Automated Transcript
Jason: Hello, and welcome to this edition of Gamma Secure, where we help you understand the evolving threats, and how our managed detection and response service helps you with the humanising of cyber security. My name is Jason Simper, and I’m the Cyber Business Director here at Gamma Communications, and today I’m joined by Martin Kramer from KnowBe4.
Martin: Hi Jason, it’s my pleasure to be here today.
Jason: So Martin, thank you for joining us today. Can you tell us a little bit about your role, what it is you do for KnowBe4, and how you help partners like ourselves?
Martin: I’m a security awareness advocate at KnowBe4. That means I advocate for a better understanding of the human aspect in cyber security, which is often still not fully understood in the ways that it needs to be understood. So that means I come up with creative ways of talking about it. I do that at events, trade shows, fairs. I do it in writing also, and of course in a podcast like this one today.
Jason: So making it relevant for people, everyone being able to understand how the humanised, you know, the cyber security protection is managed by KnowBe4.
Martin: Absolutely.
Jason: Excellent. Okay. Well, I’d like to start with one of the hot topics obviously – AI. AI is talked about in all different aspects of the service provision that we provide, and we look at it in terms of social engineering for you. So how are you managing social engineering and AI at KnowBe4?
Martin: So, in many different ways, but first of all, I’d like to briefly say, you know, AI has changed the threat landscape in the last few years. So in cyber security, we largely speak about three different aspects of it. One part is how it has affected social engineering. The other part is how it has affected malware. We’ve seen AI generated malware, and then of course this more or less hybrid threat of disinformation or narrative attacks that keep our businesses really up and awake at night, almost, because all of a sudden, when it comes to disinformation, you see that paired with traditional cyber attacks, and you also have to deal with the reputational damage and impact that those can cause.
Jason: So trying to work out what is a real threat and what’s not.
Martin: Yes, that and also of course, once you have been breached, how do you deal with the aftermath? How do you keep your customers happy, in the sense of how do you rebuild trust? So how do you make sure that you’re not losing the loyalty of your customers so they move over to the competition because they think you’re no longer reliable and secure? So you have to make sure that you protect your reputation as well as the security of your organisation itself.
Jason: So if we think about that, so we talk about applications, which is what people typically use to do this. If we think about the applications that we’re looking to manage, how they get onboarded and where the issues are, what are you seeing within KnowBe4 and how are you protecting those?
Martin: Yeah, so when it comes to KnowBe4, our main mission is to really address the ongoing challenge of social engineering. So with AI and social engineering, we see it used in a number of ways, and that’s also how we need to start tackling the challenge. So deep fakes, it’s a huge topic of course. We have seen it just last year, where in an online meeting there were several deep fake people present and only one real person present, which really troubled the… actually also a British firm, the Arup engineering firm, in the Hong Kong office. A finance worker was in that meeting, and then, you know, was tricked into carrying out financial transactions. The equivalent of 25 million US dollars was lost, 20 million pounds roughly. That was huge, and that was the first of its kind. That’s how deep fakes are used; to trick people into doing things they otherwise wouldn’t do. So social engineering.
Jason: And how hard are these deep fakes to pick up? Sorry to interrupt. How hard are they to pick up? I mean, you talked about, you know, two out of the three were deep fakes. What’s the sort of signs that people should look for?
Martin: Looking for signs is becoming incredibly difficult, and increasingly difficult, these days. You know, just to give an example. What you can do is you can ask the person to move their hand in front of their face, because if you’re looking at a person who is imitating someone else, who does a face swap in real time, then there might be a glitch that you see. You can… what you cannot do any longer is also important. It’s not very reliable to look at sort of blurred hairlines, to look at… if the mouth is twitching, if the eyes are twitching, if there’s any technology.
Jason: So it has gone way beyond that.
