. Because that's what we saw happening, like with the large retailer that I'm talking about from maybe this is 10 years or so that rhymes with Tarjay or something like that.

But we saw in the news that they had let go of like a CEO or something like that, and the C-suite, and that was happening for some time where something would happen and then they just get rid of the person. I don't think that's really helping solve the issue, but that's what we, you know, we saw. And a lot of executives were terrified. So, yeah, such an interesting internal kind of feeling.

Rachael Lyon:
We've seen that also. Right. Bubble up to board and their fiduciary responsibility in the case of attacks as well. Right. For organizations, yeah.

Jeremiah Baker:
It's a very thankless job. You know, it's good as long as everything's good, but when you're on the defensive side and something happens, it can be really hard on the employees.

[24:13] AI in Cybersecurity: Offensively and Defensively 

Jonathan Knepher:
So we talked a bit about how the bad guys are using AI. How are the good guys using it, and how should they be using it?

Jeremiah Baker:
That's a good question. It's so new, you know, relatively speaking, that one. I don't feel that enough of the good guys are using it enough. Because this is. You all may have seen this too, right, over the years, where it seems like the malicious attackers, the cybercriminals, are the most innovative.

Rachael Lyon:
Right.

Jeremiah Baker:
Because what their goal is is to execute what they're doing without getting caught. And if they get caught, then it's, you know, one, maybe they, it's simply they just don't get the money or what the data or whatever they're looking for. And then even worse, they get in a lot of legal trouble, right, potentially going to jail and things like this. So they're using it to effectively make themselves more efficient, more effective, not get caught and so forth. So we on the defensive and protective side have to be even more aggressive than they are. And that's the part that I would, you know, this could be a whole other discussion, but how do we incentivize ourselves, our companies, our own boards, our executives, from the C-suite down, to incentivize the defensive team to be using AI more aggressively and effectively on a protective method than the bad guys using it to do the attacking? Because in the past, and this is again just from my experience, is that when we're hired to attack and break into a company, our goal is to, we're under serious MSA and legal agreements and all this kind of stuff that goes on for months. And what we want to do is break in, find all the vulnerabilities, path to breach, get as far as we can without getting detected, then stop the exercise and say, okay, client, we're done. We got in and we didn't bring down any systems or cause any problems, disruption in business and things like that.

Then the idea there is, in the old days, which could be just two days ago with the way AI is working, is you would do something called footprinting or attack surface mapping. You would look for everything that's in the environment, then you would start to look for are there any known vulnerabilities in those things that they may not have patched and so forth. And again, I am not technically a hands-on-keyboard ethical hacker, but I've hired them and I work with them and this is what they do. And they then see where they can get in without getting caught. They don't want to go after the heaviest-hitting, most defensible tool sets. They're looking for the weakest link where they can get what they want to do done and then not get caught. Right. So what's happening now is that old way of things is kind of ancient history because from what the testers have shared with me is that with AI, the minute a CVE or a known vulnerability is released, the AI grabs it and can even create custom tool sets and abilities and attack methods to then quickly go compromise it.

So it's kind of like I see it, I got it. Whereas in the past, if it's taking people six months to even identify a breach like that, that can't be the case anymore. We have to stop that. And that is one good thing that I have seen with the use of AI is it's bringing the time to detect way down from a defensive capability. So that's really good. But we have seriously always been in this cat-and-mouse kind of the attacker, the defender, and now with the tools, it's not as much about the human element. It's setting up the tools to follow a strategy to say, all right, quickly find the vulnerability and attack it and get what we want and get out before anyone even knows what's happening. So I think that with the AI, using it properly, I could see us getting more effective at staying just one step ahead of how the attackers are using it from a detection, a monitoring, a response and even a defensibility perspective so that these attacks aren't as damaging as they are.

But honestly, it makes me really nervous because in the past we were more worried about a human attacker that had natural built-in inefficiencies in the way they do things and they didn't want to get caught. If it's just the machine doing it and it's more efficient, it doesn't get tired, it's smarter, it can pull from all the information globally. That's why we have to use AI equally as a defensible strategy. And I think, I don't know if this is true, but that's probably why when Anthropic was rolling out their tool set, when they had said that they were going to the largest players to allow them to get the defensibility set up internally before malicious attackers rather got access to the tool set. They're following a simple strategy of that, like let you defend before this thing gets out in the wild. But even then, I mean, how effective can you be? Because you're only as effective as your weakest link. And if you only help the subset of companies on the planet to be defensible, what about everybody else, right? So we have to really change our thinking and we can no longer just sit on the sidelines and hope that nothing will happen or wait till something does happen, we have to make this, if the attackers can use AI very efficiently, we have to be that much more efficient and effective in using it from a defensive perspective is what that's my point of view.

Rachael Lyon:
And I hate to do this, everyone, but we're going to pause today's discussion right here and pick back up next week. Thanks for joining us this week and as always, don't forget to smash that subscription button and we'll see you next week. Till next time, stay safe. Thanks for joining us on the To The Point Cybersecurity Podcast, brought to you by Forcepoint. For more information and show notes from today's episode, please visit forcepoint.com/podcast and don't forget to subscribe and leave a review on Apple Podcasts or your favorite listening platform.

About Our Guest

Jeremiah Baker, Cybersecurity Expert, Speaker, and Consultant

Jeremiah Baker is an ethical hacker-turned keynote speaker and author with nearly 20 years of experience in cybersecurity. A proven business growth strategist, he scaled a cybersecurity firm into a dominant industry player as an equity partner. His commitment to security is rooted in his personal experience growing up with 56 foster children, which taught him that a data breach is a fundamental loss of stability for people. Today, he leverages those lessons to protect companies and employees from cyber threats.

Check out his LinkedIn