Cyber attackers are well-organized, well-funded, and right now, ahead of defenders. The threat landscape keeps changing, especially with AI influencing both cyberattacks and cybersecurity. But we can all take steps towards better hacker computer security. See Hackers are Winning with Evan Powell for a complete transcript of the Easy Prey podcast episode.

Evan Powell is the founder and CEO of Deep Tempo, a company offering AI-based cybersecurity and threat detection solutions. He is a longtime founder and technologist who builds companies to help big enterprises. In the last few years, most of his work has been around cybersecurity, with a little bit of fraud work.

Evan got into cybersecurity when he was at a point where he was ready to start another company and was looking for a mission. He was brainstorming with his daughter about potential options. She asked him what he could do about the climate, and he got stuck there. His expertise didn’t really fit. Then she asked what he could do about how the digital commons were getting attacked. That one seemed like a good fit, since Evan had a background in cyber. He decided to focus on digital security.

To the best of Evan’s knowledge, he’s never personally been a victim of a cyberattack. But people he knows have been. One person was in a pretty senior role and had his home router hacked. The hacker pretended to be support from the cable company, and they were able to intercept the reset email sent to his email account. This attack made the news, as this person was the head of the CIA at the time.

Cyberattacks happen to everybody. They happen repeatedly. And they happen to people who really do know better – but we’re all vulnerable in one way or another. The CIA head was spearphished with a very targeted attack. And it’s happening even more effectively today. Instead of showing up at your door or changing their voice on the phone, hackers can avoid live contact entirely or simulate it with AI.
Evan has seen environments where smart people have worked their entire career to protect themselves and their environments from attacks, but their hacker computer security fell behind somewhere and they were successfully attacked. Despite spending $250 billion per year on cybersecurity, we’re behind.

“Unfortunately, at least as I see it … we’re losing.”

The attackers are making trillions. At a recent Silicon Valley event, somebody asked why attackers are winning. Much of it is because they’re better funded. They’re making trillions a year – surely some of that goes back into their systems. And their teams often don’t work at Silicon Valley rates, so they’re able to get a smart, skilled, professional team for cheaper. Their ill-gotten gains provide much more funding than security has.

“Why are the attackers winning? Well, they’re better funded.”

Right now, working on hacker computer security is fighting against a superior army. And there are two types of approaches companies can take. One, Evan calls CYA. It’s a compliance-centric approach to security. Your goal is to check the boxes and show you’ve taken the required steps. For individual security people, there’s a good chance you’ve moved on to another job before an incident happens, so you can show that you bought all the right products and did all the right trainings.

The other approach goes beyond the regulatory checkboxes. It’s something called threat-informed defense. The goal is to think it through and understand from first principles. The surface area of businesses today is huge and always getting bigger. It’s almost impossible to plug every hole. But you might be able to learn what attackers are doing and behave appropriately. If it looks like criminals are exploiting vulnerabilities in one particular area, you can focus your hacker computer security around that area. A lot of big enterprises in the US and Europe have moved beyond the compliance-centric approach.
Many of them are creative in figuring out where attacks might come from and anticipating them. We have to move away from traditional systems, take a data-centric approach, and think creatively about threat-informed defense if we really want to move towards better security.

There are ways to learn about threats without having them happen to you. Systems are out there monitoring interesting web addresses, drawing connections, figuring out potential attackers, and watching them. Some of these are government systems, but a lot are big enterprise or threat intel companies. Evan knows a couple of large enterprises in the US who create honeypots – websites and systems designed to be attacked. When someone targets the honeypots, they can watch what they do and learn how they attack. They can then integrate these insights into future hacker computer security. Some of these honeypots are extremely complex, too. To get insight into attacks targeting individuals, these systems will create whole fake people for the criminals to attack. That’s the next generation of threat intelligence.

One of the things we can do to get to a place where attackers aren’t ahead is increase the cost of attack. Not necessarily make it impossible for hackers to get in, but make it hard enough that what they get out of it isn’t worth the effort they’d have to put in. Locking down your router, using two-factor authentication, and other basic things to protect yourself are great. Not only do they keep you safer, but they keep hackers from using your devices for other attacks.

“Doing [security] things protects yourself, but they also prevent your system from being used for subsequent attacks.”

Just this year, denial-of-service attacks from compromised routers in the US are up 300%. Businesses under attack are looking at where it’s coming from, and it’s from random individuals around the country because they’ve been compromised.
Manufacturers build routers, and if they discover a few years down the line that there’s a security issue, they just stop making them. Corporate America becomes the victim of compromised routers, and consumer America has no idea. The average user doesn’t know what firmware is, let alone how to update it – assuming the manufacturer releases an update at all. Multiple people have responsibility, but if we all do a little bit more, it’s harder for attackers. Making the wall they have to get over just a little higher is great.

Attackers are now using AI creatively to make even more advanced attacks. Evan is working on hacker computer security to fight those. But you can’t fight it if your approach is about checking boxes. If you refactor from first principles, though, you can make attacks harder and more expensive for hackers.

“If you refactor from first principles you will drive up the cost of an attack massively.”

There are a lot of parallels between what’s going on in the fraud space and what’s happening in hacker computer security. Stripe, for example, is building models to see what’s normal and be able to flag anything abnormal quickly. And red teams are using fraud techniques. When they get hired to see if they can get into an enterprise, they often use social engineering to get in the door.

Attackers use social engineering in all sorts of settings. If you mention on LinkedIn that you’re a Georgia Bulldogs fan and Evan strikes up a conversation with you and says he’s also a Georgia Bulldogs fan, that builds social trust. Once they have that trust, it’s a lot easier for them to scam you or get into your systems.

Fraud rings are often decentralized, with a series of loosely affiliated people who handle various aspects of the fraud. Something similar is happening with hackers, too. A qualified attacker may get into a system, leave themselves a backdoor, and then sell access to ransomware organizations. It’s not always the same organization doing all parts of the attack.
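The two ideas above, learning what “normal” looks like for a device and flagging what departs from it, and spotting a home router that has started pushing denial-of-service traffic, can be shown in a few lines. The script below is an added illustration for this summary, not code from Evan Powell, Deep Tempo or Stripe. It assumes a per-minute count of outbound packets per residential router (the kind of metadata a network provider would see without touching content), builds a robust baseline (median and median absolute deviation) from a short history of normal minutes, and flags a minute only when it is both far above baseline and above an absolute packet floor. All device names and counts are constructed; the floor and threshold are illustrative choices, not values from the episode.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class FlowWindow:
    """Outbound packet count for one device during one 60-second window (constructed record shape)."""
    device: str
    minute: int
    out_packets: int


# Constructed history of quiet minutes for three hypothetical home routers.
NORMAL_HISTORY = {
    "rtr-A": [120, 135, 110, 128, 140, 118, 125, 131],
    "rtr-B": [300, 310, 290, 305, 295, 315, 300, 298],
    "rtr-C": [4, 5, 6, 5, 4, 6, 5, 5],
}
BASELINE_WINDOWS = [
    FlowWindow(dev, i, n)
    for dev, counts in NORMAL_HISTORY.items()
    for i, n in enumerate(counts)
]

# Constructed "current" minutes to score against that history.
RECENT_WINDOWS = [
    FlowWindow("rtr-A", 10, 130),   # ordinary evening traffic
    FlowWindow("rtr-A", 11, 9800),  # sudden sustained flood: the shape of DDoS participation
    FlowWindow("rtr-B", 10, 330),   # a little busier than usual, nothing alarming
    FlowWindow("rtr-C", 10, 40),    # eight times its norm, but still only 40 packets
]


def build_baseline(windows):
    """Per device: (median packets/minute, median absolute deviation) over the history."""
    per_device = defaultdict(list)
    for w in windows:
        per_device[w.device].append(w.out_packets)
    baseline = {}
    for dev, counts in per_device.items():
        med = median(counts)
        mad = median(abs(c - med) for c in counts) or 1.0  # guard against a perfectly flat history
        baseline[dev] = (med, mad)
    return baseline


def robust_z(baseline, window):
    """How many robust standard deviations this minute sits above the device's norm."""
    med, mad = baseline[window.device]
    return (window.out_packets - med) / (1.4826 * mad)  # 1.4826 scales MAD to a normal sigma


def flag_anomalies(baseline, windows, z_threshold=6.0, min_packets=500):
    """Return (device, minute, z) for minutes that are both statistically and absolutely large.

    The absolute floor keeps a quiet device's tiny fluctuations (large z, few packets)
    from paging anyone: one source of the false positives the discussion warns about.
    Devices with no history cannot be scored and are skipped.
    """
    flagged = []
    for w in windows:
        if w.device not in baseline:
            continue
        z = robust_z(baseline, w)
        if z >= z_threshold and w.out_packets >= min_packets:
            flagged.append((w.device, w.minute, round(z, 1)))
    return flagged


def detect():
    """Run the constructed recent minutes against the constructed baseline."""
    return flag_anomalies(build_baseline(BASELINE_WINDOWS), RECENT_WINDOWS)


if __name__ == "__main__":
    for dev, minute, z in detect():
        print(f"{dev} minute {minute}: outbound packets {z}x robust sigma above baseline")
```

Only rtr-A at minute 11 is reported. rtr-C’s minute is statistically extreme but stays below the packet floor, which is the trade-off a provider faces: a looser floor catches more, and also turns a customer’s unexpected but benign burst into an alert.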
There is a policy debate in the US about whether some organizations should be allowed to “hack back.” A lot of cybercriminal environments are available on the dark web, and they have exploits, too. If they have a web server, why couldn’t part of hacker computer security be taking that down? Right now, it’s illegal for US companies to hack back like that. But some people think it’s time to take the gloves off to push back against the cyber threat. Answering that debate is beyond Evan’s pay grade, but it’s an interesting thought.

A similar thought is whether companies should be allowed to go in and patch people’s machines for them if they don’t patch them themselves. If Microsoft identified 100,000 compromised machines, patching them would reduce attack vectors. But on the other hand, they didn’t get permission to go into people’s machines like that. It’s a bit of a gray area.

Do network providers have an obligation to prevent malicious activity on their networks? It’s an interesting question. It’s easy for them to see if a customer is being attacked or has been compromised, and they know what’s normal on residential devices. They may not have access to the actual voice on a phone call, but they have the metadata about it. Do they have an obligation to start acting like a firewall and do something about attacks or compromised devices?

One thing to note is that this would be an unimaginable quantity of data for these companies to sift through. Network providers don’t have that capability yet. And customers can do stuff with devices that might not be bad or a sign of compromise, but is unexpected. That could throw up false positives. Evan has started to see some networks offering that kind of protection as an option. Customers can opt in to higher protection, often for an additional fee, if they want the network to provide that service.
On the other hand, if you get a call from someone claiming to be your ISP saying your computer is compromised, a smart customer would assume that’s a scammer and hang up. Usually those calls lead to a compromised computer, not the other way around. And those are good instincts. But it makes offering these kinds of services even more challenging for companies.

Cloudflare protects millions of websites. It works so well because they have so many customers. They get enough data to start seeing patterns quickly, and they can learn from attacks in one place how to better protect all of their customers.

A big challenge in hacker computer security is that there are so many vendors and platforms. If they’re not working together, and if they aren’t willing to share what they see so as not to reveal secrets, it makes security worse for everyone. On average, a mid- to large-sized enterprise in the US will have something like 55 cybersecurity vendors. Each of them ends up reinventing the wheel in some way because they don’t talk to each other. But we are starting to see a shift. There are companies that are using data lakes, where all the data goes into one place and security vendors query that place instead of each alert going in front of a human.

Data sharing is important, but feels risky. Nobody wants to be the company that went out of business because they gave away their best secrets to help others be more secure. And security professionals can feel like their careers are tied to certain systems. But we have to share data if we ever want to improve. There are a lot of practitioners already talking about what works, and open-source tools like MITRE making it easier. But cybersecurity practitioners need to share data, not just tools and methods, if we really want to get ahead.

“The silos, one way or the other, cannot stand. We’ve got to share the info.”

Evan does think that eventually, the tide will shift in our favor.
After 9/11, everyone started talking about OODA loops – the speed to Observe, Orient, Decide, Act. Some enterprises and government entities are building loops where they can see attacks starting and adjust defenses. AI can help tighten that loop, too, because it can work so fast. Sharing data between models can tighten it even more. We have a long way to go, and it will probably get worse before it gets better, but it’s doable. There’s nothing we can’t do if we set our minds to it.

Right now, businesses need to think about how they think about security. Are you focusing on compliance, or understanding? Moving towards a data-centric solution will give you a faster loop.

For the rest of us, we have to build new cybersecurity habits. It’s a pain, but eventually they do become habits. Know how to protect yourself. Use MFA, don’t reuse passwords, have safe words with your loved ones to spot AI fakes. It’s not just about protecting yourself, it’s about keeping you from being a platform for other attacks. If we can collectively increase the cost of attacks, it will push back on these forces that want to make money and don’t want an open digital society to flourish. Everything we do for better hacker computer security, no matter how small, is doing our part to protect society.

“Know how to protect yourself … [and] in a small way, we’re doing our part to protect this society.”

Learn more about Deep Tempo at deeptempo.ai. Find Evan Powell under his name all over the place, but these days mostly on LinkedIn.