Martin: Massively advanced, massively advanced, and it will continue to do so. That’s why I was quite hesitant to say, “well here’s something that you can do as of now.” Yes, you can ask them to move their hand in front of their face to make sure, but at the end of the day, if you look at even the commercial space of deep fakes that’s right now available, if you look at these platforms that are out there for video synthesis, for audio signals etc, they are so far advanced and they continue to advance so quickly that in the very near future, I do not think you can say “okay, please look out for these red flags, please look out for these signs.” So we need to sort of come back to the core of it all, which is: if I have a gut feeling, if I have the inkling that I’m being tricked and manipulated by someone else, particularly if it’s emotional, I need to sort of stop and think. That’s where the trust but verify, or stop and think, all of these slogans that we traditionally use to combat social engineering, that’s where all of those come in, and they’re still relevant. They’re as relevant if you’re sitting in front of a deep fake, or you suspect you’re sitting in front of a deep fake, as if you’re sitting in front of a suspicious email. It basically comes back to the same core.
Jason: If you’re questioning yourself, then stop and think about it.
Martin: Trust yourself. Trust your gut feeling. Take action. Take action, and for that action, of course, you can always ask a colleague, “hey, what do you think about this?” You can always report it to your information security teams. That’s where the entire organisation and the security procedures also come into play.
Jason: So the level of sophistication is increasing so fast. It’s a bit like cyber security in itself. You know, the very reason that we exist is because we’re only trying to keep up with the cyber criminals and the cyber hackers. Knowing what they’re doing and responding to that is the only way we can try and protect people.
Martin: And of course, we have to realise that, you know, technology is advancing at a perhaps higher pace than we humans can keep up with, and particularly at a much quicker pace than the entire workforce broadly can keep up with. So cyber security is not going to get easier. Well, it’s going to get more complicated, and you know, organisations really have to do their level best to protect their workforce.
Jason: So you say organisations, I’m aware that yourselves, you had an issue with an application process in, I think it was in Asia. Can you tell us a little bit more about that?
Martin: So the application process itself was actually in the US. It turned out to be a massive sort of news headline, which we were eager to share actually. So, I’m going to tell you all about it. Basically, the news headline was: KnowBe4 hired a North Korean fake employee.
Jason: That’s what I heard.
Martin: Yes. So, that was the headline. We actually went public with it, and we did that, you know, for the purpose of making others aware.
Jason: Education and awareness.
Martin: Exactly. So that is, you know, the essence of what we are all about, and even in this, even if it sort of doesn’t look too good on us, we thought, “okay, this is very important for us to do.” So what happened is, like many other organisations around the world, we were looking for talent in data science, because in order to fight AI, you have to do AI. So, we need the required talent for that, and it’s incredibly difficult. We have a skills shortage not just in cyber security, but also of course in data science. It’s a hot topic. Eventually, you know, we received some applications, some good applications, and there’s this-
Jason: One of them obviously very good.
Martin: Very good. There’s this one candidate that, you know, is perfectly suited for this job. Goes through all of our standard procedures. So at the time, you have to imagine, these are… obviously sends the resume, has references on there, has a valid social security number in the US, has all of the documentation in place, and then goes through a series of four online interviews on Zoom.
Jason: And then actually did some face to video-based interviews.
Martin: Face to face interviews.
Jason: So back to the point you were saying, how hard it is to decide the person in front of you on the screen. Wow.
Martin: And then, because it’s a software engineering job, or a data science job, there are challenges, coding challenges. So manages to complete all of these tests, and then effectively-
Jason: Probably got some high scores, considering.
Martin: Good scores and everything. Good scores and everything. Good profile, good scores and everything. And we hired that person fair and square. So at the time, the person was, or we sort of referred to him as Kyle, obviously not really the real name etc. But so Kyle got hired from scrap. Then, the first day of work comes around, and the way we do it in this case, he’s a fully 100% remote worker. So laptops get shipped to basically the residence, to their home address, and there’s a little detail here that will become relevant. So Kyle did ask for the laptop to be shipped to a different address, so we ship the laptop, you know, Kyle picks up the laptop, gets the laptop, sets it up on the first day, logs in. So for all we know then, of course, comes online, and anyone who starts to work with us goes through a protected onboarding environment where they have to complete training before, after so many weeks depending on the job role, they get to actually have full access and get on with their job. But so what happened in this case is they log on, and almost immediately after logging in, they try to download a software package from the internet. When that is blocked by our InfoSec team, they try to download that software package from the local network, at which point it’s flagged to our information security team, and they do reach out on… we use Slack, on Slack. So, they’re like, “okay, you know, whatever’s going on here.” At this point, they’re still… our CEO told me, sort of, “we’re still believing, at this point, this person legitimately has trouble with, you know, onboarding, with getting the system up and running.”
Jason: Your own organisation had the security controls in place, so you recognised that something wasn’t right.
Martin: Yeah. So, we recognised something wasn’t right. So we reached out to him, and he said, “Well, I’ve got some trouble with my network connection. Just trying to sort it out. That’s why I’m sort of doing stuff on the local network as well, and trying to move, trying to update my router actually.” That’s what he said. Of course, that did not line up with what we were seeing – software being downloaded onto the laptop. So, what has that to do with your router? Like, immediately, why would you use your work laptop to update your router? So, and then of course, we also detected that the software package that the person was trying to download was actually malware. So, okay then, challenged with that question of, you know, your story does not line up, the person became unavailable on Slack. Then we observed that the same person was trying to clean up some log files. So, trying to cover the tracks. And the information security team ultimately isolated the account and shut down the access. So, at no point did the person actually manage to install the malware or get access to our network, let alone any data. So by no means was that a data breach, but it was an insider, because we had hired Kyle at that point, fair and square, who tried to install remote access software, as we learned later. And then almost immediately, we reached out to Mandiant, you know, our friends there who helped us to investigate, and the FBI. That’s when we learned this person most likely was part of a remote worker scheme that’s run by the North Korean regime.
Jason: So I was going to ask, is that, was it part of, you know, what you think is a bigger risk and a wider scheme?
Martin: Yes. So they then told us, “okay, hang on, you might have just fallen victim to, you know, one of these remote workers.” And that’s when we learned what the entire scheme is about. So effectively, the FBI released a list a while ago, even of stolen identities that are used for the scheme. So anyone who’s wondering whether they are affected by it, go check out the FBI information on it.
Jason: That’s good information.
Martin: Absolutely essential. So the scheme, just quickly I can tell you how it works, now Kyle actually used a manipulated picture, a face swap picture, so that the picture on your CV-
Jason: Details off of the internet, use those.
Martin: A stock picture off the internet that you can actually find as a healthcare official, also on Amazon for book reviews, also on an insurance website, so it’s all over the internet, a picture. But the face swap was just good enough so that when they did the video interviews, when my colleagues did the video interviews, it didn’t really flag anything immediately. But ultimately, the way it works is Kyle might sit somewhere in China most likely, or in some other country, and Kyle might not have been the same Kyle who appeared in all of the interviews.
Jason: Even more confusing.
Martin: It has to be even more confusing. And Kyle definitely was never in the US, but we can tell from other news stories that there are sort of people in the US who run laptop farms. So they facilitate the entire process. That’s why the laptop was shipped to a different address. So the laptop was shipped to one of these farms. US citizens then take the laptop to set it up, try to install the remote access software, and then the remote workers, who are mostly located somewhere in, or perhaps located somewhere in, the China region, then log onto these laptops and actually work for the companies that, you know, they applied to. Now, the goal, the angle here is financial gain. So they just want to earn their salaries fair and square. That’s the first and foremost, the most important point, and then some of that money, or most of that money, you know, is essentially put back into the system, and that’s done through, you know, it’s laundered.
Jason: That’s interesting. So, I was trying to work out what the motivation was, and you just explained that it was financial gain, and so there’s a legitimate employee actually looking to make a small amount of money, the rest is being siphoned off for financial gain.
Martin: Absolutely, and of course, you know, these workers, they are trained in North Korea as far as we understand. Some of them are actually extremely capable, so there was a news story just last summer, so after we released our statement, others came forward, and from that, you can see there was a small group of people that essentially installed remote workers in about 65 US businesses, and they allegedly earned as much as 800,000 US dollars, and you can assume that most of it then has gone somehow to North Korea.
Jason: Okay. Excellent. Well, I think it’s really good that KnowBe4 have shared that experience to show that even an organisation of your type is susceptible to these types of attacks, and the sophistication that they have, and by doing so it means everyone can learn a lesson from it. So that’s quite a specific case. I mean, how common are you seeing these threats in Europe? Is the same issue coming for us? What else is happening that we should be aware of?
Martin: So, the tricky bit is not many people come forward, not many organisations come forward. So, we know for a fact that, especially in the defence sector and in the healthcare sector, organisations in Europe have been affected. There are reports of organisations in Spain and in Germany that have been affected. And what we see over here is that it is less common, and that the goal is not always financial gain. And we can speculate as to the reason for that, but perhaps it’s not as easy to get the money out and get the money transferred because, you know, sometimes the preference is to be paid in cryptocurrency, and that’s less common in Europe, etc etc. But the secondary motive, which over in Europe becomes almost, I would say, the primary target, is also espionage, specifically in the defence sector, and then also possibly extortion and disruption. So of course, once you’re on the inside, you can do all of these things fairly easily. You can install your ransomware. You, as a software engineer, many times have privileged access to a lot of data. So that becomes very well possible.
Jason: Okay, thank you. And so finally, I guess, what are the general trends in the human risk landscape you’re seeing?
Martin: Yeah. Well, we have… we need to deal with these kinds of trends. We need to deal with AI, you know, enabling and facilitating many cyber attacks. So, to stay within this example, as people try to exploit the onboarding and hiring process. What happens now is that not only are remote workers installed in organisations, but also, if you are a software engineer at an organisation, and as software engineers, we know, we frequently change jobs. So sometimes, attackers put fake job postings out there, so role descriptions. They then ask you to apply for it, and as part of the interview process, you’re again asked to download a software package in order to, you know, complete a coding challenge, because they have to test your technical skills, and that again is malware, or there are other ways to install malware. So what we’re seeing is many ways that the onboarding and hiring process is exploited, and that many times, the people that are targeted are your software engineers, or are people in sort of privileged positions in organisations, and AI facilitates this by scraping data from the internet. So that’s how the attackers identify the victims, by, of course, crafting the emails that you need, using the deep fake videos to get through, you know, the interview processes, faking voice, faking phone calls. All these ingredients make it more easy, make it way more accessible for attackers also.
Jason: And much harder for us to spot.
Martin: And much harder for us to spot, of course.
Jason: Thank you for that, it’s really interesting. So you can see how organisations that work with us can use our MDR service to include the services that you offer, to give them that broader spectrum of protection.
Martin: That’s absolutely essential, because what we are seeing is, technology alone is never enough, right? You always also need… it’s a very well-defined process, and you need to train your employees, and that is really where the area of human risk management is headed. You need to fundamentally understand that what you’re doing is managing cyber risk, and for the highest priority of risk, which is the most likely and the most impactful, if you’re looking at a risk assessment, you need to have people, process and technology measures in place. Now what has happened over the past few years is that this is more and more understood. It used to be that people were like, “okay, well, there’s social engineering, that’s human risk, you know, let’s address this through training, and that’s done and dusted.” Now we’re seeing that’s no longer enough, because deep fakes are difficult to spot. You can’t rely on technology to spot them for you, and you can’t rely on people alone. So you definitely need to have a fallback, which is a good process, and you have to have the training, so people do remember to do the right thing at the right point in time.
Jason: And that’s where the challenge comes with some of the organisations, because they don’t have that breadth of skill set or capability. They might understand their business, but not necessarily the technical delivery. So, working with Gamma Secure and yourselves gives them that augmented incremental value.
Martin: Yes.
Jason: Excellent. Okay. Well, we’re running an event, Martin, called GX, which is our experience in May at Queen Elizabeth Centre, and I know that your organisation is there. Our customers can look forward to coming to hear more about what you do and the services that you provide. So, thank you very much for that.
Martin: Thank you. Thank you for having me today, and looking forward to the event also.
Jason: Thanks, and thank you very much for joining today, and we look forward to the next edition of Gamma Secure.